Greg Freemyer
2002-Aug-01 09:34 UTC
[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]
>> Hi,
>> sorry I forgot to specify OS.
>> I'm using:
>> RH 7.2 kernel 2.4.9
>> FS - XFS 1.0.2
>> Samba 2.2.3a
>> I'm using XFS ACL, but I need to set EA(ACL) to Change (read - yes, write -
>> yes, delete - no, execute - no).
>> I don't know how to set this with standard UNIX permissions (rwx).
>> AFAIK XFS didn't help me with this trouble, maybe I'm wrong.
>> The applications we use are made for use in single user (DOS). These
>> applications must have RW access to all files. I don't want users to be
>> able to delete any of these files.
>> Thanks,
>> David.
>> P.S. - English is not my native language.

David,

(The below sounds pedantic. I don't mean to be, but ACLs under Linux are a complex subject.) :(

First, ACLs are not part of standard UNIX permissions. They are an extension, and there is a "withdrawn Posix standard" related to them.

They should offer you the ability to do what you need, but NTFS does have a few specialized ACL capabilities that are beyond the withdrawn posix standard, and thus are not supported by Samba.

ACL support is available in several UNIX flavors, but is just coming out in Linux. It is not yet in the standard Linux kernel. (Nor is XFS as you know). ACL support is in the 2.5 kernel series (i.e. the unstable series), and will be in the 2.6 kernel series (i.e. the next stable series). I don't know if it will ever officially make it into the 2.4 series.

XFS has supported ACLs in Linux from day one from what I understand, but the ACL aspect of XFS is only now becoming stable under Linux. i.e. It was buggy as recently as March 2002.

I consider ACLs in Linux bleeding edge, but many people have them in production environments. FYI: Mandrake supports them. SuSE calls them experimental. RH does not support them at all. (SGI adds the ACL support to RH after the fact.)

As to your current environment:

Native RH 7.2 does not support ACLs.

You must have the SGI supplied XFS enabled RH kernel though.

I'm not 100% positive, but I'm pretty sure that does support ACLs. (XFS has had ACL support under IRIX for some time, so it came in the package when it was ported to Linux.)

Unfortunately, xfsdump and xfsrestore had a bug until March of this year and they don't save/restore ACLs. Normal Linux backup/restore programs definitely don't support ACLs.

If you are going to backup/restore via another server on the network, it is not a problem. If you are going to use Linux Tools to do backup/restore, you will need to upgrade to at least the XFS 1.1 release with the 2.4.18 kernel. (You may have to have the CVS version, I don't know for sure when the bug was fixed.) Hopefully they will have a XFS 1.2 release shortly after the 2.4.19 kernel is released.

Regardless:

You should have tools like chacl, getfacl, and setfacl. (I do with SuSE.) These allow you to set/check ACLs natively from Linux.

Then you should also have the libattr.so and libacl.so packages. SGI should have put them on the ISOs. These are required by Samba to access the ACL info, and must be on your system at Samba compile time.

Since you have an older kernel you need older libraries. Version 2 libs will NOT work. i.e. Version 1 libs and Version 2 libs are NOT binary compatible. Version 2 libs were introduced by SGI with XFS 1.1.

Once you have all the pieces, you add --with-acl-support to your ./configure line, and recompile Samba. See, there's nothing to this process. :)

If all of the above scares you off, I'm hoping that SuSE 8.1 (due in Sept.) will have everything set up and ready to use. They tried in 8.0, but they ended up with the ACL backup/restore failure bug, and the problem is in the kernel unfortunately.

Redhat has not committed to supporting ACLs to the best of my knowledge, but the SGI people are still putting out XFS enabled RH ISOs, so you can go that way as well. (I don't know if the latest XFS enabled RH ISOs have the ACL backup/restore bug or not.)

Good Luck,
Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
David Lukastik
2002-Aug-01 22:21 UTC
[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]
> David,
>
> (The below sounds pedantic. I don't mean to be, but ACLs under Linux are a complex subject.) :(
>
> First, ACLs are not part of standard UNIX permissions. They are an extension, and there is a "withdrawn Posix standard" related to them.
>
> They should offer you the ability to do what you need, but NTFS does have a few specialized ACL capabilities that are beyond the withdrawn posix standard, and thus are not supported by Samba.
>
> ACL support is available in several UNIX flavors, but is just coming out in Linux. It is not yet in the standard Linux kernel. (Nor is XFS as you know). ACL support is in the 2.5 kernel series (i.e. the unstable series), and will be in the 2.6 kernel series (i.e. the next stable series). I don't know if it will ever officially make it into the 2.4 series.
>
> XFS has supported ACLs in Linux from day one from what I understand, but the ACL aspect of XFS is only now becoming stable under Linux. i.e. It was buggy as recently as March 2002.
>
> I consider ACLs in Linux bleeding edge, but many people have them in production environments. FYI: Mandrake supports them. SuSE calls them experimental. RH does not support them at all. (SGI adds the ACL support to RH after the fact.)
>
> As to your current environment:
>
> Native RH 7.2 does not support ACLs.
>
> You must have the SGI supplied XFS enabled RH kernel though.
>
> I'm not 100% positive, but I'm pretty sure that does support ACLs. (XFS has had ACL support under IRIX for some time, so it came in the package when it was ported to Linux.)
>
> Unfortunately, xfsdump and xfsrestore had a bug until March of this year and they don't save/restore ACLs. Normal Linux backup/restore programs definitely don't support ACLs.
>
> If you are going to backup/restore via another server on the network, it is not a problem. If you are going to use Linux Tools to do backup/restore, you will need to upgrade to at least the XFS 1.1 release with the 2.4.18 kernel. (You may have to have the CVS version, I don't know for sure when the bug was fixed.) Hopefully they will have a XFS 1.2 release shortly after the 2.4.19 kernel is released.
>
> Regardless:
>
> You should have tools like chacl, getfacl, and setfacl. (I do with SuSE.) These allow you to set/check ACLs natively from Linux.
>
> Then you should also have the libattr.so and libacl.so packages. SGI should have put them on the ISOs. These are required by Samba to access the ACL info, and must be on your system at Samba compile time.
>
> Since you have an older kernel you need older libraries. Version 2 libs will NOT work. i.e. Version 1 libs and Version 2 libs are NOT binary compatible. Version 2 libs were introduced by SGI with XFS 1.1.
>
> Once you have all the pieces, you add --with-acl-support to your ./configure line, and recompile Samba. See, there's nothing to this process. :)
>
> If all of the above scares you off, I'm hoping that SuSE 8.1 (due in Sept.) will have everything set up and ready to use. They tried in 8.0, but they ended up with the ACL backup/restore failure bug, and the problem is in the kernel unfortunately.
>
> Redhat has not committed to supporting ACLs to the best of my knowledge, but the SGI people are still putting out XFS enabled RH ISOs, so you can go that way as well. (I don't know if the latest XFS enabled RH ISOs have the ACL backup/restore bug or not.)
>
> Good Luck,
> Greg Freemyer
> Internet Engineer
> Deployment and Integration Specialist
> Compaq ASE - Tru64 v4, v5
> Compaq Master ASE - SAN Architect
> The Norcross Group
> www.NorcrossGroup.com

Greg,

thanks for your answer. I think we are talking at cross purposes.

I know ACLs are an extension and they are not in the vanilla kernel. (I can use http://acl.bestbits.at or I can use XFS). I'm using XFS only for ACLs, good performance and good support in Linux and Samba. I have 4 servers with RH+XFS+Samba. Some of them were installed by the SGI Installer, some of them I upgraded myself (patching kernel with XFS, compiling and installing cmds).

XFS ACLs don't help me with my trouble, because it's only an addition to standard permissions. (Using only rwx permissions.)

I found some projects like RSBAC or LSM, that have fine grained EAs. They have for example: READ, WRITE, DELETE, EXECUTE, MOUNT, TRUNCATE and others.

But the point of my original question was if Samba supports these EAs (from RSBAC or LSM or any other similar project), or only supports POSIX ACLs.

Maybe this question should be posted to the technical list. But thanks for your answers.

David.
Greg Freemyer
2002-Aug-02 13:30 UTC
[Samba] Samba and ACLs with XFS [WAS: Samba and RSBAC or LSM]
>> XFS ACLs don't help me with my trouble, because it's only an addition to
>> standard permissions. (Using only rwx permissions.)
>> I found some projects like RSBAC or LSM, that have fine grained EAs.
>> They have for example: READ, WRITE, DELETE, EXECUTE, MOUNT, TRUNCATE and
>> others.
>> But the point of my original question was if Samba supports these EAs
>> (from RSBAC or LSM or any other similar project), or only supports POSIX
>> ACLs.
>> Maybe this question should be posted to the technical list.
>> But thanks for your answers.
>> David.

David,

Feel free to post on the technical list.

I for one am not an expert in this area, but I have done a lot of research on the topic of EAs/ACLs.

To the best of my knowledge, both the XFS and bestbits patched ext2/3 filesystems support a full range of arbitrary EAs. i.e. an EA is a simple name value pair and can be used for any purpose. ACLs are a specific set of filesystem defined EAs that are used to enforce access rules.

I do NOT know if either filesystem will enforce any non-posix ACLs.

To the best of my knowledge, samba only supports Posix ACLs.

If I were you, I would ask on the bestbits mailing list if either filesystem will support the non-posix ACLs you want.

FYI: bestbits now supports the userland tools for EAs and ACLs for both the patched ext2/3 and xfs filesystems. (SGI no longer has any support for user-land EA/ACL tools, instead they maintain compatibility with the bestbits tools.)

Regardless of the underlying filesystem's support for non-posix ACLs, your apps will still NOT be able to set them because Samba does not support them. If the bestbits people are providing the appropriate tools and the underlying filesystem will enforce them, you could still set the non-posix ACLs on the backside manually.

I have never worked with non-posix ACLs behind Samba, so I cannot tell you how well/poorly it will work.

Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
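
Added example, not part of the thread: a small Python model of the POSIX ACL access check, showing how the requirement from the first message (read and write yes, delete no) maps onto POSIX semantics, where removing a file is governed by write permission on its directory rather than on the file itself. The owner `root`, the group `dosusers`, the user names and both ACLs are constructed; the sticky bit and the superuser override are not modelled.

```python
# Added illustration, not from the thread: POSIX.1e access check over
# getfacl-style text. Owner "root" and group "dosusers" are constructed.
def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        line = line.split("#")[0].strip()      # drop trailing comments
        if line:
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms.replace("-", ""))))
    return entries

def allowed(acl, owner, group, user, groups, want):
    """True if user (a member of groups) is granted every bit in want."""
    want = set(want)
    get = lambda tag, qual="": next(
        (p for t, q, p in acl if (t, q) == (tag, qual)), None)
    mask = get("mask")
    masked = lambda p: p if mask is None else p & mask
    if user == owner:
        return want <= get("user")             # owner entry is never masked
    if get("user", user) is not None:          # named user entry
        return want <= masked(get("user", user))
    # Owning group and named groups: any one matching entry may grant.
    hits = [p for t, q, p in acl if t == "group"
            and (q in groups or (q == "" and group in groups))]
    if hits:
        return any(want <= masked(p) for p in hits)
    return want <= get("other")

DIR_ACL = parse_acl("""
user::rwx
group::r-x
group:dosusers:r-x    # list and enter only: no creating or removing names
mask::r-x
other::---
""")
FILE_ACL = parse_acl("""
user::rw-
group::r--
group:dosusers:rw-    # read and modify the file's contents
mask::rw-
other::---
""")
def can_modify(user, groups):
    # Opening an existing file read/write: search on dir, rw on file.
    return (allowed(DIR_ACL, "root", "root", user, groups, "x")
            and allowed(FILE_ACL, "root", "root", user, groups, "rw"))

def can_delete(user, groups):
    """unlink() needs write+search on the parent directory, not the file."""
    return allowed(DIR_ACL, "root", "root", user, groups, "wx")
```

Withholding write on the directory also blocks creating and renaming files there, so applications that write temporary files beside their data need a separate writable directory.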