From: ronnie sahlberg <ronniesahlberg@gmail.com>
To: Stef Bon <stefbon@gmail.com>
Cc: linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: Question about parsing acl to get linux attributes.
Date: Sun, 1 Aug 2021 07:57:41 +1000
Message-ID: <CAN05THS_KtutZxOOap7xPU3d+XfEJJTe7XT9sZ1tVZFMcLAYEA@mail.gmail.com>
In-Reply-To: <CANXojcy9sAY6Sd62Xs2nnjPNHWuUWQwcSpAAyAoT+VPDWizhOQ@mail.gmail.com>

On Sun, Aug 1, 2021 at 2:02 AM Stef Bon <stefbon@gmail.com> wrote:
>
> Hi,
>
> I'm working on a FUSE filesystem to browse and access SMB networks.
> I'm using libsmb2 for that. It's not online yet, but my software is here:
>
> https://github.com/stefbon/OSNS
>
> Now I found out that SMB2/3 do not support POSIX-like file attributes,
> but do (almost?) everything with ACLs.
> Now I see the function parse_dacl in fs/cifs/cifsacl.c, which
> determines the permissions from the ACL. I see also that when there
> are no ACLs, the default is 0777. I made the same choice in my
> filesystem.
> I've got some questions:
>
> a. What does the sid_unix_NFS_mode stand for? Is it part of the "unix
> extensions module for Windows"?
>
> b. Can you assume some order in the ACLs, so you participate on that?
> I want to know whether there are optimizations possible.

The ACE entries in the ACL are processed in order, thus a user can
create very sophisticated ACLs by ordering the entries carefully.

The ACEs are actually processed twice when access is evaluated.
First it handles all the DENY ACEs. So it goes through the ACL, only
looking at the DENY ACEs and ignoring all other ACEs.

Once it has processed the entire ACL this way, and IF the user was not
denied access, then it will go through the entire ACL a second time,
this time only looking at the ALLOW ACE entries to see if the user is
granted access.


Example:
1, S-1-2-ALICE       ALLOW   READ
2, S-1-2-BOB         ALLOW   READ/WRITE
3, S-1-2-EVERYBODY   ALLOW   READ/WRITE
4, S-1-2-BOB         DENY    WRITE

In this case, even though there are two ACEs that would grant BOB
WRITE access (the ACE for BOB and EVERYBODY), BOB is still denied
write access due to the presence of a DENY ACE for WRITE.

In this case the ACEs are evaluated in the following order
4, 1, 2, 3

>
> Thanks in advance,
>
> Stef Bon
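The two-pass DENY-then-ALLOW evaluation described in the reply above, written out as an added example in C; this is not code from the thread, from libsmb2 or from fs/cifs/cifsacl.c. It assumes a constructed two-bit access mask (READ, WRITE), textual SIDs as used in the email's table, and a caller "token" that is simply the list of SIDs the caller holds (BOB is also a member of EVERYBODY). acl_eval_order() reports the 1-based ACE indexes in the order the two passes visit them, which for the email's ACL is 4, 1, 2, 3.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed simplification of the SMB access mask: two bits are enough here. */
#define ACC_READ  0x1u
#define ACC_WRITE 0x2u

enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    const char   *sid;   /* textual SID the entry applies to (placeholder values) */
    enum ace_type type;  /* ALLOW or DENY */
    uint32_t      mask;  /* access bits this ACE allows or denies */
};

/* Does the caller's token (its list of SIDs) contain this SID? */
static int token_has_sid(const char *const *token, size_t ntoken, const char *sid)
{
    for (size_t i = 0; i < ntoken; i++)
        if (strcmp(token[i], sid) == 0)
            return 1;
    return 0;
}

/*
 * Two-pass check as described in the email:
 *   pass 1 looks only at DENY ACEs and refuses as soon as one that matches
 *          the token overlaps any requested bit;
 *   pass 2 looks only at ALLOW ACEs and accumulates the granted bits.
 * Returns 1 if every requested bit ends up granted, 0 otherwise.
 */
int acl_access_check(const struct ace *acl, size_t nace,
                     const char *const *token, size_t ntoken,
                     uint32_t requested)
{
    uint32_t granted = 0;

    for (size_t i = 0; i < nace; i++) {
        if (acl[i].type != ACE_DENY)
            continue;
        if (token_has_sid(token, ntoken, acl[i].sid) && (acl[i].mask & requested))
            return 0;               /* a matching DENY wins, whatever ALLOWs exist */
    }
    for (size_t i = 0; i < nace; i++) {
        if (acl[i].type != ACE_ALLOW)
            continue;
        if (token_has_sid(token, ntoken, acl[i].sid))
            granted |= acl[i].mask; /* ALLOW bits accumulate across matching ACEs */
    }
    return (granted & requested) == requested;
}

/* Record the 1-based index of each ACE in the order the two passes visit it. */
size_t acl_eval_order(const struct ace *acl, size_t nace, size_t *out)
{
    size_t n = 0;
    for (size_t i = 0; i < nace; i++)
        if (acl[i].type == ACE_DENY)
            out[n++] = i + 1;
    for (size_t i = 0; i < nace; i++)
        if (acl[i].type == ACE_ALLOW)
            out[n++] = i + 1;
    return n;
}

/* The four-entry ACL from the email, with its placeholder SIDs. */
const struct ace example_acl[4] = {
    { "S-1-2-ALICE",     ACE_ALLOW, ACC_READ },
    { "S-1-2-BOB",       ACE_ALLOW, ACC_READ | ACC_WRITE },
    { "S-1-2-EVERYBODY", ACE_ALLOW, ACC_READ | ACC_WRITE },
    { "S-1-2-BOB",       ACE_DENY,  ACC_WRITE },
};
const size_t example_nace = 4;

int main(void)
{
    /* Constructed tokens: each principal also holds the EVERYBODY SID. */
    const char *bob[]   = { "S-1-2-BOB",   "S-1-2-EVERYBODY" };
    const char *alice[] = { "S-1-2-ALICE", "S-1-2-EVERYBODY" };
    size_t order[4];
    size_t n = acl_eval_order(example_acl, example_nace, order);

    printf("evaluation order:");
    for (size_t i = 0; i < n; i++)
        printf(" %zu", order[i]);
    printf("\nBOB write:   %d\n", acl_access_check(example_acl, example_nace, bob, 2, ACC_WRITE));
    printf("BOB read:    %d\n",   acl_access_check(example_acl, example_nace, bob, 2, ACC_READ));
    printf("ALICE write: %d\n",   acl_access_check(example_acl, example_nace, alice, 2, ACC_WRITE));
    return 0;
}
```

BOB is refused WRITE in the first pass by ACE 4 even though ACEs 2 and 3 would both grant it, while ALICE gets WRITE through the EVERYBODY entry because no DENY matches her token. The point for a FUSE layer deriving a mode from the ACL is that the DENY entries have to be folded in before any ALLOW bits are summed, otherwise the derived permissions overstate what the server will actually grant.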


Thread overview: 4+ messages
2021-07-31 16:02 Question about parsing acl to get linux attributes Stef Bon
2021-07-31 21:57 ` ronnie sahlberg [this message]
2021-08-01  4:12   ` Stef Bon
2021-08-01  6:02     ` ronnie sahlberg
