samba - Jan 2011 - samba acl restore error

Dear Jeremy and samba team ,

 This is suresh from EMC.I am  having samba 3.4.8 on my NAS  with posix acls
support.



 When a backup software backs up files and folders, it typically backs up the
security settings on the files/folders
too. Then during restore, the software will try to restore the files/folders
along with their security settings. The restore is now broken because security
settings cannot be restored any more.

I have enabled samba loglevel 10 . I  see the problem is coming here.
----------
2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80,
share_access = 0x3, create_disposition = 0x1 create_options = 0x4004
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Share2/file2.txt
--------------
SEC_FLAG_SYSTEM_SECURITY is 0x01000000

/* We need to support SeSecurityPrivilege for this. */



        if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {



                status = NT_STATUS_PRIVILEGE_NOT_HELD;



                goto fail;



        }


and I see the restore is working fine when I Restore all information except
security for files and directories
----

  create_file_unixpath: access_mask = 0x100001 file_attributes = 0x0,
share_access = 0x7, create_disposition = 0x1 create_options = 0x4001
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = .
[2011/01/26 10:41:04,  5] smbd/open.c:2391(open_directory)
-------


the if (access_mask & SEC_FLAG_SYSTEM_SECURITY)  condition is not passing
here and error is not coming.



Jeremy, what for we are checking this condition   on SeSecurityPrivilege (
Manage auditing and security log ) in samba code ?.

How tp restore files with ACL's. ?



I am anticipating your reply.





Thanks

Suresh

On Thu, Jan 27, 2011 at 04:26:10AM -0500, suresh.kandukuru at emc.com
wrote:
> Dear Jeremy and samba team ,
> 
>  This is suresh from EMC.I am  having samba 3.4.8 on my NAS  with posix
acls support.
> 
>  
> 
>  When a backup software backs up files and folders, it typically backs up
the security settings on the files/folders
> 
> too. Then during restore, the software will try to restore the
files/folders
> 
> along with their security settings. The restore is now broken because
security
> 
> settings cannot be restored any more.
> 
>  
> 
> I have enabled samba loglevel 10 . I  see the problem is coming here.
> 
> ----------
> 
> 2011/01/26 10:41:04, 10] smbd/open.c:2896(create_file_unixpath)
> 
>   create_file_unixpath: access_mask = 0x11e019f file_attributes = 0x80,
> share_access = 0x3, create_disposition = 0x1 create_options = 0x4004
> oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname =
Share2/file2.txt
> 
> --------------
> 
> SEC_FLAG_SYSTEM_SECURITY is 0x01000000
> 
> /* We need to support SeSecurityPrivilege for this. */
> 
>  
> 
>         if (access_mask & SEC_FLAG_SYSTEM_SECURITY) {
> 
>  
> 
>                 status = NT_STATUS_PRIVILEGE_NOT_HELD;
> 
>  
> 
>                 goto fail;
> 
>  
> 
>         }
> 
>  
> 
> and I see the restore is working fine when I Restore all information except
security for files and directories
The SEC_FLAG_SYSTEM_SECURITY flag is for setting the audit ACE entries
in an ACL - it isn't used for normal restoring of ACL ACE entries.

We return this error here as it's required by MS-Office (Excel) which
expects to get this error when changing ACLs on files (don't ask :-).

This is fixed in 3.5.7 and above by adding it as a privilege that
can be selected for a user who is doing restores.

Ping me off-list if you need a back port of this code.

Jeremy.