[RFC 00/39] Richacls (2)

[Andreas Grünbacher]

2015-04-13 5:40 GMT+02:00 Steve French <smfrench at gmail.com>:
> On Sun, Apr 12, 2015 at 10:34 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> Just a heads-up, mostly for the Samba Team (hence dropping a pile of
>> CC).  Samba has code that tries to use a system.nfs4acl attribute, and
>> stores our own implementation of an NFSv4 ACL, using NDR in that
>> attribute.  It isn't intended to be used in real systems however, I
>> wrote it to then be layered on top of a fake xattr layer, for use in our
>> testsuite.

Ah.

>> If at all possible, we should implement the new richacls format in IDL,
>> and then change to system.richacl, as then users may be able to use this
>> module in a real-world situation.

That's great. Samba will need librichacl for manipulating richacls and
librichacl already knows how to convert between the library's
in-memory and the xattr representation, so duplicating that in IDL
really makes no sense.

>>>  * It would make sense for CIFS to expose Windows ACLs as richacls as well.
>>>    Steve maybe?
>>
>> That would be really, really cool.
>
> Yes - I plan to do this as I have time (I think it is very important,
> more so for SMB3, but also for CIFS) and have also pinged Shirish
> about it.

Okay, let me try to describe how richacls fit into Samba.

A richacl consists of an NFSv4 ACL and three masks (one for the owner,
group, and other class). The masks can be computed from an NFSv4 ACL.
When file permissions are changed with chmod, this only changes the
masks. Permission checks are still possible, but the NFSv4 ACL alone
doesn't represent the permissions that the richacl grants. The masks
can be "applied" to the NFSv4 ACL though; this results in an NFSv4 ACL
that grants the appropriate permissions without the masks.

Samba doesn't have a way to transport richacl masks over the network.
Therefore, when it converts a Windows ACL into a richacl, it creates
the NFSv4 ACL and then computes the masks from that. (The masks then
also determine the file mode.) When converting a richacl to a Windows
ACL, Samba first needs to "apply" the masks.

Other than that, richacls are pretty similar to NFSv4 ACLs. Mapping
between Windows and NFSv4 permissions should be very simple. Richacls
store uids/gids, so SID to uid/gid conversion is needed. They have
OWNER@ and GROUP@ entries, so mapping between entries for the current
owner and owning group to OWNER@ and GROUP@ entries is needed.

Automatic inheritance is an interesting case that requires special
attention: when a file is created without explicit permissions under
Windows, it inherits its permissions from the parent directory. Later
when the permissions of the parent directory change, the change also
propagates to the new file. It is possible to define additional
non-inherited acl entries or to protect a file's acl from being
changed by automatic inheritance.

Under Linux, there is no such thing as creating a file without
permissions; all the relevant system calls have a create mode
parameter. Applying the create mode has the effect of setting the
richacl masks and protecting the acl -- which renders automatic
inheritance ineffective.

Samba can work around this by changing the richacl after creating a
file -- clear the RICHACL_PROTECTED flag and recompute the richacl
masks.

When a richacl is inherited through Automatic Inheritance at file
create time, the richacl masks and the RICHACL_PROTECTED flag are set,
the RICHACE_INHERITED flags are not removed from the inherited ACL
entries. I'm not sure if this bothers Windows; it may be necessary to
hide the flag from Windows in that case.

Thanks,
Andreas