ACL database

Matt Zinkevicius mattzink at qwest.net
Mon Mar 26 10:24:23 GMT 2001


I knew someone must have suggested this before :-) In my case I have no
choice though since our customers #1 requirement is full NT functionality,
and therefore performance, etc come second. As for the 660 permissions, I
can't do that since we allow NFS access to the box as well. I'm handling
unix->nt permission updating by running a daemon who watches the share using
kernel change notification and updates the acl in the database (maybe using
smbcacl if it stops dumping core on me :-)

--Matt

----- Original Message -----
From: "Mayers, Philip J" <p.mayers at ic.ac.uk>
To: <samba-technical at samba.org>
Sent: Monday, March 26, 2001 2:40 AM
Subject: RE: ACL database


> I suggested this a *long* time ago (couple of years, before the VFS layer
> IIRC) and was shot down in flames, for ease-of-use, engineering and
> performance reasons. I'll be very interested to see if this works.
>
> Re: the posix permissions - you could just ignore them, and ensure that
> they're set to 660 (but then of course you don't want to allow Unix
> logins...) - I'm sure there's a security hole there...
>
> Regards,
> Phil
>
> +----------------------------------+
> | Phil Mayers, Network Support     |
> | Centre for Computing Services    |
> | Imperial College                 |
> +----------------------------------+
>
> -----Original Message-----
> From: M Zinkevicius [mailto:mattzink at qwest.net]
> Sent: 26 March 2001 09:00
> To: samba-technical at lists.samba.org
> Subject: ACL database
>
>
> Hi gang,
> I just started implementing a database (tdb) in samba to hold security
> descriptors (NT ACLs) keyed on filename. I cannot use the POSIX ACL
mapping
> since they are a subset of true NT ACLs and result in permission
information
> loss, also my current filesystem (ReiserFS on linux) doesn't support POSIX
> ACLs anyway. Obviously the storage/retrieval of the ACLs should be easy
> enough, but will require manual enforcement within Samba itself (I've
doing
> this at the vfs wrapper layer). Does anybody see any major problems with
> this design? I already know that I'll have nightmares keeping synced up
with
> unix permission changes, but worth the hassle for file system agnostic
full
> NT ACL support.
>
> Is there any easy way in samba to get an entire security descriptor (ACL,
> ACE's, etc) into one contiguous memory space, which I can use to store the
> tdb value. Can I use parse_sec/sec_io_desc() or
parse_sec/sec_io_desc_buf()
> for this?
>
> Finally, below is a patch that changes
> nttrans/call_nt_transact_query_security_desc() to use the vfs instead of
> making a direct call.
>
> --Matt
>
> --- samba-2.2.0-orig/source/smbd/nttrans.c Wed Jan 31 05:17:13 2001
> +++ samba-2.2.0-ntacl/source/smbd/nttrans.c Sun Mar 25 10:04:27 2001
> @@ -1620,7 +1620,7 @@
>     * Get the permissions to return.
>     */
>
> -  if((sd_size = get_nt_acl(fsp, &psd)) == 0)
> +  if((sd_size = conn->vfs_ops.fget_nt_acl(fsp, 0, &psd)) == 0)
>      return(UNIXERROR(ERRDOS,ERRnoaccess));
>
>    DEBUG(3,("call_nt_transact_query_security_desc: sd_size =
> %d.\n",(int)sd_size));
>
>
>
>





More information about the samba-technical mailing list