smbcacls support for automatic inheritance propagation

Noel Power nopower at suse.com
Fri Jan 31 02:56:03 MST 2014


Hi David
On 30/01/14 17:20, David Disseldorp wrote:
> On Thu, 30 Jan 2014 15:41:00 +0000, Noel Power wrote:
>
>> On 29/01/14 17:50, David Disseldorp wrote:
[...]
>>> - What happens in the following scenario:
>>>   parent_dir
>>> 	+---child_dir
>>> 		+-----nested_file
>>>   1) setacl(parent_dir, allow:ddiss:read, OI)
>>>   2) setacl(child_dir, allow:noelp:write, OI)
>>>   Does nested_file end up with both allow: ACEs, or would propagation
>>>   during setacl(child_dir,...) remove the inherited allow:ddiss ACE?
>> it would remove it (if set would work) but remember from above
>> attempting to set is prohibited
> Would it remain on --add, --modify and --delete?
I'm not sure the example above is immediately transferable (with a
useful result) but... if I see what you are getting at, I think the
question you are really asking is,
"are inherited attributes from the parent of the container the smbcacls
operation is applied to taken into account?" The answer is no. The
result of the smbcacls operation (with '--propagate-inheritance') on the
parent is the same[1] as when you issue smbcacls (without
'--propagate-inheritance'). The propagation result is applied 'after' to
all children. So I think now that I actually meant to remove the '--set'
error (sorry I am struggling to recall after the time that has passed).
However, that said I do believe taking the parent container into account
is better and I think I should try to incorporate that. In other words
with '--propagate-inheritance' mode first apply the operation as normal
smbcacls would (noting 'b' from [1]) and then subsequently apply any
inherited attributes from the parent, next the 'propagate-inheritance'
part would proceed as previously at each child. Not sure how much that
will change the implementation, I'm hoping not much at all.

Noel

[1] there are 2 differences e.g. a) the error out with '--set' mentioned
previously (which on second thoughts seems inconsistent)
 &  b) we reject modifying inherited attributes (which I still think is
a good thing in '--propagate-inheritance' mode)
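
The parent_dir / child_dir / nested_file scenario from the thread, as an added example (not part of the original message and not smbcacls code). It is a simplified model of Windows-style ACE inheritance that handles only the OI, CI and IO flags; `Ace`, `Node`, `set_acl` and `use_parent` are hypothetical names. It compares propagation that ignores the target container's own parent with propagation that re-applies the parent's inheritable ACEs first.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    trustee: str
    perm: str
    flags: frozenset = frozenset()   # subset of {"OI", "CI", "IO"}
    inherited: bool = False

@dataclass
class Node:
    name: str
    is_dir: bool
    parent: object = None
    children: list = field(default_factory=list)
    acl: list = field(default_factory=list)

def inheritable(parent, child_is_dir):
    """ACEs a child receives from parent (simplified, NP flag ignored)."""
    out = []
    for a in parent.acl:
        if child_is_dir and "CI" in a.flags:        # effective on the subdirectory
            out.append(Ace(a.trustee, a.perm, a.flags - {"IO"}, True))
        elif child_is_dir and "OI" in a.flags:      # carried as inherit-only for files below
            out.append(Ace(a.trustee, a.perm, a.flags | {"IO"}, True))
        elif not child_is_dir and "OI" in a.flags:  # effective on the file
            out.append(Ace(a.trustee, a.perm, frozenset(), True))
    return out

def propagate(node):
    """Rebuild each descendant's inherited ACEs; explicit ACEs are kept."""
    for c in node.children:
        c.acl = [a for a in c.acl if not a.inherited] + inheritable(node, c.is_dir)
        propagate(c)

def set_acl(node, aces, use_parent):
    """Model of a --set on node followed by propagation to its children."""
    node.acl = list(aces)
    if use_parent and node.parent:   # variant: re-apply the parent's ACEs first
        node.acl += inheritable(node.parent, node.is_dir)
    propagate(node)

def scenario(use_parent):
    parent = Node("parent_dir", True)
    child = Node("child_dir", True, parent); parent.children.append(child)
    nested = Node("nested_file", False, child); child.children.append(nested)
    set_acl(parent, [Ace("ddiss", "read", frozenset({"OI"}))], use_parent)
    set_acl(child, [Ace("noelp", "write", frozenset({"OI"}))], use_parent)
    return sorted(a.trustee for a in nested.acl)
```
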

