Handle IDMAP_BOTH in posix_acls.c

Andrew Bartlett abartlet at samba.org
Sun May 6 16:49:22 MDT 2012 

On Sun, 2012-05-06 at 16:43 +1000, Andrew Bartlett wrote:
> On Fri, 2012-05-04 at 21:07 +0200, Christian Ambach wrote:
> > On 05/04/2012 04:17 AM, Andrew Bartlett wrote:
> > 
> > > I've looked at this, and I have three concerns:
> > >   - How is this code tested
> > >   - What is the purpose of the sidmap?
> > 
> > I think the sidmap was initially added to give users the possibility to 
> > define that a certain SID should better be replaced by another one when 
> > compiling the ACL. I am not aware of anyone actually using the function 
> > and I have troubles remembering why this functionality was added five 
> > years ago. I have crawled my mail archives without success.
> > 
> > sidmap was added to the code in the process of syncing Tridge's 
> > samba-ctdb bzr tree to Samba, so the history is lost as the bzr repo is 
> > not accessible any more. Maybe someone still has a copy around?
> > 
> > Maybe it was meant to be able to deal with SIDs which cannot be mapped 
> > for whatever reason (e.g. somebody copies file from its local machine to 
> > the share and the ACLs contain SIDs of the local machine).
> > 
> > >   - What is the purpose of the lookup_sid() call?
> > I would guess this relates to the sidmapping functionality above: if the 
> > SID cannot be found, then check if there is a replacement to use defined 
> > in the sidmap database.
> > 
> > > On the last point, it seems we have a potentially quite inefficient
> > > lookup_sid call in nfs4_acls.c:smbacl4_fill_ace4().  This is called for
> > > every ACE on every ACL set.
> > >
> > > I'm hoping this was just added out of paranoia, but it seems to be tied
> > > in to the sidmap.  In any case the posix ACL code doesn't do this, and
> > > it would work best if we remove it to support IDMAP_BOTH (but, due to
> > > doing this lookup, it also means that idmap both will simply be ignored
> > > for nfs4 in the interim).
> > 
> > I would vote to remove the whole sidmap code. I do not think this has 
> > seen real use yet and usecases for it seem to be very rare.
> > It's also not documented in README.nfs4acls.txt
> 
> Removing the sidmap, and the lookup_sids calls would be great, and make
> this much easier to patch.

The attached, untested patch implements this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-nfs4acls-Remove-lookup_sid-and-sidmap-from-NFSv4-.patch
Type: text/x-patch
Size: 5160 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120507/61bf99ad/attachment.bin>

More information about the samba-technical mailing list