Message ID | 20220103145025.3867146-1-amir73il@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | cifs: fix set of group SID via NTSD xattrs | expand |
Hello, Amir,
It has been a while, but I recall that from my reading of the MS docs, the notion of "owner" was supposed to include both user and the primary group SIDs, which is why the comments in the code did not call out groups explicitly.
I also recall that during development, I tested with CIFS_ACL_GROUP flag against Windows 2012 and 2019 servers, and did not see a difference. I did not test against Samba, which clearly, showed an issue discussed below.
Boris.
On 1/3/22, 9:51 AM, "Amir Goldstein" <amir73il@gmail.com> wrote:
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
'setcifsacl -g <SID>' silently fails to set the group SID on server.
Actually, the bug existed since commit 438471b67963 ("CIFS: Add support
for setting owner info, dos attributes, and create time"), but this fix
will not apply cleanly to kernel versions <= v5.10.
Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
---
Boris,
I am a little confused from the comments in the code an emails.
In this thread [1] you wrote that you tested "setting/getting the owner,
DACL, and SACL...".
Does it mean that you did not test setting group SID?
It is also confusing that comments in the code says /* owner plus DACL */
and /* owner/DACL/SACL */.
Does it mean that setting group SID is not supposed to be supported?
Or was this just an oversight?
Anyway, with this patch, setcifsacl -g <SID> works as expected,
at least when the server is samba.
Thanks,
Amir.
[1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/
fs/cifs/xattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c
index 7d8b72d67c80..9d486fbbfbbd 100644
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler,
switch (handler->flags) {
case XATTR_CIFS_NTSD_FULL:
aclflags = (CIFS_ACL_OWNER |
+ CIFS_ACL_GROUP |
CIFS_ACL_DACL |
CIFS_ACL_SACL);
break;
case XATTR_CIFS_NTSD:
aclflags = (CIFS_ACL_OWNER |
+ CIFS_ACL_GROUP |
CIFS_ACL_DACL);
break;
case XATTR_CIFS_ACL:
--
2.25.1
On Mon, Jan 3, 2022 at 6:56 PM Protopopov, Boris <pboris@amazon.com> wrote: > > Hello, Amir, > > It has been a while, but I recall that from my reading of the MS docs, the notion of "owner" was supposed to include both user and the primary group SIDs, which is why the comments in the code did not call out groups explicitly. > I also recall that during development, I tested with CIFS_ACL_GROUP flag against Windows 2012 and 2019 servers, and did not see a difference. I did not test against Samba, which clearly, showed an issue discussed below. Interesting. I admit that the language of the docs is ambiguous: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ee9614c4-be54-4a3c-98f1-769a7032a0e4 "...flags indicating what security attributes MUST be applied". So attributes whose flag is not set (e.g. group SID) MAY be applied or MUST NOT be applied? Perhaps samba would want to be as relaxed as Windows about the ACL_GROUP flag. In any case, I don't see a reason not to set the flag when the group SID information is present. Thanks, Amir. > > Boris. > > On 1/3/22, 9:51 AM, "Amir Goldstein" <amir73il@gmail.com> wrote: > > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > 'setcifsacl -g <SID>' silently fails to set the group SID on server. > > Actually, the bug existed since commit 438471b67963 ("CIFS: Add support > for setting owner info, dos attributes, and create time"), but this fix > will not apply cleanly to kernel versions <= v5.10. > > Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs") > Signed-off-by: Amir Goldstein <amir73il@gmail.com> > --- > > Boris, > > I am a little confused from the comments in the code an emails. > In this thread [1] you wrote that you tested "setting/getting the owner, > DACL, and SACL...". > > Does it mean that you did not test setting group SID? > > It is also confusing that comments in the code says /* owner plus DACL */ > and /* owner/DACL/SACL */. > Does it mean that setting group SID is not supposed to be supported? > Or was this just an oversight? > > Anyway, with this patch, setcifsacl -g <SID> works as expected, > at least when the server is samba. > > Thanks, > Amir. > > > [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/ > > fs/cifs/xattr.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c > index 7d8b72d67c80..9d486fbbfbbd 100644 > --- a/fs/cifs/xattr.c > +++ b/fs/cifs/xattr.c > @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler, > switch (handler->flags) { > case XATTR_CIFS_NTSD_FULL: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL | > CIFS_ACL_SACL); > break; > case XATTR_CIFS_NTSD: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL); > break; > case XATTR_CIFS_ACL: > -- > 2.25.1 > >
Hi, Amir, I agree the language is ambiguous. I also think that including the flag should not be harmful in any way (I do not recall observing any unwanted side effects). Thanks for addressing the issue found in testing with Samba! Boris. On 1/3/22, 1:26 PM, "Amir Goldstein" <amir73il@gmail.com> wrote: CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. On Mon, Jan 3, 2022 at 6:56 PM Protopopov, Boris <pboris@amazon.com> wrote: > > Hello, Amir, > > It has been a while, but I recall that from my reading of the MS docs, the notion of "owner" was supposed to include both user and the primary group SIDs, which is why the comments in the code did not call out groups explicitly. > I also recall that during development, I tested with CIFS_ACL_GROUP flag against Windows 2012 and 2019 servers, and did not see a difference. I did not test against Samba, which clearly, showed an issue discussed below. Interesting. I admit that the language of the docs is ambiguous: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/ee9614c4-be54-4a3c-98f1-769a7032a0e4 "...flags indicating what security attributes MUST be applied". So attributes whose flag is not set (e.g. group SID) MAY be applied or MUST NOT be applied? Perhaps samba would want to be as relaxed as Windows about the ACL_GROUP flag. In any case, I don't see a reason not to set the flag when the group SID information is present. Thanks, Amir. > > Boris. > > On 1/3/22, 9:51 AM, "Amir Goldstein" <amir73il@gmail.com> wrote: > > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > 'setcifsacl -g <SID>' silently fails to set the group SID on server. > > Actually, the bug existed since commit 438471b67963 ("CIFS: Add support > for setting owner info, dos attributes, and create time"), but this fix > will not apply cleanly to kernel versions <= v5.10. > > Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs") > Signed-off-by: Amir Goldstein <amir73il@gmail.com> > --- > > Boris, > > I am a little confused from the comments in the code an emails. > In this thread [1] you wrote that you tested "setting/getting the owner, > DACL, and SACL...". > > Does it mean that you did not test setting group SID? > > It is also confusing that comments in the code says /* owner plus DACL */ > and /* owner/DACL/SACL */. > Does it mean that setting group SID is not supposed to be supported? > Or was this just an oversight? > > Anyway, with this patch, setcifsacl -g <SID> works as expected, > at least when the server is samba. > > Thanks, > Amir. > > > [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/ > > fs/cifs/xattr.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c > index 7d8b72d67c80..9d486fbbfbbd 100644 > --- a/fs/cifs/xattr.c > +++ b/fs/cifs/xattr.c > @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler, > switch (handler->flags) { > case XATTR_CIFS_NTSD_FULL: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL | > CIFS_ACL_SACL); > break; > case XATTR_CIFS_NTSD: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL); > break; > case XATTR_CIFS_ACL: > -- > 2.25.1 > >
tentatively merged into cifs-2.6.git for-next pending testing If you have ideas on how to add a test case for this, that would be helpful (we have some cifs.ko specific tests we run in addition to the usual xfstests and git filesystem regression tests). On Mon, Jan 3, 2022 at 8:50 AM Amir Goldstein <amir73il@gmail.com> wrote: > > 'setcifsacl -g <SID>' silently fails to set the group SID on server. > > Actually, the bug existed since commit 438471b67963 ("CIFS: Add support > for setting owner info, dos attributes, and create time"), but this fix > will not apply cleanly to kernel versions <= v5.10. > > Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs") > Signed-off-by: Amir Goldstein <amir73il@gmail.com> > --- > > Boris, > > I am a little confused from the comments in the code an emails. > In this thread [1] you wrote that you tested "setting/getting the owner, > DACL, and SACL...". > > Does it mean that you did not test setting group SID? > > It is also confusing that comments in the code says /* owner plus DACL */ > and /* owner/DACL/SACL */. > Does it mean that setting group SID is not supposed to be supported? > Or was this just an oversight? > > Anyway, with this patch, setcifsacl -g <SID> works as expected, > at least when the server is samba. > > Thanks, > Amir. > > > [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/ > > fs/cifs/xattr.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c > index 7d8b72d67c80..9d486fbbfbbd 100644 > --- a/fs/cifs/xattr.c > +++ b/fs/cifs/xattr.c > @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler, > switch (handler->flags) { > case XATTR_CIFS_NTSD_FULL: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL | > CIFS_ACL_SACL); > break; > case XATTR_CIFS_NTSD: > aclflags = (CIFS_ACL_OWNER | > + CIFS_ACL_GROUP | > CIFS_ACL_DACL); > break; > case XATTR_CIFS_ACL: > -- > 2.25.1 >
diff --git a/fs/cifs/xattr.c b/fs/cifs/xattr.c index 7d8b72d67c80..9d486fbbfbbd 100644 --- a/fs/cifs/xattr.c +++ b/fs/cifs/xattr.c @@ -175,11 +175,13 @@ static int cifs_xattr_set(const struct xattr_handler *handler, switch (handler->flags) { case XATTR_CIFS_NTSD_FULL: aclflags = (CIFS_ACL_OWNER | + CIFS_ACL_GROUP | CIFS_ACL_DACL | CIFS_ACL_SACL); break; case XATTR_CIFS_NTSD: aclflags = (CIFS_ACL_OWNER | + CIFS_ACL_GROUP | CIFS_ACL_DACL); break; case XATTR_CIFS_ACL:
'setcifsacl -g <SID>' silently fails to set the group SID on server. Actually, the bug existed since commit 438471b67963 ("CIFS: Add support for setting owner info, dos attributes, and create time"), but this fix will not apply cleanly to kernel versions <= v5.10. Fixes: a9352ee926eb ("SMB3: Add support for getting and setting SACLs") Signed-off-by: Amir Goldstein <amir73il@gmail.com> --- Boris, I am a little confused from the comments in the code an emails. In this thread [1] you wrote that you tested "setting/getting the owner, DACL, and SACL...". Does it mean that you did not test setting group SID? It is also confusing that comments in the code says /* owner plus DACL */ and /* owner/DACL/SACL */. Does it mean that setting group SID is not supposed to be supported? Or was this just an oversight? Anyway, with this patch, setcifsacl -g <SID> works as expected, at least when the server is samba. Thanks, Amir. [1] https://lore.kernel.org/linux-cifs/CAHhKpQ7PwgDysS3nUAA0ALLdMZqnzG6q6wL1tmn3aqOPwZbyyg@mail.gmail.com/ fs/cifs/xattr.c | 2 ++ 1 file changed, 2 insertions(+)