libcephfs and supplimentary groups

David Disseldorp ddiss at suse.de
Thu Jul 25 15:07:49 UTC 2019


Hi,

Without calling ceph_mount_perms_set(), libcephfs consumers such as
Samba can rely upon UserPerm::uid() and UserPerm::gid() to fallback to
geteuid() and setegid() respectively for things such as ACL enforcement.
However, there is no such fallback for supplementary groups, so ACL
checks for a user which is only permitted path access via a
supplementary group will result in a permission denied error.

Samba ticket: https://bugzilla.samba.org/show_bug.cgi?id=14053

I've written a patch to address this (it currently omits the get_gids()
codepath):
https://github.com/ddiss/ceph/commit/035a1785ec73d803fead42c7240df01b755a815b

Does this approach make sense, or should Samba go down the
ceph_mount_perms_set() route to avoid this bug? The latter
would likely be problematic, as user/group details for a mount will
remain static.

Cheers, David



More information about the samba-technical mailing list