[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr
Miguel Medalha
miguelmedalha at sapo.pt
Wed Sep 16 16:01:21 MDT 2009
>> All files/dirs are 666 or 777. According to my reading, since there are
>> no POSIX extended ACLs, if the VFS layer "passes" an access, then it only
>> should be compared against the standard UGO permissions.
>>
>
> That's correct - but the problem isn't access, it's when the
> incoming ACL is "set" onto the underlying filesystem. Most
> ACLs can't be mapped onto ugw permissions.
>
> As I said, you need a vfs_acl_null module that will drop
> any set call, and will return Everyone:Full control on
> read.
>

I am ignorant enough on these low-level matters. I "almost" understand
your statement. But... consider the following:

- At the filesystem level ALL the permissions are 666 or 777
- The above are ONLY seen by the VFS layer, not by the client side
- The VFS module writes the real ACLs as extended attributes only (or
  some other method), always setting them as 666/777 at the filesystem level
- Clients only see the ACLs provided to them *by the VFS layer* and
  never directly from the filesystem

Wouldn't this provide any desired type of ACLs? What am I missing here?

Thank you