[NT ACLS] Using the security.* namespace for NTACL considered improper

Matthieu Patou mat+Informatique.Samba at matws.net
Wed Jan 20 07:04:49 MST 2010


On 20/01/2010 11:31, Jeremy Allison wrote:
> On Wed, Jan 20, 2010 at 09:19:28AM +0100, Stefan (metze) Metzmacher wrote:
>> simo schrieb:
>>> Tridge, Jeremy,
>>> I was following discussions on #samba-technical today and it came up
>>> that we have started using security.NTACL as the namespace where to
>>> store NT ACLs.
>>>
>>> Talking with Christoph Hellwig he said that security.* should *not* be
>>> used as it is reserved for LSM modules (like SELinux).
>>>
>>> Looking at man 5 attr this is briefly hinted indeed, and after further
>>> discussion it became clear that we should use the trusted.* namespace
>>> instead as this is what the man page says about it:
>>>
>>>          Trusted  extended  attributes  are  visible and accessible only
>>>          to processes that have the CAP_SYS_ADMIN capability (the super
>>>          user  usually has  this  capability).  Attributes in this class
>>>          are used to implement mechanisms in user space (i.e., outside
>>>          the kernel) which keep information in extended attributes to
>>>          which ordinary processes should not have access.
>>>
>>>
>>> I think we should comply, and start moving NTACL from security.NTACL
>>> to trusted.NTACL as soon as possible, before it gets widely used.
>>>
>>> What do you think ?
>>
>> With trusted.* we need a become_root() each time we want to read the
>> security descriptor.
>
> We have to do that with security.* also - in fact we
> already do :-).
I am not sure that reading security.* implies being root, i.e.:

root@ares:/tmp# setfattr -n "trusted.pouet" -v "p" p
root@ares:/tmp# getfattr -d -m "" p
# file: p
trusted.pouet="p"

root@ares:/tmp# setfattr -n "security.pouet" -v "p" p
root@ares:/tmp# getfattr -d -m "" p
# file: p
security.pouet="p"
trusted.pouet="p"

mat@ares:~$ getfattr -d -m "" /tmp/p
getfattr: Removing leading '/' from absolute path names
# file: tmp/p
security.pouet="p"


Clearly, as a simple user, I can read security.* but not trusted.*.

Matthieu.
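
The comparison in the transcript above can be repeated programmatically to check which attributes an unprivileged process can read on a given file. This is an added example, not part of the original message or of Samba's code; the function names are hypothetical, and the default attribute names are the security.NTACL and trusted.NTACL discussed in the thread.

```python
import errno
import os
import sys

def probe_xattrs(path, names, getter=None):
    """Classify each attribute by what the current process gets on read."""
    getter = getter or os.getxattr  # Linux-only standard library call
    result = {}
    for name in names:
        try:
            getter(path, name)
            result[name] = "readable"
        except OSError as exc:
            if exc.errno == errno.ENODATA:
                # Attribute absent, or not visible to this caller (the
                # trusted.* case for the ordinary user in the transcript).
                result[name] = "no-data"
            elif exc.errno in (errno.EPERM, errno.EACCES):
                result[name] = "denied"
            else:
                raise
    return result

def readable_in(result, namespace):
    """Names under `namespace.` that this process was able to read."""
    prefix = namespace + "."
    return sorted(n for n, s in result.items()
                  if s == "readable" and n.startswith(prefix))

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py FILE [ATTR ...]")
    names = sys.argv[2:] or ["security.NTACL", "trusted.NTACL"]
    report = probe_xattrs(sys.argv[1], names)
    for name, status in report.items():
        print(f"{name}: {status}")
    exposed = readable_in(report, "security")
    if os.geteuid() != 0 and exposed:
        print("readable without root:", ", ".join(exposed))
```

Run it once as root and once as an ordinary user against the same file to compare the two views.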

