Current approaches to ACL handling

Andrew Bartlett abartlet at samba.org
Mon Oct 8 19:42:02 MDT 2012 

On Mon, 2012-10-08 at 15:52 -0500, Christopher R. Hertel wrote:
> On 10/08/2012 03:19 PM, Marc Muehlfeld wrote:
> > Am 08.10.2012 18:05, schrieb Christopher R. Hertel:
> >> There is an inherent mismatch between the semantics of Windows ACLs and the
> >> models available in Linux/Unix, including the RichACL model.  There will
> >> never
> >> be a pure 1:1 mapping.
> >
> >
> > Sorry, if this is a stupid question from someone who isn't a developer:
> >
> > What about if the underlaying filesystem is NTFS? I mean if I e. g. have my
> > sysvol share on a NTFS formated partition on my s4 server. Wouldn't this be
> > a way where a mapping to unix ACLs are needless?
> >
> >
> > With ntfs-3g utils I can get the IDs of files on my NTFS volume:
> > # ntfs-3g.secaudit -vv bootmgr | grep ':dec'
> >      O:dec S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
> >      G:dec S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
> 
> Yes, that would give you Windows ACLs in the file system.
> 
> I am always ready to be hit with the clue-bat, but where I think there would 
> be trouble is in managing and enforcing those ACLs on the Linux side.  Local 
> users, NFS users, etc. ...  how do those interact?
> 
> I'm sure that the NTFS file system for Linux already has a way of mapping 
> the Windows ACLs to expected Linux/POSIX behaviors.  If so, I'm fairly sure 
> it would be another "adaptation", probably ignoring some permissions and 
> making guesses about others.  What happens, for instance, if a Linux process 
> creates a file on a mounted NTFS file system:
> 
>    :
>    path = "/mnt/wind/Users/Default/My Documents/foo.bar";
>    open( path, O_CREAT | O_TRUNC | O_WRONLY, 0764 );
>    :
> 
> I ask because I don't actually know the answer.  I'm not sure how the Linux 
> NTFS file system would interpret the above and what ACL it would create in 
> NTFS to represent it.

These things would indeed be a challenge, and as soon as there is a
local enforcement mechanism for NTFS ACLs, then most of the rest of our
ACL problems go away. 

What I've long dreamed about at least having our ACLs and dos attributes
transparent across the full stack of Samba or Wine -> NTFS / FAT / CIFS
and back again. 

Even without enforcement, it sure would be neat to be able to manipulate
NTFS and CIFS ACLs using Samba's 'samba-tool ntacl set' tool, and have
it understand our xattr name and format.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list