[NT ACLS] Using the security.* namespace for NTACL considered improper

tridge at samba.org tridge at samba.org
Tue Jan 19 14:06:30 MST 2010

Hi Simo,

 > Talking with Christoph Hellwig he said that security.* should *not* be
 > used as it is reserved for LSM modules (like SeLinux).

As I mentioned on IRC (sending here so others can see it), the
original reason for choosing security.* was that it was intended that
we eventually implement a LSM module that understands these
ACLs. Interpreting them in smbd was a stop-gap measure.

We haven't actually built the LSM, but for secure ACLs we really
should. Having ACLs only interpreted in user space is always a
suboptimal solution, especially with mixtures of local login, NFS and
SMB access.

Cheers, Tridge

More information about the samba-technical mailing list