2 ACLs - Konfiguration and Infos vor Developpers
3 ==============================================
5 ACL support for AFP is implemented for Solaris/ZFS/NFSv4 ACLs and POSIX 1e ACLs.
10 In order to be able to support ACLs, the following things have to be configured:
12 1. For Solaris/ZFS: ZFS Volumes
13 2. Authentication Domain
18 You MUST configure two ACL parameters for any volume you want to use with Netatalk:
20 aclinherit = passthrough
23 For an explanation of what these parameters mean and how to apply them see, your hosts
24 ZFS documentation (e.g. man zfs).
26 2. Authentication Domain
28 Your server and the clients must be part of a security association where identity data
29 is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
30 specification in AFP 3.2. Therefor your source of identity data has to provide an
31 attribute for every user and group where a UUID is stored as a ASCII string.
34 - you need an Open Directory Server or an LDAP server where you store UUIDs in some
36 - your clients must be configured to use this server
37 - your server should be configured to use this server via nsswitch and PAM
38 - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
39 for users and groups via LDAP search queries
41 ALL USERS AND GROUPS USED ON VOLUMES WHERE ACLS ARE USED SHOULD THEN COME FROM
42 THE SHARED AUTHENTICATION DOMAIN !
46 Finally you can add "options:acls" to your volume defintions to add ACL support.
47 In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
48 but only via ACLs, you MUST add the "nostat" option to the volume defintion.
53 Some implementation details that are buried in the code are worthwhile to be documented.
55 1. Darwin ACEs vs NFSv4 ACEs
56 2. .AppleDouble VFS integration
58 1. Darwin ACEs vs NFSv4 ACEs
60 Basically as far as implementing AFP support is concerned they're equivalent.
61 Subtleties arise at other places:
64 The (10.5) AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
65 often not explicitly granted via an ACE. Therefor the client would get an no access
66 error. The client in turn then declares the object in question read only.
67 Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
68 the requestor has write permissions.
71 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
72 access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
73 user bits by including any ACL rigths.
75 2. .AppleDouble VFS integration
77 FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
78 .AppleDouble file for files and on the .AppleDouble dir itself for dirs.
80 Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.
82 For dirs on the other hand whe have to make sure that any ACL the dir inherits is
83 copied verbatim to its .AppleDouble dir.