Hi Justin, On Mon, Jul 28, 2008 at 03:07:51PM +0100, Justin Finkelstein wrote: > I've just recently upgraded one of our servers from Fedora Core to > CentOS 5.2 and a side effect of this is that Samba is now version > 3.0.28-1.el5_2.1. > > Following this upgrade, I have noticed an odd behaviour: samba ONLY uses > ACLs to provide permissions to XP clients connecting to the server. > > Some research has said that this may be due to the deprecation of acl > group control, which is now replaced by the 'dos filemode' option. > However, changing this doesn't have the desired effect. > > To be clear: the desired effect, for me, is to have owner and group > information (as well as ACLs) used to determine permissions for > connected users. > > I've yet to find an answer to this via google. > > Has anyone else experienced this and have some feedback?
I think this one is fixed in 3.0.31 with the attached patch. Details can be found at https://bugzilla.samba.org/show_bug.cgi?id=5202. Can you try that? Karolin -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE
commit fbb1e2e358af892e121bb3e5e8587d4d5ace4132
Author: Jeremy Allison <[EMAIL PROTECTED]>
AuthorDate: Thu Jul 3 10:28:36 2008 -0700
Commit: Jeremy Allison <[EMAIL PROTECTED]>
CommitDate: Thu Jul 3 10:28:36 2008 -0700
Patch from SATOH Fumiyasu <[EMAIL PROTECTED]> for bug #5202. Re-activate
"acl group control"
parameter and make it apply only to the owning group. Also added man page fix.
Jeremy.
---
docs-xml/smbdotconf/misc/dosfilemode.xml | 17 ++++++-----
docs-xml/smbdotconf/security/aclgroupcontrol.xml | 6 +++-
source/param/loadparm.c | 2 +-
source/smbd/posix_acls.c | 32 +++++++++++++--------
4 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/docs-xml/smbdotconf/misc/dosfilemode.xml
b/docs-xml/smbdotconf/misc/dosfilemode.xml
index ae3b475..e67ccd9 100644
--- a/docs-xml/smbdotconf/misc/dosfilemode.xml
+++ b/docs-xml/smbdotconf/misc/dosfilemode.xml
@@ -3,15 +3,16 @@
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para> The default behavior in Samba is to provide
- UNIX-like behavior where only the owner of a file/directory is
+ <para> The default behavior in Samba is to provide
+ UNIX-like behavior where only the owner of a file/directory is
able to change the permissions on it. However, this behavior
- is often confusing to DOS/Windows users. Enabling this parameter
- allows a user who has write access to the file (by whatever
- means) to modify the permissions (including ACL) on it. Note that a
user
- belonging to the group owning the file will not be allowed to
- change permissions if the group is only granted read access.
- Ownership of the file/directory may also be changed.</para>
+ is often confusing to DOS/Windows users. Enabling this parameter
+ allows a user who has write access to the file (by whatever
+ means, including an ACL permission) to modify the permissions
+ (including ACL) on it. Note that a user belonging to the group
+ owning the file will not be allowed to change permissions if
+ the group is only granted read access. Ownership of the
+ file/directory may also be changed.</para>
</description>
<value type="default">no</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
index e2600ca..6efd46d 100644
--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
@@ -30,8 +30,10 @@
</para>
<para>
- This is parameter has been marked deprecated in Samba 3.0.23. The same
behavior is now
- implemented by the <parameter moreinfo="none">dos filemode</parameter>
option.
+ This is parameter has been was deprecated in Samba 3.0.23, but
re-activated in
+ Samba 3.0.31 and above, as it now only controls permission changes if
the user
+ is in the owning primary group. It is now no longer equivalent to the
+ <parameter moreinfo="none">dos filemode</parameter> option.
</para>
</description>
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 4f44088..85f0217 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -922,7 +922,7 @@ static struct parm_struct parm_table[] = {
{"writable", P_BOOLREV, P_LOCAL, &sDefault.bRead_only, NULL, NULL,
FLAG_HIDE},
{"acl check permissions", P_BOOL, P_LOCAL,
&sDefault.bAclCheckPermissions, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL |
FLAG_SHARE},
- {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl,
NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED },
+ {"acl group control", P_BOOL, P_LOCAL, &sDefault.bAclGroupControl,
NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE },
{"acl map full control", P_BOOL, P_LOCAL, &sDefault.bAclMapFullControl,
NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mask", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL,
FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE},
{"create mode", P_OCTAL, P_LOCAL, &sDefault.iCreate_mask, NULL, NULL,
FLAG_HIDE},
diff --git a/source/smbd/posix_acls.c b/source/smbd/posix_acls.c
index f40a344..9913d5a 100644
--- a/source/smbd/posix_acls.c
+++ b/source/smbd/posix_acls.c
@@ -2289,18 +2289,26 @@ static BOOL current_user_in_group(gid_t gid)
}
/****************************************************************************
- Should we override a deny ? Check deprecated 'acl group control'
- and 'dos filemode'
+ Should we override a deny ? Check 'acl group control' and 'dos filemode'
****************************************************************************/
-static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid)
+static BOOL acl_group_override(connection_struct *conn, gid_t prim_gid, const
char *fname)
{
- if ( (errno == EACCES || errno == EPERM)
- && (lp_acl_group_control(SNUM(conn)) ||
lp_dos_filemode(SNUM(conn)))
- && current_user_in_group(prim_gid))
- {
+ SMB_STRUCT_STAT sbuf;
+
+ if ((errno != EPERM) && (errno != EACCES)) {
+ return False;
+ }
+
+ /* file primary group == user primary or supplementary group */
+ if (lp_acl_group_control(SNUM(conn)) &&
current_user_in_group(prim_gid)) {
return True;
- }
+ }
+
+ /* user has writeable permission */
+ if (lp_dos_filemode(SNUM(conn)) && can_write_to_file(conn, fname,
&sbuf)) {
+ return True;
+ }
return False;
}
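Review bot: acl_group_override() still gates the whole decision on the errno left behind by the caller's failed VFS call (the `(errno != EPERM) && (errno != EACCES)` test at the top), but neither the new header comment nor the signature says so, and the new `fname` parameter is undocumented; any call inserted between the failing operation and this check that clobbers errno would silently disable the override. I would extend the header to `Must be called immediately after a failed VFS call while errno still holds EPERM/EACCES; fname is the path checked for write access when 'dos filemode' is set.`. `sbuf` is also handed to can_write_to_file() uninitialised — presumably the callee fills it as an out-parameter, but that is not visible here, so it is worth confirming and marking with `/* sbuf is populated by can_write_to_file() */`. Since the 'dos filemode' branch now grants the override to anyone with write access by any means, including via an ACL, the two branches have quite different trust implications and a reader of the callers' DEBUG output cannot tell which one fired.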
@@ -2488,7 +2496,7 @@ static BOOL set_canon_ace_list(files_struct *fsp,
canon_ace *the_ace, BOOL defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control
on and current user in file %s primary group.\n",
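Review bot: The DEBUG(5) message right after the changed call still reads `acl group control on and current user in file %s primary group`, but acl_group_override() can now return True through the 'dos filemode'/can_write_to_file() path as well, so the log attributes a permission override to the wrong option whenever that branch is the one that fired. For anyone later auditing why a user was able to alter an ACL or mode on a file they do not own, which option allowed it is the relevant fact; the same stale text follows the changed calls in the hunks at @@ -2519, @@ -3477 and @@ -3524. Either log the successful test inside acl_group_override() itself, or reword the callers' message to something like `"set_canon_ace_list: acl group control or dos filemode override for file %s.\n"`. set_canon_ace_list() continues outside this hunk.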
@@ -2519,7 +2527,7 @@ static BOOL set_canon_ace_list(files_struct *fsp,
canon_ace *the_ace, BOOL defau
*pacl_set_support = False;
}
- if (acl_group_override(conn, prim_gid)) {
+ if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
int sret;
DEBUG(5,("set_canon_ace_list: acl group control
on and current user in file %s primary group.\n",
@@ -3477,7 +3485,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32
security_info_sent, SEC_DESC *psd)
if
(SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
int sret = -1;
- if (acl_group_override(conn,
sbuf.st_gid)) {
+ if (acl_group_override(conn,
sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl:
acl group control on and "
"current user
in file %s primary group. Override delete_def_acl\n",
fsp->fsp_name
));
@@ -3524,7 +3532,7 @@ BOOL set_nt_acl(files_struct *fsp, uint32
security_info_sent, SEC_DESC *psd)
if(SMB_VFS_CHMOD(conn,fsp->fsp_name,
posix_perms) == -1) {
int sret = -1;
- if (acl_group_override(conn,
sbuf.st_gid)) {
+ if (acl_group_override(conn,
sbuf.st_gid, fsp->fsp_name)) {
DEBUG(5,("set_nt_acl:
acl group control on and "
"current user
in file %s primary group. Override chmod\n",
fsp->fsp_name
));
