smbcacls support for automatic inheritance propagation

Noel Power nopower at suse.com
Thu Nov 21 10:52:44 MST 2013


Hi Jeremy & list
On 07/11/13 09:48, Noel Power wrote:
> On 06/11/13 22:03, Jeremy Allison wrote:
>
> [...]
>> I don't have time right now to do a full review, but as soon
>> as I have a little more free time I'd be happy to work through
>> getting this into the tree with you.
> that would be great, I really appreciate that
>

So, here is version 2 of the smbcacls patch. Mostly the behaviour is as
described previously, but the patch has changed quite a bit. Also, I'd
like to clarify some of my original comments/concerns.

> Firstly I am uncomfortable with '--set' in the context of
> '--propagate-inheritance' ...

Well, this is no longer true; my previous thoughts on this were coloured
by a misunderstanding of the behaviour when inheritance is
enabled/disabled (via DACL) at a dir/file.

> ... and make '-add,delete & modify' more restrictive in the context of
> inheritance related behaviour.

add/delete/set/modify are now not more restrictive than smbcacls without
the '--propagate-inheritance' option, with a caveat, the caveat being
that an ACL with an ACE with (I) in it is rejected. This is because such
an ACE should not be directly applied but only 'inherited' from a parent
(via the inheritance rules '--propagate-inheritance' applies). However,
it should be noted that I am slightly in two minds about this
restriction; I could be easily convinced to just warn and continue.

> There are comments in the patch that indicate an ultimate intention to
> remove the '--propagate-inheritance' and fold the inheritance
> awareness into the base behaviour of smbcacls, those comments pre-date
> some of the concerns previously expressed

Since the concerns I previously had have now been relieved, I no longer
have a firm opinion about the potential folding in of the
'--propagate-inheritance' behaviour into the base smbcacls behaviour, I
suppose the prudent thing to do is to keep the legacy base behaviour for
the moment. But, we could consider in the future removing the
'--propagate-inheritance' flag and instead provide a --legacy flag?

The previous patch can be disregarded; please find attached a new set of
patches (including man page updates and selftests). Comments welcome!
 
Thanks

Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbcacls-auto-inherit.mbox
Type: application/mbox
Size: 117380 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131121/86bc3ac7/attachment-0001.bin>

