Samba ACL's and FreeBSD

Jeremy Allison jeremy at
Mon Apr 9 21:58:58 GMT 2001

Chris Faulhaber wrote:
> We are currently completing the initial ACL implementation in
> FreeBSD and looking forward to testing Samba.
> Currently all that is keeping us from compiling samba is
> the acl_get_perm() function.  Since this function is not
> part of the POSIX standard, it seems odd to expect it.

The reason is quite simple - it is needed to be able to
report actual permission bits back to a Windows client.

Without it there is no way to look up the current contents
of a permset so that it may be converted to a Windows ACL
bitmask. Well, actually you could use the API that converts a
ACL to a text representation and then search the string - but
this seemed so clumsy that I discarded the idea.

As POSIX ACL's are not a firm spec (ie. never got finalised)
I didn't think it too onerous to require it for Samba ACLs.

Does anyone know why this functionality (asking the "is this
value in this permset" question) was removed from the POSIX draft ?

> Implementing this function is trivial; however, since it is
> not a part of the standard, and therefore should not be
> expected to exist,

POSIX ACLs are a draft, not a standard, so I'm not too
worried about this.

> we would prefer it not be named in the
> ACL implementation namespace.  Currently we are naming
> non-standard functions with _np (non-portable).  And since
> OpenBSD is looking to use our implementation, along with a
> Darwin port that will be underway shortly, we are looking
> for the most portable way to implement this.
> Since an acl_get_entry() function already exists in
> lib/sysacls.c, it should not be too difficult to check
> for the function in the configure script and use the
> internal function as appropriate.  Unfortunately, I
> do not know how this may affect other ACL implementations.
> The other alternatives we are looking at are:
> 1) everyone use _np extension (not exactly realistic to
>    have everyone change their implementation).
> 2) check for the existance of acl_get_perm_np() in the
>    configure script and use that as appropriate.
> 3) #ifdef __FreeBSD__ (and any other OS's that may use our
>    implementation) and use acl_get_perm_np().  this can
>    quickly get messy :)
> In the interest of compatibility and keeping things simple,
> what would be the preferred method (from the Samba-
> developers' point-of-view) for implementation?

The ACL API's on all versions of UNIX are so messey anyway
(only Linux as far as I know has a "true" POSIX ACL patch)
that as far as Samba is concerned, I really don't care :-).

Whatever implmentation you use will have to be #ifdef'ed with
HAVE_BSD_ACLS or somesuch, unless your implementation is
identical enough to another (probably Linux) that it can
share the same code in lib/sysacl.c

This is the reason the wrapper file lib/sysacl.c was created
in the first place. Check how ugly it is in there already... :-).

> It has also been noted that acl_get_perm() depends on
> acl_perm_t being a bitmask-based implementation, which is
> not stated in the spec.  It will work for us (and
> apparently everyone else), but could cause problems if
> someone else does not make this assumption.

Well acl_get_perm doesn't force it to be a bitmask, it
is just doing a query of a permset_t with a constant.
It could be looked up in a remote LDAP database for all
the calling code cares :-). So I'm not sure that statement
is correct.

> Since this will be the first actual application to use our
> ACL implementation (other than the POSIX.2c utilities), we
> are quite anxious to make this work :)

Great ! I'm hoping Samba 2.2 will be a great help in getting
people to seriously use POSIX ACLs on UNIX.



Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list