Group folders ACL not working for user permissions inheritance

[iwrbr]

Hi all,

Nextcloud: 20.0.6
Group folders: 8.2.0

For a group folder hierarchy, permissions granted for user groups are inherited by subsequent subfolders and files, but permissions granted for particular users are not inherited in the same manner.

I.E:
For some folder (called "Archive") in the group folder hierarchy, if I grant only read permission for group "USERS" (which the user "John" is part of) and grant all rights for user "John" (there are more users in the "USERS" group than "John" and I want only "John" to modify this particular folder), then "John" will have all rights in the "Archive" folder.
Then I create subfolder "2020" inside "Archive" folder (using the admin user, so there will be /Archive/2020/) without touching permissions for this folder.
Then "John" can see the folder "2020" and it's content (granted by both permission for group "USERS" and by permission for user "John"), but cannot write/delete/create into it, even if the permissions "John" sees for folder "2020" are "inherited" write/delete/create.

This means the rights of the group "USERS" overwrites the rights of the user "John" for the subsequest subfolders and files

I believe this is a bug

[D3nnis3n]

As an extension of that. If i gave the group "users" rights to only share and write to a group folder and then want to give a user in that group via advanced permissions the right to delete in a specific subfolder like /a/b/c, then the user can still not delete (and hence not move or rename, as that for some weird reason seems to be tied to delete) any files in there, as the group rights with no deleting overwrite the specific user right with yes for deleting.

So my only option is to allow deleting in general for that whole groupfolder to the group and then prohibit the group from deleting everywhere via advanced permissions and then add on top the permission for that specific user. That on the other hand, makes all users of that group able to delete any files out of the trashbin, even those deleted in folders they do not have delete access to and even then when they do not have delete access on any folder. Extremely big security issue.

Step to reproduce:

1. Create groupfolder "test" and group "test"
2. Give test access to that group folder and make it have write and share, but not delete permissions
3. Via advanced permissions give user "test" the permission to delete for subfolder /a/b/c
4. Try to delete something in that folder -> Be presented with "permission denied"

Workaround:

1. Create groupfolder "test" and group "test"
2. Give test access to that group folder and make it have write, share and delete permissions.
3. Via advanced permissions take the delete permission from group test on the main group folder with inheritance.
4. Via advanced permissions give user "test" the permission to delete for subfolder /a/b/c
5. Try to delete something in that folder -> Works for user test, but not for any other users in group test, as intended.
   BUT: All users of group test can now delete stuff from the trashbin, even if they have no delete permissions ANYWHERE.
   => Big security issue resulting

[fschrempf]

I think this is a duplicate of #1212 and/or #598.
@iwrbr Can you please check these issues and the PR #1654 and see if this covers your issue? Thanks!

[fschrempf]

@D3nnis3n What you describe above is considered expected behavior. The groupfolder permissions always describe the maximum permissions that can be assigned via ACL.

[D3nnis3n]

I'm not sure you understood what I was saying - it is not possible to do what I want to achieve without a security issue and is a very common use case, which to me is a clear bug. Or are you saying a security issue is expected behaviour?

[fschrempf]

I'm not sure you understood what I was saying - it is not possible to do what I want to achieve without a security issue and is a very common use case, which to me is a clear bug. Or are you saying a security issue is expected behaviour?

Sorry, but I don't get it. Can you please open a new issue and fill in the template? Please describe where you see a security issue and describe how to trigger it. Thanks!

[fschrempf]

Closing in favor of #1757.