[Samba] security.NTACL Not Being Set Using LXC Containers
abartlet at samba.org
Fri Aug 9 00:15:52 MDT 2013
On Thu, 2013-08-08 at 22:54 +0100, chris.hayes at proporta.com wrote:
> On Thu, 08 Aug 2013 22:28:46 +0100, chris.hayes at proporta.com wrote:
> > Hi,
> > My Samba 3.6.6 file server isn't setting the security.NTACL extended
> > attribute. It can set the user.DOSATTRIB without any issue. This
> > appears to be an LXC container issue, as outside the container I can
> > set this using the setfattr command without issue, whereas I can't do
> > this inside.
> > Despite this not being a Samba issue, I was wondering whether anybody
> > has any encountered problems like this; and whether anyone could
> > offer
> > me their experience or advice?
> This can be worked around by allowing CAP_SYS_ADMIN; see the
> lxc.cap.drop declarations in your container configuration. Not
> necessarily a good idea, though as it appears to decrease the degree of
> container isolation from the host system.
> I don't believe there's any way to request that Samba use a different
> namespace, though. The only other option would be to not use the
> filesystem at all.
> Does anyone know how NTACLs in XATTR compare to using 'vfs objects =
> xattr_tdb' or any other options that I'm unaware of?
Using the TDB backend is a very poor second choice, because if something
other than Samba adds/deletes files, the inode-related entry may be
either be left dangling, or may suddenly apply to a different file. We
saw this in 'make test' where we have to use this, and it isn't pretty.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
More information about the samba