linux-cifs.vger.kernel.org archive mirror
From: "Protopopov, Boris" <pboris@amazon.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Steve French <smfrench@gmail.com>,
	Pavel Shilovsky <pshilovsky@samba.org>,
	Shyam Prasad N <nspmangalore@gmail.com>,
	"linux-cifs@vger.kernel.org" <linux-cifs@vger.kernel.org>,
	samba-technical <samba-technical@lists.samba.org>
Subject: Re: [PATCH] cifs: fix set of group SID via NTSD xattrs
Date: Mon, 3 Jan 2022 18:31:40 +0000
Message-ID: <916BEE4D-0F14-4978-8A4F-97E57D3DF108@amazon.com>
In-Reply-To: <CAOQ4uxjY3b5_1WCL3hpy27h3VkGfH1+6BTKF35aXexjuFvE+cA@mail.gmail.com>

Hi, Amir,
I agree the language is ambiguous. I also think that including the flag should not be harmful in any way (I do not recall observing any unwanted side effects).
Thanks for addressing the issue found in testing with Samba!
Boris. 

On 1/3/22, 1:26 PM, "Amir Goldstein" <amir73il@gmail.com> wrote:

    CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



    On Mon, Jan 3, 2022 at 6:56 PM Protopopov, Boris <pboris@amazon.com> wrote:
    >
    > Hello, Amir,
    >
    > It has been a while, but I recall that from my reading of the MS docs, the notion of "owner" was supposed to include both user and the primary group SIDs, which is why the comments in the code did not call out groups explicitly.
    > I also recall that during development, I tested with the CIFS_ACL_GROUP flag against Windows 2012 and 2019 servers, and did not see a difference. I did not test against Samba, which clearly showed an issue discussed below.

    Interesting.
    I admit that the language of the docs is ambiguous:
    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ee9614c4-be54-4a3c-98f1-769a7032a0e4
    "...flags indicating what security attributes MUST be applied".
    So attributes whose flag is not set (e.g. group SID) MAY be applied or
    MUST NOT be applied?
    Perhaps samba would want to be as relaxed as Windows about the ACL_GROUP flag.

    In any case, I don't see a reason not to set the flag when the group
    SID information is present.

    Thanks,
    Amir.

    >
    > Boris.
    >
    > On 1/3/22, 9:51 AM, "Amir Goldstein" <amir73il@gmail.com> wrote:
    >
    >
    >     'setcifsacl -g <SID>' silently fails to set the group SID on server.
    >
    >     Actually, the bug existed since commit 438471b67963 ("CIFS: Add support
    >     for setting owner info, dos attributes, and create time"), but this fix
    >     will not apply cleanly to kernel versions <= v5.10.
    >
    >     Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs")
    >     Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    >     ---
    >
    >     Boris,
    >
    >     I am a little confused by the comments in the code and emails.
    >     In this thread [1] you wrote that you tested "setting/getting the owner,
    >     DACL, and SACL...".
    >
    >     Does it mean that you did not test setting group SID?
    >
    >     It is also confusing that comments in the code say /* owner plus DACL */
    >     and /* owner/DACL/SACL */.
    >     Does it mean that setting group SID is not supposed to be supported?
    >     Or was this just an oversight?
    >
    >     Anyway, with this patch, setcifsacl -g <SID> works as expected,
    >     at least when the server is samba.
    >
    >     Thanks,
    >     Amir.
    >
    >
    >     [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/
    >
    >      fs/cifs/xattr.c | 2 ++
    >      1 file changed, 2 insertions(+)
    >
    >     diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
    >     index 7d8b72d67c80..9d486fbbfbbd 100644
    >     --- a/fs/cifs/xattr.c
    >     +++ b/fs/cifs/xattr.c
    >     @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
    >                                     switch (handler->flags) {
    >                                     case XATTR_CIFS_NTSD_FULL:
    >                                             aclflags = (CIFS_ACL_OWNER |
    >     +                                                   CIFS_ACL_GROUP |
    >                                                         CIFS_ACL_DACL |
    >                                                         CIFS_ACL_SACL);
    >                                             break;
    >                                     case XATTR_CIFS_NTSD:
    >                                             aclflags = (CIFS_ACL_OWNER |
    >     +                                                   CIFS_ACL_GROUP |
    >                                                         CIFS_ACL_DACL);
    >                                             break;
    >                                     case XATTR_CIFS_ACL:
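
Review bot: both added lines OR CIFS_ACL_GROUP into aclflags unconditionally in the XATTR_CIFS_NTSD_FULL and XATTR_CIFS_NTSD cases, while the intent stated in the thread is to set the flag when group SID information is present. Either gate the flag on the descriptor passed to cifs_xattr_set actually carrying a group SID, or state in the commit message why requesting the group attribute for a descriptor without one is safe; the notes only report the result "at least when the server is samba". The change is two insertions and leaves the comments the message quotes (/* owner plus DACL */ and /* owner/DACL/SACL */) as they are, so update them to mention the group SID in the same patch.
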
    >     --
    >     2.25.1
    >
    >


Thread overview: 5+ messages
2022-01-03 14:50 [PATCH] cifs: fix set of group SID via NTSD xattrs Amir Goldstein
2022-01-03 16:56 ` Protopopov, Boris
2022-01-03 18:25   ` Amir Goldstein
2022-01-03 18:31     ` Protopopov, Boris [this message]
2022-02-12  7:52 ` Steve French