mapping SYNCHRONIZE permission in NTFS ACL for ZFS
Jeremy Allison
jra at samba.org
Tue Jan 11 16:56:26 MST 2011
On Wed, Jan 12, 2011 at 12:39:42AM +0100, David Disseldorp wrote:
> Hi Paul,
>
> On Tue, 11 Jan 2011 13:35:19 -0800 (PST)
> "Paul B. Henson" <henson at acm.org> wrote:
> ...
> > I also noticed that whenever an acl is set from the windows side, it
> > also includes the SYNCHRONIZE permission for all entries. That
> > permission isn't listed in the GUI, although the command line icacls
> > program allows you to control it. It seems SYNCHRONIZE more or less
> > should always be on?
>
> The synchronize permission is a member of all Windows access limitation
> groups (Modify, Read & Execute, List Folder Content, Read and Write).
> I've not seen any reason to disable it, though that doesn't mean that
> nothing does.
>
> See http://technet.microsoft.com/en-us/library/cc732880.aspx
>
> > From MSDN:
> >
> > "The Synchronize permission allows or denies different threads to
> > wait on the handle for the file or folder and synchronize with
> > another thread that may signal it. This permission applies only to
> > multiple-threaded, multiple-process programs. "
> >
> > On the other hand, the synchronize permission under zfs is:
> >
> > synchronize (s) Permission to access file locally at
> > server with synchronize reads and
> > writes.
> >
> > Currently, this permission is not
> > supported.
> >
> > Not only is this completely different, it's not even implemented 8-/.
>
> This appears to be based on the original NFSv4 specification (rfc3530).
> FWIW the proposed NFSv4.1 spec (rfc5661) uses a completely different
> interpretation of the synchronize permission much closer in line with
> the Windows definition:
>
> Permission to use the file object as a synchronization
> primitive for interprocess communication. This permission is
> not enforced or interpreted by the NFSv4.1 server on behalf of
> the client.
> >
> > I don't really want the zfs synchronize permission set on all my zfs
> > stuff. It seems the best thing to do is to simply always flip that
> > bit on when the acl is sent to windows, and always flip it off when a
> > windows acl is written to a zfs object.
> >
> > I wrote a simple patch to do so. Any feedback on whether this is a
> > good solution, or recommendations on a better one, would be much
> > appreciated.
>
> This will not play nice with applications that explicitly disable the
> synchronize permission.

Actually I've yet to see any application do so - at least for file
permissions.

I'd probably recommend just always setting the SYNCHRONIZE_ACCESS
bit when returning an ACL from ZFS/NFSv4 within Samba, and just
ignoring whether it's set on or not on read.

Jeremy.
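
Added example, not part of the original thread and not Samba's own code: a sketch in C of the mapping discussed above, where the bit is always reported to Windows and never stored on the ZFS object. The struct demo_ace type and the function names are hypothetical, and leaving deny entries untouched on the way to Windows is an assumption of this example (setting the bit there would deny SYNCHRONIZE to the client).

```c
#include <stddef.h>
#include <stdint.h>

/* Bit values from the Windows access mask layout and RFC 3530; the
 * synchronize bit has the same numeric value on both sides. */
#define SYNCHRONIZE_ACCESS 0x00100000u /* Windows side */
#define ACE4_SYNCHRONIZE   0x00100000u /* NFSv4 / ZFS side */
#define ACE_TYPE_ALLOWED   0u
#define ACE_TYPE_DENIED    1u

/* Hypothetical minimal ACE: a real ACE also carries a principal and flags. */
struct demo_ace {
    uint32_t type;
    uint32_t mask;
};

/* ZFS/NFSv4 -> Windows: always report SYNCHRONIZE on allow entries.
 * Assumption of this example: deny entries are left alone, because adding
 * the bit there would deny SYNCHRONIZE to the client. */
uint32_t mask_to_windows(const struct demo_ace *ace)
{
    if (ace->type == ACE_TYPE_ALLOWED)
        return ace->mask | SYNCHRONIZE_ACCESS;
    return ace->mask;
}

/* Windows -> ZFS/NFSv4: disregard whatever the client sent for the bit,
 * so the (unimplemented) ZFS synchronize permission is never stored. */
uint32_t mask_to_zfs(const struct demo_ace *ace)
{
    return ace->mask & ~ACE4_SYNCHRONIZE;
}

/* Apply a per-ACE mapping in place; returns how many masks changed. */
size_t map_acl(struct demo_ace *acl, size_t n,
               uint32_t (*map)(const struct demo_ace *))
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = map(&acl[i]);
        if (m != acl[i].mask) {
            acl[i].mask = m;
            changed++;
        }
    }
    return changed;
}
```

With this mapping, a Windows ACL that explicitly clears SYNCHRONIZE on an allow entry reads back with the bit set, which is the incompatibility David points out.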