[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

Wes Deviers wdevie at hrcsb.org
Thu Sep 17 08:28:49 MDT 2009

On Wednesday 16 September 2009 06:01:21 pm Miguel Medalha wrote:
> I am ignorant enough on these low-level matters. I "almost" understand 
> your statement. But... consider the following:
> - At the filesystem level ALL the permissions are 666 or 777
> - The above are ONLY seen by the VFS layer, not by the client side
> - The VFS module writes the real ACLs as extended attributes only (or 
> some other method), always setting  them as 666/777 at the filesystem level
> - Clients only see the ACLs provided to them *by the VFS layer* and 
> never directly from the filesystem
> Wouldn't this provide any desired type of ACLs? What am I missing here?
> Thank you

That's the direction I'm heading experimentally; there are a few shortcomings 
that I can think of right away, but they can be mitigated (and the upside is 
big from a usability standpoint, I think)

- If there's a flaw discovered in Samba that takes place in non-root code, the 
filesystem level ACLs will still prevent information disclosure.  If you turn 
over all ACL validation to Samba and that validation is what can be bypassed, 
then you've lost a layer of protection.

- POSIX ACLs mean that you can set permissions from Windows and those 
permissions will be also affect non-Samba services (FTP and such).  In lots of 
installations that's probably nice to have, but for a dedicated file server 
where the only user "interface" is Samba, it wouldn't matter.

- How to apply actions might be odd;  "Traverse Folders" is pretty self-
explanatory and is easy to manage in the virtual ACL database.  "Take 
Ownership" is slightly harder:  if you take ownership of a set of files, does 
that imply fake ownership in just ACLs, or real ownership at the POSIX layer?  
If "Take Ownership" doesn't change the UNIX owner, it means that any action on 
a file owned by POSIX user A but "owned" by NTACL user Z would have to be run 
as root.  Adding more root operations is generally considered Bad.

A bit farther on, and the logical next step, then, is that you don't actually 
need matching POSIX accounts anymore,  By the time you've implemented the VFS 
ACL the way you and I were thinking (and trust that it's secure) you can just 
run the entire Samba infrastructure as UID = samba, and let the VFS ACL layer 
take care of all access control.  Every file on the server is now owned by 
POSIX user "samba", libnss-ldap is no longer necessary....

Of course, that idea has been debated thoroughly both on mailing lists and 
anywhere two Samba users meet on the street, so I'm not touching it : )

Is that along the lines you were thinking, or did I totally miss?



More information about the samba mailing list