--- docs-xml/manpages/vfs_freebsd.8.xml.orig 2025-07-11 10:55:41 UTC +++ docs-xml/manpages/vfs_freebsd.8.xml 
@@ -0,0 +1,169 @@ + + + + + + vfs_freebsd + 8 + Samba + System Administration tools + &doc.version; + + + + vfs_freebsd + FreeBSD-specific VFS functions + + + + + vfs objects = freebsd + + + + + DESCRIPTION + + This VFS module is part of the samba + 7 suite. + + The vfs_freebsd module implements some of the FreeBSD-specific VFS functions. + + This module is stackable. + + + + + OPTIONS + + + + + freebsd:extattr mode=[legacy|compat|secure] + + This parameter defines how the emulation of the Linux attr(5) extended attributes + is performed through the FreeBSD native extattr(9) system calls. + + Currently the security, system, + trusted and user extended attribute(xattr) + classes are defined in Linux. Contrary FreeBSD has only USER + and SYSTEM extended attribute(extattr) namespaces, so mapping + of one set into another isn't straightforward and can be done in different ways. + + Historically the Samba(7) built-in xattr mapping implementation simply converted + system and user xattr into corresponding + SYSTEM and USER extattr namespaces, dropping + the class prefix name with the separating dot and using attribute name only within the + mapped namespace. It also rejected any other xattr classes, like security + and trusted as invalid. Such behavior in particular broke AD + provisioning on UFS2 file systems as essential security.NTACL + xattr was rejected as invalid. + + This module tries to address this problem and provide secure, where it's possible, + way to map Linux xattr into FreeBSD's extattr. + + When mode is set to the legacy (default) + then modified version of built-in mapping is used, where system xattr + is mapped into SYSTEM namespace, while secure, trusted + and user xattr are all mapped into the USER namespace, dropping class + prefixes and mix them all together. This is the way how Samba FreeBSD ports were patched + up to the 4.9 version and that created multiple potential security issues. 
This mode is aimed for + the compatibility with the legacy installations only and should be avoided in new setups. + + The compat mode is mostly designed for the jailed environments, + where it's not possible to write extattrs into the secure SYSTEM namespace, so all four + classes are mapped into the USER namespace. To preserve information about origin of the + extended attribute it is stored together with the class preffix in the class.attribute + format. + + The secure mode is meant for storing extended attributes in a secure + manner, so that security, system and trusted + are stored in the SYSTEM namespace, which can be modified only by root. + + + + + + + + + + + Attributes mapping + + + + + built-in + legacy + compat/jail + secure + + + + + user + USER; attribute + USER; attribute + USER; user.attribute + USER; user.attribute + + + system + SYSTEM; attribute + SYSTEM; attribute + USER; system.attribute + SYSTEM; system.attribute + + + trusted + FAIL + USER; attribute + USER; trusted.attribute + SYSTEM; trusted.attribute + + + security + FAIL + USER; attribute + USER; security.attribute + SYSTEM; security.attribute + + + +
+
+ + + EXAMPLES + + Use secure method of setting extended attributes on the share: + + + + freebsd + secure + + + + + + VERSION + + This man page is part of version &doc.version; of the Samba suite. + + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + This module was written by Timur I. Bakeyev + + + +
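Review bot: In the OPTIONS text for freebsd:extattr mode, the legacy paragraph says this mode "created multiple potential security issues" but never names them, even though legacy is the documented default. The secure paragraph already supplies the relevant fact (the SYSTEM namespace "can be modified only by root"), so spell out the consequence for legacy and compat: security and trusted attributes, security.NTACL included, are stored in the USER namespace, outside the root-only protection the page attributes to SYSTEM. In the same legacy paragraph the classes mapped to USER are listed as "secure, trusted and user"; that should read "security, trusted and user" to match the mapping table and to avoid confusion with the secure mode name. The compat paragraph also has the misspelling "preffix".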