Default ACLs and the ACL hash in vfs_xattr_common
Jeremy Allison
jra at samba.org
Fri Oct 5 09:41:32 MDT 2012
On Fri, Oct 05, 2012 at 03:47:20PM +1000, Andrew Bartlett wrote:
> Jeremy,
>
> I've been looking over the ACL mapping code and in particular the
> hash-based method in vfs_xattr_common.
>
> It is complex code, and so I'm trying to validate what I'm reading. As
> far as I see it, the inclusion (or not) of the default ACL on a
> directory in the ACL calculation depends on if we call
> fget_nt_acl_common or get_nt_acl_common.
>
> This in turn makes me worry that the hashed SD (created with
> fget_nt_acl_common) will not match for directories where we call
> get_nt_acl_common, which might consider a default posix ACL.
>
> This is due to the difference between posix_fget_nt_acl() and
> posix_get_nt_acl() in posix_acls.c
>
> The reason this comes to light for me now is that I'm looking to make
> this more reliable, and hash the posix ACL. I've made preparations
> before rc1, but I need to finish the work, and noticed the need to
> consider these default ACLs.
>
> I'll keep digging, but I just thought I might raise the issue.
Thanks for checking, but I don't think this occurs.
posix_get_nt_acl() reads the default ACL if it's a directory.
Inside posix_fget_nt_acl() we have:
if (fsp->is_directory || fsp->fh->fd == -1) {
return posix_get_nt_acl(fsp->conn, fsp->fsp_name->base_name,
security_info, ppdesc);
}
So if it is a directory (which we know from the fsp pointer, and is
the only case where we can have a default ACL) then we simply return
posix_get_nt_acl(), which does fetch the default ACL.
I think you missed that in the control flow.
Cheers,
Jeremy.
More information about the samba-technical
mailing list