Supporting SACLs using EAs and a VFS module?

tridge at tridge at
Wed Mar 15 03:32:13 GMT 2006


 > I'm not 100% convinced that putting everything into one blob
 > is good. For speed reasons this is probably the right thing,
 > but not for variability. For my taste this is too much of an
 > all-or-nothing thing. For example there are systems out
 > there now that do have a create time stamp. If we
 > unconditionally put that into that NTFS Inode blob EA I
 > could imagine turning individual features on and off becomes
 > more difficult.

I broke it up a little in Samba4, so that the NT ACL goes in a
separate security.NTACL xattr, the EAs go in user.DosEAs and the file
attributes go in user.DosAttrib.

So for the SACL data, that would logically be added to security.NTACL,
by extending the IDL and adding a new version (see the IDL switch in
my last email).

As you suggested, I put all the file attribute data (timestamps etc)
in user.DosAttrib as they tend to be all used at once. Clients ask for
a qfileinfo call, and that needs all (or nearly all) of the
attributes, so grouping them makes sense.

For an example like a create time stamp that isn't needed, there is a
flags field, and we can define a flag that says "this field is not
used". That should make it easy to enable/disable features without
breaking existing EAs in filesystems.

Cheers, Tridge
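
The flags-field idea from the message above, as an added example that is not part of the original post and is not Samba code. The blob layout, the `demo_*` names and the flag value are assumptions made for illustration; Samba's real xattrs are encoded from IDL, which this does not reproduce.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical little-endian layout, for illustration only. It is NOT
 * Samba's NDR/IDL encoding of user.DosAttrib:
 *   u16 version | u32 flags | u32 attrib | u64 create_time | u64 change_time */
#define DEMO_VERSION          1u
#define DEMO_F_NO_CREATE_TIME 0x1u   /* "this field is not used" */
#define DEMO_F_KNOWN          DEMO_F_NO_CREATE_TIME
#define DEMO_BLOB_LEN         26u

struct demo_attrib {
    uint32_t flags, attrib;
    uint64_t create_time, change_time;
};

static uint64_t rd_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

static void wr_le(uint8_t *p, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Serialise; the slot of a disabled field stays in place and is zeroed,
 * so the blob length and the offsets of later fields never change. */
void demo_pack(const struct demo_attrib *in, uint8_t buf[DEMO_BLOB_LEN]) {
    int skip = (in->flags & DEMO_F_NO_CREATE_TIME) != 0;
    wr_le(buf, DEMO_VERSION, 2);
    wr_le(buf + 2, in->flags, 4);
    wr_le(buf + 6, in->attrib, 4);
    wr_le(buf + 10, skip ? 0 : in->create_time, 8);
    wr_le(buf + 18, in->change_time, 8);
}

/* Parse an xattr value. user.* xattrs are writable by anyone with write
 * access to the file, so length, version and flag bits are all checked.
 * Returns 0 on success, -1 on a malformed or unsupported blob. */
int demo_parse(const uint8_t *buf, size_t len, struct demo_attrib *out) {
    if (buf == NULL || len != DEMO_BLOB_LEN) return -1;
    if (rd_le(buf, 2) != DEMO_VERSION) return -1;
    out->flags = (uint32_t)rd_le(buf + 2, 4);
    if (out->flags & ~DEMO_F_KNOWN) return -1;
    out->attrib = (uint32_t)rd_le(buf + 6, 4);
    out->create_time = (out->flags & DEMO_F_NO_CREATE_TIME) ? 0 : rd_le(buf + 10, 8);
    out->change_time = rd_le(buf + 18, 8);
    return 0;
}
```

Blobs written with the flag clear and blobs written with it set have the same length and field offsets, so the same parser reads both.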

More information about the samba-technical mailing list