Project

General

Profile

Bug #10994

Removal of "Read Attributes" prevents reading directory over SMB

Added by Gordon Ross 5 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-14
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

Description:

Customer is restricting write permissions at the root of a share from an EMC VNX fileserver by only granting "List Folder / read data" ACL to Domain Users while still allowing read and possibly write access to subdirectories with appropriate ACLs. Users can mount the share and list contents but are not allowed to write to parent.

Upon copying data and permissions over to NexentaStor, the same users are able to mount the share but are unable to view contents or if share is mounted as a drive letter, they cannot change to that drive. However, they are still allowed to access any subdirectories that they are granted permissions to.

If "Read attributes" permission is added to the share, then NexentaStor grants access as the VNX does.

This isn't limited to VNX as the server. The same behavior can be reproduced with a Windows 2008 server.

Steps to Reproduce:

1. Create a share on Windows and NexentaStor.
2. At the root of the share, ONLY grant "List folder / read data" to the user or group of users.
3. Create a subdirectory on the share and grant full read-write permission to a user or group of users to that subdirectory only.
4. As the user, navigate to the share from Windows explorer and then to the subdirectory from both the Windows server and from the NexentaStor server.
5. Map the share from Windows and NexentaStor as a drive letter.
6. Attempt to change to that drive letter

Expected Results:

User should be able to navigate to the root of the share and the subdirectory on from both Windows and NexentaStor shares and be able to create files/directories only in the subdirectory.

As a mapped drive, user should be able to change to that drive and then chdir to the appropriate subdirectory without issues.

Actual Results:
The share from Windows shows no issues.

The share from NexentaStor disallows viewing of parent share via Windows explorer though direct navigation to subdirectory.
The share from NexentaStor, while being able to map share as drive letter, prevents navigating to it.

Upon adding "Read Attributes" to ACL at root of share from NexentaStor, behavior matches Windows.

History

#1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress
#2

Updated by Gordon Ross 5 months ago

The reason this permissions configuration works on Windows is that Windows grants "Read_Attributes" permission on objects whose parent directory grants "List_Directory". If one denies List_Directory on the parent of the root of the share, the 'access denied' behavior is reproduced on Windows. This patch brings us in line with Windows behavior.

#3

Updated by Gordon Ross 5 months ago

Testing: (per description)
Fix in production since mid 2018

#4

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 1123b34548c4c9754a6d1ab2763606002dad8ddf

commit  1123b34548c4c9754a6d1ab2763606002dad8ddf
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-06-01T16:44:37.000Z

    10994 Removal of "Read Attributes" prevents reading directory over SMB
    Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>

Also available in: Atom PDF