Is "acl_xattr:ignore system acl = yes" recommended?
Uri Simchoni
uri at samba.org
Tue Jul 27 05:56:21 UTC 2021
On 7/26/21 9:23 PM, Andrew Bartlett via samba-technical wrote:
> In our wiki:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> there is the fairly strong suggestion to set:
>
> acl_xattr:ignore system acl = yes
>
> I feel like this is a fairly bad idea, we should defer to the kernel
> unless we really know that just doesn't work.
>
> But I don't fileserver every day, so I wanted to ask first.
>
> What is the broader view on this option?
>
> Andrew Bartlett
>
I'm not recommending one way or the other because I don't remember the
full set of implications, and it depends on use case, but in general,
the system ACLs can get in the way of emulating a Windows file server
using acl_xattr. If the files are to be accessed only via SMB and full
NT emulation is desired, then we're better off ignoring system ACLs.
When system ACLs are ignored, the file has ugo permissions as set by
smb.conf settings, SMB ACL modifications just change the xattr, and
fetching the security descriptor for the purpose of access check is a
matter of reading and parsing the xattr, and comparing the SIDs with the
ones in the token. Notice that no network activity is involved here. If
the xattr does not exist, the generated default ACL is something that
makes sense in the Windows world.

When system ACLs are not ignored, the vfs_acl_xattr module also sets
POSIX ACLs in a best effort way, but this doesn't always work well
because the NT mode is much richer. One prominent thing that affects
security is deny lists. POSIX ACLs are not (AFAIK) in common use; this
hasn't even made it into a POSIX standard, so poking in them could be
surprising to sysadmins.

The translation from SID to unix ID could involve network traffic (if
only to determine whether the SID is a user or group SID), could result
in an attempt to contact a foreign domain, and I don't remember what
happens if those fail - whether the operation is failed or we skip
failed entries.

Additionally, if the POSIX ACLs are modified externally or by an SMB1
client with POSIX extensions, smbd "forgets" the xattr blob and uses
something derived from POSIX ACLs.

Finally, the default ACL used if the xattr blob doesn't exist is derived
from system ACL and that's not always desirable - see
https://bugzilla.samba.org/show_bug.cgi?id=12028

Uri.
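The access check the message sketches (read the DACL, compare each ACE's SID with the SIDs in the token) and the deny-entry difference it raises, as an added Python model that is not Samba's code or part of this thread. The SIDs, ACE layout and access bits are constructed for the illustration, and it evaluates an in-memory ACE list rather than the on-disk xattr blob.

```python
"""Simplified NT DACL evaluation against a token's SIDs (added model,
not Samba's implementation).  All SIDs and access bits are constructed."""
from dataclasses import dataclass

# Constructed subset of file access bits.
FILE_READ = 0x0001
FILE_WRITE = 0x0002
FILE_EXECUTE = 0x0020


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # constructed SID string
    mask: int   # access bits this ACE grants or denies


def check_access(dacl, token_sids, requested):
    """True if every bit in ``requested`` is granted by ``dacl``.

    Walks ACEs in order: a deny ACE whose SID is in the token and overlaps
    the still-outstanding bits refuses access; an allow ACE removes its
    bits from the outstanding set.  Bits never granted are implicitly
    denied.  None models a missing DACL (Windows: everyone gets access),
    an empty list models a present-but-empty DACL (nobody gets access).
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def is_canonical(dacl):
    """True if no allow ACE precedes a deny ACE; a deny placed after an
    allow for the same bits never fires, so order is security-relevant."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed case: the group may read/write/execute, but one member is
# explicitly denied write.  A POSIX ACL has no deny entry for this.
ALICE = "S-1-5-21-1-2-3-1105"
BOB = "S-1-5-21-1-2-3-1106"
STAFF = "S-1-5-21-1-2-3-513"
DACL = [
    Ace("deny", ALICE, FILE_WRITE),
    Ace("allow", STAFF, FILE_READ | FILE_WRITE | FILE_EXECUTE),
]
```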