[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Andrew Bartlett abartlet at samba.org
Fri Oct 12 14:09:11 MDT 2012

On Fri, 2012-10-12 at 14:18 +0200, Christian Ambach wrote:
> Hi Andrew,
> On 10/12/2012 01:26 PM, Andrew Bartlett wrote:
> > What I'm working on is an improved implementation of the hash in
> > vfs_acl_common.c.  The new hash will be of the 'system' ACL, whatever
> > that is, rather than the NT ACL it maps to.
> And what is the problem this is supposed to solve? Sorry that I fail to
> see the need for this with the information I have up to now.
> That we can change the ACL->SD mappings without rendering all EAs invalid?

Yes.  There is a very large body of code and configuration options that
could possibly render the EA invalid, and I want to reduce that.  

> > By defining this interface, vfs_acl_common does not need to know what
> > the system ACL is, be it posix or nfsv4 or AFS.  It can (if returned)
> > just hash the contents of the data_blob and store it.
> >
> > At a later time, if the contents matches, then the exact NT ACL that
> > the windows client set is returned.  If the hash does not match, the
> > the posix, NFSv4 or AFS ACL must have been changed outside Samba,
> > and an imperfect mapping to an NT ACL is returned instead. [...] I
> > would welcome patches to linearise NFSv4 into NDR in the same way I
> > did for posix ACLs in smb_acl.idl
> Shouldn't we better have one datatype that fits all variants instead of
> having datatypes for each style of ACL? And the common denominator here
> would be the general Windows SD format (as it has all fidelity).

Yes, that data type is DATA_BLOB.  The hash code needs no more than that
(I initially proposed it to be the sha256, but was requested to pass up
the data_blob). 

> > The choice is quite deliberate.  The upper case versions call the
> > next, or top module.  This function calls the current module, which
> > often implements the sys_acl_get_file_fn, and which we then want to
> > call.
> >
> > This allows one set of helper functions to assist all the different
> > posix ACL modules provide linearised ACLs as blobs.
> Ok, I understand why that style of calling the methods is used.
> But the approach that those modules include the vfs_acl_common.c file
> should IMHO be fixed as well.

The only modules that include vfs_acl_common is vfs_acl_tdb and

If you refer to the helper functions I added, these are in posix_acls.c,
not vfs_acl_common.c

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list