[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL
abartlet at samba.org
Fri Oct 12 14:09:11 MDT 2012
On Fri, 2012-10-12 at 14:18 +0200, Christian Ambach wrote:
> Hi Andrew,
> On 10/12/2012 01:26 PM, Andrew Bartlett wrote:
> > What I'm working on is an improved implementation of the hash in
> > vfs_acl_common.c. The new hash will be of the 'system' ACL, whatever
> > that is, rather than the NT ACL it maps to.
> And what is the problem this is supposed to solve? Sorry that I fail to
> see the need for this with the information I have up to now.
> That we can change the ACL->SD mappings without rendering all EAs invalid?
Yes. There is a very large body of code and configuration options that
could possibly render the EA invalid, and I want to reduce that.
> > By defining this interface, vfs_acl_common does not need to know what
> > the system ACL is, be it posix or nfsv4 or AFS. It can (if returned)
> > just hash the contents of the data_blob and store it.
> > At a later time, if the contents match, then the exact NT ACL that
> > the windows client set is returned. If the hash does not match, the
> > posix, NFSv4 or AFS ACL must have been changed outside Samba,
> > and an imperfect mapping to an NT ACL is returned instead. [...] I
> > would welcome patches to linearise NFSv4 into NDR in the same way I
> > did for posix ACLs in smb_acl.idl
> Shouldn't we better have one datatype that fits all variants instead of
> having datatypes for each style of ACL? And the common denominator here
> would be the general Windows SD format (as it has all fidelity).
Yes, that data type is DATA_BLOB. The hash code needs no more than that
(I initially proposed it to be the sha256, but was requested to pass up
> > The choice is quite deliberate. The upper case versions call the
> > next, or top module. This function calls the current module, which
> > often implements the sys_acl_get_file_fn, and which we then want to
> > call.
> > This allows one set of helper functions to assist all the different
> > posix ACL modules provide linearised ACLs as blobs.
> Ok, I understand why that style of calling the methods is used.
> But the approach that those modules include the vfs_acl_common.c file
> should IMHO be fixed as well.
The only modules that include vfs_acl_common are vfs_acl_tdb and
If you refer to the helper functions I added, these are in posix_acls.c,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
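
A toy model of the validity check discussed in this thread, added here as an illustration and not taken from the Samba patch or from vfs_acl_common.c. It compares hashing the mapped NT ACL with hashing the opaque system ACL blob. The names `AclStore`, `map_to_nt` and `blob_hash`, the sample ACL strings and the use of SHA-256 are all assumptions made for the example.

```python
import hashlib
import hmac

def blob_hash(blob: bytes) -> bytes:
    """SHA-256 over an opaque blob (stands in for hashing a DATA_BLOB)."""
    return hashlib.sha256(blob).digest()

def map_to_nt(sys_acl: bytes, mapping: str) -> str:
    """Hypothetical lossy system ACL -> NT ACL mapping; 'mapping' models config."""
    return f"{mapping}:{sys_acl.decode()}"

class AclStore:
    """Toy model of the EA: the client's NT ACL plus a validity hash."""

    def __init__(self, hash_system_acl: bool):
        self.hash_system_acl = hash_system_acl
        self.ea = None  # (stored_hash, nt_acl_set_by_client)

    def _current_hash(self, sys_acl: bytes, mapping: str) -> bytes:
        if self.hash_system_acl:
            return blob_hash(sys_acl)  # hash of the system ACL blob
        # hash of the NT ACL that the system ACL maps to
        return blob_hash(map_to_nt(sys_acl, mapping).encode())

    def set_nt_acl(self, nt_acl: str, sys_acl: bytes, mapping: str) -> None:
        self.ea = (self._current_hash(sys_acl, mapping), nt_acl)

    def get_nt_acl(self, sys_acl: bytes, mapping: str) -> str:
        current = self._current_hash(sys_acl, mapping)
        if self.ea and hmac.compare_digest(self.ea[0], current):
            return self.ea[1]  # exact NT ACL the client set
        return map_to_nt(sys_acl, mapping)  # imperfect mapping as fallback

def demo() -> dict:
    client_sd = "O:alice D:(A;;FA;;;alice)(D;;FW;;;guests)"  # constructed sample
    acl_v1 = b"user::rwx,group::r-x,other::---"  # constructed sample
    acl_v2 = b"user::rwx,group::r-x,other::r-x"  # changed outside Samba
    results = {}
    for name, flag in (("nt_hash", False), ("sys_hash", True)):
        store = AclStore(flag)
        store.set_nt_acl(client_sd, acl_v1, "map-A")
        results[name] = (
            store.get_nt_acl(acl_v1, "map-A") == client_sd,  # nothing changed
            store.get_nt_acl(acl_v1, "map-B") == client_sd,  # mapping config changed
            store.get_nt_acl(acl_v2, "map-B") == client_sd,  # ACL changed out of band
        )
    return results
```

Each tuple from `demo()` records whether the client's exact NT ACL survived with nothing changed, after a mapping change, and after an out-of-band ACL change.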