[PATCH][RFC] hash the posix ACL not the SD for acl_xattr
Andrew Bartlett
abartlet at samba.org
Mon Sep 10 07:14:21 MDT 2012
On Mon, 2012-09-10 at 23:12 +1000, Andrew Bartlett wrote:
> The attached patch is much more than I would prefer to do at this point,
> but that's why I'm sending this out incomplete, to try and get some
> feedback.
The branch on which this is based and included is:
https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/acl-fixes-2
> This adds VFS methods to get a blob of the posix ACL. The idea is that
> we will hash that, if available, instead of the NT ACL it becomes. This
> in turn insulates the ACL from changes in our mapping code.
>
> I need this because in some situations I've seen this:
>
> get_nt_acl_internal: blob hash does not match for
> file /usr/local/samba/sysvol/weaubleau.k12.mo.us/ - returning file
> system SD mapping.
>
> This is for an ACL just set, and not changed. The (awaiting
> confirmation) issue seems to be idmap values that get into the cache as
> a both-way map, but where more than one SID maps onto a GID. Perhaps we
> should just fix that, but the need for the xattr hash to be based on the
> posix ACL has always been a bugbear of mine.
>
> A future version of this patch should probably also return:
> - the owner and mask
> - metadata to reconstruct the module stack (ie a tag like posixacl) in
> case we have to cope with changes here later.
>
> Then, we should hash this blob, and also hash the SD, and allow either
> to match in vfs_acl_common.
>
> Alternatively, we can set "vfs_acl_xattr:ignore filesystem permissions=yes"
> on the [sysvol] share or try and assert that the idmapping is reflexive
> at classicupgrade time.
>
> Thoughts very much welcome!
>
> Thanks,
>
> Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
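
An added sketch of the proposal in the message above, not part of the original message and not Samba code: it stores a hash of the POSIX ACL blob alongside the hash of the mapped SD and accepts either on read. The blob layout, the toy mapping, the function names and the SIDs and GIDs are all constructed assumptions for illustration.

```python
import hashlib
import struct

USER_OBJ, GROUP, OTHER = 1, 8, 32  # tag values are constructed for this sketch

def posix_acl_blob(entries):
    """Canonical serialization of (tag, id, perms) entries; format is hypothetical."""
    return b"".join(struct.pack("<BIB", t, i, p) for t, i, p in sorted(entries))

def map_to_sd(entries, gid_to_sid):
    """Toy stand-in for the POSIX ACL -> NT SD mapping, driven by an idmap lookup."""
    aces = []
    for tag, qid, perms in sorted(entries):
        who = gid_to_sid[qid] if tag == GROUP else "tag-%d" % tag
        aces.append("%s:0x%x" % (who, perms))
    return ";".join(aces).encode()

def digest(data):
    return hashlib.sha256(data).hexdigest()

def store(entries, gid_to_sid):
    """Record both hashes at set time, as the message proposes."""
    return {"posix_hash": digest(posix_acl_blob(entries)),
            "sd_hash": digest(map_to_sd(entries, gid_to_sid))}

def validate(stored, entries, gid_to_sid):
    """Return which hash still matches: 'posix', 'sd' or None (stored SD is stale)."""
    if stored["posix_hash"] == digest(posix_acl_blob(entries)):
        return "posix"
    if stored["sd_hash"] == digest(map_to_sd(entries, gid_to_sid)):
        return "sd"
    return None

# Constructed data: two SIDs share GID 3000, so the reverse lookup is ambiguous.
acl = [(USER_OBJ, 0, 7), (GROUP, 3000, 5), (OTHER, 0, 0)]
idmap_at_set = {3000: "S-1-5-21-1-2-3-512"}
idmap_at_read = {3000: "S-1-5-21-1-2-3-1105"}

def demo():
    stored = store(acl, idmap_at_set)
    sd_only_ok = stored["sd_hash"] == digest(map_to_sd(acl, idmap_at_read))
    unchanged = validate(stored, acl, idmap_at_read)
    grown_idmap = {**idmap_at_read, 3001: "S-1-5-21-1-2-3-1106"}
    changed = validate(stored, acl + [(GROUP, 3001, 7)], grown_idmap)
    return sd_only_ok, unchanged, changed
```

With the SD hash alone, the untouched ACL fails validation once the GID resolves to the other SID; the POSIX blob hash still matches, while a real change to the on-disk ACL is rejected by both.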