[Samba] VFS ACL modules - question to developers

Jeremy Allison jra at samba.org
Mon Dec 5 11:27:11 MST 2011


On Tue, Dec 06, 2011 at 02:16:34AM +0800, David Roid wrote:
> Hi Jeremy,
> 
> I can understand the limit of acl_xattr because every specific file system may
> impose a limit on number of extended attributes. But now that with acl_tdb ACLs
> are stored in tdb file, should not there be nothing to do with file system?

The acl_tdb module layers a storage of the pristine Windows ACL
into a tdb, but in order for the underlying file system permissions
to accurately reflect those Windows permissions we still have
to map the Windows ACL onto the underlying file system ACL.

If we didn't do this NFS access or local process access
would completely ignore the Windows permissions (which is
not what most people want).

We could extend the acl_tdb and acl_xattr modules so
that they never consider the underlying file system permissions,
but that would completely divorce the Windows permissions
from the local filesystem permissions. We don't do that
yet (it would need some additional coding) as no one has
ever demanded that as a feature.

It would only work for a Windows-only (CIFS/SMB/SMB2-only)
fileserver with no NFS or local access allowed.

Jeremy.

