Hello,

Recently I set up an XFS share under Samba, and played from Win2K
with ACL entries of shared files,
and noticed that
 Win2K never DENY ACL entries,
 so for example for an XFS file with acl:

 # owner: a
 user::r--
 group::rwx
 other::rwx

 Win2K security tab shows for user "a":
 Read & exec = <nothing here>
 Read = Allowed
 Write = <nothing here>

 But in fact, POSIX ACL will allow user "a" to read from the file
 and deny write or execute the file, as POSIX ACL will not consult any
 other ACL entries after finding the appropriate user: entry.

 So, the flags shown by Win2K are wrong, and must be instead:
 Read & exec = Deny
 Read = Allowed
 Write = Deny

 as NT ACL logic supposes, as far as I know(?), that in case <nothing here>
 father ACL entries will be consulted, so in this case the NT user supposes
 that he has "rwx" rights on the file due to the other::rwx rule
 (-> Everybody, Full Access=Allowed)

 but when he tried to write, he received Permission Denied.

 So that is a Samba bug, as Samba must have sent DENY for "write" and
 "execute" and ALLOW for "read" for this user's file ("user::r--"),
 but now it just sends ALLOW for "read".


 I have samba-2.2.7a,
 ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups
 --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat


Sergey.
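The mismatch described in the message above, as an added example (not from the thread and not Samba code): a simplified model of POSIX base-entry checking next to an NT-style ordered ACE walk. The function names, the group name `staff` and the sample ACL dictionary are assumptions made for the illustration.

```python
R, W, X = 4, 2, 1
FULL = R | W | X

# Constructed sample: the file from the post (owner "a", user::r--,
# group::rwx, other::rwx). The owning group "staff" is an assumption.
POSIX_ACL = {"owner": "a", "group": "staff",
             "user_obj": R, "group_obj": FULL, "other": FULL}

def posix_allows(acl, user, groups, want):
    """POSIX-style check: the first matching class decides, no fall-through."""
    if user == acl["owner"]:
        return acl["user_obj"] & want == want
    if acl["group"] in groups:
        return acl["group_obj"] & want == want
    return acl["other"] & want == want

def nt_allows(aces, sids, want):
    """NT-style check (simplified): walk ACEs in order. A matching deny on a
    bit still needed refuses; allows accumulate until all bits are granted."""
    remaining = want
    for kind, sid, mask in aces:
        if sid not in sids:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def to_aces(acl, with_deny):
    """Map the three base entries to ACEs. with_deny=False yields the
    allow-only list the post observed; with_deny=True puts a deny ACE for the
    missing bits in front of each allow, as the post argues it should be."""
    aces = []
    for sid, perm in ((acl["owner"], acl["user_obj"]),
                      (acl["group"], acl["group_obj"]),
                      ("Everyone", acl["other"])):
        if with_deny and FULL & ~perm:
            aces.append(("deny", sid, FULL & ~perm))
        aces.append(("allow", sid, perm))
    return aces

if __name__ == "__main__":
    sids = {"a", "Everyone"}
    print("POSIX write for a:   ", posix_allows(POSIX_ACL, "a", set(), W))
    print("allow-only ACEs:     ", nt_allows(to_aces(POSIX_ACL, False), sids, W))
    print("with deny ACEs:      ", nt_allows(to_aces(POSIX_ACL, True), sids, W))
```

With the allow-only list, the model grants user "a" write through the Everyone entry although the POSIX check refuses it; with the deny entry in front, both checks agree.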
I JUST got over this problem with help here on the mailing list... What
version/distro of Linux are you running?

Brad Sagowitz

Sergey Zhitomirsky wrote:

>Hello,
>
>Recently I set up an XFS share under Samba, and played from Win2K
>with ACL entries of shared files,
>and noticed that
> Win2K never DENY ACL entries,
> so for example for an XFS file with acl:
>
> # owner: a
> user::r--
> group::rwx
> other::rwx
>
> Win2K security tab shows for user "a":
> Read & exec = <nothing here>
> Read = Allowed
> Write = <nothing here>
>
> But in fact, POSIX ACL will allow user "a" to read from the file
> and deny write or execute the file, as POSIX ACL will not consult any
> other ACL entries after finding the appropriate user: entry.
>
> So, the flags shown by Win2K are wrong, and must be instead:
> Read & exec = Deny
> Read = Allowed
> Write = Deny
>
> as NT ACL logic supposes, as far as I know(?), that in case <nothing here>
> father ACL entries will be consulted, so in this case the NT user supposes
> that he has "rwx" rights on the file due to the other::rwx rule
> (-> Everybody, Full Access=Allowed)
>
> but when he tried to write, he received Permission Denied.
>
> So that is a Samba bug, as Samba must have sent DENY for "write" and
> "execute" and ALLOW for "read" for this user's file ("user::r--"),
> but now it just sends ALLOW for "read".
>
>
> I have samba-2.2.7a,
> ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups
> --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat
>
>
>Sergey.