[PATCH][WIP] Make vfs_acl_xattr use hash of the posix ACL

Christian Ambach ambi at samba.org
Thu Oct 18 13:52:01 MDT 2012

Hi Andrew,

On 10/17/2012 11:57 AM, Andrew Bartlett wrote:

>> So vfs_acl_xattr would work like this:
>> 1. let VFS store the ACL
>> 2. ask for the native blob in the file system
>> 3. store native blob + Windows SD in EA
> I think you mean the hash of the native blob, but this looks correct to
> me.

Right, I realized that directly after hitting the send button.

>> This way we wouldn't have to render EAs invalid if we change the mapping
>> algorithms from native -> Windows SD and we still will be able to detect
>> any changes that were performed on the file system directly.
>> So for POSIX ACLs, we would store whatever acl_get_file(3) returns, for
>> other platforms like GPFS, we would store the blob that the filesystem
>> returns. They all are able to return a blob of some sort or another and
>> it would be up to the filesystem module maintainers to choose the most
>> appropriate one.
>> This would eliminate various conversions and should still address your
>> needs. What do you think?
> This is exactly what we do, and exactly why we do it (in my proposal).
> acl_get_file() returns a structure, but smb_acl.idl encodes essentially
> the same structure, with only one-to-one translation from the per-vendor
> acl_t on all our posix ACL implementations.

It took a while, but now I have understood what you were after :)
Thanks for not stopping giving answers (that were most probably 
repetitions of explanations found somewhere else in this monster thread).

> The the only reason we have any 'intermediate
> representation' (smb_acl_wrapper) is to capture the extra things that
> are part of the acl, but not actually in the ACL (user/group/mode) and
> to have something we can linearise trivially into NDR.

Some other file systems (e.g. NFSv4 file systems, I checked GPFS and
JFS2) would also need to store the owner/group information as the ACL
does not contain that information but the mode is redundant and derived
from the ACL.
OpenAFS seems to need to store the complete owner/group/mask combination.

To avoid code duplication across the modules to make up their own
structures (which are then hashed), would it make sense to make
smb_acl_wrapper more generic so it can be used by all modules?


More information about the samba-technical mailing list