ACE ordering and vfs_richacl
Steve French
smfrench at gmail.com
Wed Aug 10 17:49:04 UTC 2016
Andreas,
Do you have any thoughts about reordering of ACEs inside vfs_richacl? and
where it should be done?
On files created outside of Samba (posix file create, or even after chmod),
the ACEs can be out of the normal order (ie deny ACEs intermixed with allow
ACEs) which will cause Windows to complain when it views permissions on
those files (unless vfs_richacl did a reordering of ACEs on every query).
Is it reasonable to ask file systems to put deny ACEs first on newly
created files by default? I realize that if an admin explicitly sets an
ACL (e.g. via setrichacl) then they may have a good reason for putting ACEs
in a different order than usual, but am worried that if Windows (and Mac)
is the main platform that uses ACLs today - and their tools pop up a
warning when deny ACEs are after allow then at least for the boring default
cases - it is a good idea to make sure that ACEs are in the intuitive order
(which is also the order that Windows expects) with deny aces first. See
https://blogs.msdn.microsoft.com/oldnewthing/20070608-00/?p=26503
Any thoughts on how to make sure that ACLs on newly created files have deny
ACEs first (and chmod as well) so we don't confuse users?
--
Thanks,
Steve
More information about the samba-technical
mailing list