Hi odi and all,

I've the same problem on Solaris 10 with samba 3.0.25c; interesting to read that the problem exists also in later versions. Due to the fact that I'm using zfs and samba in production, I've disabled nt acls on user shared shares with

nt acl support = no

This is not an option for the installation I work on.

I have more or less solved this issue, though I do think that the code changes I've done will need a review (besides the fact that all of the permission checking code should be refactored, but AFAIK the core team is working on some major rewrite for 3.3).

Anyway, some detail:

* The primary issue here is that dos_mode_from_sbuf basically yields R/O if
  the config parameter "map read only" is Yes and the owner does not have
  write permission (irrespective of who the owner is, but that's something
  for the major refactoring work)

  So the first thing to do is to set

        map read only = Permissions

  to actually check the ACLs.

* The second issue is that various places call file_set_dosmode which in
  turn calls umask(). This will most likely destroy your acl if you
  don't use aclmode = passthrough.

  Some of these cases can be avoided by setting

        map archive = no

* The third and fourth issues are umask based access checks in
  can_delete_file_in_directory() and can_access_file()

For the latter, I will attach a patch. Please note that removing the "Quick Path" check from can_delete_file_in_directory() changes the semantics of the function and will make it slower for many cases.

The change of can_access_file() somehow extends the semantics of "map read only", but I think that's OK.

I'll try to find some time to open a bug soon (need to finish off for today, almost 11pm here), but maybe obnox or someone else can tell us more about how these things are going to be handled in later versions.

Thanks,

Nils

diff -rub /tmp/samba-3.0.32//source/smbd/posix_acls.c ./source/smbd/posix_acls.c
--- /tmp/samba-3.0.32//source/smbd/posix_acls.c Mon Aug 25 23:09:21 2008
+++ ./source/smbd/posix_acls.c  Mon Nov 24 21:57:35 2008
@@ -4275,11 +4275,6 @@
                return True;
        }
 
-       /* Check primary owner write access. */
-       if (current_user.ut.uid == sbuf.st_uid) {
-               return (sbuf.st_mode & S_IWUSR) ? True : False;
-       }
-
 #ifdef S_ISVTX
        /* sticky bit means delete only by owner or root. */
        if (sbuf.st_mode & S_ISVTX) {
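Review bot: the owner write check is deleted unconditionally here, while the equivalent owner check in can_access_file() later in this patch is kept and gated on `ro_opts == MAP_READONLY_YES`. That leaves the two functions inconsistent: a share that still runs with "map read only = Yes" loses the quick path and gets the changed semantics in this function but not in the other. Consider gating this block on the same setting instead of removing it, and leave a comment in its place saying that the owner's mode bits do not reflect the ACL, so the next reader does not put the shortcut back.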
@@ -4316,6 +4311,8 @@
 
 BOOL can_access_file(connection_struct *conn, const char *fname, 
SMB_STRUCT_STAT *psbuf, uint32 access_mask)
 {
+       enum mapreadonly_options ro_opts = (enum 
mapreadonly_options)lp_map_readonly(SNUM(conn));
+
        if (!(access_mask & (FILE_READ_DATA|FILE_WRITE_DATA))) {
                return False;
        }
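Review bot: the can_access_file() prototype and the added declaration are both split across two lines by the mailer (`(enum` followed by `mapreadonly_options)lp_map_readonly(SNUM(conn));`), so this hunk will not apply as posted; please resend it as an attachment or with line wrapping turned off. Since `ro_opts` is only consumed by the owner check further down, a one-line comment at the declaration saying what it controls would also help.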
@@ -4339,7 +4336,8 @@
        }
 
        /* Check primary owner access. */
-       if (current_user.ut.uid == psbuf->st_uid) {
+       if ((ro_opts == MAP_READONLY_YES) &&
+           (current_user.ut.uid == psbuf->st_uid)) {
                switch (access_mask) {
                        case FILE_READ_DATA:
                                return (psbuf->st_mode & S_IRUSR) ? True : 
False;
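Review bot: with the added condition the owner mode-bit check runs only when "map read only" is Yes, so it is skipped for No as well as for Permissions, and an owner request in both cases falls through to whatever follows this block. The mail only motivates the Permissions case; if No is meant to keep the old behaviour, test for the Permissions value and skip the block only then, rather than requiring `ro_opts == MAP_READONLY_YES`. The existing comment "Check primary owner access." should also state the new precondition, and the "map read only" documentation needs a note that the parameter now affects can_access_file().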