[NT ACLS] Using the security.* namespace for NTACL considered improper
tridge at samba.org
Tue Jan 19 14:06:30 MST 2010

Hi Simo,

> Talking with Christoph Hellwig he said that security.* should *not* be
> used as it is reserved for LSM modules (like SELinux).

As I mentioned on IRC (sending here so others can see it), the
original reason for choosing security.* was that it was intended that
we eventually implement an LSM module that understands these
ACLs. Interpreting them in smbd was a stop-gap measure.

We haven't actually built the LSM, but for secure ACLs we really
should. Having ACLs only interpreted in user space is always a
suboptimal solution, especially with mixtures of local login, NFS and
SMB access.

Cheers, Tridge