ACLs for CIFS/SMB shares [PSARC/2008/641 FastTrack timeout 10/27/2008]
Doug McCallum
Doug.McCallum at sun.com
Mon Oct 20 10:25:28 PDT 2008
Nicolas Williams wrote:
> On Mon, Oct 20, 2008 at 10:43:31AM -0600, Tim Haley wrote:
>
>> During SMB "tree connect" it will be necessary to get the ACL
>> that is set on a share and use it to setup the initial access.
>> The ACLs are expected to be stored in objects within a new
>> directory under .zfs. /dataset/.zfs/shares/ will contain
>> objects with names that match the shares defined on that
>> dataset. Just before the tree connect, the sharename will be
>> looked up in the .zfs/shares directory, the ACLs obtained and
>> then processed relative to the user making the tree
>> connect. The result of processing the ACL will be used to
>> determine access.
>>
>> The ZFS changes will include a means to create/remove the
>> share objects within the new .zfs/shares directory. Once
>> created, it will also be possible to use the standard ACL
>> interfaces to get/set ACLs on these new objects. That is,
>> chmod and ls will be used.
>>
>
> NFS supports share ACLs of a sort now in the form of host/netgroup lists.
>
> Shouldn't CIFS also support such an ACL mechanism?
>
The NFS host based access control will be putback into Nevada in build 102.
It has been a long standing case for adding Montana equivalent support
to NFS and CIFS.
>
>> Note that there can be multiple shares (resources) for any
>> given path that is shared. This mechanism allows setting
>> different ACLs for the same path depending on the name it is
>> associated with.
>>
>
> Interesting. I believe there's nothing in the NFSv4 protocol precluding
> the same feature, but that our NFS server doesn't have this.
>
> Out of curiosity: is there a need for this (multiple shares for a given
> path/dataset) in NFS?
>
There may not be anything that precludes it, but I don't know of any
implementations that provide for it. NFS essentially uses the "path" as
the share name while SMB doesn't advertise the underlying path.
If NFS implements an equivalent mechanism, this implementation would
allow for it to be added.
>
>> CIFS is the only protocol we currently support that has the
>> concept of shares (resources in sharemgr/share terms) so this
>> implementation will initially only provide support for CIFS.
>>
>
> I pointed out that NFS has a notion of shares and share ACLs, but I see
> that the notion of share ACLs for CIFS is based on Windows file ACLs, as
> opposed to the NFS share-ACL-as-host/netgroup-list that we have now.
>
> In NFS there's no TreeConnect-type operation, but a share-level ACL can
> still be applied in operations that deal with paths.
>
Correct.
Doug
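The tree-connect check described in the case (look the share name up under .zfs/shares, fetch that object's ACL, evaluate it against the connecting user, and use the result to grant or refuse the connection) can be modelled in a few lines. The block below is an added example written for this archive page; it is not code from the PSARC case, from the OpenSolaris smbsrv code, or from ZFS. It assumes a hypothetical in-memory picture of the /dataset/.zfs/shares/<sharename> objects, each carrying an NFSv4-style ordered ACL, and it evaluates that ACL with the ordered-ACE rule from RFC 3530 (an allowed bit stays allowed, a deny that covers a still-unallowed requested bit refuses access). The access-bit names, the `Ace`/`Principal` types, the `SHARES` table and `tree_connect` are all constructed for illustration. It also shows the point Tim's text makes about two share names on one path carrying different ACLs.

```python
"""Model of share-ACL lookup and evaluation at SMB tree connect.

Added example, not code from the PSARC case or the OpenSolaris sources.
Assumes: share objects live under <dataset>/.zfs/shares/<sharename>, each
holding an NFSv4-style ordered ACL; ACL entries are evaluated in order
using the RFC 3530 rule (allow accumulates bits, deny of a still-pending
requested bit refuses).  All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Illustrative access bits for a share-level check (constructed names).
READ = 0x1
WRITE = 0x2
TRAVERSE = 0x4


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    who: str    # "user:<name>", "group:<name>" or "everyone@"
    mask: int   # set of access bits this entry covers


@dataclass
class Principal:
    user: str
    groups: FrozenSet[str]


def ace_matches(ace: Ace, principal: Principal) -> bool:
    """Does this ACE's 'who' field apply to the connecting principal?"""
    if ace.who == "everyone@":
        return True
    tag, _, name = ace.who.partition(":")
    if tag == "user":
        return name == principal.user
    if tag == "group":
        return name in principal.groups
    return False


def evaluate_acl(acl: List[Ace], principal: Principal, requested: int) -> bool:
    """Ordered NFSv4-style evaluation of `acl` for `requested` bits.

    Walk the entries in order, considering only those that match.  An
    allow entry grants its bits; once a bit is granted it is settled.  A
    deny entry refuses the request if it covers any requested bit that
    has not yet been granted.  Access is granted only when every
    requested bit has been explicitly allowed.
    """
    allowed = 0
    for ace in acl:
        if not ace_matches(ace, principal):
            continue
        pending = requested & ~allowed
        if ace.kind == "deny":
            if pending & ace.mask:
                return False
        elif ace.kind == "allow":
            allowed |= ace.mask & requested
            if allowed == requested:
                return True
    return allowed == requested


# Constructed picture of /tank/data/.zfs/shares: two share names that map
# to the same path but carry different ACLs.  Keys are the share object
# names; values are (path exported under that name, ACL on the object).
SHARES = {
    "data": ("/tank/data", [
        Ace("allow", "group:staff", READ | WRITE | TRAVERSE),
        Ace("deny", "everyone@", READ | WRITE | TRAVERSE),
    ]),
    "data-ro": ("/tank/data", [
        Ace("deny", "everyone@", WRITE),
        Ace("allow", "everyone@", READ | TRAVERSE),
    ]),
}


def tree_connect(sharename: str, principal: Principal,
                 requested: int) -> Tuple[bool, Optional[str]]:
    """Look the share object up, evaluate its ACL, and decide the connect.

    Returns (granted, path).  A share name with no object under
    .zfs/shares is treated here as unknown and refused (assumption of
    this model; the case text does not spell out that situation).
    """
    entry = SHARES.get(sharename)
    if entry is None:
        return False, None
    path, acl = entry
    return evaluate_acl(acl, principal, requested), path


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}))
    bob = Principal("bob", frozenset({"users"}))
    for name, who, bits in [("data", alice, READ | WRITE), ("data", bob, READ),
                            ("data-ro", bob, READ), ("data-ro", alice, WRITE)]:
        print(name, who.user, tree_connect(name, who, bits))
```

Running the block prints one decision per line; the two share names resolve to the same /tank/data path but alice's read/write connect is allowed only through "data", while "data-ro" lets bob read and refuses alice's write. The entry-order dependence is the part worth noticing when setting these ACLs with chmod: an allow placed before a deny for the same principal wins, the reverse order refuses.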