[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

Miguel Medalha miguelmedalha at sapo.pt
Wed Sep 16 16:01:21 MDT 2009

>> All files/dirs are 666 or 777.  According to my reading, since there are 
>> no POSIX extended ACLs, if the VFS layer "passes" an access, then it only 
>> should be compared against the standard UGO permissions.
> That's correct - but the problem isn't access, it's when the
> incoming ACL is "set" onto the underlying filesystem. Most
> ACLs can't be mapped onto ugw permissions.
> As I said, you need a vfs_acl_null module that will drop
> any set call, and will return Everyone:Full control on
> read.

I am ignorant enough on these low-level matters. I "almost" understand 
your statement. But... consider the following:

- At the filesystem level ALL the permissions are 666 or 777
- The above are ONLY seen by the VFS layer, not by the client side
- The VFS module writes the real ACLs as extended attributes only (or 
some other method), always setting them as 666/777 at the filesystem level
- Clients only see the ACLs provided to them *by the VFS layer* and 
never directly from the filesystem

Wouldn't this provide any desired type of ACLs? What am I missing here?

Thank you
