I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> I am wondering if there is a way to bypass Samba's ACL checks and delegate access control completely to the underlying file system.
> My problem arises from the following scenario: Our file system implements ACLs that are to the best of my knowledge currently not readable by any of the existing VFS modules. When trying to access a file with an ACL going beyond the file's POSIX mode, access is denied by Samba. I guess this is caused by a mechanism to derive an NT ACL from the mode. Is there any possibility to skip Samba's permission checks?
Not really anymore. What you could do is provide a vfs module that
returns an "Everyone is allowed everything" ACL in the get_nt_acl call.
It would of course be much better to get a proper mapping. What do
your ACLs look like?
On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <vl@samba.org> wrote:
> Not really anymore. What you could do is provide a vfs module that
> returns an "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?
Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools.
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via the nfs4-acl-tools.
So the only supported way to retrieve ACLs is by running a separate executable?
On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
> The nfs4-acl-tools also make use of xattrs to access ACLs. The ACL itself is XDR encoded, so access could be done directly by a VFS module and does not require the executable.
This sounds as if it would be possible to write a VFS module to access
the ACLs.
> I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which seems to be built on a different implementation. The referenced website (http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr to access ACLs is different (system.nfs4acl for nfs4acl_xattr and system.nfs4_acl for nfs4-acl-tools). Is this a known issue?
Is it just an issue with the name, or is the on-disk format different
as well?
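As an added example (not code from this thread or from Samba), here is a bounds-checked decoder for the kind of XDR-encoded ACL xattr discussed above; a strict parser like this is also how a reader would notice that a blob uses a different on-disk layout. It assumes the value is the NFSv4 `nfsace4` array (a count, then type, flag, access mask and an XDR string `who` per ACE); `parse_nfs4_acl`, `struct nfs4_ace` and the sample bytes are hypothetical and constructed, and no Samba VFS API is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nfs4_ace { uint32_t type, flag, mask; char who[64]; };

/* Constructed sample blob (not read from a real file): two ALLOW ACEs. */
static const uint8_t sample_acl[] = { 0,0,0,2,       /* ACE count */
    0,0,0,0, 0,0,0,0, 0x00,0x1f,0x01,0xff, 0,0,0,6,  /* type, flag, mask, who length */
    'O','W','N','E','R','@',0,0,                     /* who, zero-padded to 4 bytes */
    0,0,0,0, 0,0,0,0, 0x00,0x12,0x00,0x81, 0,0,0,9,
    'E','V','E','R','Y','O','N','E','@',0,0,0,
};

/* Read one big-endian XDR uint32 at *off; requires *off <= len. */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    const uint8_t *p = b + *off;
    if (len - *off < 4) return -1;
    *v = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    *off += 4;
    return 0;
}

/* Decode into out[]; returns the ACE count, or -1 if the blob is malformed. */
int parse_nfs4_acl(const uint8_t *b, size_t len, struct nfs4_ace *out, size_t max)
{
    size_t off = 0;
    uint32_t n, wholen;
    if (get_u32(b, len, &off, &n) || n > max) return -1;
    for (uint32_t i = 0; i < n; i++) {
        if (get_u32(b, len, &off, &out[i].type) || get_u32(b, len, &off, &out[i].flag) ||
            get_u32(b, len, &off, &out[i].mask) || get_u32(b, len, &off, &wholen))
            return -1;
        size_t padded = ((size_t)wholen + 3) & ~(size_t)3;  /* XDR pads to 4 bytes */
        if (wholen >= sizeof out[i].who || padded > len - off) return -1;
        memcpy(out[i].who, b + off, wholen);
        out[i].who[wholen] = '\0';
        off += padded;
    }
    return off == len ? (int)n : -1;  /* trailing bytes: not this layout */
}

int main(void)
{
    struct nfs4_ace a[8];
    int n = parse_nfs4_acl(sample_acl, sizeof sample_acl, a, 8);
    for (int i = 0; i < n; i++)
        printf("%-10s type=%u mask=%#x\n", a[i].who, (unsigned)a[i].type, (unsigned)a[i].mask);
    return n < 0;
}
```

Mapping the decoded ACEs to an NT security descriptor is a separate step that this sketch does not attempt.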