Veto Options Patch for Netatalk
===============================

The patch at the below address adds a function similar to Samba's "veto files" option to Netatalk. It is not derived from Samba in any way, so GPL'ing Netatalk wasn't a factor. :-)

    http://ariel.ucs.unimelb.edu.au/~epl/netatalk/veto/netatalk-veto.diff

For those people who do not use Samba, it allows the server to hide files which the user could otherwise access.

Hopefully, if this patch works, clients will not be able to see any veto'ed files/directories. Nor will they be able to create, rename or move files/directories matching the veto'ed filespecs (on the Unix side).

For example, if you use Samba and Netatalk, you would commonly have the following line in Samba's configuration files. That line hides the files on the filesystem which the Netatalk/Mac client creates but the Mac user never sees. By hiding them, users cannot fiddle with these directories, nor will they be confused by files that appear in Windows but do not appear on Macs.

    veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/

Likewise, Windows often creates some "special" files which you may wish to hide from Mac users. Hence, the following line might be useful.

    veto:recycled/desktop.ini/Folder.htt/Folder Settings/

The option as implemented is case sensitive, so YMMV.

Limitations and other notes
===========================

- This patch may have a memory leak as a result of strdup()'ing v_veto, but not freeing it anywhere. I'm not sure if this is a practical problem, as presumably v_veto should be free()'ed when the user disconnects, at which point the fork()'ed ``afpd'' will die and its memory resources will be reclaimed by the operating system.

- This patch does not deal with wildcards at all. Once I've worked out a good design and algorithm, I might add it. It currently fulfills all my requirements. But if there is a demand for wildcard support, I'd be happy to spend additional time on this problem. Until then, I want to make sure that the rest of the code is correct.

- In theory, (with the veto option of veto:foobar/) it would be possible to create a file named ":66oobar" on the Unix side which will then appear to the Mac client as "foobar". Due to other code in Netatalk (not related to this patch), this won't actually work. However, there is no fundamental reason why the Mac client would not be able to read files which seemingly matched the veto filespec (from the Mac).

How was the patch made
======================

I did things in the following steps.

1) I added per-volume support for the "veto:string" option to ``volume.{c,h}''.

2) I determined that the veto option was functionally most similar to the "validupath()" function. Therefore, after every "validupath()" call, I added a "veto_file()".

3) I placed the "veto_file()" function in the ``etc/afpd/filedir.c'' source file. It could also be in any of the other files, but I figured that filedir.c was the best spot. The "veto_file()" function takes the "veto_str" parameter directly from the value "string" in point 1) above.

4) Inside "veto_file()", uncomment the DEBUG code if you want.

If you want more information, contact me at .
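
The matching behaviour described above (slash-separated entries, exact and case-sensitive comparison, no wildcards), shown as an added example that is not the patch's own code. The helper name veto_match() is hypothetical, and skipping empty entries (such as the leading "/" in the Samba-style line) is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not the patch's veto_file(): returns 1 if `name`
 * (a single Unix-side file or directory name) exactly equals one of the
 * '/'-separated entries in `veto_str`, 0 otherwise. */
int veto_match(const char *veto_str, const char *name)
{
    size_t name_len;
    const char *p, *end;

    if (veto_str == NULL || name == NULL || *name == '\0')
        return 0;
    name_len = strlen(name);

    for (p = veto_str; *p != '\0'; p = (*end == '/') ? end + 1 : end) {
        end = strchr(p, '/');
        if (end == NULL)
            end = p + strlen(p);      /* last entry without trailing '/' */
        /* Empty entries (leading or doubled '/') can never equal a
         * non-empty name, so they are skipped by the length check. */
        if ((size_t)(end - p) == name_len &&
            memcmp(p, name, name_len) == 0)
            return 1;                 /* exact, case-sensitive match */
    }
    return 0;
}

int main(void)
{
    /* Veto value taken from the example line in the text above. */
    const char *veto = "recycled/desktop.ini/Folder.htt/Folder Settings/";
    /* Constructed sample names showing the case and wildcard limits. */
    const char *names[] = { "desktop.ini", "Desktop.ini", "Folder Settings",
                            "Folder", "desktop.ini.bak", "report.txt" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-16s %s\n", names[i],
               veto_match(veto, names[i]) ? "vetoed" : "visible");
    return 0;
}
```

Because the comparison is exact, a name that differs only in case or carries an extra suffix stays visible, which is the practical effect of the case-sensitivity and no-wildcard limitations listed above.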