info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Skip ACL checks
98 views
Skip to first unread message
Christoph Kleineweber via samba
Mar 16, 2017, 12:50:03 PM3/16/17
to
Hi all,
I am wondering if there is a way to bypass Samba's ACL checks and delegate
access control completely to the underlying file system.
My problem arises from the following scenario: Our file system implements
ACLs that are to the best of my knowledge currently not readable by any of
the existing VFS modules. When trying to access a file with an ACL going
beyond the file's POSIX mode, access is denied by Samba. I guess this is
caused by an mechanism to derive an NT ACL from the mode. Is there any
possibility to skip Samba's permission checks?
Thank you in advance,
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I am wondering if there is a way to bypass Samba's ACL checks and delegate
access control completely to the underlying file system.
My problem arises from the following scenario: Our file system implements
ACLs that are to the best of my knowledge currently not readable by any of
the existing VFS modules. When trying to access a file with an ACL going
beyond the file's POSIX mode, access is denied by Samba. I guess this is
caused by an mechanism to derive an NT ACL from the mode. Is there any
possibility to skip Samba's permission checks?
Thank you in advance,
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Volker Lendecke via samba
Mar 17, 2017, 9:00:02 AM3/17/17
to
On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> I am wondering if there is a way to bypass Samba's ACL checks and delegate
> access control completely to the underlying file system.
>
> My problem arises from the following scenario: Our file system implements
> ACLs that are to the best of my knowledge currently not readable by any of
> the existing VFS modules. When trying to access a file with an ACL going
> beyond the file's POSIX mode, access is denied by Samba. I guess this is
> caused by an mechanism to derive an NT ACL from the mode. Is there any
> possibility to skip Samba's permission checks?
Not really anymore. What you could do is provide a vfs module that
> I am wondering if there is a way to bypass Samba's ACL checks and delegate
> access control completely to the underlying file system.
>
> My problem arises from the following scenario: Our file system implements
> ACLs that are to the best of my knowledge currently not readable by any of
> the existing VFS modules. When trying to access a file with an ACL going
> beyond the file's POSIX mode, access is denied by Samba. I guess this is
> caused by an mechanism to derive an NT ACL from the mode. Is there any
> possibility to skip Samba's permission checks?
returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
It would of course be much better to get a proper mapping. What do
your ACLs look like?
With best regards,
Volker Lendecke
Christoph Kleineweber via samba
Mar 20, 2017, 6:00:04 AM3/20/17
to
On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <v...@samba.org> wrote:
> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and
> delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any
> of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?
>
Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and
> delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any
> of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?
>
the nfs4-acl-tools.
I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
seems to be build on a different implementation. The referenced website (
http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
system.nfs4_acl for nfs4-acl-tools). Is this a known issue?
Kind regards,
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
Volker Lendecke via samba
Mar 20, 2017, 10:00:04 AM3/20/17
to
On Mon, Mar 20, 2017 at 10:57:02AM +0100, Christoph Kleineweber wrote:
> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <v...@samba.org> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and
> > delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system implements
> > > ACLs that are to the best of my knowledge currently not readable by any
> > of
> > > the existing VFS modules. When trying to access a file with an ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
> >
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> the nfs4-acl-tools.
So the only supported way to retrieve ACLs is by running a separate
> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <v...@samba.org> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and
> > delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system implements
> > > ACLs that are to the best of my knowledge currently not readable by any
> > of
> > > the existing VFS modules. When trying to access a file with an ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
> >
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> the nfs4-acl-tools.
executable?
With best regards,
Volker Lendecke
Christoph Kleineweber via samba
Mar 20, 2017, 10:40:03 AM3/20/17
to
>
> > > > I am wondering if there is a way to bypass Samba's ACL checks and
> > > delegate
> > > > access control completely to the underlying file system.
> > > >
> > > > My problem arises from the following scenario: Our file system
> implements
> > > > ACLs that are to the best of my knowledge currently not readable by
> any
> > > of
> > > > the existing VFS modules. When trying to access a file with an ACL
> going
> > > > beyond the file's POSIX mode, access is denied by Samba. I guess
> this is
> > > > caused by an mechanism to derive an NT ACL from the mode. Is there
> any
> > > > possibility to skip Samba's permission checks?
> > >
> > > Not really anymore. What you could do is provide a vfs module that
> > > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > > It would of course be much better to get a proper mapping. What do
> > > your ACLs look like?
> > >
> >
> > Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed
> via
> > the nfs4-acl-tools.
>
> So the only supported way to retrieve ACLs is by running a separate
> executable?
The nfs4-acl-tools make also use of xattrs to access ACLs. The ACL itself
> > > > I am wondering if there is a way to bypass Samba's ACL checks and
> > > delegate
> > > > access control completely to the underlying file system.
> > > >
> > > > My problem arises from the following scenario: Our file system
> implements
> > > > ACLs that are to the best of my knowledge currently not readable by
> any
> > > of
> > > > the existing VFS modules. When trying to access a file with an ACL
> going
> > > > beyond the file's POSIX mode, access is denied by Samba. I guess
> this is
> > > > caused by an mechanism to derive an NT ACL from the mode. Is there
> any
> > > > possibility to skip Samba's permission checks?
> > >
> > > Not really anymore. What you could do is provide a vfs module that
> > > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > > It would of course be much better to get a proper mapping. What do
> > > your ACLs look like?
> > >
> >
> > Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed
> via
> > the nfs4-acl-tools.
>
> So the only supported way to retrieve ACLs is by running a separate
> executable?
is XDR encoded, so access could be done directly by a VFS module and does
not require the executable.
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
Christoph Kleineweber via samba
Mar 20, 2017, 11:00:04 AM3/20/17
to
On Mon, Mar 20, 2017 at 3:29 PM, Volker Lendecke <v...@samba.org> wrote:
> On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
> > The nfs4-acl-tools make also use of xattrs to access ACLs. The ACL itself
> > is XDR encoded, so access could be done directly by a VFS module and does
> > not require the executable.
>
> This sounds as if it would be possible to write a VFS module to access
> the ACLs.
Indeed. I may check if there are significant changes between the
nfs4-acl-tools compliant xattr format and the existing nfs4acl_xattr
module. Is there any reason to keep this module?
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
> On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
> > The nfs4-acl-tools make also use of xattrs to access ACLs. The ACL itself
> > is XDR encoded, so access could be done directly by a VFS module and does
> > not require the executable.
>
> the ACLs.
Indeed. I may check if there are significant changes between the
nfs4-acl-tools compliant xattr format and the existing nfs4acl_xattr
module. Is there any reason to keep this module?
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
Andrew Bartlett via samba
Mar 20, 2017, 4:20:04 PM3/20/17
to
On Mon, 2017-03-20 at 10:57 +0100, Christoph Kleineweber via samba
wrote:
Is it just an issue with the name, or is the on-disk format different
as well?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
wrote:
as well?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Christoph Kleineweber via samba
Mar 21, 2017, 11:30:03 AM3/21/17
to
On Mon, Mar 20, 2017 at 9:13 PM, Andrew Bartlett <abar...@samba.org> wrote:
>
> Is it just an issue with the name, or is the on-disk format different
> as well?
>
The format is different as well. ACL specific fields are missing the the
>
> Is it just an issue with the name, or is the on-disk format different
> as well?
>
nfs4-acl-tools format (version, flags, owner_mask, group_mask and
other_mask) and ACEs do not have an id field.
Christoph
--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
0 new messages