Basic SACL support

Michael Krax mk-samba at
Thu Aug 17 09:49:52 GMT 2006


as announced yesterday, I have got some rather basic support for SACL.
Check out my bzr tree at

Let me just summarize what I have done so far:

* Added support for getting and setting SACLs to smbd/posix_acls.c.
  Works with (my) XP Pro.
* SACLs are saved in an extended attribute "trusted.SAMBA_SACL".  The
  trusted namespace was choosen because NT SACLs are protected by the
  SeSecurityPrivilege (as far as I understood), so only privileged
  software/users should be able to read them.  
* Added SeSecurityPrivilege to lib/privileges.c
* I did not try to understand the inheritance stuff, it is on my
  todo-list, but with a rather low priority.
* Wrote (more or less copied vfs_full_audit) a vfs module to log what is
  selected by the SACLs.
* Supporting functions are in lib/audit_sacl.c

What is working now:
* Reading and writing SACLs entries via the extended security dialog in
  Windows XP, at least for single files. Multiple SACL entries per file
  are possible.
* Logging access etc. to such files by a user.  Writing an entry to
> Aug 17 11:16:45 carmen smbd_audit: mkdom||Read \
> Control|ok|test/text.txt
  SACL was: user mkdom log "full" on "success".

I am well aware that there is much work to be done.  For now, focus is
on getting a useful representation between NT access rights and unix
accesses and to speed up things a little bit by implementing different
forms of caching.  I am thinking about two forms:
a) Avoid same entry in logfile. For now, syslog is filled with a lot of
identical entries.
b) Keep SACL in memory.

As for now, documentation is non existant.
Add "vfs objects = sacl_audit" to any share for which you want to enable
sacl auditing support.
Acl support (compile time option) should be enabled.  File system has to
support extended attributes (I am using xfs).

Any comments appreciated,


Michael Krax
Phone +49(0)30.76765923  Mobile +49(0)163.7325923

More information about the samba-technical mailing list