On Sun, Aug 1, 2021 at 2:02 AM Stef Bon <stefbon@xxxxxxxxx> wrote:
>
> Hi,
>
> I'm working on a FUSE filesystem to browse and access SMB networks.
> I'm using libsmb2 for that. It's not online yet, but my software is here:
>
> https://github.com/stefbon/OSNS
>
> Now I found out that smb2/3 do not support posix like file attributes,
> but do (almost?) everything with acl's.
> Now I see the function parse_dacl in fs/cifs/cifsacl.c, which
> determines the permissions from the acl. I see also that when there
> are no acl's, the default is 0777. I made the same choice in my
> filesystem.
> I've got some questions:
>
> a. what does the sid_unix_NFS_mode stand for? Is it part of the "unix
> extensions module for Windows"?
>
> b. can you assume some order in the acl's, so you participate on that?
> I want to know there are optimizations possible.

The ACE entries in the ACL are processed in order, thus a user can
create very sophisticated ACLs by ordering the entries carefully.

The ACEs are actually processed twice when access is evaluated.
First it handles all the DENY ACEs. So it goes through the ACL, only
looking at the DENY ACEs and ignoring all other ACEs.
Once it has processed the entire ACL this way, and IF the user was not
denied access, then it will go through the entire ACL a second time,
this time only looking at the ALLOW ACE entries to see if the user is
granted access.

Example:
1, S-1-2-ALICE ALLOW READ
2, S-1-2-BOB ALLOW READ/WRITE
3, S-1-2-EVERYBODY ALLOW READ/WRITE
4, S-1-2-BOB DENY WRITE

In this case, even though there are two ACEs that would grant BOB
WRITE access (the ACE for BOB and EVERYBODY), BOB is still denied
write access due to the presence of a DENY ACE for WRITE.
In this case the ACEs are evaluated in the following order
4, 1, 2, 3

>
> Thanks in advance,
>
> Stef Bon
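An added example, not part of the message above and not code from fs/cifs/cifsacl.c or OSNS: the two-pass evaluation the message describes, beside the single in-order walk that the Windows access check is documented to use. The two agree when DENY ACEs precede ALLOW ACEs and differ on the message's ACL as ordered. The struct names, the READ/WRITE bit values and BOB's token containing the EVERYBODY SID are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum { READ = 0x1, WRITE = 0x2 };                  /* assumed bit values */
enum ace_type { ALLOW, DENY };
struct ace { const char *sid; enum ace_type type; unsigned mask; };
struct token { const char *sids[4]; size_t n; };   /* user SID plus group SIDs */

/* Constructed sample data: the ACL from the message, in the order given there. */
static const struct ace msg_acl[4] = {
    { "S-1-2-ALICE", ALLOW, READ },             { "S-1-2-BOB", ALLOW, READ | WRITE },
    { "S-1-2-EVERYBODY", ALLOW, READ | WRITE }, { "S-1-2-BOB", DENY, WRITE } };
/* The same entries with the DENY ACE moved to the front (canonical order). */
static const struct ace canon_acl[4] = {
    { "S-1-2-BOB", DENY, WRITE },               { "S-1-2-ALICE", ALLOW, READ },
    { "S-1-2-BOB", ALLOW, READ | WRITE },       { "S-1-2-EVERYBODY", ALLOW, READ | WRITE } };
static const struct token bob = { { "S-1-2-BOB", "S-1-2-EVERYBODY" }, 2 };

static int applies(const struct ace *a, const struct token *t) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(a->sid, t->sids[i]) == 0) return 1;
    return 0;
}

/* Two-pass model from the message: every DENY ACE first, then every ALLOW ACE. */
int check_two_pass(const struct ace *acl, size_t n, const struct token *t, unsigned want) {
    unsigned granted = 0;
    for (size_t i = 0; i < n; i++)
        if (acl[i].type == DENY && applies(&acl[i], t) && (acl[i].mask & want)) return 0;
    for (size_t i = 0; i < n; i++)
        if (acl[i].type == ALLOW && applies(&acl[i], t)) granted |= acl[i].mask;
    return (granted & want) == want;
}

/* One in-order walk: stop at a DENY of a still-needed right, or once all are granted. */
int check_in_order(const struct ace *acl, size_t n, const struct token *t, unsigned want) {
    for (size_t i = 0; i < n && want; i++) {
        if (!applies(&acl[i], t)) continue;
        if (acl[i].type == ALLOW) want &= ~acl[i].mask;
        else if (acl[i].mask & want) return 0;
    }
    return want == 0;
}

int main(void) {
    printf("BOB WRITE, message order: two-pass=%d in-order=%d; canonical: two-pass=%d in-order=%d\n",
           check_two_pass(msg_acl, 4, &bob, WRITE), check_in_order(msg_acl, 4, &bob, WRITE),
           check_two_pass(canon_acl, 4, &bob, WRITE), check_in_order(canon_acl, 4, &bob, WRITE));
    return 0;
}
```

A filesystem that derives mode bits from a DACL gets the same result from either routine only if it can rely on the server returning ACEs in canonical order.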