PROPOSAL: extend UNIX_INFO2 to mark existence of ACLs

James Peach jpeach at apple.com
Wed Jan 23 00:14:59 GMT 2008 

On Jan 22, 2008, at 3:46 PM, Christopher R. Hertel wrote:

> Jeremy Allison wrote:
>> On Tue, Jan 22, 2008 at 05:16:14PM -0600, Steve French wrote:
>>> There are systems which support Unix Extensions but do not support  
>>> POSIX
>>> ACLs.
>
> Yep.  I'm working with one such currently.

I intended that this bit would be set by any server that understood  
the UNIX_INFO2 info level and had a concept of (on-disk) ACLs the went  
further than a one-to-one mapping of the POSIX permissions bits.

 From a client point of view, the bit is flagging whether there is any  
more security information to fetch that isn't in the UNIX_INFO2  
response. Whether the extra security information is a POSIX ACL or a  
NT security descriptor doesn't mater all that much (ie. the server has  
to unify these somehow anyway).

>> Then they would have a zero in the "POSIX ACL exists" bit :-)
>
> As I understand it, the goal is to return a flag indicating whether  
> or not a
> Posix ACL (or similar Unixy ACL such as an NFSv4 ACL) exists  
> natively in the
> underlying file system on the server side.  This ACL would only be  
> used with
> the Unix extensions, and would provide Unix/Posix semantics.
>
> The proposal is to overload the Permissions field in the structure  
> returned
> by the UNIX_INFO2 call.

No, it's to define an extra bit in this field. The extra bit means  
"there are security attributes that aren't represented here".

#define UNIX_EXTENDED_SECURITY (1<<63) /* choose a less generic name! */

If a client sees this bit, it can query the security descriptor or  
fetch the POSIX ACL, whichever it prefers. I expect that most clients  
that support the UNIX extensions would simply fetch the ACL.

>
>
> Let me know how far off base I am.
>
> Shame there aren't any "reserved" fields in the return block.
>
> Chris -)-----
>
> -- 
> "Implementing CIFS - the Common Internet FileSystem"    ISBN:  
> 013047116X
> Samba Team -- http://www.samba.org/    -)-----     Christopher R.  
> Hertel
> jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development,  
> uninq
> ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

More information about the samba-technical mailing list