vfs_acl_[xattr|tdb] and timestamp in ACL hash

Ralph Boehme slow at samba.org
Fri Dec 18 15:31:33 UTC 2020 

Hi Jeremy,
hi Andrew,

here comes another question related to vfs_acl_xattr.

This is triggered by a customer request who is storing xattrs in some 
kind of database (external to Samba) and they're trying to leverage 
xattr deduping.

They have a xattr dedupe feature in their backend such then when to 
files have the same xattr it's only stored once in the backend.

But when using this with vfs_acl_xattr they stumbled upon the fact that 
we skew the ACL blob bash with timestamp, so even if two files have an 
identical ACL, they will have a different timestamp so the overall xattr 
blob will be different.

         typedef [public] struct {
                 security_descriptor *sd;
                 uint16 hash_type;
                 uint8 hash[64]; /* 64 bytes hash. */
                 utf8string description; /* description of what created
                                          * this hash (to allow
                                          * forensics later, if we have
                                          * a bug in one codepath */
                 NTTIME time;
                 uint8 sys_acl_hash[64]; /* 64 bytes hash. */
         } security_descriptor_hash_v4;

They can hack around this by applying a vendor specific patch that 
always sets time to 0.

Afaict the hash should not include the time of the creation of the ACL, 
the hash should just be over the ACL.

So the question is if we want to change our behaviour?

I wouldn't wanna go up to security_descriptor_hash_v5 that drops the 
time field, maybe just stay at v4, but set time to 0?

Thoughts?

Thanks!
-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xAA1E9B7126399E46.asc
Type: application/pgp-keys
Size: 8728 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20201218/fa8b2aa6/OpenPGP_0xAA1E9B7126399E46.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20201218/fa8b2aa6/OpenPGP_signature.sig>

More information about the samba-technical mailing list