From: mfs on 15 Apr 2008 13:30

Did you get to the root of the problem ?

David Eisner-2 wrote:
>
> On Thu, Feb 28, 2008 at 6:51 PM, David Eisner <deisner(a)gmail.com> wrote:
>
>> Permissions tab of the Advanced Security Settings dialog, whenever I
>> uncheck the "Allow inheritable permissions from the parent to
>> propagate to this object and all child objects" checkbox, and hit
>> Apply, the checkbox always returns to the checked state immediately.
>> It is never possible to get it into an unchecked state. Is this the
>> expected behavior?
>
>
> Just an update. I've been peering through the code trying to debug
> this problem. Here's what I've learned so far:
>
> 1. The value represented by the "inheritable permissions" checkbox is
> stored in the security descriptor's SE_DACL_PROTECTED control flag.
> [1] In the Samba code, these flags are stored in the SEC_DESC
> struct's "type" member.
>
> 2. set_nt_acl() (in smbd/posix_acls.c) is responsible for handling the
> request to set the security descriptor on the file. Among other
> things, it calls append_parent_acl(). This function is clobbering the
> SE_DESC_DACL_PROTECTED bit in psd->type. It has the correct value
> before the call, but it winds up getting cleared.
>
> 3. I see this comment inside append_parent_acl():
>
> /*
>  * Note that we're ignoring "inherit permissions" here
>  * as that really only applies to newly created files. JRA.
>  */
>
> Is this a bug?
>
> I'll take a look at what's in git and do some more research.
>
> -David
>
> [1] http://tinyurl.com/2pt7nh
>
>
> --
> David Eisner http://cradle.brokenglass.com
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>

--
View this message in context: http://www.nabble.com/Inheritable-Permissions-Issue-tp15748956p16618682.html
Sent from the Samba - General mailing list archive at Nabble.com.

From: David Eisner on 15 Apr 2008 14:40

On Thu, Apr 10, 2008 at 5:45 PM, mfs <farhan.sarwar(a)gmail.com> wrote:
> Did you get to the root of the problem ?

Yes and no. By modifying smbd/posix_acls.c, I could at least make it stop re-checking the checkbox, but that's not very useful as the inheritance semantics still aren't honored -- that would require some additional coding.

I found a preexisting bug (which is still "NEW") and made some comments there:

https://bugzilla.samba.org/show_bug.cgi?id=5052

In particular:

---8<---
Unfortunately, all my patch does is prevent the box from rechecking itself. It doesn't honor the semantics: The ACE's inherited from the parent folder (or higher) continue to be inherited, so it's pretty useless. You'd need additional code to honor that setting, and probably to recursively remove the inherited ACE's from descendants, if any.

It's not clear to me if the Windows 2000+ semantics (NT4 only considers inheritance when an object is created) is even intended to be supported by the Samba developers. Perhaps somebody will chime in here.
--->8---

Nobody from the Samba team has responded, though. If you look at the final comment, you'll see the original reporter says he was able to get it working by copying an old version of posix_acls.c over 3.0.28 (the most recent 3.0.x at the time):

---8<---
(In reply to comment #3)
> (In reply to comment #2)
>> Can you send me patch?
>>> Unfortunately, all my patch does is prevent the box from rechecking itself.

I copy source/smbd/posix_acls.c from 3.0.25 to 3.0.28 - and recompile it.
I have correct works samba with correct inherit...
======
today i testing it with 50 users, and through 3-5 day - production with 600 users...
--->8---

I was uncomfortable doing that myself, but it may be the only option for now.

-David

--
David Eisner http://cradle.brokenglass.com
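
Added example, not part of the thread and not Samba's code: a deliberately simplified model of the behaviour discussed above, in which merging parent ACEs must leave SE_DACL_PROTECTED intact and must skip inheritance when it is set. The toy_sd and toy_ace structs and both function names are hypothetical; the flag values are the Windows ones, and INHERIT_ONLY / NO_PROPAGATE handling is left out.

```c
#include <stdint.h>
#include <stddef.h>

/* Control-flag and ACE-flag values from the Windows security descriptor format. */
#define SE_DACL_PRESENT       0x0004u
#define SE_DACL_PROTECTED     0x1000u /* set when the "inherit from parent" box is unchecked */
#define CONTAINER_INHERIT_ACE 0x02u
#define INHERITED_ACE         0x10u
#define MAX_ACES 16

/* Hypothetical, simplified stand-ins for a security descriptor and its DACL. */
struct toy_ace { uint8_t flags; uint32_t access_mask; uint32_t trustee; };
struct toy_sd  { uint16_t type; size_t num_aces; struct toy_ace aces[MAX_ACES]; };

/* Build the descriptor to store for a child directory from the client's request
 * and the parent's descriptor. Returns the number of ACEs taken from the parent. */
size_t merge_parent_acl(const struct toy_sd *req, const struct toy_sd *parent,
                        struct toy_sd *out)
{
    size_t added = 0;
    out->type = req->type; /* keep every control flag the client sent, PROTECTED included */
    out->num_aces = 0;

    /* Explicit ACEs always survive; ACEs marked inherited are recomputed below. */
    for (size_t i = 0; i < req->num_aces && out->num_aces < MAX_ACES; i++)
        if (!(req->aces[i].flags & INHERITED_ACE))
            out->aces[out->num_aces++] = req->aces[i];

    /* A protected DACL blocks inheritance: take nothing from the parent. */
    if (req->type & SE_DACL_PROTECTED)
        return 0;

    for (size_t i = 0; i < parent->num_aces && out->num_aces < MAX_ACES; i++) {
        if (!(parent->aces[i].flags & CONTAINER_INHERIT_ACE))
            continue; /* not inheritable by child containers */
        out->aces[out->num_aces] = parent->aces[i];
        out->aces[out->num_aces].flags |= INHERITED_ACE;
        out->num_aces++;
        added++;
    }
    return added;
}

/* What the Permissions dialog shows when it reads the descriptor back. */
int inherit_box_checked(const struct toy_sd *sd)
{
    return (sd->type & SE_DACL_PROTECTED) == 0;
}
```

A merge that rebuilt `out->type` without SE_DACL_PROTECTED would make `inherit_box_checked()` return 1 again, which is the re-checking symptom reported in the thread.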