AAPL NFS ACE semantics.

Ralph Böhme slow at samba.org
Mon Feb 26 22:37:26 UTC 2018

Hi Jeremy,

On Mon, Feb 26, 2018 at 01:35:51PM -0800, Jeremy Allison wrote:
> I'm working on my SMB2-UNIX-Extensions tree,
> and thought I might re-use the check_ms_nfs()
> code from source3/modules/vfs_fruit.c to
> allow UNIX chmod calls.

haha, SambaXP is coming... :) I'm right in a night shift working on the
persistent handles predecessor "unprotected handles" (durable handles that
survive a process crash) that I've envisioned. :)

> What are the exact semantics here ? I'm a
> bit confused, as the fruit code seems
> to pull out the mode is there's a
> global_sid_Unix_NFS_Mode trustee in
> the passed in dacl, but then pass the
> whole thing to SMB_VFS_NEXT_FSET_NT_ACL()
> before doing the chmod after.

sorry, but this is probably just my lazy application of Darwin ACL/mode
semantics on Linux. :( On Darwin ACL and POSIX mode are not intertwined like
POSIX ACLs, NFSv4 or GPFS ACLs, they provide completely seperate
security/authorisation tokens. Thus on Darwin you can safely chmod a file
without affecting the file's ACL in any way.

> Are there any docs on how this chmod call
> is supposed to work/interact with existing
> ACLs.
> It would seem to me that if you only
> wanted a chmod call, you'd insist on
> a one-element ACE with global_sid_Unix_NFS_Mode
> only, but it looks like it's more complex
> than that.

Iirc Apple clients send the full SD plus the NFS ACEs stuff when I traced
network traffic betweens a Mac client and a Mac SMB server. They first query the
SD including NFS ACE, the if they're working as part of a chmod() syscall
request modify only the contained NFS ACE and then send it all back to the


Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/

More information about the samba-technical mailing list