Root owner & admin SID 

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Root owner & admin SID
Dear Tuxera,
I have discovered an issue with root SIDs.
To be exact, it's not a bug but a problem.

ntfs-3g decodes the first records from ntfs-3g.secaudit -vv as user SID and group SID, according to Unix mechanics.
When an NTFS file is owned by somebody who is part of the Administrators group (a common case for a developer machine), the security data is encoded the following way:

owner sid: S-1-5-32-xxx
group sid: S-1-5-21-Machine, or
S-1-5-21-Actual user-sid
(no SACL)

(both machine SID and user SID were full-form SIDs, but the owner ID was a short-form one)

This causes a misunderstanding between the Windows host and the ntfs-3g driver: Win32 doesn't consider a group as something different from a user.
But ntfs-3g has a hardcoded value (acl.c) for adminsid and systemsid, so a Windows Admin-owned file becomes a root-owned one.
However, no attribute can be changed for root files, even if the group has ---rwx---
(the group is correctly recognised, but one possibly won't change the owner SID for thousands of files).

And yes, this cannot be overridden by gid and uid in the fstab parameters, because UserMapping completely cancels the gid/uid reassignment made by the -o option.


Fri Dec 18, 2009 19:23

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Re: Root owner & admin SID
And yes, the decoded group is not root. It is a group of mine, a shared Samba user.


Fri Dec 18, 2009 19:24

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Re: Root owner & admin SID
The problem is that I cannot use the Archive bit (owner-execute) while still retaining a correct Windows layout, because the file becomes a root-owned one. And a correct group doesn't make a difference.


Fri Dec 18, 2009 19:30

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Re: Root owner & admin SID
The user SID is S-1-5-32-544, Local Administrators.
And yes, it cannot be redefined in UserMapping.

The group is a Machine SID.


Fri Dec 18, 2009 19:41
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1008
Re: Root owner & admin SID
Hi,

Quote:
Dear Tuxera,

Please note I am not a Tuxera employee, though Tuxera sponsors the ntfs-3g project.

Quote:
When a NTFS file is owned by somebody who's a part of Administrator's group (a common case for Developer machine), the security data is encoded the following way:
[....]
{both machine sid and user sid were full-form SIDs, but owner id was a short-form one)

This makes a misunderstanding between Windows host and 3g-driver: Win32 doesn't consider a group as a something different from user
But ntfs-3g has a hardcoded value (acl.c) for adminsid and systemsid, so a Windows Admin owned file becomes a root-owned one.


This is complicated to explain if you do not show the full information (what is your user mapping file, how are your groups organized, what is the account used by Samba, etc.).
When you say you are a member of the Administrator group, is this a Linux concept or a Windows concept? You will not get interoperable results if you do not have the same user/group relations in both systems.
Also, files are created with the default group; being a member of the administrator group is not enough for root to be identified as the group of a file, your default group must be zero (this is the Posix way, I can do nothing about it).

Note: situations where root is owner or group are very complex, because the administrator always has full access even if the permissions for owner or group do not allow it, and yes, the administrator SID has been hardcoded (by Microsoft).

Quote:
However, no attribute can be changed for root files, even the group has ---rwx---
(the group is correctly recognised but one, possibly, won't change owner sid for thousands for files)


Please post an actual and full example (user mapping, owner/group relations, command to change the permissions).

Regards

Jean-Pierre


Fri Dec 18, 2009 19:57
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1008
Re: Root owner & admin SID
Hi again,

Quote:
The user sid is S-1-5-32-544, Local administrators.
And yes, it cannot be redefined in UserMapping


Of course it cannot for a file owned by root. This has been defined by Microsoft, see http://support.microsoft.com/kb/243330

Do a chown to define another owner.

Regards

Jean-Pierre


Fri Dec 18, 2009 20:00
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1008
Re: Root owner & admin SID
Hi again,

Quote:
The problem is that i cannot use an Archive bit (owner-execute) with still retaining a correct Windows layout, because the file becomes a root-owned one. And a correct group doesn't make difference.

This is a Samba feature, not ntfs-3g. Read the Samba layout in your recent post. Samba maps its archive bit onto permissions, not onto the archive bit, and this is not the correct Windows layout.

Please report to Samba.

Regards

Jean-Pierre


Fri Dec 18, 2009 20:04

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Re: Root owner & admin SID
Quote:
This is a Samba feature, not ntfs-3g. Read the Samba layout in your recent post. Samba maps its archive bit onto permissions, not on archive bit, and this is not the correct Windows layout.

Please report to Samba.

jpa, it is still not clear why I should report this to Samba when an ordinary chmod from the Linux console cannot be executed and fails with a "No access rights" message.

Well, the file became root-owned in *Unix* terms, but it was "Local Administrators-owned" (secaudit user SID) and "Machine-owned" (secaudit group SID) in Windows terminology.

Here is the acl.c code which recognizes both World and Local user (Windows terms) as the Linux "World" object:

Code:
static int is_world_sid(const SID * usid)
{
   return (
        /* check whether S-1-1-0 : world */
          ((usid->sub_authority_count == 1)
       && (usid->identifier_authority.high_part ==  const_cpu_to_be16(0))
       && (usid->identifier_authority.low_part ==  const_cpu_to_be32(1))
       && (usid->sub_authority[0] == const_cpu_to_le32(0)))

        /* check whether S-1-5-32-545 : local user */
     ||   ((usid->sub_authority_count == 2)
       && (usid->identifier_authority.high_part ==  const_cpu_to_be16(0))
       && (usid->identifier_authority.low_part ==  const_cpu_to_be32(5))
       && (usid->sub_authority[0] == const_cpu_to_le32(32))
       && (usid->sub_authority[1] == const_cpu_to_le32(545)))
      );
}


But there is no way to redefine a correct UID for the "world" object (who is world, if a disk has been taken from a single-user Win32 machine?).
And there is no such code for the S-1-5-32-544 object, which is widely used too.

I have only three ACLs in inode properties:
---------------------------------------------
Code:
[root@nas wd_500]# ntfs-3g.secaudit -vv Video.rar
secaudit 1.3.9 : NTFS security data auditing
File Video.rar

... skip ...

Computed hash : 0x********
Windows attrib : 0x20
Global header
    revision 1
    flags    0x8004
        DACL present
        self relative descriptor
    Off USID 0x30
    Off GSID 0x40
    Off SACL 0x0
    Off DACL 0x14
User SID
    Local admins SID
    hex S-1-5-20-220
    dec S-1-5-32-544
Group SID
    Local users SID
    hex S-1-5-15-********-********-********-***
    dec S-1-5-21-*********-**********-********-***
DACL
    revision 2
    ACL size 28
    ACE cnt  1
    ACE 1 at 0x1c
        type     0
            Access allowed
        flags    0x0
        Size     0x14
        Acc rgts 0x1f01ff
            Obj specific acc rgts 0x1ff
                Read data
                Write data
                Append data
                Read EA
                Write EA
                Execute
                Read attributes
                Write attributes
            standard acc rgts 0x1f
                Delete
                Read control
                Write DAC
                Write owner
                Synchronize
        SID at 0x24
            World SID
            hex S-1-1-0
            dec S-1-1-0
        Summary : grant rwx applied
No SACL
Interpreted Unix owner 0, group ***, mode 0777
No errors were found


(*** - replaced)

The S-1-5-32-544 cannot be used in UserMapping to define a correct user. It's ignored.
So here is exactly what I got in the console, the problem:

Code:
[me@nas WD]$ ls -la Video.rar
-rwxrwxrwx. 1 root mygroup 4664068814 Dec  3 19:43 Video.rar
[me@nas WD]$ chmod 0677 Video.rar
chmod: changing access rights of `Video.rar': Operation not allowed
[me@nas WD]$


User 'me' is part of 'mygroup'. Note: messages are approximate because of translation.


Fri Dec 18, 2009 21:04
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1008
Re: Root owner & admin SID
Hi,
Quote:
jpa, still not clear why i should reporting this to SAMBA when an ordinary chmod from Linux console cannot be excecuted with "No access rights" message?

This means you do not have execution right on the parent directory. See
http://www.opengroup.org/onlinepubs/000 ... chown.html
and read the EACCES error condition.
Quote:
But there is no way to redefine a correct UID for "world" object (who is world? if a disk has been taken from single-user Win32 machine).

Of course you cannot define world. world is defined by the code you displayed based on Microsoft specifications on standard SIDs, and world means any user.
Quote:
User SID
Local admins SID
hex S-1-5-20-220
dec S-1-5-32-544
Group SID
Local users SID
hex S-1-5-15-********-********-********-***
dec S-1-5-21-*********-**********-********-***
[...]
Interpreted Unix owner 0, group ***, mode 0777

As you can see, the Owner is administrator (S-1-5-32-544, and uid 0), and there is a user group. This is the correct Unix interpretation of the ACL. Where is the problem?

Quote:
The S-1-5-32-544 cannot be used in UserMapping to define a correct user. It's ignored.

You cannot. A plain user cannot be an administrator (it cannot be root and a plain user). A user SID must start with S-1-5-21-... You did not do what I told you. You have not posted the user mapping file; how on earth can I guess what you have done, as you are not doing what I tell you?

Code:
[me@nas WD]$ ls -la Video.rar
-rwxrwxrwx. 1 root mygroup 4664068814 Dec  3 19:43 Video.rar
[me@nas WD]$ chmod 0677 Video.rar
chmod: changing access rights of `Video.rar': Operation not allowed


You have not shown the permissions on the parent directory, so I cannot comment; see the following example, and check how it behaves on ext3 (and the Posix page on chmod).

Code:
[linux@dimension ntfs-3g]$ chmod 755 dir
[linux@dimension ntfs-3g]$ ls -l dir/file
-rw-rw-r-- 1 linux linux 5 2009-12-18 20:54 dir/file
[linux@dimension ntfs-3g]$ chmod 666 dir
[linux@dimension ntfs-3g]$ ls -l dir/file
/bin/ls: cannot access dir/file: Permission denied
[linux@dimension ntfs-3g]$ chmod 444 dir/file
chmod: cannot access `dir/file': Permission denied


*edit*

Sorry, my example is not good,

Quote:
[me@nas WD]$ ls -la Video.rar
-rwxrwxrwx. 1 root mygroup 4664068814 Dec 3 19:43 Video.rar
[me@nas WD]$ chmod 0677 Video.rar
chmod: changing access rights of `Video.rar': Operation not allowed


The reason is different: you are user WD trying to change permissions on a file which is not yours (see the EPERM error on the Posix page).

Regards

Jean-Pierre


Fri Dec 18, 2009 22:02

Joined: Mon Nov 30, 2009 21:35
Posts: 38
Re: Root owner & admin SID
jpa wrote:
Hi,
Quote:
jpa, still not clear why i should reporting this to SAMBA when an ordinary chmod from Linux console cannot be excecuted with "No access rights" message?

This means you do not have execution right on the parent directory. See
http://www.opengroup.org/onlinepubs/000 ... chown.html
and read the EACCES error condition.

It's a file in drive's root directory.

[me@nas wd_500]$ ls -la
total 4555012
drwxrwxrwx. 1 root root 4096 Dec 18 01:53 .
drwxr-xr-x. 7 root root 2048 Dec 3 20:28 ..
drwxrwxrwx. 1 root mygroup 0 Dec 12 17:51 1
drwxr-xr-x. 1 root mygroup 0 Dec 18 01:17 2804041
drwxr-xr-x. 1 root mygroup 0 Dec 18 01:53 3
drwxrwxrwx. 1 root root 4096 Dec 18 21:41 .NTFS-3G
drwxrwxrwx. 1 root mygroup 0 Dec 3 19:20 RECYCLER
-rwxrwxrwx. 1 root mygroup 4664068814 Dec 3 19:43 Video.rar
drwxrwxrwx. 1 root mygroup 0 Dec 12 19:07 .Virtual
drwxrwxrwx. 1 root mygroup 65536 Dec 12 17:52 Видео
drwxrwxrwx. 1 root mygroup 0 Dec 3 20:33 Новый
[me@nas wd_500]$

Quote:
Quote:
But there is no way to redefine a correct UID for "world" object (who is world? if a disk has been taken from single-user Win32 machine).

Of course you cannot define world. world is defined by the code you displayed based on Microsoft specifications on standard SIDs, and world means any user.
Quote:
User SID
Local admins SID
hex S-1-5-20-220
dec S-1-5-32-544
Group SID
Local users SID
hex S-1-5-15-********-********-********-***
dec S-1-5-21-*********-**********-********-***
[...]
Interpreted Unix owner 0, group ***, mode 0777

As you can see, the Owner is administrator (S-1-5-32-544, and uid 0), and there is a user group. This is the correct Unix interpretation of the ACL. Where is the problem ?

The problem is that an ordinary Windows user who is part of Administrators (again, it's a common case for developers, when admin rights are retained in order to have full access) cannot access the drive moved to ntfs-3g with Samba. Nor with a regular user, except for su/root. Because of heavily restricted rights on his own drive, with no workaround.

Why not allow a direct mapping of each SID in the UserMapping table instead of hardcoding numeric constants?


Quote:
Quote:
The S-1-5-32-544 cannot be used in UserMapping to define a correct user. It's ignored.

You cannot. A plain user cannot be an administrator (it cannot be root and plain user). A user SID must start with S-1-5-21-... You did not what I told you. You have not posted the user mapping file, how on earth can I guess what you have done as you are not doing what I tell you.

A plain user cannot be administrator. But S-1-5-32-544 is just a SID, not an Administrator. Remember, the number itself has no meaning for Linux, but why not give the user a full mapping table in the UserMapping file, like in the group and passwd files?

Quote:
Code:
[me@nas WD]$ ls -la Video.rar
-rwxrwxrwx. 1 root mygroup 4664068814 Dec  3 19:43 Video.rar
[me@nas WD]$ chmod 0677 Video.rar
chmod: changing access rights of `Video.rar': Operation not allowed


You have not shown the permissions on parent directory, so I cannot comment, see the following example, and check how it behaves on ext3 (and the Posix page on chmod).

Do you mean permissions of /mnt ? Or of /mnt/wd_500 drive?
Well, the first one is drwxr-xr-x root root,
and the second is drwxrwxrwx root root too.

When a gid/uid pair is overridden by UserMapping, it seems to no longer redefine the drive's "/" owner and group.

Here is a security record for the drive:
[root@nas wd_500]# ntfs-3g.secaudit -vv /mnt/wd_500
secaudit 1.3.9 : NTFS security data auditing
Directory /mnt/wd_500
000000 01000480 30000000 40000000 00000000
000010 14000000 02001c00 01000000 00031400
000020 ff011f00 01010000 00000001 00000000
000030 01020000 00000005 20000000 20020000
000040 01020000 00000005 20000000 20020000
Computed hash : 0x42dedda0
Windows attrib : 0x36
** Could not find the user mapping file
Global header
revision 1
flags 0x8004
DACL present
self relative descriptor
Off USID 0x30
Off GSID 0x40
Off SACL 0x0
Off DACL 0x14
User SID
Local admins SID
hex S-1-5-20-220
dec S-1-5-32-544
Group SID
Local admins SID
hex S-1-5-20-220
dec S-1-5-32-544
DACL
revision 2
ACL size 28
ACE cnt 1
ACE 1 at 0x1c
type 0
Access allowed
flags 0x3
Object inherits ACE
Container inherits ACE
Size 0x14
Acc rgts 0x1f01ff
Obj specific acc rgts 0x1ff
List directory
Add file
Add subdirectory
Read EA
Write EA
Traverse
Delete child
Read attributes
Write attributes
standard acc rgts 0x1f
Delete
Read control
Write DAC
Write owner
Synchronize
SID at 0x24
World SID
hex S-1-1-0
dec S-1-1-0
Summary : grant rwx inherited applied
No SACL
Interpreted Unix mode 0777 (owner and group are unmapped)
** 1 error was found
[root@nas wd_500]#


----------------
Quote:
The reason is different : you are user WD trying to change permissions on a file which is not yours (see the EPERM error on the Posix page)


WD is *not* a user, it is an acronym (a symlink) from my home directory, pointing to /mnt/wd_500.
But I get the same from the drive itself:


Code:
[me@nas /]$ cd /mnt/wd_500
[me@nas wd_500]$ ls -la
total 4555012
drwxrwxrwx. 1 root root             4096 Dec 18 01:53 .
drwxr-xr-x. 7 root root             2048 Dec  3 20:28 ..
drwxrwxrwx. 1 root mygroup          0 Dec 12 17:51 1
drwxr-xr-x. 1 root mygroup          0 Dec 18 01:17 2804041
drwxr-xr-x. 1 root mygroup          0 Dec 18 01:53 3
drwxrwxrwx. 1 root root             4096 Dec 18 21:41 .NTFS-3G
drwxrwxrwx. 1 root mygroup          0 Dec  3 19:20 RECYCLER
-rwxrwxrwx. 1 root mygroup 4664068814 Dec  3 19:43 Video.rar
drwxrwxrwx. 1 root mygroup          0 Dec 12 19:07 .Virtual
drwxrwxrwx. 1 root mygroup      65536 Dec 12 17:52 Видео
drwxrwxrwx. 1 root mygroup          0 Dec  3 20:33 Новый
[me@nas wd_500]$ chmod 0677 Video.rar
chmod: changing permissions of `Video.rar': Operation not permitted
[me@nas wd_500]$


Fri Dec 18, 2009 23:00
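Added example, not code from ntfs-3g or from either participant: a Python parser for the self-relative security descriptor that secaudit printed for /mnt/wd_500 in the post above (the five offset-prefixed hex lines are copied from that dump), together with the SID tests the thread argues about, the is_world_sid() check quoted from acl.c and the fixed Administrators/System SIDs. The UserMapping lines and the S-1-5-21-* values in them are constructed for this example, in the uid:gid:SID line format ntfs-3g documents for that file; the uid/gid resolution in unix_ids() is a simplified model of the behaviour Jean-Pierre describes (generic SIDs fixed, everything else looked up), not ntfs-3g's actual logic.

```python
import struct

# Security descriptor bytes exactly as secaudit -vv printed them for
# /mnt/wd_500 in the post above (offset column, then four DWORDs).
SECAUDIT_DUMP = """\
000000 01000480 30000000 40000000 00000000
000010 14000000 02001c00 01000000 00031400
000020 ff011f00 01010000 00000001 00000000
000030 01020000 00000005 20000000 20020000
000040 01020000 00000005 20000000 20020000
"""

# Constructed UserMapping content in ntfs-3g's uid:gid:SID line format;
# the S-1-5-21-* values are invented for this example, and an empty uid
# field is the group-only form.
USER_MAPPING = """\
1000:1000:S-1-5-21-1111111111-2222222222-3333333333-1000
:1001:S-1-5-21-1111111111-2222222222-3333333333-513
"""

WORLD_SID, USERS_SID = "S-1-1-0", "S-1-5-32-545"
ADMINS_SID, SYSTEM_SID = "S-1-5-32-544", "S-1-5-18"
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def dump_to_bytes(dump):
    """Turn the secaudit hex listing back into raw descriptor bytes."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:]:          # skip the offset column
            out += bytes.fromhex(word)
    return bytes(out)

def parse_sid(buf, off, hexform=False):
    """Decode a SID at buf[off] -> (text, end offset). The 48-bit authority is
    big-endian, sub-authorities are little-endian DWORDs; hexform=True gives
    secaudit's 'hex' line (32 -> 20, 544 -> 220, 21 -> 15)."""
    rev, count = buf[off], buf[off + 1]
    if rev != 1:
        raise ValueError("unsupported SID revision %d" % rev)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    fmt = "%x" if hexform else "%d"
    text = "S-1-" + fmt % authority + "".join("-" + fmt % s for s in subs)
    return text, off + 8 + 4 * count

def parse_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR: header, owner, group, DACL."""
    rev, _, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    owner, _ = parse_sid(buf, off_owner)
    group, _ = parse_sid(buf, off_group)
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, off_dacl)
        pos, end = off_dacl + 8, off_dacl + acl_size
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
            if ace_size < 8 or pos + ace_size > end:
                raise ValueError("ACE overruns its ACL")
            if ace_type in (0, 1):             # ACCESS_ALLOWED / ACCESS_DENIED
                mask, = struct.unpack_from("<I", buf, pos + 4)
                sid, _ = parse_sid(buf, pos + 8)
                aces.append({"type": ace_type, "flags": ace_flags,
                             "mask": mask, "sid": sid})
            pos += ace_size
    return {"control": control, "owner": owner, "group": group, "dacl": aces}

def is_world_sid(sid):
    """Same test as the acl.c is_world_sid() quoted in the thread."""
    return sid in (WORLD_SID, USERS_SID)

def parse_user_mapping(text):
    """SID -> (uid or None, gid or None) from uid:gid:SID lines."""
    table = {}
    for line in filter(str.strip, text.splitlines()):
        uid, gid, sid = line.strip().split(":", 2)
        table[sid] = (int(uid) if uid else None, int(gid) if gid else None)
    return table

def unix_ids(owner_sid, group_sid, mapping):
    """Simplified model of what the thread describes: the generic Administrators
    and System SIDs are fixed to id 0 whatever the mapping file says, any other
    SID is looked up there, and an unknown SID stays unmapped (None)."""
    def resolve(sid, field):
        if sid in (ADMINS_SID, SYSTEM_SID):
            return 0
        entry = mapping.get(sid)
        return entry[field] if entry else None
    return resolve(owner_sid, 0), resolve(group_sid, 1)

if __name__ == "__main__":
    sd = parse_descriptor(dump_to_bytes(SECAUDIT_DUMP))
    print(sd, unix_ids(sd["owner"], sd["group"], parse_user_mapping(USER_MAPPING)))
```

On the dump above both owner and group decode to S-1-5-32-544 and the single inheritable ACE grants S-1-1-0 (World) mask 0x1f01ff, which is why the Unix view of this directory shows root as owner with mode 0777 for everyone. A S-1-5-21-* SID such as the group of Video.rar resolves only through a UserMapping entry, and a SID missing from that file stays unmapped in this model.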
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1008
Re: Root owner & admin SID
Hi,

Quote:
It's a file in drive's root directory.

[me@nas wd_500]$ ls -la
total 4555012
drwxrwxrwx. 1 root root 4096 Dec 18 01:53 .
drwxr-xr-x. 7 root root 2048 Dec 3 20:28 ..

You see that the parent directory .. is owned by root and non-root users have no write access, so user "me" cannot change the permissions in that directory. The behavior is correct.
*edit* Hm, I am getting tired... Please post the full example: the file, the parent directory, and the command-line chmod which fails.
Quote:
The problem is that an ordinary Windows user being a part of Administrators

Please understand that "being part of Administrator" means being in the Administrator group. Administrators are plain users with standard SIDs, with privileges inherited from their Administrator group (at least on Windows XP and Vista). Beware: on Linux there is a default group for each user, and files get the default group only.
Quote:
Why not allowing a direct mapping of each of SIDs in UserMapping table instead of hardcoding numeric constants??

This is the case for all non-generic users and groups. But I have to stick to Microsoft specifications for generic users and groups (admin, world, etc.), to be interoperable with Windows. For instance, if I make a file world-readable (mode 0444), any Windows system must be able to read the file, and refuse to execute or write.

Quote:
A plain user cannot be administrator. But S-1-5-32-544 is just a SID, not an Administraror. Remember, the number itself has no meaning for Linux - but why not giving to user a full

All Windows systems recognize "S-1-5-32-544" as meaning an Administrator. If I do differently, I break Windows interoperability.
Quote:
but why not giving to user a full mapping table in UserMapping file, like in groups and passwd files?

Can you explain? The UserMapping table is expected to contain a SID for each non-generic user or group; there is just an implicit rule to avoid defining users which have no meaning for Windows (user ftp, etc.). Generic users and groups match Microsoft specifications to the extent allowed by the differences of concepts between Linux and Windows.

Quote:
WD is *not* an user, is an acronym (a symlink) from my home directory, pointing to /mnt/wd_500 8)

Ok, I meant "me", and "me" is not root, so it is not the owner of Video.rar, because the owner of Video.rar is root. I think I was right apart from writing WD instead of me, and I still think the behavior is correct. Please connect as root, change the owner to "me" and then change protections as the plain user "me".
If the result is not satisfactory, post your commands, the results, including the parent directory (double-dot) and the UserMapping file.

And have a nice week-end.

Jean-Pierre


Fri Dec 18, 2009 23:47