ACCESS_DENIED ACL to POSIX Perms conversion.

Kenny Dinh kdinh at peaxy.net
Wed Feb 11 12:40:53 MST 2015


I tried out your simpler patch. I allowed me to perform translation
from Windows permissions to POSIX permissions, when Windows
user send exactly u/g/o ACEs.

Unfortunately, this patch does not report error when Windows user
sends more than u/g/o ACEs.  I tried sending 4 ACEs (u/g/o + extra ACE for
new user),
the request completed successfully instead of reporting an error.
I suspect customer would want to see the error but this may or
may not be a big deal.

The simplicity of this patch is very appealing.
I'll keep this in mind.

Thanks!

On Wed, Feb 11, 2015 at 9:49 AM, Jeremy Allison <jra at samba.org> wrote:

> On Tue, Feb 10, 2015 at 10:26:13PM -0800, Kenny Dinh wrote:
> > Attached is the level 10 log.  If you search "set_nt_acl", you
> will
> > find the entry of function where the operation begins.
> >
> > "Ah I see. But isn't that still going to fail
> > against your FUSE filesystem that doesn't allow
> > more than u/g/o"
> > Yes, the request will fail if the user sends an ACL that does not have
> exactly
> > u/g/o.
> >
> > What I wanted the code to do was trying to make the "best
> effort" in
> > the fall back logic.
> > Since the back end does not support POSIX ACLs, and IFF there are
> exactly u/g/
> > o ACEs in the DACL,
> > I would attempt to translate the permissions.
> >
> > It is clear to me now that this 'hack' applies only a very limited set
> of use
> > case.
> >
> > Thanks again for your time, Jeremy!
>
> No problem - I still think a less intrusive change
> that would have the same effect is the following:
>
> Let me know if this works for you (it can't go into
> mainline, but it's a much smaller seperate patch to
> carry if you need to keep this going forward).
>


More information about the samba-technical mailing list