vfs_full_audit annoyances on major version upgrades

Andrew Bartlett abartlet at samba.org
Fri Mar 26 15:14:53 UTC 2021

On Fri, 2021-03-26 at 08:38 -0400, Andrew Walker via samba-technical
> I've noticed that several users (including one in the samba lists just now)
> got bitten by vfs_full_audit on major version upgrades. Due to VFS
> modernization, user's full_audit:success / failure configuration strings
> may be invalid post-upgrade. A concrete example is "full_audit:success =
> unlink". What makes this particularly painful is that full_audit will
> default to logging _everything_ if it encounters an unrecognized parameter.
> What do you think of doing something like the following:
> https://github.com/truenas/ports/blob/truenas/12.0-stable/net/samba/files/patch-source3__modules__vfs_full_audit.c
> Basically:
> 1) expand table for vfs_op_names to include an "old" name to use for
> lookups as well (so that "unlink" logs "unlinkat")
> 2) fail Tree Connect with a concrete error message printed at DBG_ERR if
> logging parameters are invalid.

There certainly is a good case to be made that the difference between
rename and renameat is not important for the audit logs, so shouldn't
be exposed to the user.

I've not looked at the code, but other than the name is there any
difference in what is output?  If not, then an alias makes a lot of

I also agree that failing to start up is a much better option than
abandoning the logging filter.

Andrew Bartlett

Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list