vfs_fruit bug in ACL get/set - [PATCH] attached.
Jeremy Allison
jra at samba.org
Wed Mar 7 22:26:45 UTC 2018
On Wed, Mar 07, 2018 at 11:07:36PM +0100, Ralph Böhme wrote:
> On Wed, Mar 07, 2018 at 01:47:54PM -0800, Jeremy Allison wrote:
> >
> > Yes I'm sure.
> >
> > SMB2 is designed around SIDs - built into all
> > ACL and ownership and in all the RPC calls and pipes
> > (LSA/SAMR etc.). So for POSIX you *have* to have a local-server
> > uid/gid to SID mapping in order to work at all.
> >
> > Returning uids/gid to a client exposes that internal
> > mapping over the network to clients. This is duplicate
> > (and possibly incorrect) information. What if you decide
> > to change your SID -> uid/gid mapping and change the
> > uids on the server side. That can happen with company
> > splits/merges with overlapping uid spaces. If you've
> > exposed both SIDs (which you already have to do) as
> > well as uids/gids to the client, then you've got to change
> > this mapping on *all* clients too, rather than making a
> > server-contained change.
> >
> > The uid/gid <--> SID mapping needs to remain hidden
> > and server dependent. SIDs *only* on the wire, and
> > clients can store and depend on one user representation
> > and not have to cope with two. As I recall, that's why
> > NFSv4 uses only a string name format (although it's
> > broken in that I think it can be a numeric string :-).
>
> Ok, sounds reasonable.
Thanks. The ability to remap server uid/gid <--> SID
assignments is the really important concept that it
took me a while to get, but now I've got there I really
don't want to lose it :-).
> I guess we should write down the design somewhere.
I'm planning to once I've got working code :-).
Until I've got working code I don't know if the design
works :-).
> > But this isn't needed to review the specific patch
> > I sent (I think :-). That's only about preventing
> > round-tripping adding more and more extraneous
> > ACE entries into the ACL :-).
>
> yeah, currently reviewing. Generally looks good. Goint to push with a few
> cleanups.
Thanks !
> Guess we need another README.Coding guideline for multiline statements
> indentation:
>
> Stamement spanning multiple lines shall be indented by aligning at the scoping
> enclosing parenthesis, eg
>
> bool foo = false;
> bool bar = true;
> bool okey_dokey = (check_that_does_something_with_foo(foo) ||
> check_that_does_something_with_foo(bar));
>
>
> Function invocations can also be split at the initial parenthesis like this:
>
> foo = this_function_made_my_day(
> bar, baz, oink, grunz, 42, slow, no_more_args);
Hmmm. Good points !
More information about the samba-technical
mailing list