VFS_FREEBSD(8) System Administration tools VFS_FREEBSD(8)
NAME
vfs_freebsd - FreeBSD-specific VFS functions
SYNOPSIS
vfs objects = freebsd
DESCRIPTION
This VFS module is part of the samba(7) suite.
The vfs_freebsd module implements some of the FreeBSD-specific VFS
functions.
This module is stackable.
OPTIONS
freebsd:extattr mode=[legacy|compat|secure]
This parameter defines how the emulation of the Linux attr(5)
extended attributes is performed through the FreeBSD native
extattr(9) system calls.
Currently the security, system, trusted and user extended
attribute (xattr) classes are defined in Linux. In contrast, FreeBSD
has only the USER and SYSTEM extended attribute (extattr) namespaces,
so mapping one set onto the other isn't straightforward and can be
done in different ways.
Historically, the Samba(7) built-in xattr mapping implementation
simply converted system and user xattrs into the corresponding SYSTEM
and USER extattr namespaces, dropping the class prefix and the
separating dot and using only the attribute name within the mapped
namespace. It also rejected any other xattr classes, such as security
and trusted, as invalid. In particular, this behavior broke AD
provisioning on UFS2 file systems, because the essential
security.NTACL xattr was rejected as invalid.
This module tries to address this problem and provide a way to map
Linux xattrs into FreeBSD extattrs that is secure where possible.
When mode is set to legacy (the default), a modified version of the
built-in mapping is used: system xattrs are mapped into the SYSTEM
namespace, while security, trusted and user xattrs are all mapped
into the USER namespace, with the class prefixes dropped and the
attributes mixed together. This is how the Samba FreeBSD ports were
patched up to version 4.9, and it created multiple potential security
issues. This mode is intended only for compatibility with legacy
installations and should be avoided in new setups.
The compat mode is mostly designed for jailed environments, where
it's not possible to write extattrs into the secure SYSTEM
namespace, so all four classes are mapped into the USER namespace.
To preserve information about the origin of an extended attribute,
it is stored together with the class prefix in the class.attribute
format.
The secure mode is meant for storing extended attributes in a
secure manner: security, system and trusted xattrs are stored in
the SYSTEM namespace, which can be modified only by root.
+---------+-----------+-----------+--------------------+--------------------+
|class    | built-in  | legacy    | compat             | secure             |
+---------+-----------+-----------+--------------------+--------------------+
|user     | USER;     | USER;     | USER;              | USER;              |
|         | attribute | attribute | user.attribute     | user.attribute     |
+---------+-----------+-----------+--------------------+--------------------+
|system   | SYSTEM;   | SYSTEM;   | USER;              | SYSTEM;            |
|         | attribute | attribute | system.attribute   | system.attribute   |
+---------+-----------+-----------+--------------------+--------------------+
|trusted  | FAIL      | USER;     | USER;              | SYSTEM;            |
|         |           | attribute | trusted.attribute  | trusted.attribute  |
+---------+-----------+-----------+--------------------+--------------------+
|security | FAIL      | USER;     | USER;              | SYSTEM;            |
|         |           | attribute | security.attribute | security.attribute |
+---------+-----------+-----------+--------------------+--------------------+
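The mapping rules described above, written out as a small C function so the effect of each mode on a given xattr name can be checked. This is an added example, not Samba's or the module's own code: the enum and function names are hypothetical, the namespace values are stand-ins for the FreeBSD constants, and "built-in" denotes the historical mapping described earlier.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; real code would use the FreeBSD namespace constants. */
enum ns { NS_FAIL, NS_USER, NS_SYSTEM };
enum mode { MODE_BUILTIN, MODE_LEGACY, MODE_COMPAT, MODE_SECURE };

/* Map "class.attribute" to a namespace; the stored name is written to out. */
enum ns map_xattr(enum mode m, const char *xattr, char *out, size_t outlen)
{
    static const char *const classes[] = { "user", "system", "trusted", "security" };
    const char *dot = strchr(xattr, '.');
    const char *stored;
    size_t clen, i;
    if (dot == NULL || dot == xattr || dot[1] == '\0')
        return NS_FAIL;                      /* need both class and attribute */
    clen = (size_t)(dot - xattr);
    for (i = 0; i < 4; i++)
        if (strlen(classes[i]) == clen && strncmp(xattr, classes[i], clen) == 0)
            break;
    if (i == 4 || (m == MODE_BUILTIN && i >= 2))
        return NS_FAIL;                      /* unknown class, or one built-in rejects */

    /* built-in and legacy drop the class prefix; compat and secure keep it */
    stored = (m == MODE_COMPAT || m == MODE_SECURE) ? xattr : dot + 1;
    if (strlen(stored) >= outlen)
        return NS_FAIL;
    strcpy(out, stored);
    if (m == MODE_COMPAT)
        return NS_USER;                      /* everything lands in USER */
    if (m == MODE_SECURE)
        return i == 0 ? NS_USER : NS_SYSTEM; /* only user.* stays in USER */
    return i == 1 ? NS_SYSTEM : NS_USER;     /* built-in, legacy: only system.* in SYSTEM */
}

int main(void)
{
    static const char *const mname[] = { "built-in", "legacy", "compat", "secure" };
    static const char *const nname[] = { "FAIL", "USER", "SYSTEM" };
    const char *names[] = { "security.NTACL", "user.NTACL" }; /* constructed samples */
    char buf[64];
    int m, n;
    for (m = MODE_BUILTIN; m <= MODE_SECURE; m++)
        for (n = 0; n < 2; n++) {
            enum ns r = map_xattr((enum mode)m, names[n], buf, sizeof buf);
            printf("%-8s %-14s -> %s; %s\n", mname[m], names[n], nname[r], r == NS_FAIL ? "-" : buf);
        }
    return 0;
}
```

In legacy mode both sample names resolve to the same USER entry, which is the mixing the text warns about; compat keeps them distinct by name, and secure additionally places security.NTACL in the root-only SYSTEM namespace.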
EXAMPLES
Use the secure method of setting extended attributes on the share:
[sysvol]
vfs objects = freebsd
freebsd:extattr mode = secure
VERSION
This man page is part of version 4.10.5 of the Samba suite.
AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.
This module was written by Timur I. Bakeyev
Samba 4.10.5 06/24/2019 VFS_FREEBSD(8)