[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Christian Ambach ambi at samba.org
Fri Oct 12 05:11:33 MDT 2012

Hi Andrew,

On 10/09/2012 01:58 PM, Andrew Bartlett wrote:
> This patch (still a work in progress, as I know it fails some tests)
> is what I've been talking about for months, and which I got VFS
> changes in (almost - one small change in this patch) into 4.0.0rc1.
> The idea is simple, have the ACL modules (the posix ACL modules in
> particular) provide a blob form of the ACL, and then hash that,
> rather than an NT ACL that might change if our ACL mapping code
> changes.

I am not sure I am getting the problem you are trying to solve here.
What is the benefit of adding another representation of an ACL that is
just intermediate?

Can you give some more explanations that go further than the commit
message in your attachment?

> So far I've made it simply fall back in the NFSv4 case, but we can
> define these in IDL as well if we want to do the same there.

Depending on the use-case you are attempting to solve, I wouldn't
necessarily agree here. NFSv4 is almost the same as a Windows SD, but
not completely and there might be potential changes to the mapping
algorithm, too. There is some work ongoing in that regard (see Alexander
Werth's patches he sent around a few weeks back).

> The idea is to insulate these on-disk values from any required
> change we have to make.

> Any thoughts or comments most appreciated.
+ acl_wrapper.access_acl
+ = talloc_steal(frame,
+ smb_vfs_call_sys_acl_get_file(handle,
+ path_p,
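
Review bot: the return value of smb_vfs_call_sys_acl_get_file() is passed straight into talloc_steal() in the assignment to acl_wrapper.access_acl, so a failed ACL lookup is only visible afterwards as a NULL access_acl. The quoted lines end before any check is shown. Please make sure that acl_wrapper.access_acl is tested for NULL right after this assignment and that the error path is handled before the blob is hashed, so that a failed read is never treated as a valid (empty) ACL.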

For me such code would be easier to read if you would use the upper-case
variant of VFS calls, such as SMB_VFS_SYS_ACL_GET_FILE().

This makes it much easier to spot the actual calls into the VFS (and
that convention is used in the whole codebase I have looked into so far).

