Default ACLs and the ACL hash in vfs_xattr_common
Andrew Bartlett
abartlet at samba.org
Fri Oct 5 14:50:50 MDT 2012
On Fri, 2012-10-05 at 08:41 -0700, Jeremy Allison wrote:
> On Fri, Oct 05, 2012 at 03:47:20PM +1000, Andrew Bartlett wrote:
> > Jeremy,
> >
> > I've been looking over the ACL mapping code and in particular the
> > hash-based method in vfs_xattr_common.
> >
> > It is complex code, and so I'm trying to validate what I'm reading. As
> > far as I see it, the inclusion (or not) of the default ACL on a
> > directory in the ACL calculation depends on if we call
> > fget_nt_acl_common or get_nt_acl_common.
> >
> > This in turn makes me worry that the hashed SD (created with
> > fget_nt_acl_common) will not match for directories where we call
> > get_nt_acl_common, which might consider a default posix ACL.
> >
> > This is due to the difference between posix_fget_nt_acl() and
> > posix_get_nt_acl() in posix_acls.c
> >
> > The reason this comes to light for me now is that I'm looking to make
> > this more reliable, and hash the posix ACL. I've made preparations
> > before rc1, but I need to finish the work, and noticed the need to
> > consider these default ACLs.
> >
> > I'll keep digging, but I just thought I might raise the issue.
>
> Thanks for checking, but I don't think this occurs.
>
> posix_get_nt_acl() reads the default ACL if it's a directory.
>
> Inside posix_fget_nt_acl() we have:
>
> if (fsp->is_directory || fsp->fh->fd == -1) {
> return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
> security_info, ppdesc);
> }
>
> So if it is a directory (which we know from the fsp pointer, and is
> the only case where we can have a default ACL) then we simply return
> posix_get_nt_acl(), which does fetch the default ACL.
>
> I think you missed that in the control flow.
Yes, I missed that. Thanks!
It's a pity given the possibility of renames that the acl_get_fd()
function can't take a type. I guess it's because you 'normally' don't
open a directory to get an fd. Should we re-stat the fd here to be sure
we know the right name, or has it already been done recently by a
caller?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list