Basic SACL support
Michael Krax
mk-samba at krax.net
Thu Aug 17 09:49:52 GMT 2006
Jerry,
as announced yesterday, I have got some rather basic support for SACL.
Check out my bzr tree at http://people.samba.org/bzr/mkrax/samba-soc/.
Let me just summarize what I have done so far:
* Added support for getting and setting SACLs to smbd/posix_acls.c.
Works with (my) XP Pro.
* SACLs are saved in an extended attribute "trusted.SAMBA_SACL". The
trusted namespace was chosen because NT SACLs are protected by the
SeSecurityPrivilege (as far as I understood), so only privileged
software/users should be able to read them.
* Added SeSecurityPrivilege to lib/privileges.c
* I did not try to understand the inheritance stuff, it is on my
todo-list, but with a rather low priority.
* Wrote (more or less copied vfs_full_audit) a vfs module to log what is
selected by the SACLs.
* Supporting functions are in lib/audit_sacl.c
What is working now:
* Reading and writing SACL entries via the extended security dialog in
Windows XP, at least for single files. Multiple SACL entries per file
are possible.
* Logging access etc. to such files by a user. Writing an entry to
syslog:
> Aug 17 11:16:45 carmen smbd_audit: mkdom|192.168.18.133|Read \
> Control|ok|test/text.txt
SACL was: user mkdom log "full" on "success".
I am well aware that there is much work to be done. For now, focus is
on getting a useful representation between NT access rights and unix
accesses and to speed up things a little bit by implementing different
forms of caching. I am thinking about two forms:
a) Avoid same entry in logfile. For now, syslog is filled with a lot of
identical entries.
b) Keep SACL in memory.
As for now, documentation is non-existent.
Add "vfs objects = sacl_audit" to any share for which you want to enable
sacl auditing support.
ACL support (compile time option) should be enabled. File system has to
support extended attributes (I am using xfs).
Any comments appreciated,
Michael
--
Michael Krax
Phone +49(0)30.76765923 Mobile +49(0)163.7325923
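As an added example (not code from the post above or from Samba), the following Python parses syslog lines of the shape the sacl_audit module writes and collapses identical entries that arrive within a short window, which is the caching idea listed under (a). The field order user|client|operation|result|path is an assumption inferred from the single log line quoted in the post; the sample log, the "fail" result token and the function names are constructed for this illustration.

```python
import re
from datetime import datetime

# Shape of the line quoted in the post:
#   "<syslog ts> <host> smbd_audit: <user>|<client>|<op>|<result>|<path>"
# The meaning of the five pipe-separated fields is an assumption based
# on that one line.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<client>[^|]*)\|(?P<op>[^|]*)\|"
    r"(?P<result>[^|]*)\|(?P<path>.*)$"
)

# Constructed sample: the first line is the one from the post, the rest
# are made up to show bursts of repeats, a denied access ("fail" is an
# assumed token) and an unrelated syslog line that must be skipped.
SAMPLE_LOG = """\
Aug 17 11:16:45 carmen smbd_audit: mkdom|192.168.18.133|Read Control|ok|test/text.txt
Aug 17 11:16:45 carmen smbd_audit: mkdom|192.168.18.133|Read Control|ok|test/text.txt
Aug 17 11:16:46 carmen smbd_audit: mkdom|192.168.18.133|Read Control|ok|test/text.txt
Aug 17 11:17:02 carmen smbd_audit: mkdom|192.168.18.133|Write Data|fail|test/text.txt
Aug 17 11:18:30 carmen smbd_audit: mkdom|192.168.18.133|Read Control|ok|test/text.txt
Aug 17 11:18:31 carmen kernel: unrelated line that is not an audit record
"""


def parse_audit_line(line, year=2006):
    """Return a dict for one smbd_audit line, or None for any other line."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies one
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def load_audit_log(text, year=2006):
    """Parse every audit line in text, silently skipping non-audit lines."""
    records = (parse_audit_line(l, year) for l in text.splitlines())
    return [r for r in records if r is not None]


def suppress_repeats(records, window_seconds=60):
    """Collapse entries identical in (user, client, op, result, path) that
    fall within window_seconds of the first one kept.  Each kept record
    gets a 'repeats' counter so the burst size is not lost."""
    last_kept = {}
    kept = []
    for rec in records:
        key = (rec["user"], rec["client"], rec["op"], rec["result"], rec["path"])
        prev = last_kept.get(key)
        if prev is not None and (rec["time"] - prev["time"]).total_seconds() <= window_seconds:
            prev["repeats"] += 1
            continue
        rec = dict(rec, repeats=0)
        last_kept[key] = rec
        kept.append(rec)
    return kept


def failed_accesses(records):
    """Return (user, client, op, path) for every record whose result is not 'ok'."""
    return [(r["user"], r["client"], r["op"], r["path"])
            for r in records if r["result"] != "ok"]


if __name__ == "__main__":
    recs = load_audit_log(SAMPLE_LOG)
    for r in suppress_repeats(recs):
        print(f"{r['time']} {r['user']}@{r['client']} {r['op']} "
              f"{r['result']} {r['path']} (+{r['repeats']} repeats)")
    print("denied:", failed_accesses(recs))
```

The window is measured from the first entry kept for a given key, so a steady trickle of identical reads produces one line per window rather than one per access; lowering `window_seconds` trades log volume for finer timing.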