Security issue - storing NTACL's in non-NT-security-namespace

Jeremy Allison jra at
Thu Dec 12 11:13:15 MST 2013

On Wed, Dec 11, 2013 at 11:13:21PM -0800, L.A. Walsh wrote:
> I upgraded a few things on my system and have noticed a problem.
> I saved a file from Win7 -> samba share (using XFS)
> With the file was saved "security.NTACL" (and 2 other xattrs).
> I wanted to work on the file on a different partition
> also using XFS.  The "mv" operation displayed an error that
> the "security.NTACL" xattr was not able to be set on the
> destination (permission denied).
> I also found doing a 'cp' from "theFile" => "thefile2"
> silently stripped the 'security.NTACL'.
> Is it intentional that NTACLs should be so easily stripped
> off by normal copy/move operations?
> I think, at issue, is that samba shouldn't use a 'root-priv-only'
> "security" xattr, to store an ***Application*** attribute.

The problem is that if these attributes are there, Samba
can make security decisions based on their contents
(who owns the file etc.).

So at least as far as Samba is concerned, these *are*
root-priv-only security attributes.


More information about the samba-technical mailing list