Viktor Trojanovic
2016-Aug-22 13:25 UTC
[Samba] File Create Mask - did something change since the update?
On Mon, Aug 22, 2016 at 2:17 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 22 Aug 2016 13:42:08 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > After updating Samba last Friday (from 4.3.3-1 to 4.4.5-1), some
> > issues appeared that weren't there before.
> >
> > Consider the following share (on a domain member):
> >
> > [sharename]
> > path = /srv/samba/sharename
> > guest ok = no
> > writeable = yes
> > acl_xattr:ignore system acls = yes
> >
> > This worked perfectly well until now and Windows ACLs were correctly
> > applied. Since last Friday, however, new files are created with the
> > following Linux permissions:
> >
> > -rwx r-- ---
> >
> > i.e., only the owner can modify the new files.
> >
> > Windows share permissions and ACLs on the other hand look perfectly
> > fine but they are still restricted by the ("invisible") Linux
> > permissions which made this error kind of difficult to find.
> >
> > What changed that this share definition is not working anymore, and
> > how do you propose I change it to get rid of the issue?
> >
> > Appreciate any pointers.
> >
> > Viktor
>
> I think you may be running into the fix for bug 11806:
> https://bugzilla.samba.org/show_bug.cgi?id=11806
>
> Rowland

Hi Rowland,

Thanks for finding this for me. I admit, I don't see how my issue is connected to the described "traverse folder" right, so I am not exactly clear on what I'm supposed to do now. Are you saying the bug fix created a new bug that I'm affected by, or is my configuration somehow flawed that it only worked while there was a bug? If it's the latter, would you be able to point me to the potential flaw(s)?

Viktor
Rowland Penny
2016-Aug-22 14:53 UTC
[Samba] File Create Mask - did something change since the update?
On Mon, 22 Aug 2016 15:25:11 +0200 Viktor Trojanovic <viktor at troja.ch> wrote:

> Hi Rowland,
>
> Thanks for finding this for me. I admit, I don't see how my issue is
> connected to the described "traverse folder" right, so I am not
> exactly clear on what I'm supposed to do now. Are you saying the bug
> fix created a new bug that I'm affected by, or is my configuration
> somehow flawed that it only worked while there was a bug? If it's the
> latter, would you be able to point me to the potential flaw(s)?
>
> Viktor

This is the header from the commitdiff:

When "ignore system acls" is set, do not mess at all with POSIX ACLS, do not even calculate the would-be POSIX-ACL-based security descriptor (for performance reasons).
Instead, just store a V3 blob with zero hash. This means that if we later read the ACL without ignoring system ACLs, the NT ACL shall be reset to the info derivable from the POSIX ACL.

File ownership is still modified as it has bearing on disk quotas.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11806

I think this is being looked into

Rowland
Viktor Trojanovic
2016-Aug-22 15:25 UTC
[Samba] File Create Mask - did something change since the update?
On Mon, Aug 22, 2016 at 4:53 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 22 Aug 2016 15:25:11 +0200
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > Hi Rowland,
> >
> > Thanks for finding this for me. I admit, I don't see how my issue is
> > connected to the described "traverse folder" right, so I am not
> > exactly clear on what I'm supposed to do now. Are you saying the bug
> > fix created a new bug that I'm affected by, or is my configuration
> > somehow flawed that it only worked while there was a bug? If it's the
> > latter, would you be able to point me to the potential flaw(s)?
> >
> > Viktor
>
> This is the header from the commitdiff:
>
> When "ignore system acls" is set, do not mess at all with POSIX ACLS,
> do not even calculate the would-be POSIX-ACL-based security descriptor
> (for performance reasons).
> Instead, just store a V3 blob with zero hash. This means that if we
> later read the ACL without ignoring system ACLs, the NT ACL shall be
> reset to the info derivable from the POSIX ACL.
>
> File ownership is still modified as it has bearing on disk quotas.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11806
>
> I think this is being looked into
>
> Rowland
>
> --

I saw this header but quite frankly could not fully grasp its meaning. I also read the full thread about xattr with Ralph Böhme and others from 4 days ago that seems connected but what they discuss does not seem 1:1 applicable in my case.

Since I'm really heavily impacted by the situation, can you maybe suggest a workaround? Would it be proper if I just set mode masks for file and directory creation (0660 and 0770) for the time being?

Viktor
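
Added example, not part of the thread and not Samba project code: a Python audit that lists entries under a share path whose POSIX mode lacks group read/write (the `-rwxr-----` condition described in the first message), limited to entries changed since a cutoff such as the update date. The function names, the group-based access assumption and the 7-day default are assumptions; the default path is the one from the share definition above.

```python
import os
import stat
import sys
import time

# Group bits a shared file needs so that the POSIX mode does not silently
# override a permissive Windows ACL (assumption: access is granted via group).
FILE_BITS = stat.S_IRGRP | stat.S_IWGRP
DIR_BITS = FILE_BITS | stat.S_IXGRP  # directories also need search permission


def restrictive_entries(root, since=0.0):
    """Yield (path, mode string) for entries under root whose inode changed at
    or after `since` (epoch seconds) and that lack the required group bits."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or st.st_ctime < since:
                continue  # skip symlinks and entries older than the cutoff
            need = DIR_BITS if stat.S_ISDIR(st.st_mode) else FILE_BITS
            if (st.st_mode & need) != need:
                yield path, stat.filemode(st.st_mode)


def audit(root, since=0.0):
    """Return the sorted list of restrictive entries under root."""
    return sorted(restrictive_entries(root, since))


if __name__ == "__main__":
    # Usage: audit.py [share path] [days back]; both defaults are examples.
    share = sys.argv[1] if len(sys.argv) > 1 else "/srv/samba/sharename"
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    for path, mode in audit(share, time.time() - days * 86400):
        print(mode, path)
```

Run it on the file server as a user who can read the whole share; it only reports and changes nothing.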