Re: [Lsf-pc] [LSF/MM ATTEND] Richacls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jan 13, 2015 at 12:26:42PM -0800, Jeremy Allison wrote:
> On Tue, Jan 13, 2015 at 11:53:42AM -0800, Frank Filz wrote:
> > > On Tue, Jan 13, 2015 at 12:40:29PM -0500, J. Bruce Fields wrote:
> > > > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher wrote:
> > > > > On 01/13/2015 05:48 PM, Jeremy Allison wrote:
> > > > > >My understanding of Christoph's objection (although I'm sure he can
> > > > > >chime in himself :-) was that he wanted to see POSIX ACLs reworked
> > > > > >as a mapping on top of RichACLs, so that ultimately RichACLs would
> > > > > >be the only on-disk format of the EA.
> > > > > >
> > > > > >I think that is doable, as I think any POSIX ACL can be represented
> > > > > >as an underlying RichACL, just not the reverse.
> > > > >
> > > > > On of the differences is that permissions in POSIX ACLs do
> > > > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also
> > > > > richacls, they do not. So the two models are really not
> > > > > interchangeable, however annoying that may be.
> > 
> > I think Andreas got do and do not reversed (though looks like everyone read
> > it the right way...)
> > 
> > > > > For example, with the following POSIX ACL, a non-root process in
> > > > > group 5001 and 5002 would not be allowed to open f with O_RDWR, only
> > > > > with O_RDONLY *or* O_WRONLY.
> > > > >
> > > > >   # file: f
> > > > >   # owner: root
> > > > >   # group: root
> > > > >   user::rw-
> > > > >   group::rw-
> > > > >   group:5001:r--
> > > > >   group:5002:-w-
> > > > >   mask::rw-
> > > > >   other::---
> > > > >
> > > > > In all the other ACL models, the process would be allowed to open f
> > > > > with O_RDWR.
> > 
> > Hasn't this been resolved in in knfsd by use of DENY ACEs in converting the
> > POSIX ACL to NFS v4?
> 
> No, it can't work.
> 
> Consider a non-root process in group 5001 and 5002.
> 
> The obvious way to map the above POSIX ACL to NFSv4
> is:
> 
> 1) group:5001:DENY:WRITE
> 2) group:5001:ALLOW:READ
> 3) group:5002:DENY:READ
> 4) group:5001:ALLOW:WRITE

Bah, got the group ID's wrong. Should be:

1) group:5001:DENY:WRITE
2) group:5001:ALLOW:READ
3) group:5002:DENY:READ
4) group:5002:ALLOW:WRITE

of course.

> But NFSv4/CIFS permissions are cummulative. So
> requesting O_WRONLY will always fail as it runs
> into rule number 1.
> 
> So let's reorder it:
> 
> 1) group:5002:DENY:READ
> 2) group:5001:ALLOW:WRITE
> 3) group:5001:DENY:WRITE
> 4) group:5001:ALLOW:READ

and:

1) group:5002:DENY:READ
2) group:5002:ALLOW:WRITE
3) group:5001:DENY:WRITE
4) group:5001:ALLOW:READ
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux