ACLs - Konfiguration and Infos vor Developpers
==============================================
-ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and fewer OSes support
-these. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and
-derived distributions.
+ACL support for AFP is implemented for Solaris/ZFS/NFSv4 ACLs and POSIX 1e ACLs.
Configuration
-------------
In order to be able to support ACLs, the following things have to be configured:
-1. ZFS Volumes
+1. For Solaris/ZFS: ZFS Volumes
2. Authentication Domain
3. Netatalk Volumes
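Review bot: the new intro line claims POSIX 1e ACL support, but the configuration list only gains a "For Solaris/ZFS:" qualifier on step 1 and says nothing about what a POSIX ACL setup needs at that step. Suggest adding a matching item for POSIX ACL filesystems, or stating that step 1 does not apply there, so a reader on such a system knows whether steps 2 and 3 are sufficient. "Solaris/ZFS/NFSv4 ACLs" also reads as three alternatives; wording like "NFSv4 ACLs (ZFS on Solaris)" would be clearer. The title typos in the context lines ("Konfiguration", "vor Developpers") could be fixed in the same change.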
In other words:
- you need an Open Directory Server or an LDAP server where you store UUIDs in some
- attribute
+ attribute
- your clients must be configured to use this server
- - your server should be configured to use this server via nsswitch and PAM. This
- however is not a strict requirement:
- if you create duplicates of every LDAP/OD user and group with identic attributes
- (name, uid, gid) in your local data store (/etc/[passwd|group]) things will work
-
- * as long as user/group names/ids in the filesystem are equal *
- * to their counterparts in the LDAP/OD datastore *
-
+ - your server should be configured to use this server via nsswitch and PAM
- configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
- for users and groups via LDAP search queries
+ for users and groups via LDAP search queries
3. Netatalk Volumes
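Review bot: in the nsswitch/PAM bullet, the removed text said this was not a strict requirement and documented the local /etc/[passwd|group] duplicate setup, while the replacement keeps "should" and drops both statements, so it is unclear whether the local-duplicate setup still works or is now unsupported. Since the removed condition was that user/group names and ids in the filesystem must equal their LDAP/OD counterparts, please state whether directory-backed nsswitch and PAM are now required; if the alternative remains valid, keep that condition in the text. The "attribute" and "for users and groups via LDAP search queries" line pairs look like whitespace-only changes and would be better split out or dropped.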
Basically as far as implementing AFP support is concerned they're equivalent.
Subtleties arise at other places:
- FPAccess
-
- The AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
- often not explicitly granted via an ACE. Therefor the client would get an no access
- error. The client in turn then declares the object in question read only.
- Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
- the requestor has write permissions.
-
- FPGetFileDirParms
-
- 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
- access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
- user bits by including any ACL rigths.
+ * FPAccess:
+ The (10.5) AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
+ often not explicitly granted via an ACE. Therefor the client would get an no access
+ error. The client in turn then declares the object in question read only.
+ Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
+ the requestor has write permissions.
+
+ * FPGetFileDirParms:
+ 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
+ access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
+ user bits by including any ACL rigths.
2. .AppleDouble VFS integration
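Review bot: the reworded FPAccess and FPGetFileDirParms paragraphs carry the old typos into the added lines ("Therefor", "an no access", "have to the check", "rigths"); since these lines are being rewritten anyway, fix them here. The FPAccess paragraph now says "The (10.5) AFP client" without saying how other client versions behave, so a reader cannot tell whether the ACE_DELETE_CHILD adjustment is needed only for 10.5 or for later clients as well; one sentence on that would help. It would also be useful to spell out that ACE_DELETE_CHILD is added only when the directory mode already gives the requestor write permission, so it is clear the adjustment reports existing access and does not widen it.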
#ifdef HAVE_POSIX_ACLS
static int check_acl_access(const char *path, const uuidp_t uuid, uint32_t requested_darwin_rights)
{
+ /*
+ * FIXME: for OS X >= 10.6 it seems fp_access isn't called anymore, instead
+ * the client just tries to perform any action, relying on the server
+ * to enforce permission (which the OS does for us), returning appropiate
+ * error codes in case the action failed.
+ * So to summarize: I think it's safe to not implement this function and
+ * just always return AFP_OK.
+ */
return AFP_OK;
}
#endif /* HAVE_POSIX_ACLS */
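Review bot: check_acl_access() in the HAVE_POSIX_ACLS branch returns AFP_OK unconditionally and never looks at path, uuid or requested_darwin_rights, so on POSIX ACL builds every access query is answered as granted. The comment justifies this only for OS X >= 10.6 and hedges with "it seems" and "I think", yet nothing in the function restricts it to those clients; a client that still relies on this check for its permission decisions would be told it has rights that the later operation will refuse. Suggest either evaluating the POSIX ACL against the requested rights here, or documenting in the comment that the answer is advisory only, that enforcement is left entirely to the OS, and what observation backs the 10.6 claim. The FIXME should also say what remains to be done, the unused parameters should be marked as such to avoid compiler warnings, and "appropiate" should read "appropriate".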