WIP: Ensure vfs_acl_xattr sets SEC_DESC_DACL_AUTO_INHERITED on the share root in a sane way
Possible fix for https://bugzilla.samba.org/show_bug.cgi?id=14631.
The problem is basically that it's easy to end up with a configuration on a share using vfs_acl_xattr where SEC_DESC_DACL_AUTO_INHERITED is not set in the share root SD.
As a result, any object created in the share will also lack the INHERITED_ACE flag in all ACEs.
The acl_xattr VFS module will not return the flag by default when a share has just been created and configured, but no ACLs have been explicitly set up by an admin yet.
Example starting from scratch, no ACL configured yet:
smb.conf:
[test]
path = /srv/samba/test
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = everyone
$ ls -al /srv/samba/test
total 16
drwxrwx---. 3 slow slow 4096 May 25 16:39 .
drwxr-xr-x. 7 root root 4096 May 17 12:29 ..
$ getfattr -m "" /srv/samba/test
getfattr: Removing leading '/' from absolute path names
security.selinux
$ bin/smbcacls -U "slow%Passw0rd" "//localhost/test" ""
REVISION:1
CONTROL:SR|DP
OWNER:SLOWSERVER\slow
GROUP:BUILTIN\Administrators
ACL:Everyone:ALLOWED/0x0/FULL
Later, if an admin configures an ACL on the share root and sets up ACEs as desired from a Windows system, the client will generally set the SEC_DESC_DACL_AUTO_INHERITED flag (DI) on the share root.
$ bin/smbcacls -U "slow%Passw0rd" "//localhost/test" ""
REVISION:1
CONTROL:SR|PD|SI|DI|DP
OWNER:SLOWSERVER\slow
GROUP:BUILTIN\Administrators
ACL:Everyone:ALLOWED/0x0/FULL
ACL:S-1-5-21-1237673632-702085425-2222082532:ALLOWED/OI|CI/FULL
But when using e.g. smbcacls, it's easy to miss this step of adding that flag and just add some ACEs. As a result, all objects created in the container will lack the INHERITED_ACE flag in all inherited ACEs, which further deviates from the behaviour you would get from a Windows box by default.
To provide a better out-of-the-box experience, as long as there's no ACL set yet on the share root and we're either creating the ACL from the filesystem or we're synthesizing it in one of the default forms, we should set the flag SEC_DESC_DACL_AUTO_INHERITED.
Going to push updated patches to the MR associated with this bug in a second.
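An added example, not part of this merge request or of Samba's code: a small audit of smbcacls text output that reports a share root without DI and child ACEs that match an inheritable root ACE but lack the inherited flag. The function names are hypothetical, the sample descriptors are constructed in the style of the output above, and the ACE flag abbreviations (OI, CI, NP, IO, I) are assumed to be the ones smbcacls prints.

```python
# Added example: audit smbcacls output for the condition described above.
ACE_BITS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "I"}

def ace_flags(field):
    """Decode an ACE flags field: hex ('0x0', '0x13') or names ('OI|CI|I')."""
    if field.lower().startswith("0x"):
        value = int(field, 16)
        return {name for bit, name in ACE_BITS.items() if value & bit}
    return set(field.split("|"))

def parse_smbcacls(text):
    """Return (control flag set, [(trustee, type, flag set, mask), ...])."""
    control, aces = set(), []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "CONTROL":
            control = set(value.split("|"))
        elif key == "ACL":
            trustee, _, rest = value.rpartition(":")
            ace_type, flags, mask = rest.split("/", 2)
            aces.append((trustee, ace_type, ace_flags(flags), mask))
    return control, aces

def audit(root_text, child_text):
    """List inheritance problems for a share root and one object below it."""
    root_ctl, root_aces = parse_smbcacls(root_text)
    _, child_aces = parse_smbcacls(child_text)
    findings = []
    if "DI" not in root_ctl:
        findings.append("root: DI (SEC_DESC_DACL_AUTO_INHERITED) not set")
    # Root ACEs that propagate to children carry OI and/or CI.
    inheritable = {(t, k, m) for t, k, f, m in root_aces if f & {"OI", "CI"}}
    for trustee, kind, flags, mask in child_aces:
        if (trustee, kind, mask) in inheritable and "I" not in flags:
            findings.append(f"child: ACE for {trustee} lacks I (INHERITED_ACE)")
    return findings

# Constructed sample: ACEs added with smbcacls only, DI never set on the root.
ROOT_NO_DI = """REVISION:1
CONTROL:SR|DP
OWNER:SLOWSERVER\\slow
GROUP:BUILTIN\\Administrators
ACL:Everyone:ALLOWED/OI|CI/FULL"""
CHILD_NO_I = ROOT_NO_DI  # constructed: subdirectory got the ACE without I
# Constructed sample: DI set on the root, child ACE marked as inherited.
ROOT_DI = ROOT_NO_DI.replace("SR|DP", "SR|PD|SI|DI|DP")
CHILD_I = ROOT_DI.replace("OI|CI", "OI|CI|I")

if __name__ == "__main__":
    print(audit(ROOT_NO_DI, CHILD_NO_I))
    print(audit(ROOT_DI, CHILD_I))
```

Feed it the output of smbcacls for the share root and for a directory created below it; an empty list means both the DI control flag and the inherited ACE flag are where a Windows client would expect them.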