[PATCH] Restore mapping of "security." xattr namespace prefix to EXTATTR_NAMESPACE_USER on FreeBSD
Timur I. Bakeyev
timur at freebsd.org
Wed Jul 11 21:36:50 UTC 2018
On 7 July 2018 at 15:21, Ralph Böhme via samba-technical <samba-technical at lists.samba.org> wrote:
> Hi,
>
> cf bug https://bugzilla.samba.org/show_bug.cgi?id=12912.
>
> I think we should push the attached patch to master.
>
> Thoughts?
>
I would just copy here, for reference:
While Andrew's concerns are valid and pretty serious, I have to confess that for Samba 4.7 and 4.8 the FreeBSD ports were coming with the:
--- librpc/idl/xattr.idl.orig 2017-12-17 05:40:37 UTC
+++ librpc/idl/xattr.idl 2017-12-17
@@ -168,7 +168,7 @@ interface xattr
can discard if this doesn't match the underlying ACL
hash.
*/
- const char *XATTR_NTACL_NAME = "security.NTACL";
+ const char *XATTR_NTACL_NAME = "user.NTACL";
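Review bot: the changed line replaces XATTR_NTACL_NAME unconditionally in librpc/idl/xattr.idl, so nothing in this hunk limits the "user.NTACL" name to FreeBSD builds or records why the prefix differs from "security.NTACL". The context comment above only says the blob can be discarded if it doesn't match the underlying ACL hash, so a short comment next to the constant stating that the "user." prefix is a FreeBSD port choice would help the next reader. It is also worth checking how ACLs already stored under "security.NTACL" are handled, which this hunk does not address.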
So Ralph's proposed patch doesn't change anything in the existing situation security-wise.
Keep in mind that this is a threat for UFS-only installations, which, it is believed, are quite uncommon nowadays. ZFS-based installations use NFSv4 ACLs instead to store the NTACLs and should be safe from that problem.
On a side note, I wrote a VFS module which implements a bit more sophisticated extattr storing strategy, mapping security.* and trusted.* into the SYSTEM namespace, hiding those from the user.
With best regards,
Timur Bakeyev.