ACE ordering and vfs_richacl

Stefan Metzmacher metze at samba.org
Thu Aug 11 03:05:32 UTC 2016


On 10.08.2016 at 19:49, Steve French wrote:
> Andreas,
> Do you have any thoughts about reordering of ACEs inside vfs_richacl, and
> where it should be done?
> 
> On files created outside of Samba (posix file create, or even after chmod),
> the ACEs can be out of the normal order (i.e. deny ACEs intermixed with allow
> ACEs) which will cause Windows to complain when it views permissions on
> those files (unless vfs_richacl did a reordering of ACEs on every query).
> 
> Is it reasonable to ask file systems to put deny ACEs first on newly
> created files by default?  I realize that if an admin explicitly sets an
> ACL (e.g. via setrichacl) then they may have a good reason for putting ACEs
> in a different order than usual, but am worried that if Windows (and Mac)
> is the main platform that uses ACLs today - and their tools pop up a
> warning when deny ACEs are after allow then at least for the boring default
> cases - it is a good idea to make sure that ACEs are in the intuitive order
> (which is also the order that Windows expects) with deny ACEs first. See
> 
> https://blogs.msdn.microsoft.com/oldnewthing/20070608-00/?p=26503
> 
> Any thoughts on how to make sure that ACLs on newly created files have deny
> ACEs first (and chmod as well) so we don't confuse users?

Please put that logic only into the userspace tools not into the filesystem.

An SMB client can set any order and Samba needs to store it that way,
even if Windows tools would complain and reorder.

metze
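
The point this exchange turns on, that ACE order changes the access decision, shown as an added example (not part of the original thread and not Samba's or richacl's code). It walks a constructed ACL in stored order, then in deny-first order, and gets different answers for the same user. The names `Ace`, `access_check`, `is_canonical` and `canonicalize` and the two mask bits are hypothetical simplifications, and inherited versus explicit ACEs are ignored.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"
READ, WRITE = 0x1, 0x2  # simplified mask bits, constructed for this example

@dataclass(frozen=True)
class Ace:  # hypothetical, minimal ACE: type, principal, permission mask
    type: str
    who: str
    mask: int

def access_check(acl, identities, wanted):
    """Walk ACEs in stored order; the first ACE to decide a bit wins."""
    remaining = wanted
    for ace in acl:
        if ace.who not in identities:
            continue
        if ace.type == DENY:
            if ace.mask & remaining:
                return False  # a still-undecided bit is denied
        else:
            remaining &= ~ace.mask  # these bits are now granted
            if not remaining:
                return True
    return False  # bits nobody granted are implicitly denied

def is_canonical(acl):
    """True when no deny ACE follows an allow ACE (inheritance ignored)."""
    seen_allow = False
    for ace in acl:
        if ace.type == ALLOW:
            seen_allow = True
        elif seen_allow:
            return False
    return True

def canonicalize(acl):
    """Stable reorder with deny ACEs first, as a userspace tool might offer."""
    return sorted(acl, key=lambda ace: ace.type != DENY)

# Constructed ACL in the order a client stored it: allow before deny.
STORED = [Ace(ALLOW, "alice", READ | WRITE), Ace(DENY, "staff", WRITE)]
ALICE = {"alice", "staff"}  # alice is a member of staff

if __name__ == "__main__":
    print(access_check(STORED, ALICE, WRITE))                # True
    print(access_check(canonicalize(STORED), ALICE, WRITE))  # False
```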
