Fwd: Re: smbcacls support for automatic inheritance propagation

Noel Power nopower at suse.com
Thu Nov 21 11:41:14 MST 2013


It appears the message (with attachment) broke some size limit and my
message is in the moderation queue. Instead of the attached patch
mentioned in the mail below, please see

http://cgit.freedesktop.org/~noelp/noelp-samba/log/?h=smbcalcs-inherit-squash-v2
and the commit range
929be157d8e6fe9614a071230b89b742395786be...3f77bf2ce318b51547c36f315b34a062ba7afccf
(or the top 5 commits if you prefer)

thanks,
Noel

-------- Original Message --------
Subject: 	Re: smbcacls support for automatic inheritance propagation
Date: 	Thu, 21 Nov 2013 17:52:44 +0000
From: 	Noel Power <nopower at suse.com>
Reply-To: 	noel.power at suse.com
To: 	Jeremy Allison <jra at samba.org>
CC: 	samba-technical at lists.samba.org



Hi Jeremy & list
On 07/11/13 09:48, Noel Power wrote:
> On 06/11/13 22:03, Jeremy Allison wrote:
>
> [...]
>> I don't have time right now to do a full review, but as soon
>> as I have a little more free time I'd be happy to work through
>> getting this into the tree with you.
> that would be great, I really appreciate that

So, here is version 2 of the smbcacls patch. Mostly the behaviour is as
described previously, but the patch has changed quite a bit. Also, I'd
like to clarify some of my original comments/concerns.

> Firstly I am uncomfortable with '--set' in the context of
> '--propagate-inheritance' ...

Well, this is no longer true; my previous thoughts on this were coloured
by a misunderstanding of the behaviour when inheritance is
enabled/disabled (via DACL) at a dir/file.

> ... and make '-add,delete & modify' more restrictive in the context of
> inheritance related behaviour.

add/delete/set/modify are now not more restrictive than smbcacls without
the '--propagate-inheritance' option, with a caveat, the caveat being
that an ACL with an ACE with (I) in it is rejected. This is because such
an ACE should not be directly applied but only 'inherited' from a parent
(via the inheritance rules '--propagate-inheritance' applies). However,
it should be noted that I am slightly in two minds about this
restriction; I could be easily convinced to just warn and continue.

> There are comments in the patch that indicate an ultimate intention to
> remove the '--propagate-inheritance' and fold the inheritance
> awareness into the base behaviour of smbcacls, those comments pre-date
> some of the concerns previously expressed

Since the concerns I previously had have now been relieved, I no longer
have a firm opinion about the potential folding in of the
'--propagate-inheritance' behaviour into the base smbcacls behaviour. I
suppose the prudent thing to do is to keep the legacy base behaviour for
the moment. But we could consider in the future removing the
'--propagate-inheritance' flag and instead providing a --legacy flag?

The previous patch can be disregarded; please find attached a new set of
patches (including man page updates and selftests). Comments welcome!
 
Thanks

Noel
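
The caveat described in the mail above, rejecting any ACE that carries the inherited (I) flag, sketched as an added example; this is not code from the mail or from the attached patches. The ACE string layout `ACL:name:type/flags/mask`, the symbolic flag names, and the function names `parse_ace_flags` and `ace_is_inherited` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACE_INHERITED 0x10u   /* Windows ACE header flag, shown as (I) */

/* Parse a flags field, numeric ("0x13") or symbolic ("OI|CI|I").
 * Returns 0 and stores the bits in *out, or -1 if malformed. */
static int parse_ace_flags(const char *s, unsigned *out)
{
    static const struct { const char *name; unsigned bit; } tab[] = {
        {"OI", 0x01}, {"CI", 0x02}, {"NP", 0x04}, {"IO", 0x08}, {"I", 0x10} };
    char *end = NULL;
    unsigned long v = isdigit((unsigned char)*s) ? strtoul(s, &end, 0) : 0;
    if (end && *end == '\0') { *out = (unsigned)v; return 0; }
    for (*out = 0; *s != '\0'; ) {
        size_t i, len = strcspn(s, "|");
        for (i = 0; i < 5; i++)
            if (strlen(tab[i].name) == len && !strncmp(s, tab[i].name, len))
                break;
        if (i == 5) return -1;                     /* unknown or empty token */
        *out |= tab[i].bit;
        s += len;
        if (*s == '|' && *++s == '\0') return -1;  /* trailing '|' */
    }
    return 0;
}

/* Classify one ACE string "ACL:name:type/flags/mask" (assumed layout).
 * 1 = inherited, reject; 0 = may be applied directly; -1 = unparsable. */
static int ace_is_inherited(const char *ace)
{
    char buf[64];
    unsigned flags;
    const char *p = strrchr(ace, ':'), *f, *m;
    if (!p || !(f = strchr(p, '/')) || !(m = strchr(f + 1, '/'))) return -1;
    size_t len = (size_t)(m - f - 1);
    if (len == 0 || len >= sizeof(buf)) return -1;
    snprintf(buf, sizeof(buf), "%.*s", (int)len, f + 1);
    if (parse_ace_flags(buf, &flags) != 0) return -1;
    return (flags & ACE_INHERITED) ? 1 : 0;
}

int main(void)
{   /* Constructed sample ACE, not taken from the mail or the patches. */
    printf("%d\n", ace_is_inherited("ACL:BUILTIN\\Users:ALLOWED/OI|CI|I/READ"));
    return 0;
}
```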
