vfs_acl_[xattr|tdb] and timestamp in ACL hash

Jeremy Allison jra at samba.org
Sat Dec 19 03:38:03 UTC 2020

On Fri, Dec 18, 2020 at 04:31:33PM +0100, Ralph Boehme wrote:
>Hi Jeremy,
>hi Andrew,
>here comes another question related to vfs_acl_xattr.
>This is triggered by a customer request who is storing xattrs in some 
>kind of database (external to Samba) and they're trying to leverage 
>xattr deduping.
>They have a xattr dedupe feature in their backend such then when to 
>files have the same xattr it's only stored once in the backend.
>But when using this with vfs_acl_xattr they stumbled upon the fact 
>that we skew the ACL blob bash with timestamp, so even if two files 
>have an identical ACL, they will have a different timestamp so the 
>overall xattr blob will be different.
>        typedef [public] struct {
>                security_descriptor *sd;
>                uint16 hash_type;
>                uint8 hash[64]; /* 64 bytes hash. */
>                utf8string description; /* description of what created
>                                         * this hash (to allow
>                                         * forensics later, if we have
>                                         * a bug in one codepath */
>                NTTIME time;
>                uint8 sys_acl_hash[64]; /* 64 bytes hash. */
>        } security_descriptor_hash_v4;
>They can hack around this by applying a vendor specific patch that 
>always sets time to 0.
>Afaict the hash should not include the time of the creation of the 
>ACL, the hash should just be over the ACL.
>So the question is if we want to change our behaviour?
>I wouldn't wanna go up to security_descriptor_hash_v5 that drops the 
>time field, maybe just stay at v4, but set time to 0?

Yes, along with what Andrew said - as we don't use it just setting
to zero when setting the ACL would work. That would still be
compatible with existing code reading existing ACLs.

More information about the samba-technical mailing list