path: root/net/samba422/files/patch-docs-xml_manpages_vfs__freebsd.8.xml
blob: b19ecafd405673313a102d90d84fd959e572dd27
--- docs-xml/manpages/vfs_freebsd.8.xml.orig	2025-07-11 10:55:41 UTC
+++ docs-xml/manpages/vfs_freebsd.8.xml
@@ -0,0 +1,169 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_freebsd.8">
+
+<refmeta>
+	<refentrytitle>vfs_freebsd</refentrytitle>
+	<manvolnum>8</manvolnum>
+	<refmiscinfo class="source">Samba</refmiscinfo>
+	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
+	<refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+	<refname>vfs_freebsd</refname>
+	<refpurpose>FreeBSD-specific VFS functions</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>vfs objects = freebsd</command>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>This VFS module is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+	<manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+	<para>The <command>vfs_freebsd</command> module implements some of the FreeBSD-specific VFS functions.</para>
+
+	<para>This module is stackable.</para>
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+
+	<varlistentry>
+		<term>freebsd:extattr mode=[legacy|compat|secure]</term>
+		<listitem>
+		<para>This parameter defines how the emulation of the Linux attr(5) extended attributes
+		is performed through the FreeBSD native extattr(9) system calls.</para>
+
+		<para>Currently the <emphasis>security</emphasis>, <emphasis>system</emphasis>,
+		<emphasis>trusted</emphasis> and <emphasis>user</emphasis> extended attribute(xattr)
+		classes are defined in Linux. Contrary FreeBSD has only <emphasis>USER</emphasis>
+		and <emphasis>SYSTEM</emphasis> extended attribute(extattr) namespaces, so mapping
+		of one set into another isn't straightforward and can be done in different ways.</para>
+
+		<para>Historically the Samba(7) built-in xattr mapping implementation simply converted
+		<emphasis>system</emphasis> and <emphasis>user</emphasis> xattr into corresponding
+		<emphasis>SYSTEM</emphasis> and <emphasis>USER</emphasis> extattr namespaces, dropping
+		the class prefix name with the separating dot and using attribute name only within the
+		mapped namespace. It also rejected any other xattr classes, like <emphasis>security</emphasis>
+		and <emphasis>trusted</emphasis> as invalid. Such behavior in particular broke AD
+		provisioning on UFS2 file systems as essential <emphasis>security.NTACL</emphasis>
+		xattr was rejected as invalid.</para>
+
+		<para>This module tries to address this problem and provide secure, where it's possible,
+		way to map Linux xattr into FreeBSD's extattr.</para>
+
+		<para>When <emphasis>mode</emphasis> is set to the <emphasis>legacy (default)</emphasis>
+		then modified version of built-in mapping is used, where <emphasis>system</emphasis> xattr
+		is mapped into SYSTEM namespace, while <emphasis>secure</emphasis>, <emphasis>trusted</emphasis>
+		and <emphasis>user</emphasis> xattr are all mapped into the USER namespace, dropping class
+		prefixes and mix them all together. This is the way how Samba FreeBSD ports were patched
+		up to the 4.9 version and that created multiple potential security issues. This mode is aimed for
+		the compatibility with the legacy installations only and should be avoided in new setups.</para>
+
+		<para>The <emphasis>compat</emphasis> mode is mostly designed for the jailed environments,
+		where it's not possible to write extattrs into the secure SYSTEM namespace, so all four
+		classes are mapped into the USER namespace. To preserve information about origin of the
+		extended attribute it is stored together with the class preffix in the <emphasis>class.attribute</emphasis>
+		format.</para>
+
+		<para>The <emphasis>secure</emphasis> mode is meant for storing extended attributes in a secure
+		manner, so that <emphasis>security</emphasis>, <emphasis>system</emphasis> and <emphasis>trusted</emphasis>
+		are stored in the SYSTEM namespace, which can be modified only by root.
+		</para>
+		</listitem>
+	</varlistentry>
+
+
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<table frame="all" rowheader="firstcol">
+		<title>Attributes mapping</title>
+		<tgroup cols='5' align='left' colsep='1' rowsep='1'>
+		<thead>
+			<row>
+			<entry> </entry>
+			<entry>built-in</entry>
+			<entry>legacy</entry>
+			<entry>compat/jail</entry>
+			<entry>secure</entry>
+			</row>
+		</thead>
+		<tbody>
+			<row>
+			<entry>user</entry>
+			<entry>USER; attribute</entry>
+			<entry>USER; attribute</entry>
+			<entry>USER; user.attribute</entry>
+			<entry>USER; user.attribute</entry>
+			</row>
+			<row>
+			<entry>system</entry>
+			<entry>SYSTEM; attribute</entry>
+			<entry>SYSTEM; attribute</entry>
+			<entry>USER; system.attribute</entry>
+			<entry>SYSTEM; system.attribute</entry>
+			</row>
+			<row>
+			<entry>trusted</entry>
+			<entry>FAIL</entry>
+			<entry>USER; attribute</entry>
+			<entry>USER; trusted.attribute</entry>
+			<entry>SYSTEM; trusted.attribute</entry>
+			</row>
+			<row>
+			<entry>security</entry>
+			<entry>FAIL</entry>
+			<entry>USER; attribute</entry>
+			<entry>USER; security.attribute</entry>
+			<entry>SYSTEM; security.attribute</entry>
+			</row>
+		</tbody>
+		</tgroup>
+	</table>
+</refsect1>
+
+<refsect1>
+	<title>EXAMPLES</title>
+
+	<para>Use secure method of setting extended attributes on the share:</para>
+
+<programlisting>
+	<smbconfsection name="[sysvol]"/>
+	<smbconfoption name="vfs objects">freebsd</smbconfoption>
+	<smbconfoption name="freebsd:extattr mode">secure</smbconfoption>
+</programlisting>
+
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is part of version &doc.version; of the Samba suite.
+	</para>
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para>The original Samba software and related utilities
+	were created by Andrew Tridgell. Samba is now developed
+	by the Samba Team as an Open Source project similar
+	to the way the Linux kernel is developed.</para>
+
+	<para>This module was written by Timur I. Bakeyev</para>
+
+</refsect1>
+
+</refentry>
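Review bot: In the legacy-mode paragraph under OPTIONS, the classes mapped into USER are listed as "secure, trusted and user", but "secure" is a mode name, not an xattr class; the class is "security", as in the earlier paragraphs and the "Attributes mapping" table, so that emphasis element should read security. The same paragraph marks legacy as the default while stating that it "created multiple potential security issues" and "should be avoided in new setups"; consider repeating that recommendation in the EXAMPLES text so an administrator who skims to the example sees why the mode is set explicitly. The secure-mode paragraph names where security, system and trusted go but not user, which the table shows as "USER; user.attribute"; one more clause would make the paragraph agree with the table. The refsect1 that wraps the table has no title element, unlike every other refsect1 in the file, and DocBook requires one. Smaller points: "preffix" in the compat paragraph should be "prefix", and "Contrary FreeBSD has only" reads better as "In contrast, FreeBSD has only".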