[PATCH] Restore mapping of "security." xattr namespace prefix to EXTATTR_NAMESPACE_USER on FreeBSD

Timur I. Bakeyev timur at freebsd.org
Wed Jul 11 21:36:50 UTC 2018


On 7 July 2018 at 15:21, Ralph Böhme via samba-technical <samba-technical at lists.samba.org> wrote:

> Hi,
>
> cf bug https://bugzilla.samba.org/show_bug.cgi?id=12912.
>
> I think we should push the attached patch to master.
>
> Thoughts?
>

I'll just copy this here, for reference:

While Andrew's concerns are valid and pretty serious, I have to confess that the Samba 4.7 and 4.8 FreeBSD ports were shipping with the following:

--- librpc/idl/xattr.idl.orig   2017-12-17 05:40:37 UTC
+++ librpc/idl/xattr.idl        2017-12-17
@@ -168,7 +168,7 @@ interface xattr
                      can discard if this doesn't match the underlying ACL
hash.
        */

-       const char *XATTR_NTACL_NAME = "security.NTACL";
+       const char *XATTR_NTACL_NAME = "user.NTACL";
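Review bot: the rename to "user.NTACL" moves the NTACL blob into the user extattr namespace unconditionally, which is exactly the UFS exposure the reply below concedes, and the hunk carries no comment saying why the FreeBSD port needs a different name from the "security.NTACL" used elsewhere. The IDL constant is also the wrong place for a platform-specific override: a build-time mapping of the "security." prefix onto EXTATTR_NAMESPACE_USER in the xattr compatibility layer, as the subject line proposes, keeps the constant stable for every platform and confines the FreeBSD behaviour to one place where it can later be tightened (for example to the SYSTEM namespace, as the VFS module mentioned below does).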

So Ralph's proposed patch doesn't change anything in the existing situation, security-wise.

Keep in mind that this is a threat for UFS-only installations, which, I believe, are quite uncommon nowadays. ZFS-based installations use NFSv4 ACLs instead to store the NTACLs and should be safe from that problem.

On a side note, I wrote a VFS module which implements a somewhat more sophisticated extattr storing strategy, mapping security.* and trusted.* into the SYSTEM namespace, hiding those from the user.

With best regards,
Timur Bakeyev.
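The two mapping strategies discussed in this thread, as an added illustration that is not Samba's code nor Timur's VFS module: a Linux-style "prefix.attr" name is split into a FreeBSD extattr namespace plus attribute name, either with "security."/"trusted." landing in EXTATTR_NAMESPACE_USER (the situation the port patch and the proposed fix both produce) or with those prefixes mapped into EXTATTR_NAMESPACE_SYSTEM (the stricter strategy mentioned at the end of the mail). The namespace constants follow <sys/extattr.h>; keeping the full "security.NTACL" name inside the user namespace, and the simplified owner/root write rule in can_write(), are assumptions made here for the example, not details taken from the patch.

```python
"""Map Samba-style xattr names onto FreeBSD extattr namespaces (illustration only)."""
from enum import IntEnum


class Namespace(IntEnum):
    # Numeric values as in FreeBSD's <sys/extattr.h>.
    USER = 1     # EXTATTR_NAMESPACE_USER: governed by the file's permission bits
    SYSTEM = 2   # EXTATTR_NAMESPACE_SYSTEM: requires superuser privilege


def map_xattr_name(name, hide_security=False):
    """Split "prefix.attr" into (namespace, attribute name for extattr_*_file).

    hide_security=False: "security." and "trusted." go to the USER namespace,
    i.e. what the "user.NTACL" port patch and the proposed prefix mapping yield.
    hide_security=True:  the same prefixes go to the SYSTEM namespace instead.
    The full name is kept for those prefixes (an assumption of this example) so
    that "security.NTACL" and a plain "user.NTACL" do not alias one another.
    """
    prefix, sep, attr = name.partition(".")
    if not sep or not attr:
        raise ValueError("xattr name needs a namespace prefix: %r" % name)
    if prefix == "user":
        return Namespace.USER, attr
    if prefix == "system":
        return Namespace.SYSTEM, attr
    if prefix in ("security", "trusted"):
        ns = Namespace.SYSTEM if hide_security else Namespace.USER
        return ns, name
    raise ValueError("unknown xattr namespace prefix: %r" % prefix)


def can_write(ns, uid, file_uid, is_root=False):
    """Simplified model of who may set an extattr in a given namespace.

    USER namespace: the file owner (or root) may write, like ordinary file data.
    SYSTEM namespace: only a privileged (root) process may write.
    This ignores group/other permission bits and securelevel; it is a
    simplification for the example, not a transcription of the kernel check.
    """
    if is_root:
        return True
    if ns == Namespace.SYSTEM:
        return False
    return uid == file_uid


def owner_can_rewrite(name, hide_security=False, uid=1001, file_uid=1001):
    """True if an unprivileged file owner could overwrite the attribute.

    For "security.NTACL" this is the UFS exposure discussed in the thread:
    under the USER mapping the owner can replace the stored NT ACL blob,
    under the SYSTEM mapping they cannot.
    """
    ns, _ = map_xattr_name(name, hide_security=hide_security)
    return can_write(ns, uid=uid, file_uid=file_uid, is_root=False)


if __name__ == "__main__":
    for policy in (False, True):
        ns, attr = map_xattr_name("security.NTACL", hide_security=policy)
        print("hide_security=%s -> %s:%s, owner can rewrite: %s"
              % (policy, ns.name, attr,
                 owner_can_rewrite("security.NTACL", hide_security=policy)))
```

With hide_security=False the constructed owner (uid 1001 on their own file) can rewrite the NTACL blob, which is the situation on UFS that the mail describes; with hide_security=True the same write is refused for anyone but root. On ZFS the NTACL is stored as an NFSv4 ACL rather than an extattr, so this mapping is not the deciding factor there.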

