What evaluates file perms when ACLs are involved?

Andrew Bartlett abartlet at samba.org
Wed Mar 8 11:31:47 GMT 2006


On Tue, 2006-03-07 at 19:59 -0800, Jeremy Allison wrote:
> On Wed, Mar 08, 2006 at 02:09:45PM +1100, Tim Potter wrote:
> > On Tue, 2006-03-07 at 18:58 -0800, Jeremy Allison wrote:
> > > On Tue, Mar 07, 2006 at 09:19:31PM -0500, Michael Lueck wrote:
> > > >
> > > > With Windows clients accessing these files via Samba in a Samba PDC 
> > > > environment, does Samba look to the filesystem / kernel to evaluate the 
> > > > ACLs, or is it involved in the process directly?
> > > 
> > > Samba only evaluates ACLs in userspace when it's trying to
> > > decide if a client has the ability to set the "delete on close"
> > > bit to remove a file - this has to be done at open time for Windows,
> > > thus the userspace check. Even if this passes Samba it's still
> > > up to the kernel to decide if that user can delete the file
> > > or not - it's done at close time instead.
> > 
> > Is it possible to map this to a call to access()?  You can only check
> > one of readable, writable or executable though.  It might not be enough
> > to remove this one userspace check.
> 
> Nope. access checks the *real* uid, not the effective one, making
> it singularly useless in this case ;-).

But don't we set the real UID these days?  I thought we did that on
systems where we can still get back root, to have the AFS kernel module
do the right thing.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
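
Added example, not part of the original thread and not Samba code: a small C program showing the point made above about access(), by comparing access() (real UID/GID) with faccessat(..., AT_EACCESS) (effective UID/GID) on a mode-0600 temporary file. The names compare_checks and check_result, the /tmp path and UID 65534 are assumptions; the two checks only differ when the program starts as root (real UID equal to effective UID) and can switch its effective UID.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct check_result {
    int setup_ok;  /* temporary file was created */
    int dropped;   /* effective UID was actually switched away from root */
    int real_ok;   /* access(): decided with the real UID/GID */
    int eff_ok;    /* faccessat(AT_EACCESS): decided with the effective UID/GID */
};

/* drop_to is an assumed unprivileged UID (65534, "nobody" on many systems). */
struct check_result compare_checks(uid_t drop_to)
{
    struct check_result r = {0, 0, 0, 0};
    char path[] = "/tmp/access_demo_XXXXXX";
    int fd = mkstemp(path);            /* mode 0600, owned by the caller */
    if (fd < 0)
        return r;
    close(fd);
    r.setup_ok = 1;

    /* Only root can switch its effective UID and later get it back. */
    if (geteuid() == 0 && seteuid(drop_to) == 0)
        r.dropped = 1;

    r.real_ok = access(path, W_OK) == 0;
    r.eff_ok = faccessat(AT_FDCWD, path, W_OK, AT_EACCESS) == 0;

    if (r.dropped && seteuid(0) != 0)
        abort();                       /* could not regain root */
    unlink(path);
    return r;
}

int main(void)
{
    struct check_result r = compare_checks(65534);
    printf("dropped=%d access()=%d faccessat(AT_EACCESS)=%d\n",
           r.dropped, r.real_ok, r.eff_ok);
    return r.setup_ok ? 0 : 1;
}
```

Run as an ordinary user, both checks agree; run as root, access() still reports the file writable after the effective UID has been switched, while the AT_EACCESS check does not.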