Is "acl_xattr:ignore system acl = yes" recommended?

Andrew Bartlett abartlet at samba.org
Mon Jul 26 21:42:18 UTC 2021


On Mon, 2021-07-26 at 17:38 -0400, Andrew Walker wrote:
> 
> 
> On Mon, Jul 26, 2021 at 3:17 PM Rowland Penny via samba-technical <
> samba-technical at lists.samba.org> wrote:
> > To me, that means with 'acl_xattr:ignore system acls = yes' set,
> > the
> > normal Unix 'ugo' permissions are not changed, so where does the
> > kernel
> > come in ?
> > 
> > Rowland
> 
> When acl_xattr:ignore_system_acls is set to "yes", create mask
> parameter is set to 666 and directory mask parameter to 777. POSIX
> ACLs are enforced by kernel (that's why they also apply to other
> processes / local access). It may be a problematic recommendation
> because it leaves filesystem access wide open. This is why I've been
> working quite a bit on NFSv4 ACLs in Linux on TrueNAS SCALE (and why
> they exist on FreeBSD), you can get pretty close to 1 to 1 mapping of
> a security descriptor to NFSv41 ACL with the result that permissions
> behave same whether access is through Samba, NFS, or local.

Yeah, that's exactly my area of concern.

Also, the POSIX ACLs being enforced by the Kernel is also our fail-
safe, so I'm quite nervous to recommend bypassing that.

NFSv4 ACLs would be really good, I think Samba can be rightly quite
frustrated they have been so difficult to get traction on with the
Linux kernel community.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions



