Bug 40892

Summary: extended ACL support for 2.2.* enabled servers
Product: [Frameworks and Libraries] kio-extras Reporter: Edoardo Causarano <curious.corn>
Component: SambaAssignee: Harald Sitter <sitter>
Status: RESOLVED FIXED    
Severity: wishlist CC: ferry.toth, nate, postix, sitter
Priority: NOR    
Version: 18.04.2   
Target Milestone: ---   
Platform: Mandrake RPMs   
OS: Linux   
Latest Commit: Version Fixed In: 22.12
Sentry Crash Report:

Description Edoardo Causarano 2002-04-13 10:50:58 UTC
(*** This bug was imported into bugs.kde.org ***)

Package:           kio-smb
Version:           KDE 3.0.0 
Severity:          wishlist
Installed from:    Mandrake RPMs
Compiler:          Not Specified
OS:                Linux
OS/Compiler notes: Not Specified

Hello KDE team

I'm very pleased & thankful for your effort. If the kio-smb supported extended ACL (included in sambas from 2.2.x up) I could deploy it in our office where such an enabled file server & PDC runs an NT domain (of course nfs4 would be the more correct answer in a UNIX environment but for the time being it's ok and it allows M$ machines to keep up)
Is there a chance to see such support soon?

Cheers
Edo

(Submitted via bugs.kde.org)
Comment 1 Nate Graham 2018-06-28 18:30:44 UTC
*** Bug 255002 has been marked as a duplicate of this bug. ***
Comment 2 Ferry 2018-06-30 13:39:15 UTC
Unfortunately this is still not implemented in 17.12.3 (Kubuntu Bionic).

I'll try to make the case for this functionality: on a shared file server (obviously sharing with Windows users), just giving the group read/write permissions is not always enough (for instance to change the owner of a file). The situation can be resolved using ACL's as that translates nicely to windows permissions. As ACL's can be made to inherit (on file/dir creation) all new files under a shared directory can have their correct ACL's set.

Of course if a sub directory is created without setting ACL's (by moving from another place without ACL's) these wrong settings also inherit. So it would be very nice to be able to correctly view and set them from within Dolphin.

Currently we work around this by mounting the server using smb4k so we don't need to use the kio slave.
Comment 3 Nate Graham 2018-06-30 13:47:57 UTC
Nobody objects to the feature; it's simply a matter of very limited development time for implementing it competing with 32 other Samba bugs, and approximately 25,000 other bugs of all sorts. :)

Patches are greatly appreciated!

FWIW, for now mounting the share locally is probably your best bet in general, since the KIOSlave has other issues (e.g. unavailable when using non-KDE software such as LibreOffice).
Comment 4 Harald Sitter 2020-02-14 17:01:42 UTC
Doc dump:

https://www.samba.org/samba/docs/current/man-html/smbcacls.1.html
https://www.samba.org/samba/docs/current/man-html/sharesec.1.html

libsmbc's smbc_getxattr respectively setxattr would be used. smbc_listxattr seems largely pointless, for some reason it always returns system.* no matter the server.

internally that drives through the IPC$ share, for some reason that entirely fails auth when kerberos is enabled though -> likely needs reworking of auth.cpp to "manually" try with and without kerberos or something. this happens with samba and windows hosts. all a bit strange

xattrs are as follows: (all + variants translate SIDs to pretty string, without + they are SIDs - SIDs are entirely pointless for libsmbc I think, we can't do anything with them as there is no API that accepts them) 

system.nt_sec_desc.owner+ => pretty name of owner "$SCOPE\$name (e.g. SMITH\me)
system.nt_sec_desc.group+ => pretty name of group "$SCOPE\$name" (e.g. Unix Group\me)
system.nt_sec_desc.acl.*+ => all ACLs separated by comma (e.g. SMITH\me:0/0/0x001f01ff,Unix Group\me:0/0/0x001f01ff,Unix Group\www-data:0/0/0x001f01ff,Unix Group\me:0/0/0x001200a9,\Everyone:0/0/0x001200a9)

ACLs are of the form <sid>:<type>/<flags>/<mask>
type => 0 for allowed, 1 for forbidden
flags => kinda undocumented? (see [1]) also on smbcacls manpage, not in any header?
mask => also undocumented? also context in [1]

biggest concern right now is getting a hold of the flags and masks defines, since they only seem to be available internally for samba I am not sure how exactly libsmbc expects one to use the output of getxattr. perhaps I am missing something?

Windows example acl*: WINDEV1905EVAL\puny:1/0/0x001f01ff,WINDEV1905EVAL\puny:0/16/0x001f01ff,NT AUTHORITY\SYSTEM:0/16/0x001f01ff,BUILTIN\Administrators:0/16/0x001f01ff,WINDEV1905EVAL\User:0/16/0x001f01ff

NB: for linux ACLs are the file system ACL (in so far as there are ACLs on the file system). on windows it seems a bit unclear but certainly looks like one gets both file and share ACL, the example above is of a file in dir that is shared with puny having only read access on the share level but full control the FS level. needs more inspection.

to model all this one could probably rely on KACL which implements POSIX ACL and should be good enough for the most relevant aspect of controlling R/W/X bits.
Buuuut that'd be distinctly less fine grained than windows still (e.g. windows has distinct permissions for deleting an object or changing its permissions), it may entirely make sense to forego KACL and by extension the stock KIO permissions tab and instead implement a bespoke dialog in kdenetwork-filesharing that fully models windows ACLs.
another option would be extending or abstracting KACL, which would only really make sense if dolphin wants to have first class windows support, in which case it needs to model NTFS ACLs anyway and we could share the implement. at that point we could still lift a bespoke model out of kdenetwork-filesharing though to bootstrap the KIO work. I find that option rather appealing.

for the KACL case as I understand it one can simply feed KACL stringy POSIX ACLs. 
i.e.
<type>:<object>:<mask>

type => u/g/o/m
object => uid/gid/uname/gnmae
mask => rwx/0

also see https://linuxgazette.net/152/prestia.html

[1] https://github.com/samba-team/samba/blob/2d5facc95478801580eb52d4d4441660c5fa2697/librpc/idl/security.idl#L480
Comment 5 Harald Sitter 2020-02-18 15:44:10 UTC
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-entries
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks
https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
and maaaaaaaaaaaaaaaaaaaaaaany many more pages.

- type is a ACCESS_*_TYPE

- flags is a mask of AceFlags from winnt.h

- mask is a mask of an almost random assortment of bits that are documented here and there and everywhere and also appear under various names. for our purposes ACTRL_DIR_* and ACTRL_FILE_* seem the only relevant bits. 

winnth.h acccrtl.h in wine are pretty handy here
Comment 6 Harald Sitter 2020-02-20 16:02:24 UTC
This may need some improvements in libsmbc to become fully sustainable. From what I see xattr queries cannot be batched. Incredibly inefficient and since ACLs are generally determined at listing time it'd make listing super slow. Not really an option.
A stop gap measure would be to only request the ACL when the user opens the ACL tab in the properties dialog. That would mean we cannot actually try to break the ACL into POSIX r-w-x for the purposes of KIO though, i.e. still no useful way to judge if a user can write a given path/file or not. Not the greatest loss, but unfortunate. I am also not quite sure how we can get proprietary interaction between kdenetwork-filesharing and KIO smb.
Comment 7 Harald Sitter 2020-03-16 11:54:23 UTC
proof of concept code
https://invent.kde.org/sitter/kdenetwork-filesharing/-/tree/work/acl
needs kio smb from
https://invent.kde.org/sitter/kio-extras/-/tree/work/smb-xattr

Will definitely not make it into the 20.04 release though.
Comment 8 Bug Janitor Service 2022-06-07 23:29:17 UTC
A possibly relevant merge request was started @ https://invent.kde.org/network/kdenetwork-filesharing/-/merge_requests/27
Comment 9 Harald Sitter 2022-08-12 12:47:32 UTC
Git commit e9ccfd30c2e7958780f5cff7823144e04a8ada8b by Harald Sitter.
Committed on 12/08/2022 at 12:44.
Pushed by sitter into branch 'master'.

samba ACL support

depends on a proprietary kio-extras special() interface

implements a new plugin for remote permissions that shows SMB/NT ACEs
that either come from a samba server with posix ACL support or windows
proper

M  +3    -0    CMakeLists.txt
A  +11   -0    LICENSES/BSD-3-Clause.txt
A  +121  -0    LICENSES/CC0-1.0.txt
A  +175  -0    LICENSES/LGPL-2.1-only.txt
A  +304  -0    LICENSES/LGPL-3.0-only.txt
A  +12   -0    LICENSES/LicenseRef-KDE-Accepted-LGPL.txt
A  +9    -0    LICENSES/MIT.txt
M  +1    -0    samba/CMakeLists.txt
A  +15   -0    samba/aclproperties/CMakeLists.txt
A  +23   -0    samba/aclproperties/README.md
A  +119  -0    samba/aclproperties/acccrtl.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +36   -0    samba/aclproperties/ace.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +62   -0    samba/aclproperties/aceobject.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +95   -0    samba/aclproperties/aceobject.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +182  -0    samba/aclproperties/debug.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +11   -0    samba/aclproperties/debug.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +66   -0    samba/aclproperties/model.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +46   -0    samba/aclproperties/model.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +264  -0    samba/aclproperties/plugin.cpp     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +27   -0    samba/aclproperties/plugin.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +116  -0    samba/aclproperties/qml/ACEPage.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +15   -0    samba/aclproperties/qml/LoadingPage.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +42   -0    samba/aclproperties/qml/MainPage.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +21   -0    samba/aclproperties/qml/NoDataPage.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +58   -0    samba/aclproperties/qml/main.qml     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A  +13   -0    samba/aclproperties/qml/qml.qrc
A  +11   -0    samba/aclproperties/samba-acl.json
A  +2    -0    samba/aclproperties/samba-acl.json.license
A  +51   -0    samba/aclproperties/winnt.h     [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]

https://invent.kde.org/network/kdenetwork-filesharing/commit/e9ccfd30c2e7958780f5cff7823144e04a8ada8b