samba - May 2023 - O_PATH, FreeBSD & acl_xx_fd

On Tue, May 30, 2023 at 09:57:37AM +0200, Peter Eriksson via samba
wrote:
>I?ve been looking at an issue when compiling Samba on FreeBSD 13 with the
vfs_zfsacl module.
>
>It seems the logic that detect O_PATH support in Samba doesn?t work right
with FreeBSD 13 (since it has implemented O_PATH support) and especially with
the acl_get_fd() function. This is a bug (or rather a missing feature) in
FreeBSD that there is a patch for now (dunno when it?ll appear in a release
version).
>
>However, one question that has surfaced is if Samba also requires support to
change/set ACLs via O_PATH-opened file descriptors? I?m trying to test things
but figured I?d put this here too if someone with more internal knowledge of the
Samba VFS O_PATH-related stuff knows :-)
>
>
>https://bugzilla.samba.org/show_bug.cgi?id=15376?
>
>https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271704?
Samba uses a horrible hack, as far as I know Linux
specific, to do this.

Once it has a O_PATH fd, it then uses the path
based xattr call on the string /proc/<pid>/fd/<fdnum>
where fdnum is the O_PATH fd we already opened.
This is proven safe.

Urgh?

I modified the FreeBSD kernel to allow all_xx_fd() calls on O_PATH descriptors
and that seems make vfs_zfsacl to work fine. Not 100% tested but I could atleast
view and modify the ACL on some stuff from a Windows client via Samba that way.

I?m not sure I?ll be able to get them to implement this ?officially? though.
Reading ACLs via an O_PATH-opened descriptor seems to be on the way of being
added though. I can always use my custom kernel but? :-)

Regarding that Linux hack - I wonder if on FreeBSD one might use this to do
something similar:
>   A file descriptor created with the O_PATH flag can be opened into normal
>     (operable) file descriptor by specifying it as the fd argument to
>     openat() with empty path and flag O_EMPTY_PATH.  Such an open behaves
as
>     if the current path of the file referenced by fd is passed, except that
>     the path walk permissions are not checked.  See also the description of
>     AT_EMPTY_PATH flag for fstatat(2) and related syscalls.
Hmm? I?ll have to test it. Yes, this seems to work - after this I can read &
write ACLs and stuff:

   fd = openat(fd, ??, O_EMPTY_PATH);

- Peter

> On 30 May 2023, at 19:20, Jeremy Allison <jra at samba.org> wrote:
> 
> On Tue, May 30, 2023 at 09:57:37AM +0200, Peter Eriksson via samba wrote:
>> I?ve been looking at an issue when compiling Samba on FreeBSD 13 with
the vfs_zfsacl module.
>> 
>> It seems the logic that detect O_PATH support in Samba doesn?t work
right with FreeBSD 13 (since it has implemented O_PATH support) and especially
with the acl_get_fd() function. This is a bug (or rather a missing feature) in
FreeBSD that there is a patch for now (dunno when it?ll appear in a release
version).
>> 
>> However, one question that has surfaced is if Samba also requires
support to change/set ACLs via O_PATH-opened file descriptors? I?m trying to
test things but figured I?d put this here too if someone with more internal
knowledge of the Samba VFS O_PATH-related stuff knows :-)
>> 
>> 
>> https://bugzilla.samba.org/show_bug.cgi?id=15376?
>> 
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271704?
> 
> Samba uses a horrible hack, as far as I know Linux
> specific, to do this.
> 
> Once it has a O_PATH fd, it then uses the path
> based xattr call on the string /proc/<pid>/fd/<fdnum>
> where fdnum is the O_PATH fd we already opened.
> This is proven safe.