On Tue, Jan 13, 2015 at 12:26:42PM -0800, Jeremy Allison wrote: > On Tue, Jan 13, 2015 at 11:53:42AM -0800, Frank Filz wrote: > > > On Tue, Jan 13, 2015 at 12:40:29PM -0500, J. Bruce Fields wrote: > > > > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher wrote: > > > > > On 01/13/2015 05:48 PM, Jeremy Allison wrote: > > > > > >My understanding of Christoph's objection (although I'm sure he can > > > > > >chime in himself :-) was that he wanted to see POSIX ACLs reworked > > > > > >as a mapping on top of RichACLs, so that ultimately RichACLs would > > > > > >be the only on-disk format of the EA. > > > > > > > > > > > >I think that is doable, as I think any POSIX ACL can be represented > > > > > >as an underlying RichACL, just not the reverse. > > > > > > > > > > On of the differences is that permissions in POSIX ACLs do > > > > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also > > > > > richacls, they do not. So the two models are really not > > > > > interchangeable, however annoying that may be. > > > > I think Andreas got do and do not reversed (though looks like everyone read > > it the right way...) > > > > > > > For example, with the following POSIX ACL, a non-root process in > > > > > group 5001 and 5002 would not be allowed to open f with O_RDWR, only > > > > > with O_RDONLY *or* O_WRONLY. > > > > > > > > > > # file: f > > > > > # owner: root > > > > > # group: root > > > > > user::rw- > > > > > group::rw- > > > > > group:5001:r-- > > > > > group:5002:-w- > > > > > mask::rw- > > > > > other::--- > > > > > > > > > > In all the other ACL models, the process would be allowed to open f > > > > > with O_RDWR. > > > > Hasn't this been resolved in in knfsd by use of DENY ACEs in converting the > > POSIX ACL to NFS v4? > > No, it can't work. > > Consider a non-root process in group 5001 and 5002. > > The obvious way to map the above POSIX ACL to NFSv4 > is: > > 1) group:5001:DENY:WRITE > 2) group:5001:ALLOW:READ > 3) group:5002:DENY:READ > 4) group:5001:ALLOW:WRITE Bah, got the group ID's wrong. Should be: 1) group:5001:DENY:WRITE 2) group:5001:ALLOW:READ 3) group:5002:DENY:READ 4) group:5002:ALLOW:WRITE of course. > But NFSv4/CIFS permissions are cummulative. So > requesting O_WRONLY will always fail as it runs > into rule number 1. > > So let's reorder it: > > 1) group:5002:DENY:READ > 2) group:5001:ALLOW:WRITE > 3) group:5001:DENY:WRITE > 4) group:5001:ALLOW:READ and: 1) group:5002:DENY:READ 2) group:5002:ALLOW:WRITE 3) group:5001:DENY:WRITE 4) group:5001:ALLOW:READ -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
