should get_nt_acl_no_snum really avoid VFS modules?

[James Peach]

On 17/05/2007, at 5:15 PM, Jeremy Allison wrote:

> On Thu, May 17, 2007 at 03:17:57PM -0700, James Peach wrote:
>> Hi Jeremy,
>>
>> I just bumped into the get_nt_acl_no_snum() function, and it seems
>> that this always calls the POSIX ACL implementation.
>>
>> Since there's no guarantee that the file it is checking access to is
>> on a POSIX filesystem or that the platform even supports POSIX ACLs,
>> shouldn't this call SMB_VFS_GET_NT_ACL instead of get_nt_acl()?
>
> This is a local api for local people, there's nothing for
> you here ! :-).
>
> Seriously it's designed for smbd internal use, knowing it's
> accessing a local filesystem.... So I think it's just expecting
> a "standard" unix permset to be mapped into an NT ACL.

Hmm, so it doesn't really want to do what it actually does then?

> It doesn't matter if the path doesn't support POSIX ACLs
> as it'll translate mode_t into an NT ACL.

But if there is a non-Posix ACL, then whoever calls this probably has  
a reasonable expectation that the ACL actually does something.

I think that this should either explicitly look only at the mode bits  
or go through the SMB_VFS_GET_NT_ACL path. Do yo have a preference?

>> And shouldn't it use the dirname of the path it is checking for the
>> fake connectpath, rather than '/', since they could be different
>> filesystem types? And even that is a bit wonky, because it probably
>> assumes that the global ACLs module is appropriate for this path,
>> which might not be true.
>>
>> If you give me a hint, I'll code up a patch :)
>
> Hmmmm. Is it causing you grief at the moment ?

Not yet, though I guess it's possible that one day someone will call  
that code :) I was looking into ACL support and this looked weird.

--
James Peach | jpeach at samba.org