AAPL NFS ACE semantics.

Jeremy Allison jra at samba.org
Mon Feb 26 22:55:39 UTC 2018

On Mon, Feb 26, 2018 at 11:37:26PM +0100, Ralph Böhme via samba-technical wrote:
> Hi Jeremy,
> On Mon, Feb 26, 2018 at 01:35:51PM -0800, Jeremy Allison wrote:
> > I'm working on my SMB2-UNIX-Extensions tree,
> > and thought I might re-use the check_ms_nfs()
> > code from source3/modules/vfs_fruit.c to
> > allow UNIX chmod calls.
> haha, SambaXP is coming... :) I'm right in a night shift working on the
> persistent handles predecessor "unprotected handles" (durable handles that
> survive a process crash) that I've envisioned. :)

Sounds fun :-).

> > What are the exact semantics here ? I'm a
> > bit confused, as the fruit code seems
> > to pull out the mode if there's a
> > global_sid_Unix_NFS_Mode trustee in
> > the passed in dacl, but then pass the
> > whole thing to SMB_VFS_NEXT_FSET_NT_ACL()
> > before doing the chmod after.
> sorry, but this is probably just my lazy application of Darwin ACL/mode
> semantics on Linux. :( On Darwin ACL and POSIX mode are not intertwined like
> POSIX ACLs, NFSv4 or GPFS ACLs, they provide completely separate
> security/authorisation tokens. Thus on Darwin you can safely chmod a file
> without affecting the file's ACL in any way.

Sure, and I can achieve the same inside SMB2 UNIX
extensions by hijacking the NTACL-set call in
the same way :-).

> > Are there any docs on how this chmod call
> > is supposed to work/interact with existing
> > ACLs.
> > 
> > It would seem to me that if you only
> > wanted a chmod call, you'd insist on
> > a one-element ACE with global_sid_Unix_NFS_Mode
> > only, but it looks like it's more complex
> > than that.
> Iirc Apple clients send the full SD plus the NFS ACEs stuff when I traced
> network traffic between a Mac client and a Mac SMB server. They first query the
> SD including NFS ACE, then if they're working as part of a chmod() syscall
> request modify only the contained NFS ACE and then send it all back to the
> server.

I see - so the semantics they have are that
they combine ACL-set with chmod, rather than
using a separate single-DACL-entry ACL set.
And doing a GETACL returns the mode as the
NFS ACE entry. Hmmmm. It might be easier
to spec out the SMB2 unix to do the same
thing (i.e. if someone does a GETACL on
a UNIX handle the mode is attached as the
NFS ACE entry) and then do the chmod set
on SETACL. I think it'd be better to have
logic where if *only* the NFS ACE entry
(chmod) is sent (a one-element ACL) then
the SETACL is skipped and only the chmod
is done. That would allow separation of
chmod from ACL set.
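
The decision discussed in this message (a lone NFS mode ACE means chmod only, a mode ACE inside a larger ACL means SETACL plus chmod), as an added example that is not code from this thread or from Samba. The structures and names (struct sid, struct ace, classify_setacl) are simplified and hypothetical; it assumes the mode ACE trustee has the form S-1-5-88-3-<mode>.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for this example, not Samba's real structures. */
struct sid { uint8_t num_auths; uint32_t id_auth; uint32_t sub_auths[4]; };
struct ace { struct sid trustee; uint32_t access_mask; };

enum acl_action { ACT_SETACL_ONLY, ACT_CHMOD_ONLY, ACT_SETACL_AND_CHMOD };

/* The NFS mode ACE uses trustee S-1-5-88-3-<mode>. */
static int is_nfs_mode_sid(const struct sid *s)
{
    return s->id_auth == 5 && s->num_auths == 3 &&
           s->sub_auths[0] == 88 && s->sub_auths[1] == 3;
}

/*
 * Decide what a SETACL carrying `n` ACEs should do. If a mode ACE is
 * present, *mode receives it, masked to the rwx permission bits so that
 * setuid/setgid/sticky cannot be set through this path (a choice made
 * by this example). Without a mode ACE, *mode is left untouched.
 */
enum acl_action classify_setacl(const struct ace *aces, size_t n, uint32_t *mode)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_nfs_mode_sid(&aces[i].trustee)) {
            *mode = aces[i].trustee.sub_auths[2] & 0777;
            found = 1;
        }
    }
    if (!found) return ACT_SETACL_ONLY;
    return (n == 1) ? ACT_CHMOD_ONLY : ACT_SETACL_AND_CHMOD;
}

int main(void)
{
    /* Constructed sample: a one-element ACL holding only a mode ACE (0644). */
    struct ace only_mode[] = { { {3, 5, {88, 3, 0644}}, 0 } };
    uint32_t mode = 0;
    enum acl_action a = classify_setacl(only_mode, 1, &mode);
    printf("action=%d mode=%o\n", (int)a, (unsigned)mode);
    return 0;
}
```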
