Problem
The UCS@School team was recently made aware of a problem that causes the ucs-school-umc-exam module to fail with an error message stating OSError: [Errno 28] No space left on device. This is caused by incorrect handling of NT ACLs. In this particular case, existing NT ACL ACEs were appended even though they were already present on the object, so they were duplicated until the reserved space (4KB) was full.
09.10.24 17:05:29.022 MAIN ( ERROR ) :
('Interner Server-Fehler in "schoolexam/exam/start".\nRequest: schoolexam/exam/start\n\nTraceback (most recent call last):\n
File "/usr/lib/python3/dist-packages/univention/management/console/modules/decorators.py", line 259, in _run\n result = self._function(*args, **kwargs) # type: Union[BaseException, _T]\n
File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 813, in _thread\n self.set_nt_acls_on_exam_folders(my.project.getRecipients())\n
File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 289, in set_nt_acls_on_exam_folders\n self.deny_owner_change_permissions(filename=str(os.path.join(root, f)))\n
File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolexam/__init__.py", line 274, in deny_owner_change_permissions\n setntacl(self.lp, filename, new_sddl, owner_sid, system_session_unix())\n
File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 227, in setntacl\n ndr_pack(ntacl))\n
OSError: [Errno 28] Auf dem Gerät ist kein Speicherplatz mehr verfügbar: \'/home/mejneschool2/lehrer/m.muster/windows-profiles/default.V6/Documents/desktop.ini\'',)
The behavior is described in Bug 57667 – Teacher home NT ACLs are changed on exam start and is fixed in version 18.0.15 of the ucs-school-umc-exam module.
Updating to this package version will NOT fix or clean up duplicated NT ACLs that already exist on the system.
Solution
Therefore, the UCS@school team provides the following script to clean up the duplicated entries.
cleanup_ntacls.py (1.3 KB)
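#!/usr/bin/python3
# Remove duplicated ACEs from the NT ACLs of all files below a home directory.
from samba.auth_util import system_session_unix
from samba.ntacls import getntacl, setntacl
from samba.param import LoadParm
from argparse import ArgumentParser
import os

# Load the local Samba configuration.
lp = LoadParm()
lp.load_default()


def _get_nt_acl(path: str):
    # Read the NT security descriptor stored for the file.
    return getntacl(lp, path, system_session_unix(), direct_db_access=True)


def remove_duplicate_aces(path: str):
    acl = _get_nt_acl(path)
    # Collect every distinct ACE once, in first-seen order.
    undiscovered_aces = []
    for ace in acl.dacl.aces:
        if ace not in undiscovered_aces:
            undiscovered_aces.append(ace)
    # Remove the collected ACEs from the DACL ...
    for ace in undiscovered_aces:
        try:
            acl.dacl_del_ace(ace)
        except Exception:
            # Errors while removing an ACE are ignored.
            pass
    # ... and add each distinct ACE back once.
    for ace in undiscovered_aces:
        try:
            acl.dacl_add(ace)
        except Exception:
            # Errors while adding an ACE are ignored.
            pass
    # Write the cleaned-up security descriptor back to the file.
    setntacl(lp, path, acl.as_sddl(), acl.owner_sid, system_session_unix())


def get_nt_acls(base_path: str):
    # Walk the directory tree and clean up every file found.
    for root, _, files in os.walk(base_path):
        for file in files:
            try:
                remove_duplicate_aces(os.path.join(root, file))
            except OSError:
                # Files whose ACL cannot be read or written are skipped.
                pass


if __name__ == "__main__":
    parser = ArgumentParser()
    parser.add_argument(
        "--homedir",
        required=True,
        nargs="?",
        type=str
    )
    args = parser.parse_args()
    get_nt_acls(args.homedir)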
You can use the attached script as follows:
root@mejneschool2:~/univention-support# python3 cleanup_ntacls.py --help
usage: script.py [-h] --homedir [HOMEDIR]
optional arguments:
-h, --help show this help message and exit
--homedir [HOMEDIR]
Example:
python3 cleanup_ntacls.py --homedir /home/mejneschool2/lehrer
Investigation
You can check the NT ACLs as follows:
samba-tool ntacl get <path_to_the_file_in_the_homepath> --as-sddl
Before applying this article, the NT ACLs could look like this:
root@mejneschool2:/home/mejneschool2/lehrer/m.muster/windows-profiles# samba-tool ntacl get /root/univention-support/default.V6.old/Documents/desktop.ini --as-sddl
O:S-1-5-21-1150003711-260972013-2878653590-6456G:S-1-5-21-1150003711-260972013-2878653590-11611D:PAI(D;ID;WOWD;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-287
8653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(D;OICI;WOWD;;;S-1-5-21-1150003711-26097201
3-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711
-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1
150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S
-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001
301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A
;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301b
f;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;
0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;
WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)
(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013-28786535
90-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-260972013
-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-1150003711-
260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-1-5-21-11
50003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;;;;S-
1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;ID;0x001f01ff;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A
;ID;;;;S-1-5-21-1150003711-260972013-2878653590-11611)(A;ID;;;;WD)(A;ID;0x001301bf;;;OW)(A;ID;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150
003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6
456)(A;OICI;0x001301bf;;;OW)(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)
After using cleanup_ntacls.py, the output should look like this:
root@mejneschool2:/home/mejneschool2/lehrer/m.muster/windows-profiles# samba-tool ntacl get /home/mejneschool2/lehrer/s.gohmann/windows-profiles/default.V6/Documents/desktop.ini --as-sddl
O:S-1-5-21-1150003711-260972013-2878653590-6456G:S-1-5-21-1150003711-260972013-2878653590-11611D:PAI(A;OICI;0x001301bf;;;S-1-5-21-1150003711-260972013-2878653590-6456)
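To see which ACEs are repeated in the output of samba-tool ntacl get --as-sddl before running the cleanup, the SDDL string can be parsed directly. The following is an added example, not part of the UCS@school script; it assumes ACEs without nested parentheses (no conditional ACEs), and the sample SDDL with its SIDs is constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape printed by
# `samba-tool ntacl get <file> --as-sddl`; the SIDs are made up.
SAMPLE = (
    "O:S-1-5-21-1-2-3-1001G:S-1-5-21-1-2-3-513D:PAI"
    "(D;ID;WOWD;;;S-1-5-21-1-2-3-1001)"
    "(A;ID;0x001f01ff;;;S-1-5-21-1-2-3-1001)"
    "(A;ID;0x001301bf;;;OW)"
    "(A;ID;0x001f01ff;;;S-1-5-21-1-2-3-1001)"
    "(A;ID;0x001301bf;;;OW)"
    "(A;OICI;0x001301bf;;;OW)"
)

# "D:" + DACL flags + ACEs, followed by the SACL ("S:") or end of string.
DACL_RE = re.compile(r"D:(?P<flags>[A-Z_]*?)(?P<aces>(?:\([^()]*\))*)(?=S:|$)")
ACE_RE = re.compile(r"\([^()]*\)")


def _find_dacl(sddl):
    # Terminal output is often line-wrapped, so drop all whitespace first.
    flat = "".join(sddl.split())
    match = DACL_RE.search(flat)
    if match is None:
        raise ValueError("no DACL found in SDDL string")
    return flat, match


def dacl_aces(sddl):
    """Return the DACL's ACE strings in their original order."""
    _, match = _find_dacl(sddl)
    return ACE_RE.findall(match.group("aces"))


def duplicate_aces(sddl):
    """Map each ACE that occurs more than once to its number of occurrences."""
    return {a: n for a, n in Counter(dacl_aces(sddl)).items() if n > 1}


def dedupe_sddl(sddl):
    """Return the SDDL with only the first occurrence of each DACL ACE kept."""
    flat, match = _find_dacl(sddl)
    unique = dict.fromkeys(ACE_RE.findall(match.group("aces")))
    return flat[:match.start("aces")] + "".join(unique) + flat[match.end("aces"):]


if __name__ == "__main__":
    for ace, count in duplicate_aces(SAMPLE).items():
        print(f"{count}x {ace}")
    print(dedupe_sddl(SAMPLE))
```

Keeping the first occurrence of each ACE preserves the relative order of the remaining entries, which matters because deny and allow ACEs are evaluated in order.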