From: Dave Chinner <david@fromorbit.com>
To: Linda Walsh <xfs@tlinx.org>
Cc: xfs-oss <xfs@oss.sgi.com>
Subject: Re: where/how is 'xattr' type=security enforced? (security attr stripped?)
Date: Tue, 10 Dec 2013 16:52:13 +1100 [thread overview]
Message-ID: <20131210055213.GD31386@dastard> (raw)
In-Reply-To: <52A65AD5.9070705@tlinx.org>
On Mon, Dec 09, 2013 at 04:05:41PM -0800, Linda Walsh wrote:
> I got a weird message that I've never seen before -- nothing
> life shattering, just a curiosity that I thought shouldn't happen.
>
>
> I stored a file in my /home partition FROM a Win7 client
> via samba 3.6.16.
>
> With that file were also stored xattrs:
>
> DOSATTRIB, SAMBA_PAI and NTACL. Since linux is the 'server',
> These are all likely set via samba.
>
> To work on the file more, I wanted to move it
> to /tmp.
>
> I use mv:
> >mv /home/law/tmp/oVars.pm /tmp
> mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’: Operation not permitted
You need root permissions to set security namespace attributes.
$setfattr -n security.NTACL -v foobarchucky /mnt/test/foo
setfattr: /mnt/test/foo: Operation not permitted
$ sudo setfattr -n security.NTACL -v foobarchucky
/mnt/test/foo
$ getfattr -n security.NTACL /mnt/test/foo
getfattr: Removing leading '/' from absolute path names
# file: mnt/test/foo
security.NTACL="foobarchucky"
$
[ On a side note, there's some sooper seekrit voodoo there in
getfattr. I feel that my systems are so much more secure knowing
that getfattr is protecting me from \something/ so dangerous it
can't possibly be worked around with sed or --absolute-names. ]
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2013-12-10 5:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-10 0:05 where/how is 'xattr' type=security enforced? (security attr stripped?) Linda Walsh
2013-12-10 5:52 ` Dave Chinner [this message]
2013-12-11 0:15 ` LA Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131210055213.GD31386@dastard \
--to=david@fromorbit.com \
--cc=xfs@oss.sgi.com \
--cc=xfs@tlinx.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox