Eric Eastman
2016-Aug-18 13:57 UTC
[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2
Hi Ralph,

>> The line causing the problem with 4.5rc2 is:
>> acl_xattr:ignore system acls = yes
>
> this change was introduced in
> <https://bugzilla.samba.org/show_bug.cgi?id=12028>
>
> Before explaining the gory details, one question: why are you setting
> this option?

I am setting this option per the vfs_acl_xattr.8 man page recommendations. Using a Windows system I set up a Home directory under the root directory, /zzz/Home in this case, and that directory gets the needed NT ACLs when it is created. Not having access to /zzz on my Windows AD was a surprise when I started testing 4.5, as this has worked for me since 4.1.x. Other than creating /zzz, all access to the /zzz/Home tree is done using shared SMB mounts from Linux and Windows.

> As this severely impacts existing setups, we have three options to
> address this:
>
> 1. Revert it,
> 2. Document it, or
> 3. Do it differently
>
> 1. Revert it
>
> Brings back the original problem: not behaving as a Windows server and
> in certain situations unexpectedly exposing system POSIX permissions
> as described in the above bug.

I would not revert it, but per other recommendations, having a legacy option would be nice.

> 2. Document it
>
> One could argue that this works as designed, so just add a big note to
> the release notes so people are aware of this change. As everybody
> reads release notes, there'll be no surprise. :)

This would have been very helpful. I read the release notes before starting my 4.5 testing, and re-read them as soon as I hit this issue. A note in the man page that states how this function changed in 4.5 would also be helpful.

> 3. Do it differently

Now that I understand what is going on, I have no problems with the change. It was just a surprise that cost me some time to figure it out.

Thank you for the detailed information.

Eric
Ralph Böhme
2016-Aug-24 14:06 UTC
[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2
Hi Eric,

On Thu, Aug 18, 2016 at 07:57:36AM -0600, Eric Eastman wrote:
> >> The line causing the problem with 4.5rc2 is:
> >> acl_xattr:ignore system acls = yes
> >
> > this change was introduced in
> > <https://bugzilla.samba.org/show_bug.cgi?id=12028>
> >
> > Before explaining the gory details, one question: why are you setting
> > this option?
>
> I am setting this option per the vfs_acl_xattr.8 man page
> recommendations. Using a Windows system I set up a Home directory under
> the root directory, /zzz/Home in this case, and that directory gets
> the needed NT ACLs when it is created. Not having access to /zzz on
> my Windows AD was a surprise when I started testing 4.5, as this has
> worked for me since 4.1.x. Other than creating /zzz, all access to the
> /zzz/Home tree is done using shared SMB mounts from Linux and Windows.

ok, thanks for that.

> > As this severely impacts existing setups, we have three options to
> > address this:
> >
> > 1. Revert it,
> > 2. Document it, or
> > 3. Do it differently
> >
> > 1. Revert it
> >
> > Brings back the original problem: not behaving as a Windows server and
> > in certain situations unexpectedly exposing system POSIX permissions
> > as described in the above bug.
>
> I would not revert it, but per other recommendations, having a legacy
> option would be nice.

Yeah, as much as I'd like to avoid adding a new option, I guess we have to do something about it, my latest take on this is

  acl_xattr:default acl style = [posix|windows]

  This parameter determines the type of ACL that is synthesized in case a file or directory lacks a security.NTACL xattr.

  When set to posix, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for NT Authority\SYSTEM with full rights.

  When set to windows, an ACL is synthesized the same way Windows does it, only including permissions for the owner and NT Authority\SYSTEM.

  The default for this option is posix.

tldr: this reverts behaviour to what it was before #12028 and makes the behaviour introduced by #12028 optional.

Plan? Michael? Uri? Jeremy?

Cheerio!
-slow
Jeremy Allison
2016-Aug-25 19:14 UTC
[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2
On Wed, Aug 24, 2016 at 04:06:42PM +0200, Ralph Böhme via samba wrote:
>
> Yeah, as much as I'd like to avoid adding a new option, I guess we
> have to do something about it, my latest take on this is
>
> acl_xattr:default acl style = [posix|windows]
>
> This parameter determines the type of ACL that is
> synthesized in case a file or directory lacks a
> security.NTACL xattr.
>
> When set to posix, an ACL will be synthesized based on the
> POSIX mode permissions for user, group and others, with an
> additional ACE for NT Authority\SYSTEM with full rights.
>
> When set to windows, an ACL is synthesized the same way
> Windows does it, only including permissions for the owner
> and NT Authority\SYSTEM.
>
> The default for this option is posix.
>
> tldr: this reverts behaviour to what it was before #12028 and makes the
> behaviour introduced by #12028 optional.
>
> Plan? Michael? Uri? Jeremy?

I like this. Puts the tweak in the right place IMHO.

Jeremy.
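
The two styles proposed in this thread, as an added example that is not part of any message above and is not Samba code: a simplified Python model of which trustees end up in the synthesized ACL when an object has no security.NTACL xattr. The `Everyone` trustee for the POSIX "others" class, the symbolic rights labels, full control for the owner under `windows`, and the sample directory and account names are assumptions.

```python
import stat

# Simplified model, not Samba code. Rights are symbolic labels, not NT access masks.
SYSTEM = "NT Authority\\SYSTEM"
EVERYONE = "Everyone"  # assumed trustee for the POSIX "others" class
FULL = frozenset({"read", "write", "execute", "full_control"})


def _rights(mode, r_bit, w_bit, x_bit):
    """Translate one rwx triplet of a POSIX mode into symbolic rights."""
    pairs = ((r_bit, "read"), (w_bit, "write"), (x_bit, "execute"))
    return frozenset(name for bit, name in pairs if mode & bit)


def synthesize_acl(mode, owner, group, style="posix"):
    """ACL assumed for an object that has no security.NTACL xattr."""
    if style == "windows":
        # Only the owner and SYSTEM; full control for the owner is an assumption.
        return [(owner, FULL), (SYSTEM, FULL)]
    if style != "posix":
        raise ValueError(f"unknown acl style: {style!r}")
    return [
        (owner, _rights(mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)),
        (group, _rights(mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)),
        (EVERYONE, _rights(mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)),
        (SYSTEM, FULL),
    ]


def can_read(acl, user, groups=()):
    """True if an ACE for the user, one of their groups or Everyone grants read."""
    who = {user, EVERYONE, *groups}
    return any(trustee in who and "read" in rights for trustee, rights in acl)


def compare_styles(mode, owner, group, user, groups=()):
    """Read access for `user` under each style, for the same on-disk object."""
    return {style: can_read(synthesize_acl(mode, owner, group, style), user, groups)
            for style in ("posix", "windows")}


if __name__ == "__main__":
    # Constructed sample: /zzz created locally as root with mode 0755, so it has
    # no security.NTACL xattr; the AD account name is a placeholder.
    print(compare_styles(0o755, "root", "root", "EXAMPLE\\user",
                         ["EXAMPLE\\Domain Users"]))
    # A 0700 directory grants the same account nothing under either style.
    print(compare_styles(0o700, "root", "root", "EXAMPLE\\user"))
```

For the constructed 0755 directory the model grants a domain user read access under `posix` and none under `windows`, which is consistent with the loss of access to /zzz reported at the top of the thread.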