Lower-level-Access Checks - avoid duplicate access checks on open

Steve French smfrench at gmail.com
Sun Apr 9 04:54:03 UTC 2017

Has anyone ever experimented with extending the syscalls (or adding
ioctls) for access() checking to allow access checks to be done once
rather than twice (in BOTH Samba and in the file system layer(s))?
Today access checks are done in the underlying fs and in Samba (e.g.
the se_file_access_checks that source3/smbd/open.c calls to check for
permissions on open/create).

Presumably access() could be tricked into passing more information -
but other than that are there other ways that have been explored to
disable all access checking and let lower levels do it?  If access
checks are simply disabled in Samba, presumably at least read/write
access flags (for data, not metadata) are already checkable, but
presumably you could never get delete permission right in the access
right without magic? Are there other obvious things which would fail?



More information about the samba-technical mailing list