get_nt_acl()
Jeremy Allison
jra at samba.org
Wed Sep 30 09:38:21 MDT 2009
On Wed, Sep 30, 2009 at 05:11:14AM -0400, Simo Sorce wrote:
> On Tue, 2009-09-29 at 12:40 -0700, Jeremy Allison wrote:
> > On Tue, Sep 29, 2009 at 02:58:42AM -0400, Novgorodsky, Sergey wrote:
> > >
> > > Hi -
> > >
> > > I have my VFS module, it doesn't support ACLs -
> > > I set errno=ENOTSUP and return NULL/-1 in all POSIX ACL operations.
> > > I do the same in NT ACL functions (get_nt_acl, fget_nt_acl, fset_net_acl) - set ENOTSUP and return
> > > map_nt_error_from_unix(errno), but that seems to cause problems on Win 2003 server, some
> > > applications receive NT_ACCESS_DENIED error when trying to delete or create file on my Samba share.
> > > I can see in log.smbd that it happens after get_nt_acl() call in my module.
> > >
> > > Is it correct to return ENOTSUP from get_nt_acl() in my module? Should I somehow disable ACL support to
> > > avoid these problems?
> >
> > In 3.4.x you can't just return ENOTSUP from get_nt_acl() - just
> > return an acl containing "Everyone:Full Access" and you should
> > be fine.
>
> Jeremy,
> wouldn't it be better if we faked Everyone:Full Access when we get back
> ENOTSUP instead ?
>
> That way we can control exactly what permissions we want to grant if
> ACLs are not supported without having to change all modules in case we
> want to change it.
I'm a bit wary of that. If we return Everyone:Full Access we're
essentially failing open, rather than doing what we do now which
is a default mapping from u:g:w perms.
Jeremy.
More information about the samba-technical
mailing list