Jeremy Allison wrote:
> On Fri, Aug 15, 2008 at 11:52:17AM +0200, Abramo Bagnara wrote:
>> Sorry to show me dense, but I don't see the problem: the request to
>> allow FILE_READ_ATTRIBUTES only would generate a 000 perms just as if
>> map_nt_perms was called with only permissions not handled there.
>>
>> I'd say that to ask to allow FILE_READ_ATTRIBUTES only doesn't have to
>> generate any ACE at all (as this request under a Unix permission model
>> point of view doesn't give to user/group any further right).
>>
>> Could you explain how a possible conflict with a requested DENY ACE
>> could happen?
>
> Existing file has FILE_READ_DATA|FILE_WRITE_DATA|FILE_READ_ATTRIBUTES.
> Acl comes in to change this to FILE_READ_ATTRIBUTES. Samba has to map
> this to '---' according to you. Oops. Instant deny ACL. Not what was
> intended.

I try to detail your example as it seems there is some misunderstanding:

NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES FILE_WRITE_DATA
Current samba perms for owner, group or others: rw-
Current samba posix acl: user:abramo:rw-
Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
FILE_READ_EA FILE_GENERIC_READ FILE_WRITE_DATA FILE_APPEND_DATA
FILE_WRITE_ATTRIBUTES FILE_WRITE_EA FILE_GENERIC_WRITE
Proposed is the same as current

NT ACL: Allow SID FILE_READ_ATTRIBUTES
Current samba perms for owner, group or others: r--
Current samba posix acl: user:abramo:r--
Current new NT ACL: Allow SID FILE_READ_DATA FILE_READ_ATTRIBUTES
FILE_READ_EA FILE_GENERIC_READ
Proposed samba perms for owner, group or others: ---
Proposed samba posix acl: entry is removed
Proposed new NT ACL for owner, group or others: Allow SID EMPTY
Proposed new NT ACL: ACE is removed

Simply I'm suggesting that this case is treated as if it was a request to
have an empty list of accesses for that SID.

IOW the FILE_READ_ATTRIBUTES FILE_READ_EA FILE_WRITE_ATTRIBUTES
FILE_WRITE_EA are masked out when received by samba server if they are
not available in underlying file system permission model. They really
follow the FILE_READ_DATA/FILE_WRITE_DATA.
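
Added example, not part of the original message and not Samba's code: a small C model of the two mappings compared above, showing why an allow ACE carrying only FILE_READ_ATTRIBUTES yields r-- under the "current" rule and no POSIX ACL entry under the proposed one. The function names, the PERM_* and FOLLOWERS macros, and the symmetric treatment of the write-side bits are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Windows file access-mask bits (Windows SDK values). */
#define FILE_READ_DATA        0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u
#define PERM_R 4u  /* POSIX r bit (hypothetical helper name) */
#define PERM_W 2u  /* POSIX w bit (hypothetical helper name) */
/* Bits the message proposes masking out: no counterpart in the rwx model. */
#define FOLLOWERS (FILE_READ_ATTRIBUTES | FILE_READ_EA | \
                   FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)

/* "Current" behaviour as modelled here: a follower bit alone grants r or w.
 * The message shows this for FILE_READ_ATTRIBUTES; the rest is assumed. */
unsigned map_current(uint32_t m) {
    unsigned p = 0;
    if (m & (FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA)) p |= PERM_R;
    if (m & (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA)) p |= PERM_W;
    return p;
}

/* Proposed: drop follower bits on receipt. Returns 1 when a POSIX ACL entry
 * should be written, 0 when the ACE is dropped rather than stored as "---"
 * (a named-user "---" entry ends the access check there, acting as a deny). */
int map_proposed(uint32_t m, unsigned *perms) {
    m &= ~FOLLOWERS;
    *perms = ((m & FILE_READ_DATA) ? PERM_R : 0) | ((m & FILE_WRITE_DATA) ? PERM_W : 0);
    return *perms != 0;
}

/* Mask reported back to the client for an rwx value, per the message's listing. */
uint32_t nt_from_perms(unsigned p) {
    uint32_t m = 0;
    if (p & PERM_R) m |= FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA;
    if (p & PERM_W) m |= FILE_WRITE_DATA | FILE_APPEND_DATA |
                         FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA;
    return m;
}

int main(void) {
    unsigned p;
    int kept = map_proposed(FILE_READ_ATTRIBUTES, &p); /* second case in the message */
    printf("current perms: %u  proposed: %s\n", map_current(FILE_READ_ATTRIBUTES),
           kept ? "entry kept" : "entry removed");
    return 0;
}
```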
