PROPOSAL: extend UNIX_INFO2 to mark existence of ACLs

Christopher R. Hertel crh at ubiqx.mn.org
Wed Jan 23 02:11:12 GMT 2008


James Peach wrote:
> On Jan 22, 2008, at 3:46 PM, Christopher R. Hertel wrote:
> 
>> Jeremy Allison wrote:
>>> On Tue, Jan 22, 2008 at 05:16:14PM -0600, Steve French wrote:
>>>> There are systems which support Unix Extensions but do not support
>>>> POSIX ACLs.
>>
>> Yep.  I'm working with one such currently.
> 
> I intended that this bit would be set by any server that understood the
> UNIX_INFO2 info level and had a concept of (on-disk) ACLs that went
> further than a one-to-one mapping of the POSIX permissions bits.

The SNFS file system does not support POSIX ACLs but does understand the
POSIX permission bits.  The question of whether or not to support the Unix
Extensions in general has been raised.

> From a client point of view, the bit is flagging whether there is any
> more security information to fetch that isn't in the UNIX_INFO2
> response. Whether the extra security information is a POSIX ACL or a NT
> security descriptor doesn't matter all that much (i.e. the server has to
> unify these somehow anyway).

Actually not.  Yes, I've already had this discussion and I appreciated the
points made, but under SNFS the POSIX and Windows access controls are kept
separate.  The task I have been given is to extend the Windows semantics to
CIFS clients.

This is also why I'm interested in the Unix extensions.  We have not yet
tackled that issue, but when we do I am hoping for some sort of
per-connection flag indicating whether the connection supports the Unix
extensions or not.

:
>> The proposal is to overload the Permissions field in the structure
>> returned by the UNIX_INFO2 call.
> 
> No, it's to define an extra bit in this field. The extra bit means
> "there are security attributes that aren't represented here".
>
> #define UNIX_EXTENDED_SECURITY (1ULL<<63) /* choose a less generic name! */
> 
> If a client sees this bit, it can query the security descriptor or fetch
> the POSIX ACL, whichever it prefers. I expect that most clients that
> support the UNIX extensions would simply fetch the ACL.

Whether it's overloading or not depends on the original intent of the use of
that field, but I'm splitting hairs.  (I'm good at that.  :)

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
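
How a client might act on the proposed bit, as an added example that is not code from this thread or from Samba: it decodes the 64-bit Permissions field, strips the flag before using the mode bits, and decides whether more security information must be fetched. The names `PERM_MODE_MASK`, `perm_action`, `perm_from_wire` and `classify_permissions`, and the placement of the POSIX mode in the low 12 bits, are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit proposed in the thread; ULL keeps the shift in 64-bit arithmetic. */
#define UNIX_EXTENDED_SECURITY (1ULL << 63)
/* Assumption: POSIX mode (rwx for user/group/other plus setuid, setgid,
 * sticky) occupies the low 12 bits of the Permissions field. */
#define PERM_MODE_MASK 07777ULL

/* Hypothetical client decisions, named for this example only. */
enum perm_action { PERM_MODE_ONLY, PERM_FETCH_ACL, PERM_UNKNOWN_BITS };

/* Decode the 8-byte Permissions field; SMB integers are little-endian. */
static uint64_t perm_from_wire(const unsigned char b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Store only the POSIX bits in *mode and report what the client should do. */
static enum perm_action classify_permissions(uint64_t perms, unsigned *mode)
{
    *mode = (unsigned)(perms & PERM_MODE_MASK);
    if (perms & ~(PERM_MODE_MASK | UNIX_EXTENDED_SECURITY))
        return PERM_UNKNOWN_BITS;  /* unrecognised bits: treat mode as incomplete */
    if (perms & UNIX_EXTENDED_SECURITY)
        return PERM_FETCH_ACL;     /* query the POSIX ACL or security descriptor */
    return PERM_MODE_ONLY;         /* mode bits are the whole story */
}

int main(void)
{
    /* Constructed sample: mode 0644 with the proposed bit set. */
    const unsigned char wire[8] = { 0xa4, 0x01, 0, 0, 0, 0, 0, 0x80 };
    unsigned mode;
    enum perm_action act = classify_permissions(perm_from_wire(wire), &mode);
    printf("mode=%04o action=%d\n", mode, act);
    return 0;
}
```

Masking before use matters on the client side: passing the raw field to code that expects a mode would carry the flag bit along, and ignoring the flag would present the mode bits as the complete access picture when the server holds more.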

