[Samba] domain-free multi-user use cases

Patrick Goetz pgoetz at math.utexas.edu
Thu Oct 28 14:47:34 UTC 2021



On 10/27/21 15:52, Jeremy Allison wrote:
> On Wed, Oct 27, 2021 at 02:51:39PM -0500, Patrick Goetz via samba wrote:
>>
>> It's a hot mess because the kernel developers refuse to acknowledge 
>> the need to incorporate a VFS permissions model closer to NFS or 
>> Windows ACLs. Really, this can be simplified to "the kernel needs to 
>> adopt NFS ACLs". Windows ACLs jumped the shark long ago, likely due to 
>> corporate customer requests to handle edge cases.  Other than the 
>> stuff no sane person would ever use, Windows and NFS ACLs are largely 
>> identical (since NFSv4 just copied Windows).
> 
> It's not all "the kernel developers" I'm afraid, just one very
> influential one :-(.

It's unfortunate that cooler heads aren't prevailing here. Even in a 
comparatively security-lax academic environment, I've had to jump 
through hoops to meet some relatively minimal security considerations 
for certain users. ACLs seem like overkill ... until you start working 
with real users who need, for example, to have different groups with 
different levels of access to data.

I've gotten used to and don't mind using POSIX ACLs, but given that 
POSIX ACLs were never even formally standardized*, putting everyone at 
the mercy of every filesystem's individual implementation of a 
non-standard ....

* I think everyone assumed NFSv4 ACLs would be adopted by the kernel, so 
why bother?


That alone should be reason enough to move forward with a better ACL 
model.  The community has spoken implicitly. <:)



