xfs
[Top] [All Lists]

Re: where/how is 'xattr' type=security enforced? (security attr stripped

To: Linda Walsh <xfs@xxxxxxxxx>
Subject: Re: where/how is 'xattr' type=security enforced? (security attr stripped?)
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Tue, 10 Dec 2013 16:52:13 +1100
Cc: xfs-oss <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <52A65AD5.9070705@xxxxxxxxx>
References: <52A65AD5.9070705@xxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)
On Mon, Dec 09, 2013 at 04:05:41PM -0800, Linda Walsh wrote:
> I got a weird message that I've never seen before -- nothing
> life shattering, just a curiosity that I thought shouldn't happen.
> 
> 
> I stored a file in my /home partition FROM a Win7 client
> via samba 3.6.16.
> 
> With that file were also stored xattrs:
> 
> DOSATTRIB, SAMBA_PAI and NTACL.  Since linux is the 'server',
> These are all likely set via samba.
> 
> To work on the file more, I wanted to move it
> to /tmp.
> 
> I use mv:
> >mv  /home/law/tmp/oVars.pm /tmp
> mv: setting attribute âsecurity.NTACLâ for âsecurity.NTACLâ: Operation not 
> permitted

You need root permissions to set security namespace attributes.

$setfattr -n security.NTACL -v foobarchucky /mnt/test/foo
setfattr: /mnt/test/foo: Operation not permitted
$ sudo setfattr -n security.NTACL -v foobarchucky
/mnt/test/foo
$ getfattr -n security.NTACL /mnt/test/foo
getfattr: Removing leading '/' from absolute path names
# file: mnt/test/foo
security.NTACL="foobarchucky"

$

[ On a side note, there's some sooper seekrit voodoo there in
getfattr.  I feel that my systems are so much more secure knowing
that getfattr is protecting me from \something/ so dangerous it
can't possibly be worked around with sed or --absolute-names. ]

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx

<Prev in Thread] Current Thread [Next in Thread>