POSIX ACL to NT ACL bugs in get_nt_acl()
Hello , the described bellow happens both in samba 2.2.7a and 3.0-alfa22. ( --with-acl-support) First bug: As it is easy to check smbd , when asked about ACL entry of a file never sends to the client OS DENY Access Control Entries , only ALLOW. so for example for a XFS file with acl: # owner: a user::r-- group::rwx other::rwx Win2K security tab shows for user a: Read exec = nothing here Read= Allowed Write = nothing here But in fact, POSIX ACL will allow user a to read from the file and deny write or execute the file , as posix acl will not consult any other ACL entries, after founding appropriate user:: entry. Not lets see , what Win2K user will expect, when watching this shown ACL. As NT ACL logic suppose, in case nothing here father ACL entries will be consulted, so in this case NT user suppose that he has rwx rights on the file due to other::rwx rule , shown in Win2K security tab as Everybody: Full Access=Allowed but when tried to write - receive Permission Denied. So this situation is plain wrong sent to Win2K flags must have been instead : Read exec = Deny Read= Allowed Write = Deny So that is a samba bug, as samba must have send DENY for write and execute and ALLOW for read for this user's file (user::r--) , but now it just sends ALLOW for read. Second bug: Take ownership flag is curerntly always set ALLOWED for EVERY ACE but actually only root user can take ownership of the file under Unix, so this is plain wrong. As far as I see, this bug was introduced because of the first bug AND NT4 denying to show empty ACL. Third Bug: In POSIX every user which can see a file , can also always 1) Read ACL for the file 2) Read attributes for the file. so SMBD should always show that these things are allowed , but it failes to do that. Of course due to the FIRST BUG this is not very annoying, as there are no entries showed, that this is forbidden. In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a 3.0 alfa 22 -- Zhitomirsky Sergey.
ACL bug FIXes for get_nt_acl()
Two patches below for samba 2.2.7a and 3.0-alfa22, that I've made today, fix 3 bugs mentioned in my previous e-mail. 1) For each file in addition to ALLOW ACE proper DENY ACE is created. 2) Take ownership is shown DENIED for all except root ACEs 3) Read Permissions and read attributes are always shown as allowed, as they are actually allowed. -- Zhitomirsky Sergey. --- samba-3.0alpha22/source/smbd/posix_acls.c Mon Feb 24 18:12:33 2003 +++ samba-3.0alpha22-fixed/source/smbd/posix_acls.c Thu Mar 6 17:09:56 2003 -354,15 +354,19 not get. Deny entries are implicit on get with ace-perms = 0. / -static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace) +static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, + SEC_ACCESS* sa_deny, int *pacl_type_deny) { SEC_ACCESS sa; uint32 nt_mask = 0; - - *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; + uint32 nt_mask_deny = 0; + + *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; + *pacl_type_deny = SEC_ACE_TYPE_ACCESS_DENIED; if ((ace-perms ALL_ACE_PERMS) == ALL_ACE_PERMS) { - nt_mask = UNIX_ACCESS_RWX; + nt_mask = UNIX_ACCESS_RWX; + nt_mask_deny = WRITE_OWNER_ACCESS; } else if ((ace-perms ALL_ACE_PERMS) == (mode_t)0) { /* * Windows NT refuses to display ACEs with no permissions in them (but -377,15 +381,31 nt_mask = UNIX_ACCESS_NONE; else nt_mask = 0; + + nt_mask_deny = UNIX_ACCESS_RWX; + } else { nt_mask |= ((ace-perms S_IRUSR) ? UNIX_ACCESS_R : 0 ); nt_mask |= ((ace-perms S_IWUSR) ? UNIX_ACCESS_W : 0 ); nt_mask |= ((ace-perms S_IXUSR) ? UNIX_ACCESS_X : 0 ); + + nt_mask_deny = ~nt_mask UNIX_ACCESS_RWX; } - DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n, - (unsigned int)ace-perms, (unsigned int)nt_mask )); + /* READ ACL Read Attributes afai see are always allowed in POSIX */ + nt_mask_deny = ~( READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES); + nt_mask |= READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES; + /* workaround for take ownership for root's ACE */ + if (ace-owner_type == UID_ACE !ace-unix_ug.uid) { + nt_mask_deny = ~WRITE_OWNER_ACCESS; + nt_mask |= WRITE_OWNER_ACCESS;//UNIX_ACCESS_NONE; + } + + DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x ~%x\n, + (unsigned int)ace-perms, (unsigned int)nt_mask, (unsigned int)nt_mask_deny)); + + init_sec_access(sa_deny, nt_mask_deny); init_sec_access(sa,nt_mask); return sa; } -2208,6 +2228,7 { canon_ace *ace; int nt_acl_type; + int nt_acl_type_deny; int i; if (nt4_compatible_acls()) { -2292,12 +2313,12 num_dir_acls = count_canon_ace_list(dir_ace); /* Allocate the ace list. */ - if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) { + if ((nt_ace_list = (SEC_ACE *)malloc((2 * num_acls + num_profile_acls + 2 * num_dir_acls)*sizeof(SEC_ACE))) == NULL) { DEBUG(0,(get_nt_acl: Unable to malloc space for nt_ace_list.\n)); goto done; } - memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * sizeof(SEC_ACE) ); + memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * 2 * sizeof(SEC_ACE) ); /* * Create the NT ACE list from the canonical ace lists. -2307,8 +2328,10 for (i = 0; i num_acls; i++, ace = ace-next) { SEC_ACCESS acc; - - acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace ); + SEC_ACCESS acc_deny; + + acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace , acc_deny, nt_acl_type_deny); + init_sec_ace(nt_ace_list[num_aces++], ace-trustee, nt_acl_type_deny, acc_deny, 0); init_sec_ace(nt_ace_list[num_aces++], ace-trustee, nt_acl_type, acc, 0); } -2324,8 +2347,11 for (i = 0; i num_dir_acls; i++, ace = ace-next) { SEC_ACCESS acc; - - acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace ); + SEC_ACCESS acc_deny; + +
[Samba] POSIX ACL to NT ACL bugs in get_nt_acl()
Hello , the described bellow happens both in samba 2.2.7a and 3.0-alfa22. First bug: As it is easy to check smbd , when asked about ACL entry of a file never sends to the client OS DENY Access Control Entries , only ALLOW. so for example for a XFS file with acl: # owner: a user::r-- group::rwx other::rwx Win2K security tab shows for user a: Read exec = nothing here Read= Allowed Write = nothing here But in fact, POSIX ACL will allow user a to read from the file and deny write or execute the file , as posix acl will not consult any other ACL entries, after founding appropriate user:: entry. Not lets see , what Win2K user will expect, when watching this shown ACL. As NT ACL logic suppose, in case nothing here father ACL entries will be consulted, so in this case NT user suppose that he has rwx rights on the file due to other::rwx rule , shown in Win2K security tab as Everybody: Full Access=Allowed but when tried to write - receive Permission Denied. So this situation is plain wrong sent to Win2K flags must have been instead : Read exec = Deny Read= Allowed Write = Deny So that is a samba bug, as samba must have send DENY for write and execute and ALLOW for read for this user's file (user::r--) , but now it just sends ALLOW for read. Second bug: Take ownership flag is curerntly always set ALLOWED for EVERY ACE but actually only root user can take ownership of the file under Unix, so this is plain wrong. As far as I see, this bug was introduced because of the first bug AND NT4 denying to show empty ACL. Third Bug: In POSIX every user which can see a file , can also always 1) Read ACL for the file 2) Read attributes for the file. so SMBD should always show that these things are allowed , but it failes to do that. Of course due to the FIRST BUG this is not very annoying, as there are no entries showed, that this is forbidden. In the next e-mail I will send patches fixing all 3 bugs in samba 2.2.7a 3.0 alfa 22 -- Zhitomirsky Sergey. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] ACL bug FIXes for get_nt_acl()
Two attached patches for samba 2.2.7a and 3.0-alfa22, that I've made today, fix 3 bugs mentioned in my previous e-mail. 1) For each file in addition to ALLOW ACE proper DENY ACE is created. 2) Take ownership is shown DENIED for all except root ACEs 3) Read Permissions and read attributes are always shown as allowed, as they are actually allowed. -- Zhitomirsky Sergey. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] ACL bug FIXes for get_nt_acl() (resend)
It seems attached patches were lost, resending inline : Two attached patches for samba 2.2.7a and 3.0-alfa22, that I've made today, fix 3 bugs mentioned in my previous e-mail. 1) For each file in addition to ALLOW ACE proper DENY ACE is created. 2) Take ownership is shown DENIED for all except root ACEs 3) Read Permissions and read attributes are always shown as allowed, as they are actually allowed. -- Zhitomirsky Sergey. --- samba-3.0alpha22/source/smbd/posix_acls.c Mon Feb 24 18:12:33 2003 +++ samba-3.0alpha22-fixed/source/smbd/posix_acls.c Thu Mar 6 17:09:56 2003 -354,15 +354,19 not get. Deny entries are implicit on get with ace-perms = 0. / -static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace) +static SEC_ACCESS map_canon_ace_perms(int *pacl_type, DOM_SID *powner_sid, canon_ace *ace, + SEC_ACCESS* sa_deny, int *pacl_type_deny) { SEC_ACCESS sa; uint32 nt_mask = 0; - - *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; + uint32 nt_mask_deny = 0; + + *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED; + *pacl_type_deny = SEC_ACE_TYPE_ACCESS_DENIED; if ((ace-perms ALL_ACE_PERMS) == ALL_ACE_PERMS) { - nt_mask = UNIX_ACCESS_RWX; + nt_mask = UNIX_ACCESS_RWX; + nt_mask_deny = WRITE_OWNER_ACCESS; } else if ((ace-perms ALL_ACE_PERMS) == (mode_t)0) { /* * Windows NT refuses to display ACEs with no permissions in them (but -377,15 +381,31 nt_mask = UNIX_ACCESS_NONE; else nt_mask = 0; + + nt_mask_deny = UNIX_ACCESS_RWX; + } else { nt_mask |= ((ace-perms S_IRUSR) ? UNIX_ACCESS_R : 0 ); nt_mask |= ((ace-perms S_IWUSR) ? UNIX_ACCESS_W : 0 ); nt_mask |= ((ace-perms S_IXUSR) ? UNIX_ACCESS_X : 0 ); + + nt_mask_deny = ~nt_mask UNIX_ACCESS_RWX; } - DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x\n, - (unsigned int)ace-perms, (unsigned int)nt_mask )); + /* READ ACL Read Attributes afai see are always allowed in POSIX */ + nt_mask_deny = ~( READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES); + nt_mask |= READ_CONTROL_ACCESS | FILE_READ_ATTRIBUTES; + /* workaround for take ownership for root's ACE */ + if (ace-owner_type == UID_ACE !ace-unix_ug.uid) { + nt_mask_deny = ~WRITE_OWNER_ACCESS; + nt_mask |= WRITE_OWNER_ACCESS;//UNIX_ACCESS_NONE; + } + + DEBUG(10,(map_canon_ace_perms: Mapped (UNIX) %x to (NT) %x ~%x\n, + (unsigned int)ace-perms, (unsigned int)nt_mask, (unsigned int)nt_mask_deny)); + + init_sec_access(sa_deny, nt_mask_deny); init_sec_access(sa,nt_mask); return sa; } -2208,6 +2228,7 { canon_ace *ace; int nt_acl_type; + int nt_acl_type_deny; int i; if (nt4_compatible_acls()) { -2292,12 +2313,12 num_dir_acls = count_canon_ace_list(dir_ace); /* Allocate the ace list. */ - if ((nt_ace_list = (SEC_ACE *)malloc((num_acls + num_profile_acls + num_dir_acls)* sizeof(SEC_ACE))) == NULL) { + if ((nt_ace_list = (SEC_ACE *)malloc((2 * num_acls + num_profile_acls + 2 * num_dir_acls)*sizeof(SEC_ACE))) == NULL) { DEBUG(0,(get_nt_acl: Unable to malloc space for nt_ace_list.\n)); goto done; } - memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * sizeof(SEC_ACE) ); + memset(nt_ace_list, '\0', (num_acls + num_dir_acls) * 2 * sizeof(SEC_ACE) ); /* * Create the NT ACE list from the canonical ace lists. -2307,8 +2328,10 for (i = 0; i num_acls; i++, ace = ace-next) { SEC_ACCESS acc; - - acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace ); + SEC_ACCESS acc_deny; + + acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace , acc_deny, nt_acl_type_deny); + init_sec_ace(nt_ace_list[num_aces++], ace-trustee, nt_acl_type_deny, acc_deny, 0); init_sec_ace(nt_ace_list[num_aces++], ace-trustee, nt_acl_type, acc, 0); } -2324,8 +2347,11 for (i = 0; i num_dir_acls; i++, ace = ace-next) { SEC_ACCESS acc; - - acc = map_canon_ace_perms(nt_acl_type, owner_sid, ace ); +
Re: [Samba] POSIX to NT ACL bug
On Mon, 3 Mar 2003, Brad Sagowitz wrote: I JUST got over this problem with help here on the mailing list... what version/distro of linux are you running? Brad Sagowitz I use samba 2.2.7a downloaded from samba.org on Suse 8.0 Sergey Zhitomirsky wrote: Hello recently I set up XFS share under samba , and played from Win2K with ACL entries of shared files, and noticed that Win2K never DENY ACL entries , so for example for a XFS file with acl: # owner: a user::r-- group::rwx other::rwx Win2K security tab shows for user a: Read exec = nothing here Read= Allowed Write = nothing here But in fact, POSIX ACL will allow user a to read from the file and deny write or execute the file , as posix acl will not consult any other ACL entries, after founding appropriate user: entry. So, shown by Win2K flags are wrong, and must be instead : Read exec = Deny Read= Allowed Write = Deny as NT ACL logic suppose, as far as know(?), that in case nothing here father ACL entries will be consulted, so in this case NT user suppose that he has rwx rights on the file due to other::rwx rule (- Everybody, Full Access=Allowed) but when tried to write - receive Permission Denied. So that is a samba bug, as samba must have send DENY for write and execute and ALLOW for read for this user's file (user::r--) , but now it just sends ALLOW for read. I have samba-2.2.7a, ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat Sergey. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] POSIX to NT ACL bug
Hello recently I set up XFS share under samba , and played from Win2K with ACL entries of shared files, and noticed that Win2K never DENY ACL entries , so for example for a XFS file with acl: # owner: a user::r-- group::rwx other::rwx Win2K security tab shows for user a: Read exec = nothing here Read= Allowed Write = nothing here But in fact, POSIX ACL will allow user a to read from the file and deny write or execute the file , as posix acl will not consult any other ACL entries, after founding appropriate user: entry. So, shown by Win2K flags are wrong, and must be instead : Read exec = Deny Read= Allowed Write = Deny as NT ACL logic suppose, as far as know(?), that in case nothing here father ACL entries will be consulted, so in this case NT user suppose that he has rwx rights on the file due to other::rwx rule (- Everybody, Full Access=Allowed) but when tried to write - receive Permission Denied. So that is a samba bug, as samba must have send DENY for write and execute and ALLOW for read for this user's file (user::r--) , but now it just sends ALLOW for read. I have samba-2.2.7a, ./configure --with-acl-support --with-ssl --with-smbmount --disable-cups --with-smbwrapper --with-vfs --with-libsmbclient --disable-swat Sergey. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba