Is "acl_xattr:ignore system acl = yes" recommended?

Andrew Walker awalker at ixsystems.com
Mon Jul 26 21:38:48 UTC 2021


On Mon, Jul 26, 2021 at 3:17 PM Rowland Penny via samba-technical <
samba-technical at lists.samba.org> wrote:

>
> To me, that means with 'acl_xattr:ignore system acls = yes' set, the
> normal Unix 'ugo' permissions are not changed, so where does the kernel
> come in?
>
> Rowland
>

When acl_xattr:ignore_system_acls is set to "yes", the create mask parameter is
set to 666 and the directory mask parameter to 777. POSIX ACLs are enforced by
the kernel (that's why they also apply to other processes / local access). It
may be a problematic recommendation because it leaves filesystem access
wide open. This is why I've been working quite a bit on NFSv4 ACLs in Linux
on TrueNAS SCALE (and why they exist on FreeBSD): you can get pretty close
to a 1-to-1 mapping of a security descriptor to an NFSv41 ACL, with the result
that permissions behave the same whether access is through Samba, NFS, or local.
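
A configuration check for the setting discussed in this thread, as an added example that is not part of the original message or Samba's own code: it lists the shares in smb.conf-style text where the acl_xattr module is loaded and the option is enabled, so they can be reviewed against the 666/777 masks described above. The function names and the sample configuration are constructed for illustration, and comparing parameter names case-insensitively with whitespace ignored is a simplification made by this checker.

```python
import re

TRUE_VALUES = {"yes", "true", "on", "1"}

def norm(name):
    # Simplification of this checker: case-insensitive, whitespace ignored.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_ignoring_system_acls(text):
    """List shares where acl_xattr is loaded and 'ignore system acls' is on."""
    sections = parse_smb_conf(text)
    flagged = []
    for name, params in sections.items():
        if name == "global":
            continue
        # Share-level settings override what is inherited from [global].
        effective = {**sections.get("global", {}), **params}
        modules = re.split(r"[\s,]+", effective.get(norm("vfs objects"), ""))
        value = effective.get(norm("acl_xattr:ignore system acls"), "no")
        if "acl_xattr" in modules and value.lower() in TRUE_VALUES:
            flagged.append(name)
    return flagged

# Constructed sample configuration, not taken from any real server.
SAMPLE = """
[global]
    vfs objects = acl_xattr
[projects]
    acl_xattr:ignore system acls = yes
[scans]
    ; acl_xattr:ignore system acls = yes
[archive]
    vfs objects = recycle
    ACL_XATTR:Ignore System ACLs = Yes
"""
for share in shares_ignoring_system_acls(SAMPLE):
    print(f"{share}: create mask 666 / directory mask 777 in effect, review on-disk permissions")
```

The [archive] share is not reported because its own vfs objects line replaces the inherited one and no longer loads acl_xattr.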

