
Re: Security issue - storing NTACL's in non-NT-security-namespace

To: Jeremy Allison <jra@xxxxxxxxx>
Subject: Re: Security issue - storing NTACL's in non-NT-security-namespace
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Sat, 14 Dec 2013 10:20:00 +1100
Cc: "L.A. Walsh" <samba@xxxxxxxxx>, Christoph Hellwig <hch@xxxxxxxxxxxxx>, Samba Technical <samba-technical@xxxxxxxxxxxxxxx>, xfs-oss <xfs@xxxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <20131213220848.GG1005@samba2>
References: <52A96211.3050602@xxxxxxxxx> <20131212181315.GB20500@samba2> <52AAC7CC.8000802@xxxxxxxxx> <20131213105314.GA2117@xxxxxxxxxxxxx> <52AB7CDC.5040801@xxxxxxxxx> <20131213220848.GG1005@samba2>
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Dec 13, 2013 at 02:08:48PM -0800, Jeremy Allison wrote:
> On Fri, Dec 13, 2013 at 01:32:12PM -0800, L.A. Walsh wrote:
> > Now NOTE: if I don't use "explicit action" (-a) in my copy:
> > 
> > Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
> > Ishtar:law/Documents> attr -l testcopy.txt
> > Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt
> > 
> > ONLY the root-namespace ACL is saved  -- the user and security
> > attributes are stripped.
> 
> What is the namespace for SGI_ACL_FILE ?

That's XFS's on-disk name for a POSIX ACL, which are kept in the root
namespace.  It's a file ACL, not a default ACL (which are named
SGI_ACL_DEFAULT), so it was placed there by the user after VFS
allowed it to be created.

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
