Support NTACLs (vfs_acl_xattr) in containerized smbd. Currently, acl_xattr requires CAP_SYS_ADMIN which is undesirable.

[gd]

Preliminary work has been started to make the xattr attribute name configureable:
https://gitlab.com/samba-team/samba/-/merge_requests/1908

[gd]

Current patch has been deferred (Ralph wants to use a real not a parametric option for performance reason)

[gd]

New merge request (in favor of old one): https://gitlab.com/samba-team/samba/-/merge_requests/2557

[anoopcs9]

Now that required changes are in master, let's decide on a xattr name for storing NTACLs using newly added option acl_xattr:security_acl_name.

@gd @phlogistonjohn @spuiuk

[phlogistonjohn]

Sure. I propose user.ntacl

[anoopcs9]

Relevant section from upcoming 4.18 Samba release:

New option to change the NT ACL default location
------------------------------------------------

Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.

@spuiuk @phlogistonjohn Please vote for our preferred xattr name.

[anoopcs9]

Sure. I propose user.ntacl

user.NTACL 😜