Updated "modefromace" to "modefromsid"

On Thu, Jul 4, 2019 at 3:52 PM Pavel Shilovsky <piastryyy@xxxxxxxxx> wrote:
>
> These are good points and I agree with the plan.
>
> I would rename the option:
>
> "modefromace" -> "modefromsid"
>
> to make the naming consistent with the existing "idsfromsid" and match
> the behavior closely: a mode is still technically from the special SID
> and that SID is from the special ACE. Other than that the patch looks
> good.
>
> --
> Best regards,
> Pavel Shilovsky
>
> Mon, Jun 24, 2019 at 13:25, Steve French <smfrench@xxxxxxxxx>:
> >
> > On Mon, Jun 24, 2019 at 2:07 PM Pavel Shilovsky <piastryyy@xxxxxxxxx> wrote:
> > >
> > > Can't we use the existing idfromsid for this purpose? We already have
> > > plenty of mount options and the list keeps growing.
> >
> > That is a good question - and I am open to suggestions to remove some
> > mount options but
> > the general problem is that that mount option name could be very confusing -
> > "idsfromsid" doesn't really imply anything about how we handle
> > mode bits (we could save mode bits even if saving uid owner without
> > using the "idsfromsid"
> > mechanism) we want to allow:
> >
> > 1) query mode from special sid if present
> > or
> > 2) query mode from ACL (only check for perms on the three
> > user-owner/group-owner/EVERYONE SIDs), in this case we may choose to
> > mount noperm
> > or
> > 3) the default today - we set mode for files and directories to the
> > permissions supplied as "file_mode" and "dir_mode")
> > We by default do:
> >         vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR;
> > and we can mount with noperm to disable the client perm checks if the
> > checks on the client are not useful
> > or
> > 4) set the permissions (temporarily) locally only and cache them
> > (dynperm) - typically not recommended.
> >
> > Where I would like to get to is that we focus strongly on only the
> > first two common use cases:
> > 1) "client focused perm checks" - get/set mode from special SID
> > (server permission checks are not important in this case)
> > 2) "server focused perm checks" - get/set the three ACEs
> > (user-owner/group-owner/EVERYONE) in the ACL
> >
> > I would like to default to idsfromsid (setting the owner with if
> > looking up owner from Winbind or SSSD or falling back
> > to S-1-22-1 (Unmapped user's special SID) or S-1-5-88-1 (MS-NFS and
> > Apple style unmapped user's special SID).
> >
> > In a way I would like to remove "idsfromsid" (and do it by default),
> > and add the new mount point to distinguish between
> >
> > "client centric" mode bit evaluation (special mode SID)
> > vs.
> > "server centric" ACL evaluation (where mode bits are mapped into the 3
> > usual ACEs - user/group/other)
> >
> > >
> > > Mon, Jun 24, 2019 at 00:20, Steve French <smfrench@xxxxxxxxx>:
> > > >
> > > > See e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh509017(v=ws.10)
> > > >
> > > > where it describes use of an ACE with special SID S-1-5-88-3 to store the mode.
> > > >
> > > > Follow-on patches will add the support for chmod and query_info (stat)
> > > >
> > > >
> > > > --
> > > > Thanks,
> > > >
> > > > Steve
> > >
> > --
> > Thanks,
> >
> > Steve

--
Thanks,

Steve
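
The "query mode from special SID" case discussed in this thread, as an added example that is not part of the thread or of the posted patch: a user-space sketch that scans the SIDs of an ACL for S-1-5-88-3 and falls back when it is absent. The names `struct sid`, `is_mode_sid`, `mode_from_sid` and `sample_acl` are hypothetical; the example assumes the mode value is carried as the third sub-authority (S-1-5-88-3-<mode>), and masking it to the permission bits is this example's own choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SID as carried in an ACE: revision, sub-authority count, 48-bit big-endian
 * authority, 32-bit sub-authorities (host order here, little-endian on the wire). */
struct sid {
    uint8_t  revision;
    uint8_t  num_subauth;
    uint8_t  authority[6];
    uint32_t sub_auth[15];
};

/* 1 if the SID is S-1-5-88-3-<mode>: the special SID plus one more value. */
static int is_mode_sid(const struct sid *s)
{
    static const uint8_t nt_auth[6] = {0, 0, 0, 0, 0, 5};
    return s->revision == 1 && s->num_subauth == 3 &&
           memcmp(s->authority, nt_auth, 6) == 0 &&
           s->sub_auth[0] == 88 && s->sub_auth[1] == 3;
}

/* Store the mode and return 1 on a match; 0 means fall back to file_mode. */
int mode_from_sid(const struct sid *aces, size_t n, uint32_t *mode)
{
    for (size_t i = 0; i < n; i++) {
        if (is_mode_sid(&aces[i])) {
            /* Assumption: server data may only set permission bits. */
            *mode = aces[i].sub_auth[2] & 07777;
            return 1;
        }
    }
    return 0;
}

/* Constructed sample SIDs, not taken from a real server. */
static const struct sid sample_acl[] = {
    {1, 2, {0, 0, 0, 0, 0, 22}, {1, 1000}},        /* S-1-22-1-1000 */
    {1, 3, {0, 0, 0, 0, 0, 5},  {88, 3, 0100644}}, /* S-1-5-88-3-<mode> */
    {1, 1, {0, 0, 0, 0, 0, 1},  {0}},              /* S-1-1-0 (Everyone) */
};

int main(void)
{
    uint32_t mode = 0;
    int found = mode_from_sid(sample_acl, 3, &mode);
    printf("found=%d mode=%04o\n", found, (unsigned)mode);
    return 0;
}
```

The sample mode value deliberately includes a file-type bit (0100644) to show that only 0644 survives the mask.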