Current approaches to ACL handling

Christopher R. Hertel crh at
Mon Oct 1 13:15:22 MDT 2012

On 10/01/2012 02:04 PM, simo wrote:
> On Mon, 2012-10-01 at 13:57 -0500, Christopher R. Hertel wrote:
>> On 10/01/2012 01:52 PM, Jeremy Allison wrote:
>>> On Mon, Oct 01, 2012 at 02:42:51PM -0400, simo wrote:
>>>> On Mon, 2012-10-01 at 13:28 -0500, Christopher R. Hertel wrote:
>>>>> What are the current best practices for ACL handling?
>>>>> To my knowledge, it's using EAs to store the ACLs.  Is there any in-depth
>>>>> documentation on this implementation?  Are there any other mechanisms in use?
>>>> We store the Windows ACL in an EA and a matching posix ACL translation
>>>> on the file, plus a sha hash of the ACL so we can be sure they are in
>>>> sync.
>>>> I am not aware of any other doc beyond the code.
>>> Well there are some SambaXP talks on it I did a while ago :-).
>>> Sorry.
>> I'll look at the code and your talks.  Those are the kinds of pointers I needed.
>> Is there any reason to even consider the possibility of thinking about
>> pondering the idea of toying with the concept of somehow using TDB (CTDB) to
>> manage ACLs, or is that not a particularly rational approach?
> We had one TDB based, not really a good idea, EAs tend to move with
> files, TDB databases do not. Plus you really do not want to do
> enforcement of ACLs in user space. Ideally we should try to get RichACLs
> in the Linux kernel so we do not need to keep pairs in EAs.

...but until we have RichACLs I have to come up with something.  If the EA 
approach is the current best practice, then I'll pursue that.


"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
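
The EA scheme described in the quoted replies (Windows ACL in an EA, a POSIX ACL translation on the file, and a SHA hash to confirm the two are in sync), as an added sketch that is not part of the original message and is not Samba's code or on-disk format. Assumptions: a dict stands in for the file's EAs, the EA name and JSON layout are hypothetical, the hash is taken over the POSIX ACL, and the sample ACLs are constructed.

```python
import hashlib
import json

EA_NAME = "user.example.ntacl"  # hypothetical EA name, not the one Samba uses
SAMPLE_NT_ACL = "D:(A;;FA;;;BA)(A;;FR;;;WD)"  # constructed SDDL string


def posix_acl_digest(posix_acl):
    """SHA-256 over a canonical (sorted) rendering of the POSIX ACL entries."""
    canonical = "\n".join(sorted(posix_acl)).encode()
    return hashlib.sha256(canonical).hexdigest()


def store_acl(eas, nt_acl, posix_acl):
    """Save the Windows ACL with the digest of the POSIX ACL it was mapped to."""
    record = {"nt_acl": nt_acl, "posix_sha256": posix_acl_digest(posix_acl)}
    eas[EA_NAME] = json.dumps(record)


def stored_nt_acl_if_current(eas, current_posix_acl):
    """Return the stored Windows ACL only if it still matches the file.

    None means the EA is missing, or the POSIX ACL was changed outside the
    server (for example a local chmod or setfacl), so the stored Windows ACL
    no longer describes what the kernel enforces and must be rebuilt.
    """
    raw = eas.get(EA_NAME)
    if raw is None:
        return None
    record = json.loads(raw)
    if record["posix_sha256"] != posix_acl_digest(current_posix_acl):
        return None
    return record["nt_acl"]


def demo():
    eas = {}  # stands in for the extended attributes of one file
    posix = ["user::rw-", "group::r--", "other::r--"]  # constructed
    store_acl(eas, SAMPLE_NT_ACL, posix)
    unchanged = stored_nt_acl_if_current(eas, posix)
    # Simulate an out-of-band "chmod g+w": group entry no longer matches.
    changed = stored_nt_acl_if_current(
        eas, ["user::rw-", "group::rw-", "other::r--"])
    return unchanged, changed


if __name__ == "__main__":
    print(demo())
```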
