• [Samba] Skip ACL checks

    From Christoph Kleineweber via samba@21:1/5 to All on Thu Mar 16 17:50:02 2017
    Hi all,

    I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.

    My problem arises from the following scenario: Our file system implements
    ACLs that are to the best of my knowledge currently not readable by any of
    the existing VFS modules. When trying to access a file with an ACL going
    beyond the file's POSIX mode, access is denied by Samba. I guess this is
    caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?

    Thank you in advance,
    Christoph



    --
    Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix Hupfeld, Bjoern Kolbeck
    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Volker Lendecke via samba@21:1/5 to Christoph Kleineweber on Fri Mar 17 14:00:01 2017
    On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
    > I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
    >
    > My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?

    Not really anymore. What you could do is provide a vfs module that
    returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
    It would of course be much better to get a proper mapping. What do
    your ACLs look like?

    With best regards,

    Volker Lendecke

  • From Christoph Kleineweber via samba@21:1/5 to Volker Lendecke on Mon Mar 20 11:00:03 2017
    On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@samba.org> wrote:

    > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
    > > I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
    > >
    > > My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
    >
    > Not really anymore. What you could do is provide a vfs module that
    > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
    > It would of course be much better to get a proper mapping. What do
    > your ACLs look like?


    Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
    the nfs4-acl-tools.

    I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
    seems to be built on a different implementation. The referenced website (http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
    to access ACLs is different (system.nfs4acl for nfs4acl_xattr and system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

    Kind regards,
    Christoph



  • From Volker Lendecke via samba@21:1/5 to Christoph Kleineweber on Mon Mar 20 15:00:03 2017
    On Mon, Mar 20, 2017 at 10:57:02AM +0100, Christoph Kleineweber wrote:
    > On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@samba.org> wrote:
    >
    > > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
    > > > I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
    > > >
    > > > My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
    > >
    > > Not really anymore. What you could do is provide a vfs module that
    > > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
    > > It would of course be much better to get a proper mapping. What do
    > > your ACLs look like?
    >
    > Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools.

    So the only supported way to retrieve ACLs is by running a separate
    executable?

    With best regards,

    Volker Lendecke

  • From Christoph Kleineweber via samba@21:1/5 to All on Mon Mar 20 15:40:01 2017

    > > > > I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
    > > > >
    > > > > My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
    > > >
    > > > Not really anymore. What you could do is provide a vfs module that returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
    > > > It would of course be much better to get a proper mapping. What do
    > > > your ACLs look like?
    > >
    > > Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools.
    >
    > So the only supported way to retrieve ACLs is by running a separate executable?


    The nfs4-acl-tools also make use of xattrs to access ACLs. The ACL itself
    is XDR encoded, so access could be done directly by a VFS module and does
    not require the executable.

    Christoph


  • From Christoph Kleineweber via samba@21:1/5 to Volker Lendecke on Mon Mar 20 16:00:02 2017
    On Mon, Mar 20, 2017 at 3:29 PM, Volker Lendecke <vl@samba.org> wrote:

    > On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
    > > The nfs4-acl-tools also make use of xattrs to access ACLs. The ACL itself is XDR encoded, so access could be done directly by a VFS module and does not require the executable.
    >
    > This sounds as if it would be possible to write a VFS module to access
    > the ACLs.


    Indeed. I may check if there are significant changes between the
    nfs4-acl-tools compliant xattr format and the existing nfs4acl_xattr
    module. Is there any reason to keep this module?

    Christoph


  • From Andrew Bartlett via samba@21:1/5 to All on Mon Mar 20 21:20:02 2017
    On Mon, 2017-03-20 at 10:57 +0100, Christoph Kleineweber via samba wrote:
    > On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@samba.org> wrote:
    >
    > > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
    > > > I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
    > > >
    > > > My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
    > >
    > > Not really anymore. What you could do is provide a vfs module that
    > > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
    > > It would of course be much better to get a proper mapping. What do
    > > your ACLs look like?
    >
    > Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools.
    >
    > I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which seems to be built on a different implementation. The referenced website (http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr to access ACLs is different (system.nfs4acl for nfs4acl_xattr and system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

    Is it just an issue with the name, or is the on-disk format different
    as well?

    Thanks,

    Andrew Bartlett

    --
    Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
    Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba


  • From Christoph Kleineweber via samba@21:1/5 to Andrew Bartlett on Tue Mar 21 16:30:01 2017
    On Mon, Mar 20, 2017 at 9:13 PM, Andrew Bartlett <abartlet@samba.org> wrote:

    > Is it just an issue with the name, or is the on-disk format different
    > as well?


    The format is different as well. ACL specific fields are missing in the nfs4-acl-tools format (version, flags, owner_mask, group_mask and
    other_mask) and ACEs do not have an id field.

    Christoph


