[RFC 00/39] Richacls (2)

Andrew Bartlett abartlet at samba.org
Sun Apr 12 21:34:04 MDT 2015

On Fri, 2015-03-27 at 17:49 +0100, Andreas Gruenbacher wrote:
> Hello,
> here is an update to the richacl patch queue.  The changes since the last
> posting (https://lwn.net/Articles/634870/) include:
> * The ACL4_ and ACE4_ prefixes used for various richacl flags were renamed
>   to RICHACL_ and RICHACE_.  The flag values are still identical with NFSv4
>   for flags that exist in NFSv4.
> * The code is now uid/gid namespace aware.
> * The nfs server now uses richacls as its internal acl representation;
>   struct nfs4_acl is gone.  On the underlying file system, it uses either POSIX
>   ACLs or richacls depending on what that file system supports.
> * The nfs client now exports NFSv4 acls as richacls in the "system.richacl"
>   attribute instead of the nfs-specific "system.nfs4_acl" attribute, just like
>   local file systems.
> Note that the richacl xattr format has changed from the previous version and is
> incompatible.
> The git version is available here:
>   git://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux-richacl.git \
> 	richacl-2015-03-27
> For comparison, the previous version is available here:
>   git://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux-richacl.git \
> 	richacl-2015-02-26
> Things still to be done, or which I'm not entirely happy with:
>  * We may need to add back support for the "system.nfs4_acl" attribute
>    on nfs mounts for backwards compatible.  Is anyone actually using that
>    attribute?

Just a heads-up, mostly for the Samba Team (hence dropping a pile of
CC).  Samba has code that tries to use a system.nfs4acl attribute, and
stores our own implementation of an NFSv4 ACL, using NDR in that
attribute.  It isn't intended to be used in real systems however, I
wrote it to then be layered on top of a fake xattr layer, for use in our

If at all possible, we should implement the new richacls format in IDL,
and then change to system.richacl, as then users may be able to use this
module in a real-world situation. 

>  * It would make sense for CIFS to expose Windows ACLs as richacls as well.
>    Steve maybe?

That would be really, really cool.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list