libcephfs and supplementary groups
Jeff Layton
jlayton at samba.org
Thu Jul 25 18:34:13 UTC 2019
On Thu, 2019-07-25 at 17:07 +0200, David Disseldorp wrote:
> Hi,
>
> Without calling ceph_mount_perms_set(), libcephfs consumers such as
> Samba can rely upon UserPerm::uid() and UserPerm::gid() to fall back to
> geteuid() and setegid() respectively for things such as ACL enforcement.
> However, there is no such fallback for supplementary groups, so ACL
> checks for a user which is only permitted path access via a
> supplementary group will result in a permission denied error.
>
> Samba ticket: https://bugzilla.samba.org/show_bug.cgi?id=14053
>
> I've written a patch to address this (it currently omits the get_gids()
> codepath):
> https://github.com/ddiss/ceph/commit/035a1785ec73d803fead42c7240df01b755a815b
>
> Does this approach make sense, or should Samba go down the
> ceph_mount_perms_set() route to avoid this bug? The latter
> would likely be problematic, as user/group details for a mount will
> remain static.
>
I think that a better approach would be to have samba just call
ceph_mount_perms_set to set the credentials soon after forking. Is there
some reason that doesn't work here?
--
Jeff Layton <jlayton at samba.org>
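
A self-contained model of the gap discussed in this thread, added here as an example and not code from libcephfs, Samba or the linked patch. It contrasts a group check that sees only the fallback uid/gid with one that also sees the process's supplementary groups; `struct creds`, the function names and the numeric ids are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for a caller's credentials (not a libcephfs type). */
struct creds {
    uid_t uid;
    gid_t gid;
    int ngids;      /* number of supplementary groups */
    gid_t *gids;    /* supplementary groups, heap-allocated or NULL */
};

/* Snapshot effective uid/gid plus supplementary groups. Returns 0 on success. */
int creds_from_process(struct creds *c)
{
    c->uid = geteuid();
    c->gid = getegid();
    c->gids = NULL;
    int n = getgroups(0, NULL);             /* size query only */
    c->ngids = n > 0 ? n : 0;
    if (n <= 0)
        return n;                           /* 0: no groups, -1: error */
    c->gids = calloc((size_t)n, sizeof(gid_t));
    if (c->gids == NULL) { c->ngids = 0; return -1; }
    n = getgroups(n, c->gids);              /* fails if the list grew meanwhile */
    if (n < 0) { free(c->gids); c->gids = NULL; c->ngids = 0; return -1; }
    c->ngids = n;
    return 0;
}

/* Group-class test as a permission check would apply it. */
bool creds_in_group(const struct creds *c, gid_t want)
{
    if (c->gid == want)
        return true;
    for (int i = 0; i < c->ngids; i++)
        if (c->gids[i] == want)
            return true;
    return false;
}

/* Constructed case: access to a path is granted only through gid 2002. */
bool denied_without_supplementary(void)
{
    gid_t supp[] = { 2001, 2002 };                        /* constructed ids */
    struct creds fallback_only = { 1000, 1000, 0, NULL }; /* uid/gid only */
    struct creds full = { 1000, 1000, 2, supp };          /* with group list */
    return !creds_in_group(&fallback_only, 2002) && creds_in_group(&full, 2002);
}

int main(void)
{
    struct creds c;
    if (creds_from_process(&c) != 0) { perror("getgroups"); return 1; }
    printf("process has %d supplementary group(s)\n", c.ngids);
    printf("denied without group list: %d\n", denied_without_supplementary());
    free(c.gids);
    return 0;
}
```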