On Tue 13-01-15 12:40:29, J. Bruce Fields wrote: > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher wrote: > > On 01/13/2015 05:48 PM, Jeremy Allison wrote: > > >My understanding of Christoph's objection (although I'm sure > > >he can chime in himself :-) was that he wanted to see POSIX > > >ACLs reworked as a mapping on top of RichACLs, so that ultimately > > >RichACLs would be the only on-disk format of the EA. > > > > > >I think that is doable, as I think any POSIX ACL can be represented > > >as an underlying RichACL, just not the reverse. > > > > On of the differences is that permissions in POSIX ACLs do > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also > > richacls, they do not. So the two models are really not > > interchangeable, however annoying that may be. > > > > For example, with the following POSIX ACL, a non-root process in > > group 5001 and 5002 would not be allowed to open f with O_RDWR, only > > with O_RDONLY *or* O_WRONLY. > > > > # file: f > > # owner: root > > # group: root > > user::rw- > > group::rw- > > group:5001:r-- > > group:5002:-w- > > mask::rw- > > other::--- > > > > In all the other ACL models, the process would be allowed to open f > > with O_RDWR. > > If we modified the behavior to permit O_RDWR in this case, would that > cause anyone a problem? As others noted, this changes user visible behavior and I don't think we can do that. In the discussion about user namespaces, we for example specifically disallowed unpriviledged process to drop some group membership exactly because it can actually result in process suddently being able to access some files and reportedly there are setups which are using group membership to *restrict* access. > > The rationale for this behavior in POSIX ACLs was / is consistency > > with how the traditional POSIX file permission model works -- > > determine which of the (three) sets of permissions applies to a > > process, then check only that set. > > The "consistency" leads to kind of weird corner case here. I agree it's somewhat weird but it's how traditional unix permissions have worked since day one so we better get used to that ;) Honza -- Jan Kara <jack@xxxxxxx> SUSE Labs, CR -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
