0mp port
172
net/samba422/files/patch-docs-xml_manpages_vfs__freebsd.8.xml
Normal file
@ -0,0 +1,172 @@
--- docs-xml/manpages/vfs_freebsd.8.xml.orig 2025-07-11 10:55:41 UTC
+++ docs-xml/manpages/vfs_freebsd.8.xml
@@ -0,0 +1,169 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_freebsd.8">
+
+<refmeta>
+ <refentrytitle>vfs_freebsd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+ <refname>vfs_freebsd</refname>
+ <refpurpose>FreeBSD-specific VFS functions</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>vfs objects = freebsd</command>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This VFS module is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+ <para>The <command>vfs_freebsd</command> module implements some of the FreeBSD-specific VFS functions.</para>
+
+ <para>This module is stackable.</para>
+</refsect1>
+
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>freebsd:extattr mode=[legacy|compat|secure]</term>
+ <listitem>
+ <para>This parameter defines how the emulation of the Linux attr(5) extended attributes
+ is performed through the FreeBSD native extattr(9) system calls.</para>
+
+ <para>Currently the <emphasis>security</emphasis>, <emphasis>system</emphasis>,
+ <emphasis>trusted</emphasis> and <emphasis>user</emphasis> extended attribute(xattr)
+ classes are defined in Linux. Contrary FreeBSD has only <emphasis>USER</emphasis>
+ and <emphasis>SYSTEM</emphasis> extended attribute(extattr) namespaces, so mapping
+ of one set into another isn't straightforward and can be done in different ways.</para>
+
+ <para>Historically the Samba(7) built-in xattr mapping implementation simply converted
+ <emphasis>system</emphasis> and <emphasis>user</emphasis> xattr into corresponding
+ <emphasis>SYSTEM</emphasis> and <emphasis>USER</emphasis> extattr namespaces, dropping
+ the class prefix name with the separating dot and using attribute name only within the
+ mapped namespace. It also rejected any other xattr classes, like <emphasis>security</emphasis>
+ and <emphasis>trusted</emphasis> as invalid. Such behavior in particular broke AD
+ provisioning on UFS2 file systems as essential <emphasis>security.NTACL</emphasis>
+ xattr was rejected as invalid.</para>
+
+ <para>This module tries to address this problem and provide secure, where it's possible,
+ way to map Linux xattr into FreeBSD's extattr.</para>
+
+ <para>When <emphasis>mode</emphasis> is set to the <emphasis>legacy (default)</emphasis>
+ then modified version of built-in mapping is used, where <emphasis>system</emphasis> xattr
+ is mapped into SYSTEM namespace, while <emphasis>secure</emphasis>, <emphasis>trusted</emphasis>
+ and <emphasis>user</emphasis> xattr are all mapped into the USER namespace, dropping class
+ prefixes and mix them all together. This is the way how Samba FreeBSD ports were patched
+ up to the 4.9 version and that created multiple potential security issues. This mode is aimed for
+ the compatibility with the legacy installations only and should be avoided in new setups.</para>
+
+ <para>The <emphasis>compat</emphasis> mode is mostly designed for the jailed environments,
+ where it's not possible to write extattrs into the secure SYSTEM namespace, so all four
+ classes are mapped into the USER namespace. To preserve information about origin of the
+ extended attribute it is stored together with the class preffix in the <emphasis>class.attribute</emphasis>
+ format.</para>
+
+ <para>The <emphasis>secure</emphasis> mode is meant for storing extended attributes in a secure
+ manner, so that <emphasis>security</emphasis>, <emphasis>system</emphasis> and <emphasis>trusted</emphasis>
+ are stored in the SYSTEM namespace, which can be modified only by root.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+ <table frame="all" rowheader="firstcol">
+ <title>Attributes mapping</title>
+ <tgroup cols='5' align='left' colsep='1' rowsep='1'>
+ <thead>
+ <row>
+ <entry> </entry>
+ <entry>built-in</entry>
+ <entry>legacy</entry>
+ <entry>compat/jail</entry>
+ <entry>secure</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>user</entry>
+ <entry>USER; attribute</entry>
+ <entry>USER; attribute</entry>
+ <entry>USER; user.attribute</entry>
+ <entry>USER; user.attribute</entry>
+ </row>
+ <row>
+ <entry>system</entry>
+ <entry>SYSTEM; attribute</entry>
+ <entry>SYSTEM; attribute</entry>
+ <entry>USER; system.attribute</entry>
+ <entry>SYSTEM; system.attribute</entry>
+ </row>
+ <row>
+ <entry>trusted</entry>
+ <entry>FAIL</entry>
+ <entry>USER; attribute</entry>
+ <entry>USER; trusted.attribute</entry>
+ <entry>SYSTEM; trusted.attribute</entry>
+ </row>
+ <row>
+ <entry>security</entry>
+ <entry>FAIL</entry>
+ <entry>USER; attribute</entry>
+ <entry>USER; security.attribute</entry>
+ <entry>SYSTEM; security.attribute</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+</refsect1>
+
+<refsect1>
+ <title>EXAMPLES</title>
+
+ <para>Use secure method of setting extended attributes on the share:</para>
+
+<programlisting>
+ <smbconfsection name="[sysvol]"/>
+ <smbconfoption name="vfs objects">freebsd</smbconfoption>
+ <smbconfoption name="freebsd:extattr mode">secure</smbconfoption>
+</programlisting>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is part of version &doc.version; of the Samba suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+
+ <para>This module was written by Timur I. Bakeyev</para>
+
+</refsect1>
+
+</refentry>
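Review bot: In the legacy-mode paragraph under OPTIONS, the class list reads "secure, trusted and user", but "secure" is a value of the mode option, not an xattr class; the classes named earlier in the section and in the mapping table are security, system, trusted and user, so this should read "security". The same paragraph marks legacy as the default while saying it created multiple potential security issues and should be avoided in new setups. Since the table shows legacy storing security and trusted attributes in USER with the class prefix dropped, the text should say concretely that security.NTACL then shares the name NTACL with user.NTACL outside the root-only SYSTEM namespace, and the EXAMPLES section should note that secure has to be set explicitly. The secure-mode paragraph also never says where the user class goes; the table shows USER with the user. prefix kept, and the prose should match. Separately, the refsect1 that wraps the "Attributes mapping" table has no title element of its own, and "preffix" and "Contrary FreeBSD has" need correcting.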