> On Tue, Jan 13, 2015 at 12:26:42PM -0800, Jeremy Allison wrote: > > On Tue, Jan 13, 2015 at 11:53:42AM -0800, Frank Filz wrote: > > > > On Tue, Jan 13, 2015 at 12:40:29PM -0500, J. Bruce Fields wrote: > > > > > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher > wrote: > > > > > > On 01/13/2015 05:48 PM, Jeremy Allison wrote: > > > > > > >My understanding of Christoph's objection (although I'm sure > > > > > > >he can chime in himself :-) was that he wanted to see POSIX > > > > > > >ACLs reworked as a mapping on top of RichACLs, so that > > > > > > >ultimately RichACLs would be the only on-disk format of the EA. > > > > > > > > > > > > > >I think that is doable, as I think any POSIX ACL can be > > > > > > >represented as an underlying RichACL, just not the reverse. > > > > > > > > > > > > On of the differences is that permissions in POSIX ACLs do > > > > > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also > > > > > > richacls, they do not. So the two models are really not > > > > > > interchangeable, however annoying that may be. > > > > > > I think Andreas got do and do not reversed (though looks like > > > everyone read it the right way...) > > > > > > > > > For example, with the following POSIX ACL, a non-root process > > > > > > in group 5001 and 5002 would not be allowed to open f with > > > > > > O_RDWR, only with O_RDONLY *or* O_WRONLY. > > > > > > > > > > > > # file: f > > > > > > # owner: root > > > > > > # group: root > > > > > > user::rw- > > > > > > group::rw- > > > > > > group:5001:r-- > > > > > > group:5002:-w- > > > > > > mask::rw- > > > > > > other::--- > > > > > > > > > > > > In all the other ACL models, the process would be allowed to > > > > > > open f with O_RDWR. > > > > > > Hasn't this been resolved in in knfsd by use of DENY ACEs in > > > converting the POSIX ACL to NFS v4? > > > > No, it can't work. > > > > Consider a non-root process in group 5001 and 5002. > > > > The obvious way to map the above POSIX ACL to NFSv4 > > is: > > > > 1) group:5001:DENY:WRITE > > 2) group:5001:ALLOW:READ > > 3) group:5002:DENY:READ > > 4) group:5001:ALLOW:WRITE > > Bah, got the group ID's wrong. Should be: > > 1) group:5001:DENY:WRITE > 2) group:5001:ALLOW:READ > 3) group:5002:DENY:READ > 4) group:5002:ALLOW:WRITE > > of course. > > > But NFSv4/CIFS permissions are cummulative. So requesting O_WRONLY > > will always fail as it runs into rule number 1. > > > > So let's reorder it: > > > > 1) group:5002:DENY:READ > > 2) group:5001:ALLOW:WRITE > > 3) group:5001:DENY:WRITE > > 4) group:5001:ALLOW:READ > > and: > > 1) group:5002:DENY:READ > 2) group:5002:ALLOW:WRITE > 3) group:5001:DENY:WRITE > 4) group:5001:ALLOW:READ Oh , yea, I should have thought it all the way through... Did we make allowance in RichACL to represent the POSIX behavior? There's also the POSIX ACL mask. Of course if we did have a representation, we couldn't preserve the ACL when using NFS v4 to copy from one location to another. Frank -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html