Add option to sort dacl into canonical order in nfs4_acls

Christof Schmitt cs at samba.org
Wed Aug 28 16:43:35 UTC 2019


On Tue, Aug 27, 2019 at 09:51:04AM -0700, Christof Schmitt via samba-technical wrote:
> On Tue, Aug 27, 2019 at 10:49:19AM -0400, Andrew Walker via samba-technical wrote:
> > There are many ways that applications can write NFS4 ACL entries in a
> > non-canonical order per MS-DTYP 2.4.5. It would be nice to have the option
> > to automatically sort these into canonical order so that Windows doesn't
> > complain when viewing these.  I'm honestly a bit torn regarding the best
> > path forward with this. It's easy to say "you're doing it wrong - fix your
> > ACLs", but I imagine that some admins would want a "stop nagging me" option.
> > 
> > Example of some operations resulting in out-of-order ACEs:
> > # file: /mnt/dozer/share/inherited
> > # owner: root
> > # group: smbuser
> >       user:smbuser:rwxpDdaARWcCos:-------:allow
> >             owner@:rwxpDdaARWcCos:fd----I:allow
> >             group@:rwxpDdaARWcCos:fd----I:allow
> >          everyone@:--------------:fd----I:allow
> > root@freenas[/mnt/dozer]# setfacl -m u:root:full_set:fd:allow /mnt/dozer/share/inherited
> > root@freenas[/mnt/dozer]# getfacl /mnt/dozer/share/inherited
> > 
> > # file: /mnt/dozer/share/inherited
> > # owner: root
> > # group: smbuser
> >          user:root:rwxpDdaARWcCos:fd-----:allow
> >       user:smbuser:rwxpDdaARWcCos:-------:allow
> >             owner@:rwxpDdaARWcCos:fd----I:allow
> >             group@:rwxpDdaARWcCos:fd----I:allow
> >          everyone@:--------------:fd----I:allow
> > root@freenas[/mnt/dozer]# chmod 777 /mnt/dozer/share/inherited
> > root@freenas[/mnt/dozer]# getfacl /mnt/dozer/share/inherited
> > # file: /mnt/dozer/share/inherited
> > # owner: root
> > # group: smbuser
> >          user:root:rwxpDdaARWcCos:fd-----:allow
> >       user:smbuser:rwxpDdaARWcCos:-------:allow
> >             owner@:rwxpDdaARWcCos:fdi---I:allow
> >             group@:rwxpDdaARWcCos:fdi---I:allow
> >          everyone@:--------------:fdi---I:allow
> >             owner@:rwxp--aARWcCos:-------:allow
> >             group@:rwxp--a-R-c--s:-------:allow
> >          everyone@:rwxp--a-R-c--s:-------:allow
> 
> 
> I am not quite familiar with the output here, but I assume this is about
> having inherited ACL entries after explicit ACL entries. If all entries
> are "allow", then reordering them should not be a problem. On the other
> hand, if there are "allow" and "deny" entries, then the order is
> important and reordering would change the meaning of the ACL.
> 
> What is the problem to solve here? That an administrator changes the ACL
> through setfacl while not adhering to the order expected by the Windows
> clients?  Ideally, there could be a way in setfacl or even in the file
> system to only allow the Windows ACL order. As this is likely not
> feasible, maybe the "sort_dacl" option could be restricted to only
> reorder if there are only "allow" entries, but skip the reordering if
> there are "deny" entries. With that, the meaning of the ACL would not
> change. In any case, the behavior should also be documented in the man
> pages.

And once we agree on a path forward, adding a unit test in
samba/source3/modules/test_nfs4_acls.c for the new codepath would also
be helpful.

Christof
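
The restriction suggested in the quoted reply (reorder only when every entry is "allow"), sketched as an added example that is not Samba's code and not part of this thread. `struct ace`, `MAX_ACES` and `sort_dacl_allow_only` are hypothetical names, and the sample array is constructed from the getfacl output shown after `chmod 777`. For an allow-only ACL, the MS-DTYP 2.4.5 canonical order reduces to explicit ACEs before inherited ones.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal ACE; not Samba's own ACE types. */
struct ace {
    const char *who;   /* principal as printed by getfacl */
    int is_deny;       /* 1 = deny, 0 = allow */
    int inherited;     /* 1 if the 'I' (inherited) flag is set */
};

#define MAX_ACES 64    /* assumed upper bound for this sketch */

/*
 * Stable partition: explicit ACEs first, inherited ACEs after, relative
 * order inside each group preserved. Returns 1 if the ACL was processed,
 * 0 if it was left untouched (a deny ACE is present, or n > MAX_ACES).
 */
int sort_dacl_allow_only(struct ace *aces, size_t n)
{
    struct ace tmp[MAX_ACES];
    size_t i, out = 0;

    if (n > MAX_ACES)
        return 0;
    for (i = 0; i < n; i++)
        if (aces[i].is_deny)
            return 0;            /* order carries meaning: do not reorder */

    for (i = 0; i < n; i++)      /* pass 1: explicit entries */
        if (!aces[i].inherited)
            tmp[out++] = aces[i];
    for (i = 0; i < n; i++)      /* pass 2: inherited entries */
        if (aces[i].inherited)
            tmp[out++] = aces[i];
    memcpy(aces, tmp, n * sizeof(*aces));
    return 1;
}

/* Constructed sample: the ACL listed after chmod 777 in the quoted message. */
struct ace sample[] = {
    {"user:root", 0, 0}, {"user:smbuser", 0, 0},
    {"owner@", 0, 1}, {"group@", 0, 1}, {"everyone@", 0, 1},
    {"owner@", 0, 0}, {"group@", 0, 0}, {"everyone@", 0, 0},
};
```
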


