libcephfs and supplementary groups

Stefan Metzmacher metze at samba.org
Thu Jul 25 18:25:03 UTC 2019


Hi David,

> Without calling ceph_mount_perms_set(), libcephfs consumers such as
> Samba can rely upon UserPerm::uid() and UserPerm::gid() to fallback to
> geteuid() and setegid() respectively for things such as ACL enforcement.
> However, there is no such fallback for supplementary groups, so ACL
> checks for a user which is only permitted path access via a
> supplementary group will result in a permission denied error.
> 
> Samba ticket: https://bugzilla.samba.org/show_bug.cgi?id=14053
> 
> I've written a patch to address this (it currently omits the get_gids()
> codepath):
> https://github.com/ddiss/ceph/commit/035a1785ec73d803fead42c7240df01b755a815b
> 
> Does this approach make sense, or should Samba go down the
> ceph_mount_perms_set() route to avoid this bug? The latter
> would likely be problematic, as user/group details for a mount will
> remain static.

Without looking at the details, ceph_mount_perms_set() would be the long-term
way to go. My goal is to do impersonation only where needed and not
always by default.

But the patch to ceph would also be good.

metze

