NTVFS vs S3 file server

Michael Adam obnox at samba.org
Thu Dec 8 03:46:58 MST 2011


Hi Tridge,

Andrew Tridgell wrote:
> Hi Metze,
> 
> Thanks for the summary.
> 
> One more thing in the s4 ntvfs file server that I think should be
> brought into the s3 file server (at least as an option), is the
> "raceless override" code. That is the code that allows s4 to safely
> allow for full NT ACLs in userspace.
> 
> The basic idea is that if a file/directory has a NT ACL on it stored in
> a form that is not understood by the underlying filesystem, and that NT
> ACL would allow an operation, but the operation fails as the currently
> connected user, then the ntvfs backend can choose to 'override' the
> filesystem and allow the operation anyway. The key is to do this in a
> way that doesn't open up race conditions.
> 
> Normally doing ACLs in user space is very prone to symlink races, but it
> is in fact possible to do operations in a raceless fashion, as long as
> the OS supports a couple of modern system calls (eg. fchown, fchmod and
> O_NOFOLLOW on open). That is what is implemented in
> ntvfs/posix/pvfs_sys.c.
> 
> The big advantage of this approach is that it makes it possible to
> correctly implement NT ACLs without filesystem support, and without
> having to set the underlying file permissions very broadly (eg. without
> having to set "create mask = 777").

This is very interesting. In principle, the s3 smbd file server
has the foundations to implement this by virtue of the acl_xattr
(or even acl_tdb) vfs modules that intercept the set/get_nt_acl
vfs calls. This stores the native windows acls in xattrs (or a
tdb), mapping as much as possible down to the file system:
posix permissions, posix acls, nfs4 acls -- whatever is
available and configured in samba. The idea here is that when a
NT acl allows access, then the mapped file-system permission
should also allow it. The overriding is not done at
the moment (if I did not miss anything) but it should not be
too difficult to add, if desired, but in any case, it should
possibly be an option that can be turned on:

I see a potential danger with interoperability in heterogeneous
setups where cifs and nfs are served from the share at the same
time and other software might also want to change the permissions.
For this case, the acl_xattr module has the mechanism to fall
back to the permissions stored in the file system when they have
been changed externally with respect to the stored NT ACL. In these
mixed environments, the override mode is not an option, imho.

Cheers - Michael

> To avoid the races you do need to do quite a few extra system calls, but
> as it's only called on a "slow path" where the operation as the connected
> user has failed, it doesn't really hurt performance.
> 
> Cheers, Tridge
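The raceless pattern Tridge describes, as an added example written for this page (my own code, not Samba's pvfs_sys.c): open the object with O_NOFOLLOW and change its mode through the descriptor with fchmod(), instead of calling chmod() on a path that may have been swapped for a symlink in the meantime. The function names raceless_chmod and self_check, and the /tmp scratch paths, are assumptions of this example.

```c
/* Added example, not code from pvfs_sys.c: change a file's mode without
 * following symlinks, by acting on a descriptor instead of a path. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* chmod(path) follows symlinks, so a path swapped for a symlink between the
 * userspace ACL check and the call changes the wrong object. O_NOFOLLOW makes
 * open() fail with ELOOP on a symlink; fchmod() then acts on the opened object. */
int raceless_chmod(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;             /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
        close(fd);
        errno = EINVAL;                /* refuse devices, FIFOs, sockets */
        return -1;
    }
    int rc = fchmod(fd, mode), saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
/* Self-check on a constructed scratch file and a symlink to it under /tmp.
 * Returns 0 when the real file is changed and the symlink is refused. */
int self_check(void)
{
    char file[] = "/tmp/raceless_XXXXXX", lnk[64];
    struct stat st;
    int result = 0, fd = mkstemp(file);
    if (fd < 0) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) < 0) {
        unlink(file);
        return 2;
    }
    if (raceless_chmod(file, 0640) != 0 || stat(file, &st) != 0 ||
        (st.st_mode & 07777) != 0640)
        result |= 4;                   /* regular file must be changed */
    if (raceless_chmod(lnk, 0666) == 0 || errno != ELOOP)
        result |= 8;                   /* symlink must be rejected */
    unlink(lnk);
    unlink(file);
    return result;
}
```

The same descriptor-based approach applies to fchown() for the ownership side of the override; the extra open()/fstat()/close() calls are the "quite a few extra system calls" mentioned above.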