Current approaches to ACL handling

Christopher R. Hertel crh at ubiqx.mn.org
Mon Oct 1 13:15:22 MDT 2012


On 10/01/2012 02:04 PM, simo wrote:
> On Mon, 2012-10-01 at 13:57 -0500, Christopher R. Hertel wrote:
>> On 10/01/2012 01:52 PM, Jeremy Allison wrote:
>>> On Mon, Oct 01, 2012 at 02:42:51PM -0400, simo wrote:
>>>> On Mon, 2012-10-01 at 13:28 -0500, Christopher R. Hertel wrote:
>>>>> What are the current best practices for ACL handling?
>>>>>
>>>>> To my knowledge, it's using EAs to store the ACLs.  Is there any in-depth
>>>>> documentation on this implementation?  Are there any other mechanisms in use?
>>>>
>>>> We store the Windows ACL in an EA and a matching posix ACL translation
>>>> on the file, plus a sha hash of the ACL so we can be sure they are in
>>>> sync.
>>>>
>>>> I am not aware of any other doc beyond the code.
>>>
>>> Well there are some SambaXP talks on it I did a while ago :-).
>>>
>>> Sorry.
>>
>> I'll look at the code and your talks.  Those are the kinds of pointers I needed.
>>
>> Is there any reason to even consider the possibility of thinking about
>> pondering the idea of toying with the concept of somehow using TDB (CTDB) to
>> manage ACLs, or is that not a particularly rational approach?
>
> We had one TDB based, not really a good idea, EAs tend to move with
> files, TDB databases do not. Plus you really do not want to do
> enforcement of ACLs in user space. Ideally we should try to get RichACLs
> in the Linux kernel so we do not need to keep pairs in EAs.

Amen.
...but until we have RichACLs I have to come up with something.  If the EA 
approach is the current best practice, then I'll pursue that.

Thanks!

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
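The EA-plus-hash scheme simo describes above (Windows ACL in an EA next to a hash of the matching POSIX ACL), as an added illustrative model, not Samba's vfs_acl_xattr code: it shows why the digest matters, since a chmod or setfacl done behind the server's back is detected as a desync and the stored NT ACL can be treated as stale. The EA name, SHA-256 as the hash, the JSON layout and the dict standing in for the file's xattrs are all assumptions made for the demo.

```python
import hashlib
import json

# Assumed EA name for the demo; Samba's real attribute name and on-disk
# layout are not part of this example.
NTACL_EA = "security.NTACL"


def posix_acl_hash(posix_acl):
    """Digest of the POSIX ACL in canonical form, so any change to the
    mode bits or ACL entries changes the hash (SHA-256 is an assumption)."""
    canonical = json.dumps(posix_acl, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def store_nt_acl(xattrs, nt_acl, posix_acl):
    """Write the Windows ACL into the EA together with the digest of the
    POSIX ACL that was set on the file at the same time."""
    record = {"nt_acl": nt_acl, "posix_hash": posix_acl_hash(posix_acl)}
    xattrs[NTACL_EA] = json.dumps(record)


def load_nt_acl(xattrs, posix_acl):
    """Return (nt_acl, in_sync). in_sync is False when the POSIX ACL now on
    the file no longer matches the digest saved beside the NT ACL, i.e. it
    was modified out of band and the stored NT ACL must not be trusted."""
    raw = xattrs.get(NTACL_EA)
    if raw is None:
        return None, False
    record = json.loads(raw)
    return record["nt_acl"], record["posix_hash"] == posix_acl_hash(posix_acl)


def demo():
    """Constructed sample: set both ACLs, then simulate a chmod o+r done
    outside the server and show the desync being caught."""
    xattrs = {}  # stands in for the file's extended attributes
    posix_acl = {"owner": "rw-", "group": "r--", "other": "---", "user:alice": "rw-"}
    nt_acl = [["alice", "FULL"], ["Everyone", "READ"]]
    store_nt_acl(xattrs, nt_acl, posix_acl)
    _, in_sync_before = load_nt_acl(xattrs, posix_acl)
    tampered = dict(posix_acl, other="r--")
    _, in_sync_after = load_nt_acl(xattrs, tampered)
    return in_sync_before, in_sync_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```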
