Bug #2039

Samba: file permissions not inherited when POSIX ACL is present

Added by Davide Principi about 8 years ago. Updated about 8 years ago.

Status:CLOSEDStart date:07/01/2013
Priority:NormalDue date:07/02/2013
Assignee:-% Done:

100%

Category:nethserver-samba
Target version:v6.4-beta2
Security class: Resolution:
Affected version:v6.4-beta1 NEEDINFO:No

Description

Step to reproduce

  1. Install nethserver-ibays-2.0.0, nethserver-samba-1.2.1
  2. Create user1 and group1 (user1 set as member)
  3. Create a "pub" ibay, with group1 as owner (write permissions)
  4. Upload a file

File permissions are inherited (0660) correctly. But if a POSIX ACL is set on the pub/ directory after a file has been transferred into "pub" folder, NT_STATUS_NOT_FOUND error is returned and POSIX ACL on the file is 

    # getfacl /var/lib/nethserver/ibay/pub/COPYING 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/pub/COPYING
# owner: root
# group: group1
user::rwx
user:nobody:r-x            #effective:r--
group::rwx            #effective:r--
mask::r--
other::---

To set an ACL, for instance, you can grant read only access to guest users in from Shared folder UI module.

Associated revisions

Revision 4034e0f8
Added by Davide Principi about 8 years ago

/etc/samba/smb.conf template (ibay-default/20profile_default): Add group write bit to default create mask. Refs #2039

Revision e77cc0b2
Added by Davide Principi about 8 years ago

/etc/samba/smb.conf: Fixed "value is not boolean!" warning. Comments must begin a line. Refs #2039

History

#1 Updated by Davide Principi about 8 years ago

  • Description updated (diff)

NOTE: To set an ACL, for instance, you can grant read only access to guest users in from Shared folder UI module.

#2 Updated by Davide Principi about 8 years ago

  • Due date set to 07/02/2013
  • Status changed from NEW to TRIAGED
  • Assignee set to Davide Principi
  • Start date set to 07/01/2013
  • % Done changed from 0 to 20
  • Estimated time set to 6.00

#3 Updated by Davide Principi about 8 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

Seems that create mask parameter affects the permission mask despite inherit permissions = Yes and the smb.conf man page:

inherit permissions (S)

The permissions on new files and directories are normally governed by
create mask, directory mask, force create mode and force directory mode
but the boolean inherit permissions parameter overrides this.

See also create mask (S)

On samba.org website create mask is described differently:
http://www.samba.org/samba/docs/using_samba/ch08.html#samba2-CHP-8-TABLE-2

create mask
Maximum permissions for files created by Samba

Possible solution:
By setting create mask = 0764 file permissions are set correctly.

#4 Updated by Davide Principi about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

#5 Updated by Davide Principi about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 80

In nethserver-testing:
nethserver-samba-1.3.4-1.ns6.noarch.rpm

#6 Updated by Davide Principi about 8 years ago

  • Assignee set to Davide Marini

Test case 0

Please, verify the test cases 1 and 1b fail with nethserver-samba < 1.3.4

  • test case 1 should succeed
  • test case 1b should fail

Test case 1

  1. Install nethserver-ibays = 2.0.0, nethserver-samba = 1.3.4
  2. Create user1 and group1 (user1 set as member)
  3. Create an ibay "test1", with group1 as owner (write permissions). Don't enable any service or additional ACL on it!
  4. Upload a file through smbclient

The upload should be OK

Test case 1b

  1. Create an ibay "test2", with group1 as owner (write permissions). Enable guest access read permission (to set some POSIX ACLs on the shared folder).
  2. Upload a file through smbclient

The upload should be OK

#7 Updated by Davide Principi about 8 years ago

Please note,

Davide Principi wrote:

Test case 0

Please, verify the test cases 1 and 1b fail with nethserver-samba < 1.3.4

test case 1 should succeed
test case 1b should fail

#8 Updated by Davide Principi about 8 years ago

A small syntax fix for smb.conf that does not alter the previous configuration...

In nethserver-testing:
nethserver-samba-1.3.5-1.ns6.noarch.rpm

#9 Updated by Davide Marini about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 80 to 100

Now it works

#10 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Davide Marini)

Can't release this package until other nethserver-samba tests are completed

#11 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Moved to nethserver-updates repository

Also available in: Atom PDF