From: Dave Chinner <david@fromorbit.com>
To: Jeremy Allison <jra@samba.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Samba Technical <samba-technical@lists.samba.org>,
"L.A. Walsh" <samba@tlinx.org>, xfs-oss <xfs@oss.sgi.com>
Subject: Re: Security issue - storing NTACL's in non-NT-security-namespace
Date: Sat, 14 Dec 2013 10:20:00 +1100
Message-ID: <20131213232000.GA10988@dastard>
In-Reply-To: <20131213220848.GG1005@samba2>

On Fri, Dec 13, 2013 at 02:08:48PM -0800, Jeremy Allison wrote:
> On Fri, Dec 13, 2013 at 01:32:12PM -0800, L.A. Walsh wrote:
> > Now NOTE: if I don't use "explicit action" (-a) in my copy:
> >
> > Ishtar:law/Documents> /usr/bin/cp testfile.txt testcopy.txt
> > Ishtar:law/Documents> attr -l testcopy.txt
> > Attribute "SGI_ACL_FILE" has a 76 byte value for testcopy.txt
> >
> > ONLY the root-namespace ACL is saved -- the user and security
> > attributes are stripped.
>
> What is the namespace for SGI_ACL_FILE ?

That's XFS's on-disk name for a posix ACL, which are kept in the root
namespace. It's a file ACL, not a default ACL (which are named
SGI_ACL_DEFAULT), so it was placed there by the user after VFS
allowed it to be created.

Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
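
An added example, not part of the original message or of XFS or Samba code: a decoder for a raw `SGI_ACL_FILE` value, assuming the on-disk layout is a big-endian 32-bit entry count followed by 12-byte entries (tag, id, permission bits, padding). Under that assumption a 76-byte value, as reported in the quoted `attr -l` output, holds six entries; the sample bytes and ids below are constructed.

```python
import struct

# POSIX ACL tag values as used by Linux; assumed to be stored unchanged by XFS.
TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
        0x08: "group", 0x10: "mask", 0x20: "other"}
UNDEFINED_ID = 0xFFFFFFFF          # id field of entries that carry no uid/gid
HDR = struct.Struct(">I")          # entry count, big-endian
ENTRY = struct.Struct(">IIHH")     # tag, id, permission bits, padding


def decode_xfs_acl(blob: bytes):
    """Return [(tag_name, id_or_None, 'rwx')]; raise ValueError if malformed."""
    if len(blob) < HDR.size:
        raise ValueError("value shorter than the count header")
    (count,) = HDR.unpack_from(blob, 0)
    expected = HDR.size + count * ENTRY.size
    if len(blob) != expected:
        # Never trust the count alone: it must agree with the value length.
        raise ValueError(f"count {count} needs {expected} bytes, got {len(blob)}")
    entries = []
    for i in range(count):
        tag, ident, perm, _pad = ENTRY.unpack_from(blob, HDR.size + i * ENTRY.size)
        if tag not in TAGS:
            raise ValueError(f"entry {i}: unknown tag {tag:#x}")
        if perm & ~0o7:
            raise ValueError(f"entry {i}: bits outside rwx in {perm:#o}")
        rwx = "".join(c if perm & bit else "-"
                      for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        entries.append((TAGS[tag], None if ident == UNDEFINED_ID else ident, rwx))
    return entries


def build_sample() -> bytes:
    """Constructed 76-byte value: six entries, two of them named users."""
    rows = [(0x01, UNDEFINED_ID, 6), (0x02, 1000, 6), (0x02, 1001, 4),
            (0x04, UNDEFINED_ID, 4), (0x10, UNDEFINED_ID, 6),
            (0x20, UNDEFINED_ID, 0)]
    return HDR.pack(len(rows)) + b"".join(ENTRY.pack(t, i, p, 0)
                                          for t, i, p in rows)


if __name__ == "__main__":
    for name, ident, rwx in decode_xfs_acl(build_sample()):
        print(f"{name:9} {'' if ident is None else ident:>5} {rwx}")
```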