vfs_acl_[xattr|tdb] and timestamp in ACL hash
Ralph Boehme
slow at samba.org
Fri Dec 18 15:31:33 UTC 2020
Hi Jeremy,
hi Andrew,
here comes another question related to vfs_acl_xattr.
This is triggered by a customer request who is storing xattrs in some
kind of database (external to Samba) and they're trying to leverage
xattr deduping.
They have an xattr dedupe feature in their backend such that when two
files have the same xattr it's only stored once in the backend.
But when using this with vfs_acl_xattr they stumbled upon the fact that
we skew the ACL blob hash with a timestamp, so even if two files have an
identical ACL, they will have a different timestamp so the overall xattr
blob will be different.

	typedef [public] struct {
		security_descriptor *sd;
		uint16 hash_type;
		uint8 hash[64]; /* 64 bytes hash. */
		utf8string description; /* description of what created
					 * this hash (to allow
					 * forensics later, if we have
					 * a bug in one codepath */
		NTTIME time;
		uint8 sys_acl_hash[64]; /* 64 bytes hash. */
	} security_descriptor_hash_v4;

They can hack around this by applying a vendor specific patch that
always sets time to 0.
Afaict the hash should not include the time of the creation of the ACL,
the hash should just be over the ACL.
So the question is if we want to change our behaviour?
I wouldn't wanna go up to security_descriptor_hash_v5 that drops the
time field, maybe just stay at v4, but set time to 0?
Thoughts?
Thanks!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
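Added example, not part of the original mail and not Samba code: a small model of the effect described above, where the per-file time field makes otherwise identical ACL blobs look different to a content-addressed xattr store. The byte layout is a simplified stand-in for security_descriptor_hash_v4 (not Samba's NDR encoding); the hash_type value, the SHA-256 choice, the description string, the dedupe key function and all sample data are assumptions constructed for illustration.

```python
import hashlib
import struct

NT_EPOCH_OFFSET = 11644473600  # seconds between 1601-01-01 and 1970-01-01

def unix_to_nttime(unix_seconds: int) -> int:
    """NTTIME counts 100 ns intervals since 1601-01-01 UTC."""
    return (unix_seconds + NT_EPOCH_OFFSET) * 10_000_000

def pack_sd_hash_v4(sd: bytes, description: str, nttime: int, sys_acl: bytes) -> bytes:
    """Simplified stand-in for security_descriptor_hash_v4 (NOT Samba's NDR).

    Field order follows the struct quoted in the mail: sd, hash_type, hash,
    description, time, sys_acl_hash.
    """
    hash_type = 1  # assumed value meaning "SHA-256"
    sd_hash = hashlib.sha256(sd).digest().ljust(64, b"\0")
    sys_acl_hash = hashlib.sha256(sys_acl).digest().ljust(64, b"\0")
    desc = description.encode("utf-8") + b"\0"
    return b"".join([
        struct.pack("<I", len(sd)), sd,
        struct.pack("<H", hash_type), sd_hash,
        desc,
        struct.pack("<Q", nttime),
        sys_acl_hash,
    ])

def dedupe_key(blob: bytes) -> str:
    """Content-addressed key, as a hypothetical deduplicating store might compute."""
    return hashlib.sha256(blob).hexdigest()

def count_stored_blobs(files, zero_time: bool) -> int:
    """Number of distinct xattr blobs the backend has to keep for these files."""
    keys = set()
    for sd, sys_acl, created_unix in files:
        t = 0 if zero_time else unix_to_nttime(created_unix)
        keys.add(dedupe_key(pack_sd_hash_v4(sd, "posix_acl", t, sys_acl)))
    return len(keys)

# Constructed sample: three files sharing one ACL, written one minute apart.
SAMPLE_SD = b"O:BAG:DUD:(A;;FA;;;BA)(A;;0x1200a9;;;WD)"
SAMPLE_SYS_ACL = b"user::rwx,group::r-x,other::r-x"
SAMPLE_FILES = [(SAMPLE_SD, SAMPLE_SYS_ACL, 1608305493 + i * 60) for i in range(3)]

if __name__ == "__main__":
    print("blobs stored with timestamps:", count_stored_blobs(SAMPLE_FILES, False))
    print("blobs stored with time = 0:  ", count_stored_blobs(SAMPLE_FILES, True))
```

The only bytes that differ between the three blobs in the first case are the eight bytes of the time field; the two 64-byte hash fields are identical in every blob.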