[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2
Ralph Böhme
slow at samba.org
Wed Aug 24 14:06:42 UTC 2016
Hi Eric,
On Thu, Aug 18, 2016 at 07:57:36AM -0600, Eric Eastman wrote:
> >> The line causing the problem with 4.5rc2 is:
> >> acl_xattr:ignore system acls = yes
> >
> > this change was introduced in
> > <https://bugzilla.samba.org/show_bug.cgi?id=12028>
> >
> > Before explaining the gory details, one question: why are you setting
> > this option?
>
> I am setting this option per the vfs_acl_xattr.8 man page
> recommendations. Using a Windows system I setup a Home directory under
> the root directory, /zzz/Home in this case, and that directory gets
> the needed NT ACLs when it is created. Not having access to /zzz on
> my Windows AD was a surprise when I started testing 4.5, as this has
> worked for me since 4.1.x. Other than creating /zzz, all access to the
> /zzz/Home tree is done using shared SMB mounts from Linux and Windows.
ok, thanks for that.
> > As this severely impacts existing setups, we have three options to
> > address this:
> >
> > 1. Revert it,
> > 2. Document it, or
> > 3. Do it differently
> >
> > 1. Revert it
> >
> > Brings back the original problem: not behaving as a Windows server and
> > in certain situations unexpectedly exposing system POSIX permissions
> > as described in the above bug.
>
> I would not revert it, but per other recommendations, having a legacy
> option would be nice.
Yeah, as much as I'd like to avoid adding a new option, I guess we
have to do something about it. My latest take on this is:
acl_xattr:default acl style = [posix|windows]
This parameter determines the type of ACL that is
synthesized in case a file or directory lacks a
security.NTACL xattr.
When set to posix, an ACL will be synthesized based on the
POSIX mode permissions for user, group and others, with an
additional ACE for NT Authority\SYSTEM with full rights.
When set to windows, an ACL is synthesized the same way
Windows does it, only including permissions for the owner
and NT Authority\SYSTEM.
The default for this option is posix.
tldr: this reverts behaviour to what it was before #12028 and makes the
behaviour introduced by #12028 optional.
Plan? Michael? Uri? Jeremy?
Cheerio!
-slow
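The difference between the two proposed "default acl style" values, modelled as a small Python illustration added here (not Samba's own code): for a path that lacks a security.NTACL xattr, the "posix" style synthesizes ACEs for owner, group and others from the mode bits, while the "windows" style grants only the owner and SYSTEM, which is why a locally created 0755 directory such as /zzz stops being reachable for non-owner AD users. The trustee names and the read/write/execute rights are a simplification of Samba's real access-mask mapping, assumed for the model only.

```python
"""Simplified model of the ACL vfs_acl_xattr synthesizes for a path with no
security.NTACL xattr, under the proposed 'default acl style' values.
Added illustration, not Samba code: the rights sets below are an
assumed simplification of the real NT access masks."""
import stat
from dataclasses import dataclass

FULL = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class Ace:
    trustee: str        # "owner", "group", "others" or "SYSTEM"
    rights: frozenset   # subset of FULL


def _rights_from_bits(mode, r_bit, w_bit, x_bit):
    """Map one rwx triplet of a POSIX mode to a rights set."""
    bits = ((r_bit, "read"), (w_bit, "write"), (x_bit, "execute"))
    return frozenset(name for bit, name in bits if mode & bit)


def synthesize_acl(mode, style="posix"):
    """Return the ACEs synthesized for a file/dir with POSIX `mode`."""
    owner = Ace("owner", _rights_from_bits(
        mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR))
    system = Ace("SYSTEM", FULL)   # NT Authority\SYSTEM always gets full rights
    if style == "windows":
        # Windows-like default: owner and SYSTEM only; group/others are dropped.
        return [owner, system]
    if style == "posix":
        group = Ace("group", _rights_from_bits(
            mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP))
        others = Ace("others", _rights_from_bits(
            mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
        return [owner, group, others, system]
    raise ValueError(f"unknown acl style: {style!r}")


def effective_rights(acl, trustees):
    """Union of rights from ACEs whose trustee the requester matches."""
    rights = frozenset()
    for ace in acl:
        if ace.trustee in trustees:
            rights |= ace.rights
    return rights


if __name__ == "__main__":
    # Constructed case: /zzz created locally as 0755, accessed by a non-owner.
    for style in ("posix", "windows"):
        acl = synthesize_acl(0o755, style)
        print(style, sorted(effective_rights(acl, {"group", "others"})))
```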