Quantcast

Skip ACL checks

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Skip ACL checks

Samba - General mailing list
Hi all,

I am wondering if there is a way to bypass Samba's ACL checks and delegate
access control completely to the underlying file system.

My problem arises from the following scenario: Our file system implements
ACLs that are to the best of my knowledge currently not readable by any of
the existing VFS modules. When trying to access a file with an ACL going
beyond the file's POSIX mode, access is denied by Samba. I guess this is
caused by an mechanism to derive an NT ACL from the mode. Is there any
possibility to skip Samba's permission checks?

Thank you in advance,
Christoph



--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> I am wondering if there is a way to bypass Samba's ACL checks and delegate
> access control completely to the underlying file system.
>
> My problem arises from the following scenario: Our file system implements
> ACLs that are to the best of my knowledge currently not readable by any of
> the existing VFS modules. When trying to access a file with an ACL going
> beyond the file's POSIX mode, access is denied by Samba. I guess this is
> caused by an mechanism to derive an NT ACL from the mode. Is there any
> possibility to skip Samba's permission checks?

Not really anymore. What you could do is provide a vfs module that
returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
It would of course be much better to get a proper mapping. What do
your ACLs look like?

With best regards,

Volker Lendecke

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <[hidden email]> wrote:

> On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > I am wondering if there is a way to bypass Samba's ACL checks and
> delegate
> > access control completely to the underlying file system.
> >
> > My problem arises from the following scenario: Our file system implements
> > ACLs that are to the best of my knowledge currently not readable by any
> of
> > the existing VFS modules. When trying to access a file with an ACL going
> > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > possibility to skip Samba's permission checks?
>
> Not really anymore. What you could do is provide a vfs module that
> returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> It would of course be much better to get a proper mapping. What do
> your ACLs look like?
>

Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
the nfs4-acl-tools.

I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr), which
seems to be build on a different implementation. The referenced website (
http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the xattr
to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Kind regards,
Christoph



--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
On Mon, Mar 20, 2017 at 10:57:02AM +0100, Christoph Kleineweber wrote:

> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <[hidden email]> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and
> > delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system implements
> > > ACLs that are to the best of my knowledge currently not readable by any
> > of
> > > the existing VFS modules. When trying to access a file with an ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess this is
> > > caused by an mechanism to derive an NT ACL from the mode. Is there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
> >
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be accessed via
> the nfs4-acl-tools.

So the only supported way to retrieve ACLs is by running a separate
executable?

With best regards,

Volker Lendecke

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
On Mon, Mar 20, 2017 at 3:29 PM, Volker Lendecke <[hidden email]> wrote:

> On Mon, Mar 20, 2017 at 03:23:47PM +0100, Christoph Kleineweber wrote:
> > The nfs4-acl-tools make also use of xattrs to access ACLs. The ACL itself
> > is XDR encoded, so access could be done directly by a VFS module and does
> > not require the executable.
>
> This sounds as if it would be possible to write a VFS module to access
> the ACLs.


Indeed. I may check if there are significant changes between the
nfs4-acl-tools compliant xattr format and the existing nfs4acl_xattr
module. Is there any reason to keep this module?

Christoph


--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Mon, 2017-03-20 at 10:57 +0100, Christoph Kleineweber via samba
wrote:

> On Fri, Mar 17, 2017 at 1:54 PM, Volker Lendecke <[hidden email]>
> wrote:
>
> > On Thu, Mar 16, 2017 at 05:38:57PM +0100, Christoph Kleineweber
> > wrote:
> > > I am wondering if there is a way to bypass Samba's ACL checks and
> >
> > delegate
> > > access control completely to the underlying file system.
> > >
> > > My problem arises from the following scenario: Our file system
> > > implements
> > > ACLs that are to the best of my knowledge currently not readable
> > > by any
> >
> > of
> > > the existing VFS modules. When trying to access a file with an
> > > ACL going
> > > beyond the file's POSIX mode, access is denied by Samba. I guess
> > > this is
> > > caused by an mechanism to derive an NT ACL from the mode. Is
> > > there any
> > > possibility to skip Samba's permission checks?
> >
> > Not really anymore. What you could do is provide a vfs module that
> > returns a "Everyone is allowed everything" ACL in the get_nt_acl
> > call.
> > It would of course be much better to get a proper mapping. What do
> > your ACLs look like?
> >
>
> Thanks for clarifying. We use NFSv4 compliant ACLs that can be
> accessed via
> the nfs4-acl-tools.
>
> I found the existing NFSv4 ACL VFS module in Samba (nfs4acl_xattr),
> which
> seems to be build on a different implementation. The referenced
> website (
> http://www.suse.de/~agruen/nfs4acl/) does not exist anymore and the
> xattr
> to access ACLs is different (system.nfs4acl for nfs4acl_xattr and
> system.nfs4_acl for nfs4-acl-tools). Is this a known issue?

Is it just an issue with the name, or is the on-disk format different
as well?

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Skip ACL checks

Samba - General mailing list
On Mon, Mar 20, 2017 at 9:13 PM, Andrew Bartlett <[hidden email]> wrote:
>
> Is it just an issue with the name, or is the on-disk format different
> as well?
>

The format is different as well. ACL specific fields are missing the the
nfs4-acl-tools format (version, flags, owner_mask, group_mask and
other_mask) and ACEs do not have an id field.

Christoph



--
Quobyte GmbH, Berlin, AG Charlottenburg HRB 149012 B, Jan Stender, Felix
Hupfeld, Bjoern Kolbeck
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...