These are good points and I agree with the plan. I would rename the option: "modefromace" -> "modefromsid" to make the naming consistent with the existing "idsfromsid" and match the behavior closely: a mode is still technically from the special SID and that SID is from the special ACE. Other than that the patch looks good.

--
Best regards,
Pavel Shilovsky

Mon, Jun 24, 2019 at 13:25, Steve French <smfrench@xxxxxxxxx>:
>
> On Mon, Jun 24, 2019 at 2:07 PM Pavel Shilovsky <piastryyy@xxxxxxxxx> wrote:
> >
> > Can't we use the existing idfromsid for this purpose? We already have
> > plenty of mount options and the list keeps growing.
>
> That is a good question - and I am open to suggestions to remove some
> mount options but
> the general problem is that that mount option name could be very confusing -
> "idsfromsid" doesn't really imply anything about how we handle
> mode bits (we could save mode bits even if saving uid owner without
> using the "idsfromsid"
> mechanism) we want to allow:
>
> 1) query mode from special sid if present
> or
> 2) query mode from ACL (only check for perms on the three
> user-owner/group-owner/EVERYONE SIDs), in this case we may choose to
> mount noperm
> or
> 3) the default today - we set mode for files and directories to the
> permissions supplied as "file_mode" and "dir_mode")
> We by default do:
> vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR;
> and we can mount with noperm to disable the client perm checks if the
> checks on the client are not useful
> or
> 4) set the permissions (temporarily) locally only and cache them
> (dynperm) - typically not recommended.
>
> Where I would like to get to is that we focus strongly on only the
> first two common use cases:
> 1) "client focused perm checks" - get/set mode from special SID
> (server permission checks are not important in this case)
> 2) "server focused perm checks" - get/set the three ACEs
> (user-owner/group-owner/EVERYONE) in the ACL
>
> I would like to default to idsfromsid (setting the owner with if
> looking up owner from Winbind or SSSD or falling back
> to S-1-22-1 (Unmapped user's special SID) or S-1-5-88-1 (MS-NFS and
> Apple style unmapped user's special SID).
>
> In a way I would like to remove "idsfromsid" (and do it by default),
> and add the new mount point to distinguish between
>
> "client centric" mode bit evaluation (special mode SID)
> vs.
> "server centric" ACL evaluation (where mode bits are mapped into the 3
> usual ACEs - user/group/other)
>
> >
> > Mon, Jun 24, 2019 at 00:20, Steve French <smfrench@xxxxxxxxx>:
> > >
> > > See e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh509017(v=ws.10)
> > >
> > > where it describes use of an ACE with special SID S-1-5-88-3 to store the mode.
> > >
> > > Follow-on patches will add the support for chmod and query_info (stat)
> > >
> > >
> > >
> > > --
> > > Thanks,
> > >
> > > Steve
> >
>
> --
> Thanks,
>
> Steve
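
The "query mode from special SID" case discussed in this thread, as an added example that is not part of the patch or of anyone's message: a user-space C sketch that recognises S-1-5-88-3-<mode> in a wire-format SID and otherwise falls back to the default mode quoted above. The function names, the sample SIDs and the `07777` mask are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_MODE 0755u /* S_IRUGO | S_IXUGO | S_IWUSR, the default quoted above */

/* Constructed sample SIDs in wire format: revision, sub-authority count,
 * 6-byte big-endian authority, then little-endian 32-bit sub-authorities. */
static const uint8_t sid_mode_0640[] = { /* S-1-5-88-3-416 (mode 0640) */
    1, 3, 0, 0, 0, 0, 0, 5, 88, 0, 0, 0, 3, 0, 0, 0, 0xA0, 0x01, 0, 0 };
static const uint8_t sid_everyone[] = { /* S-1-1-0 */
    1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0 };
static const uint8_t sid_truncated[] = { /* claims 3 sub-authorities, carries 2 */
    1, 3, 0, 0, 0, 0, 0, 5, 88, 0, 0, 0, 3, 0, 0, 0 };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and stores the mode if sid is S-1-5-88-3-<mode>, else -1. */
int mode_from_sid(const uint8_t *sid, size_t len, uint32_t *mode)
{
    static const uint8_t nt_authority[6] = { 0, 0, 0, 0, 0, 5 };

    if (len < 8 || sid[0] != 1 || sid[1] != 3)
        return -1;
    if (len < 8 + 4u * sid[1])       /* bounds check before reading sub-authorities */
        return -1;
    if (memcmp(sid + 2, nt_authority, 6) || le32(sid + 8) != 88 || le32(sid + 12) != 3)
        return -1;
    *mode = le32(sid + 16) & 07777u; /* server-supplied value: keep permission bits only */
    return 0;
}

/* Option 1 from the thread, with option 3's default as the fallback. */
uint32_t effective_mode(const uint8_t *sid, size_t len)
{
    uint32_t mode;
    return mode_from_sid(sid, len, &mode) == 0 ? mode : DEFAULT_MODE;
}

int main(void)
{
    printf("%04o\n", (unsigned)effective_mode(sid_mode_0640, sizeof sid_mode_0640));
    printf("%04o\n", (unsigned)effective_mode(sid_everyone, sizeof sid_everyone));
    printf("%04o\n", (unsigned)effective_mode(sid_truncated, sizeof sid_truncated));
    return 0;
}
```

The mask matters because the sub-authority comes from the server: without it, file-type or other high bits in that field would flow straight into the client's mode.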