Ubuntu
cifs-utils package

setcifsacl: fix adding ACE when owner sid in unexpected location

Bug #1886548 reported by Rakesh Ginjupalli
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cifs-utils (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Eric Desrochers
Focal
Fix Released
Undecided
Unassigned
Groovy
Fix Released
Undecided
Unassigned

Bug Description

For Bionic release, current cifs-utils package version is 6.8-1. This version is missing an ACL tools fix that is needed for Azure xSMB.

Commit in question which needs to be backported: 0feb1a80f3777f4c244b46958aa9f730de9e18b6 setcifsacl: fix adding ACE when owner sid in unexpected location

[Impact]

 * The bug shows up with mounted cifs/smb filesystem, when a user tries to modify the DACL for the files/directories in the mount. If the owner/group ACEs do not appear first in the DACL (happens quite easily with Azure file shares). The setcifsacl command in cifs-utils fails in that case:

$ setcifsacl -a ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL’ /mnt/test/abc
main: setxattr error: Invalid argument

 * With the fix available in commit 0feb1a80f3777f4c244b46958aa9f730de9e18b6, the above error is not returned, and the command works.

[Regression potential]

The fix has been created by Microsoft and approved by cifs-utils upstream maintainers.

The fix has been tested in ubuntu (a test package I have built in a ppa) pre-SRU by Microsoft/Azure themselves, and they confirm everything is working as expected with this fix using the test case above.

The fix is found in Ubuntu with Eoan and onwards.

[Other information]

# Upstream commit:
https://git.samba.org/?p=cifs-utils.git;a=commit;h=0feb1a80f3777f4c244b46958aa9f730de9e18b6

# git describe --contains 0feb1a80f3777f4c244b46958aa9f730de9e18b6
cifs-utils-6.9~14

# rmadison
 => cifs-utils | 2:6.8-1 | bionic
 cifs-utils | 2:6.9-1 | focal
 cifs-utils | 2:6.10-0ubuntu1 | groovy |

See original description
Eric Desrochers (slashd)
tags: added: seg sts
description: updated
Changed in cifs-utils (Ubuntu Groovy):
status: New → Fix Released
Changed in cifs-utils (Ubuntu Focal):
status: New → Fix Released
Changed in cifs-utils (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd)
description: updated
Revision history for this message
Eric Desrochers (slashd) wrote :

Uploaded in Bionic/18.04LTS.

It is now waiting for SRU team approval for the package to start building in bionic-proposed pocket for its testing/verification phase.

Regards,
Eric

description: updated
Eric Desrochers (slashd)
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Rakesh, or anyone else affected,

Accepted cifs-utils into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cifs-utils/2:6.8-1ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in cifs-utils (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

So I understand running `setcifsacl -a ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL’ /mnt/test/abc` on a mounted cifs, while on an affected system? I assume it is easy to do with Azure file shares, but I'd also appreciate a bit more details about the testing needed to be done for verification. Could you update the description to include that missing information?

Anyway, this upload looks fine so I will approve it.

Revision history for this message
nspmangalore (nspmangalore) wrote :

I've verified the cifs-utils in bionic-proposed. It works.
I'll review the bug description and add as much details as I can.

Revision history for this message
nspmangalore (nspmangalore) wrote :

The version tested was cifs-utils 2:6.8-1ubuntu1.
Testing the fix involved mounting Azure file share from Ubuntu-18.04, create a file, then:
getcifsacl filename

Add a valid ACE which is not already a part of the above output.
setcifsacl -a ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL' filename

And just for safe measure, removed and created the ACE again.
setcifsacl -D ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL' filename
setcifsacl -a ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL' filename

The above goes through without any error, which was not true without the fix.

Without the fix, I get this error:
setcifsacl -a ‘ACL:MYDOMAIN\domuser:DENIED/0x0/FULL’ /mnt/test/abc
main: setxattr error: Invalid argument

Eric Desrochers (slashd)
tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Eric Desrochers (slashd) wrote :

Thanks for your testing nspmangalore, much appreciated !

Revision history for this message
Eric Desrochers (slashd) wrote :

The release of 'cifs-utils' is likely to happen only next week.

As stated in the SRU policy guide :
"Please note that SRUs will not be published to the -updates pocket on Friday (or Saturday or Sunday). Any exception will need justification."

Let's circle back beginning of next week for its release.

- Eric

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cifs-utils - 2:6.8-1ubuntu1

---------------
cifs-utils (2:6.8-1ubuntu1) bionic; urgency=medium

  * d/p/setcifsacl-fix-adding-ACE-when-owner-sid-in-unexpect.patch:
    Fix adding ACE when owner sid in unexpected location (LP: #1886548)

 -- Eric Desrochers <email address hidden> Wed, 08 Jul 2020 17:44:31 +0000

Changed in cifs-utils (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for cifs-utils has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.