[NT ACLS] Using the security.* namespace for NTACL considered improper

simo idra at samba.org
Wed Jan 20 06:24:55 MST 2010


On Wed, 2010-01-20 at 00:31 -0800, Jeremy Allison wrote:
> On Wed, Jan 20, 2010 at 09:19:28AM +0100, Stefan (metze) Metzmacher wrote:
> > simo schrieb:
> > > Tridge, Jeremy,
> > > I was following discussions on #samba-technical today and it came up
> > > that we have started using security.NTACL as the namespace where to
> > > store NT ACLs.
> > > 
> > > Talking with Christoph Hellwig he said that security.* should *not* be
> > > used as it is reserved for LSM modules (like SeLinux).
> > > 
> > > Looking at man 5 attr this is briefly hinted indeed, and after further
> > > discussion it became clear that we should use the trusted.* namespace
> > > instead as this is what the man page says about it:
> > > 
> > >         Trusted extended attributes are visible and accessible only
> > >         to processes that have the CAP_SYS_ADMIN capability (the super
> > >         user usually has this capability). Attributes in this class
> > >         are used to implement mechanisms in user space (i.e., outside
> > >         the kernel) which keep information in extended attributes to
> > >         which ordinary processes should not have access.
> > > 
> > > 
> > > I think we should comply, and start moving NTACL from security.NTACL
> > > to trusted.NTACL as soon as possible, before it gets widely used.
> > > 
> > > What do you think ?
> > 
> > With trusted.* we need a become_root() each time we want to read the
> > security descriptor.
> 
> We have to do that with security.* also - in fact we
> already do :-).

All we need for either security.* or trusted.* is CAP_SYS_ADMIN, so we
could avoid become_root() if letting the process retain CAP_SYS_ADMIN
does not have other unintended consequences.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
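As an added example (not Samba code), the following Python probes how the running Linux kernel and filesystem treat the three xattr namespaces discussed in this thread: it writes a constructed placeholder blob as user.NTACL, trusted.NTACL and security.NTACL on a temporary file and reports, per namespace, whether the write succeeded, was refused for lack of CAP_SYS_ADMIN, or is not stored by that filesystem.

```python
import errno
import os
import tempfile

# Constructed stand-in for a serialised NT security descriptor; the real
# NTACL blob format is not needed to observe the namespace permission rules.
SAMPLE_NTACL = b"constructed-sample-ntacl-blob"

def probe_namespace(path, name, value=SAMPLE_NTACL):
    """Set, read back and remove one xattr; return a short status string.

    "ok"          the namespace is writable by this process on this filesystem
    "eperm"       the kernel refused: trusted.* requires CAP_SYS_ADMIN
    "unsupported" the filesystem does not store attributes in this namespace
    otherwise     the lower-cased errno name of an unexpected failure
    """
    if not hasattr(os, "setxattr"):
        return "unavailable"          # xattr syscalls exist in os only on Linux
    try:
        os.setxattr(path, name, value)
    except OSError as e:
        if e.errno == errno.EPERM:
            return "eperm"
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENODATA):
            return "unsupported"
        return errno.errorcode.get(e.errno, str(e.errno)).lower()
    try:
        if os.getxattr(path, name) != value:
            raise RuntimeError("xattr %s did not round-trip" % name)
    finally:
        os.removexattr(path, name)    # leave the probe file clean
    return "ok"

def probe_all(attr="NTACL"):
    """Probe user.*, trusted.* and security.* on a fresh temporary file."""
    with tempfile.NamedTemporaryFile() as f:
        return {ns: probe_namespace(f.name, "%s.%s" % (ns, attr))
                for ns in ("user", "trusted", "security")}

if __name__ == "__main__":
    for ns, status in probe_all().items():
        print("%-9s %s" % (ns + ".NTACL", status))
```

Run as an unprivileged user, trusted.NTACL is expected to come back "eperm" while security.NTACL is typically writable by the file owner, which is exactly the distinction the man page excerpt above draws.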