[PATCH] Remove smb_acl_t manipulations from the VFS layer

Andrew Bartlett abartlet at samba.org
Mon Aug 13 05:10:59 MDT 2012


On Mon, 2012-08-13 at 08:08 +1000, Andrew Bartlett wrote:
> This patch moves the declaration of smb_acl_t to IDL and changes the
> allocation code to use talloc.
> 
> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/posix-acl-provision-wip
> 
> The reason I'm doing this is that I want to have some tests on and
> confidence with the NT -> posix ACL conversions, particularly as I have
> had some patches changing behaviour here accepted.
> 
> The issue is that doing this as non-root has issues, so I want to
> emulate the whole ACL and ownership store by putting it on an xattr (and
> in turn in a tdb). 
> 
> To do this, I need to be able to marshal an smb_acl_t.  In turn, I
> should be able to parse it with python, which will help a lot with
> validating results.
> 
> It also means we can (later, or sooner if you request) take the step of
> enrolling the objects into the talloc tree correctly. 
> 
> Please carefully review this, and see what you think.  
> 
> It passes a full manual autobuild on sn-devel.

I've updated the branch, and it now contains a major VFS change.

Originally, when you added the posix ACL layer to the VFS, the VFS layer
provided hooks to allocate and manipulate all aspects of the ACL.

However, since then we have not seen any alternate implementations of
these APIs.  Instead, it seems that the (now?) standardised smb_acl_t
structure is converted at get/set time.

By removing these from the VFS this makes the ACL code much simpler, and
means that it is reasonable to read and write it via IDL and python.  It
also makes it much more practical to pass in a talloc parent to
sys_acl_init(), modifying only the VFS modules and the get/set VFS
hooks. 

I've split it up into patches for each function, and am running a
manual autobuild now.

This is needed for the posix ACL support in provision work as I can't
write automated tests for it without this change.  

Please let me know what you think,

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



