Bug 33785

Summary: Files on Samba 4.x shares not executable any longer without explicit "executable" permission
Product: UCS
Reporter: Arvid Requate <requate>
Component: Samba
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-2-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=33918
Bug Blocks: 35137    

Description Arvid Requate univentionstaff 2013-12-19 12:28:55 CET
Samba 3.6 and earlier allowed open for execution when execute permissions are not present on a file. This has been fixed in Samba 4.0. This change caused an issue e.g. on Ticket#: 2013072221002032.

Starting with Samba 4.0.10 there is a new share option "acl allow execute always", which instructs smbd to skip the execute bit from the ACL check, re-establishing the old behaviour in this case.

Maybe we should make this configurable per share.
Comment 1 Janis Meybohm univentionstaff 2014-05-09 08:41:42 CEST
2014050921003881

This is a quite invasive change to the behaviour between UCS 3.1 and UCS 3.2 that is not even mentioned in changelog/release notes.

Just to make this clear: "Samba 3" setups are affected too!

Workaround:

-- /etc/samba/local.conf
[global]
  acl allow execute always = True
--


I think we should, at least, add this to the release notes.
Comment 2 Stefan Gohmann univentionstaff 2014-05-09 09:48:16 CEST
Set to 3.2-2-errata otherwise it is out of my scope.
Comment 3 Felix Botner univentionstaff 2014-06-17 13:22:52 CEST
Added samba/acl/allow/execute/always (default yes) to univention-samba to configure samba option "acl allow execute always" (global).

YAML: 2014-06-17-univention-samba.yaml
Comment 4 Arvid Requate univentionstaff 2014-06-25 17:35:30 CEST
Ok, looks mostly good, for all four tests (s3,s4)x(master,backup,slave,member) it only failed once in the last 26 test runs. That single failure was an authentication error during the test:

http://jenkins.knut.univention.de:8080/job/UCS%203.2-2%20Autotest%20MultiEnv/SambaVersion=s4,Systemrolle=slave/33/testReport/junit/10_ldap/74schema_update/test/

So verified for now.
Comment 5 Arvid Requate univentionstaff 2014-06-25 17:36:10 CEST
Oops, wrong bug.. ignore the last comment.
Comment 6 Arvid Requate univentionstaff 2014-07-02 15:32:20 CEST
Verified:
 * UCR variable is documented and set to yes on update
 * smb.conf template default is yes
 * A user logged on to a Windows client can execute files without x-bit
 * setting the variable to no restores the old behaviour
 * Advisory ok
Comment 7 Janek Walkenhorst univentionstaff 2014-07-10 13:33:56 CEST
http://errata.univention.de/ucs/3.2/140.html
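
An added example, not part of the original bug report or of univention-samba: because "acl allow execute always" makes smbd skip the execute-bit check, an administrator may want to see for which shares the check is actually skipped once [global] and per-share values are combined. The sketch below resolves that from smb.conf text; the function names, the sample share names and paths are assumptions made for illustration, and include directives are not followed.

```python
import re

OPTION = "aclallowexecutealways"
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}  # boolean spellings from smb.conf(5)

# Constructed sample configuration (share names and paths are made up).
SAMPLE = """\
[global]
    ACL Allow Execute Always = True
[software]
    path = /srv/software
[uploads]
    path = /srv/uploads
    acl allow execute always = no
"""

def _norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; include files are not followed."""
    sections, current = {}, None
    joined = re.sub(r"\\\r?\n", "", text)  # join backslash line continuations
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[_norm(name)] = value.strip()
    return sections

def _as_bool(value, default):
    value = value.lower()
    return True if value in TRUE else False if value in FALSE else default

def execute_check_skipped(text):
    """Map each share to True when smbd skips the execute-bit check for it."""
    conf = parse_smb_conf(text)
    # Samba's built-in default is "no"; a [global] value becomes the default for all shares.
    default = _as_bool(conf.get("global", {}).get(OPTION, ""), False)
    return {share: _as_bool(params.get(OPTION, ""), default)
            for share, params in conf.items() if share != "global"}

if __name__ == "__main__":
    for share, skipped in execute_check_skipped(SAMPLE).items():
        print(f"[{share}] execute-bit check {'SKIPPED' if skipped else 'enforced'}")
```

Shares reported as skipped are the ones where a user with read access can run a file that carries no x-bit, so writable upload areas are the first candidates for a per-share "no".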