Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrustedBSD Supports Windows NT ACLs With Samba

Posted by Nik on from the rwxr-xr-x dept.

Anonymous Coward writes "Chris Faulhaber, one of the TrustedBSD developers, announced on the trustedbsd-discuss mailing list that Samba's POSIX.1e ACL support is now working on FreeBSD 5.0-CURRENT, and even has a screen shot. This has been a high-demand feature, apparently, and could be a big selling point for sites currently running Windows NT as their enterprise operating system.

Date: Tue, 24 Apr 2001 19:17:52 -0400
From: Chris Faulhaber <jedgar@fxp.org>
To: trustedbsd-discuss@TrustedBSD.org
Subject: Native ACL support for Samba

With the release of Samba 2.2.0, samba offers ACL support to remote clients. I just committed the changes to the FreeBSD CVS tree required to allow Samba to access the FreeBSD ACLs. With an updated -current system and samba-devel port (define WITH_ACL_SUPPORT), Windows NT 4.0 and 2000 clients can now remotely manipulate ACLs. Testing and comments are appreciated.

In addition, the ACL utilities, getfacl and setfacl, have been updated to fully make use of the ACL editing library. They should compile on most ACL-enabled systems (tested on Linux + ACL patches) with little or no change."

25 of 82 comments (clear)

  1. Re:Mirror of screen shot available by abischof · · Score: 2

    How ironic -- in a story about TrustedBSD, you post your resume in M$ DOC format ;). Kidding aside, I'm also looking for a new job, in Web Development.

    Alex Bischoff
    ---

    --

    Alex Bischoff
    HTML/CSS coder for hire

  2. Re:Can we really trust BSD? by jandrese · · Score: 2

    +1 Insightful?

    I don't even know what he's talking about with the anti-american stuff.

    +1 Insightful

    Metamod to the rescue!

    Down that path lies madness. On the other hand, the road to hell is paved with melting snowballs.

    --

    I read the internet for the articles.
  3. ACLs on Linux? by Ed+Avis · · Score: 3

    What's the state of ACL support with Linux? I heard that they were kinda-supported in 2.2 but not stored in the file system - what's it like with 2.4, and can Samba use them?

    Is this a first for TrustedBSD, or can you get the same ACL support with Solaris, Linux or other 'nixes?

    --
    -- Ed Avis ed@membled.com
    1. Re:ACLs on Linux? by Lazaru5 · · Score: 2
      ACLs are most commonly associated with Trusted Operating Systems (Where TrustedBSD gets it's name) ala the rainbow series of books.

      The NSA's SE Linux has been covered here many times.

      Also mentioned in the past is PitBull from Argus Systems (I work across the street from their offices) which stood up to the OpenHack III challenge a few moths back. PitBull gives Trusted OS extentions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution.)

      And Sun also already has a Trusted Solaris.

      There's others as well.

      It occurs to me that you might have meant is it a first to provide ACL support via Samba, in which case I appologize. This was of course already answered by someone else.

      --

      --

      --
      My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
    2. Re:ACLs on Linux? by Lazaru5 · · Score: 2
      What are you sorry for? I clearly referred to OpenHack III and not the InfoSec/London challenge.

      The flaw in the OS isn't Solaris specific. Any x86 OS is/was potentially at risk.

      For info on the LDT vulnerability, see this NetBSD Advisory.

      Additionally, Argus doesn't even sell a version of PitBull for Solaris/x86. Their Solaris/x86 version is only for R&D and it was the one that was used in the InfoSec challenge.

      --

      --

      --
      My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
    3. Re:ACLs on Linux? by zsazsa · · Score: 2

      Yes, it is WELL supported in both 2.2 and 2.4. Check out http://acl.bestbits.at/.

      And, yes, it is supported in Samba 2.2.

      zsazsa

  4. Re:Just what the doctor ordered... by Jeremy+Allison+-+Sam · · Score: 3

    The problem with the NetApp implementation is that if you change the unix perms it blows away the set NT perms. The solution I coded for Samba maps the NT perms into POSIX ACLs so the two co-exist.

    Of course the NetApp solution gives full NT ACL semantics, whereas the Samba solution doesn't, but I think the Samba solution gives better UNIX/NT integration.

    Also I don't know any NT admins who understand the full NT ACL semantics :-) :-).

    Cheers,

    Jeremy Allison,
    Samba Team.

  5. Re:Is it really good? by scrytch · · Score: 3

    > In my experience, most users of NT-based systems do not use ACLs

    Correct, admins use them, and when done properly, the users never know differently. Users still have uses for ACL's too, and it's really this simple, a question I got at least once a week when doing support for Sun: how to share some files of yours with a co-worker so he can read them but not change them, and with another co-worker that can read and write them (or some other combination of accesses). Answer: set up an ACL (no, we do not create groups every time there's a request for this kind of sharing). Thankfully dtfm could do one thing right, and that was manage ACL's with slightly less pain than manually using setfacl.
    --

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  6. Re:Windows version? by sharkey · · Score: 2

    It looks to me like NT 4.0 with either the Plus Pack installed or IE 4 w/Active Desktop, or both. Or, it could be a very early (read "smuggled") build of NT 5.0. They had NT 5 on display at ITEC in early 1998, and it looked like that, with the Win98/Plus Pack "sexy" icons.

    --

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  7. TrustedBSD, not Linux.. Linux has no ACLs! by cpeterso · · Score: 2

    Did you read the story, you know the words at the top of the page? This story is about Samba using TrustedBSD's ACLs. Linus' Linux doesn't even support ACLs without flaky, third-party patches. The Extended Attributes and Access Control Lists for Linux FAQ says:



    Q10 When will Posix ACLs be part of the kernel?

    There are multiple steps to getting ACLs into the kernel. The first step, which we are heavily debating on the mailing lists right now, is how to design the system call interface for extended attributes and ACLs. The next step will be to include the extended attribute code into the kernel, or create even better extended attribute code for that purpose. Then, on top of that, we can include ACLs for the ext2 and ext3 filesystems. Other filesystems such as XFS be able to support ACLs directly, without needing extended attributes.


    --
    cpeterso
  8. Snapshots by dcs · · Score: 2

    ...and, of course, snapshots are also supported by FreeBSD.

    --
    (8-DCS)
  9. No, but the current system is pathetic. by Nailer · · Score: 2

    Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

    Actually, NT uses thw following method to determialternative ne your access:

    1. Work out the greatest amount of privilege you have through ACLs
    2. Work out the greatest amount of privilege you have through shares
    3. The final privilege is the most restrictive of the two above

    Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:

    * Some word processor templates are stored on a server
    * A group of users edit these templates
    * Another group of users can only read these templates
    * All other users may not view these templates at all, as they contain business sensitive information.

    A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.

    Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.

  10. No, but the current system is pathetic. by Nailer · · Score: 2

    Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

    Actually, NT uses thw following method to determialternative ne your access:

    1. Work out the greatest amount of privilege you have through ACLs
    2. Work out the greatest amount of privilege you have through shares
    3. The final privilege is the most restrictive of the two above

    Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:

    * Some word processor templates are stored on a server
    * A group of users edit these templates
    * Another group of users can only read these templates
    * All other users may not view these templates at all, as they contain business sensitive information.

    A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.

    Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.

  11. Re:Is it really good? by Nailer · · Score: 2

    The bottom line is: ACL's are great and wonderful and all that. Force them on every file in the system however, and you're looking for big trouble and even bigger headaches.

    Why? A single line ACL is less complex than 3 sets of rwxs bits. It seems to me ACLs are as complex as you want them to be.

  12. Re:Windows version? by Nailer · · Score: 2

    Standard NT 4.0

    The icons are the high color icons available in Start -> Control Panel -> Display -> Effects, in the check box marked `show icons using all possible colors'.

  13. Is it really good? by Noryungi · · Score: 2

    Please note: this is not a flame, just an honest question.

    While adding functions to Open-Source system is certainly the whole point of FreeBSD, Linux, etc... I can't help but wonder why this particular function is interesting.

    In my experience, most users of NT-based systems do not use ACLs and never bother to set them correctly (if at all). Keeping those (unset) ACLs on a Samba-based BSD server therefore seems like a waste of time... =(

    Therefore, having Samba-based ACLs on a *BSD system seems to me totally uninteresting, except if, like a previous poster has remarked, you need some sort of TLA buzzword (Posix-compliant ACLs! Wow!) for your clueless PHB.

    Could anyone please explain the interest of such a thing? Many thanks in advance...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Is it really good? by starseeker · · Score: 2

      Yes, it is really good. There are a number of reasons for this.

      1) Linux users tend to be highly technical people, and would almost certainly find uses for ACLs. They would put in the time to understand them properly, something (I suspect) many Windows NT people don't need or want to do. So the inclusion of ACLs in Samba might actually encourage better use of ACLs overall, as the unix people see the advantage and start to educate everyone else (especially whoever maintains the NT desktops.)

      2) Corporate use is one of the key target markets for Linux, and the corporate market is a market much more likely than desktop users to want and need ACLs. The PHB will only know that it is new and cool, but the techs in the back room can put it to real use. Any selling point such as ACLs is to be desired, since use in business will provide both a steady market and educate people about open source.

      3) More power in software is ALWAYS better than less power, unless it eats an insane amount of resources. This wouldn't.

      4) It might put more pressure on the general open source population to update their permissions system, which is also a good thing.

      --
      "I object to doing things that computers can do." -- Olin Shivers, lispers.org
    2. Re:Is it really good? by Ayende+Rahien · · Score: 2

      ACLs are being used extensively by many people.
      They can be misused, make no mistake, but used correctly, they are far superior to rwx method that is the prefered by the *nix people.

      --

      --
      Two witches watched two watches.
      Which witch watched which watch?
    3. Re:Is it really good? by glenebob · · Score: 2

      The trouble with ACL's on NT is that that's all you get. The vast, vast majority of files on a system don't need that kind of fine grained control, and the complexity of ACL's, in addition to the horrid file system organization of an NT system, makes security extremely tough to keep under control.

      On the other hand, posix ACL's are optional. You still get the old *nix style permission system, which is perfect for most files (/usr/bin/* for example). You simply add ACL's to certain files where they're needed and leave the rest of the filesystem alone.

      Using my home system as an example, I would probably use ACL's for all my html files, and for my cvs repository. Everything else would be left as-is.

      The bottom line is: ACL's are great and wonderful and all that. Force them on every file in the system however, and you're looking for big trouble and even bigger headaches. NT is a text-book example of bad design in this area (and maybe one or two others :-).

      --
      Damn it Jim, that's my sphincter, not a jelly donut!!!

    4. Re:Is it really good? by NutscrapeSucks · · Score: 2

      ACLs are the only real solution for the situation where you have one group with Read Only access and another group with Read/Write access, and yet another administrative group.

      There's also the kudgyness of creating groups just to solve a particular access control problem. Have many thousand users in a directory environment, and it just doesn't scale up.

      Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

      Not to mention that network types have gotten used to ACLs since Novell 3.x back in the early 90s. It has become a checkbox feature.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
  14. Mirror of screen shot available by Tairan · · Score: 3
    at my site. Be sure to look around! I need a new job - see if you can offer me one.

    --
    /. is a commercial entity. goto slashdot.com
  15. Windows version? by Fervent · · Score: 2

    Exactly what version of Windows NT are they running in that VMWare screenshot? Those icons look like very early 4.0.

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  16. Re:Did Slashdot Layout change? by micromoog · · Score: 2
    My whole front page is in itallics...

    Mine too. Fuck italics.

  17. Re:ACLs in NT by Zeinfeld · · Score: 4
    Does anyone actually bother to use them?

    I don't use them on my home machines, but I often wish I had - and that is with two users, both of whom know the root password.

    When I did sysadmin type stuff I used them extensively.

    NT ACLs are very usefull since if you run IIS the file permissions map right through to the web server.

    I agree however with a point raised by Butler Lampson several times, ACLs are a pain to manage they should not apply to files. Instead individual users should be allowed to define named access policies via an ACL and then apply the policy to the file.

    What this would mean is that if you decide to kick Alice off the system you can revoke all her ACLs at one time, or if you decide to give her special privs you can do it all in one.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  18. What `BSD' means in the context of Windows by scorcherer · · Score: 2
    Blue Screen of Death.

    And I thought you get enough BSDs on Windoze even without the official FreeBlueScreenofDeath `service pack'.

    --

    --

    --
    The Cap is nigh. Time to get a fresh new account.