ACLs for CIFS/SMB shares [PSARC/2008/641 FastTrack timeout 10/27/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Mon Oct 20 09:57:20 PDT 2008
On Mon, Oct 20, 2008 at 10:43:31AM -0600, Tim Haley wrote:
> During SMB "tree connect" it will be necessary to get the ACL
> that is set on a share and use it to set up the initial access.
> The ACLs are expected to be stored in objects within a new
> directory under .zfs. /dataset/.zfs/shares/ will contain
> objects with names that match the shares defined on that
> dataset. Just before the tree connect, the sharename will be
> looked up in the .zfs/shares directory, the ACLs obtained and
> then processed relative to the user making the tree
> connect. The result of processing the ACL will be used to
> determine access.
>
> The ZFS changes will include a means to create/remove the
> share objects within the new .zfs/shares directory. Once
> created, it will also be possible to use the standard ACL
> interfaces to get/set ACLs on these new objects. That is,
> chmod and ls will be used.
NFS supports share ACLs of a sort now in the form of host/netgroup lists.
Shouldn't CIFS also support such an ACL mechanism?
> Note that there can be multiple shares (resources) for any
> given path that is shared. This mechanism allows setting
> different ACLs for the same path depending on the name it is
> associated with.
Interesting. I believe there's nothing in the NFSv4 protocol precluding
the same feature, but that our NFS server doesn't have this.
Out of curiosity: is there a need for this (multiple shares for a given
path/dataset) in NFS?
> CIFS is the only protocol we currently support that has the
> concept of shares (resources in sharemgr/share terms) so this
> implementation will initially only provide support for CIFS.
I pointed out that NFS has a notion of shares and share ACLs, but I see
that the notion of share ACLs for CIFS is based on Windows file ACLs, as
opposed to the NFS share-ACL-as-host/netgroup-list that we have now.
In NFS there's no TreeConnect-type operation, but a share-level ACL can
still be applied in operations that deal with paths.
Nico
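
The tree-connect check described in the quoted proposal, modelled as an added Python example (not part of the original thread and not Solaris code). The share names, users and two-bit permission mask are constructed, and the rule that the first matching ACE decides each bit is an assumption based on NFSv4-style ACL semantics.

```python
# Added illustration, not Solaris/ZFS code. Share names, users and the
# two-bit permission mask are constructed; ACE ordering is an assumption.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified stand-ins for read_data / write_data

@dataclass(frozen=True)
class Ace:
    who: str     # "user:<name>", "group:<name>" or "everyone@"
    mask: int    # permission bits this entry covers
    allow: bool  # True for an allow entry, False for a deny entry

# Constructed stand-in for objects under /dataset/.zfs/shares/: two share
# names map to the same path but carry different ACLs.
SHARES = {
    "projects": ("/dataset/proj", [
        Ace("group:eng", READ | WRITE, True),
        Ace("everyone@", READ, True)]),
    "projects_ro": ("/dataset/proj", [
        Ace("user:contractor", READ | WRITE, False),
        Ace("everyone@", READ, True)]),
}

def matches(ace, user, groups):
    kind, _, name = ace.who.partition(":")
    return (ace.who == "everyone@" or (kind == "user" and name == user)
            or (kind == "group" and name in groups))

def granted_access(acl, user, groups):
    """Walk ACEs in order; the first matching ACE decides each bit."""
    granted, undecided = 0, READ | WRITE
    for ace in acl:
        if matches(ace, user, groups):
            bits = ace.mask & undecided
            if ace.allow:
                granted |= bits
            undecided &= ~bits
    return granted  # bits no ACE decided stay denied

def tree_connect(sharename, user, groups):
    """Look up the share by name, then evaluate its ACL for this user."""
    if sharename not in SHARES:
        raise LookupError(f"no such share: {sharename}")
    path, acl = SHARES[sharename]
    access = granted_access(acl, user, groups)
    if access == 0:
        raise PermissionError(f"{user} denied on share {sharename}")
    return path, access
```

The same user reaches the same path with different rights depending on which share name is used, and a deny entry placed ahead of the `everyone@` allow blocks the connect outright.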