On Wed, 14 Jan 2015 09:53:10 +0100 Andreas Gruenbacher <agruenba@xxxxxxxxxx> wrote: > On 01/13/2015 10:31 PM, Jan Kara wrote: > > On Tue 13-01-15 16:16:13, J. Bruce Fields wrote: > >> On Tue, Jan 13, 2015 at 10:04:40PM +0100, Jan Kara wrote: > >>> On Tue 13-01-15 12:40:29, J. Bruce Fields wrote: > >>>> If we modified the behavior to permit O_RDWR in this case, would that > >>>> cause anyone a problem? > >>> As others noted, this changes user visible behavior and I don't think we > >>> can do that. In the discussion about user namespaces, we for example > >>> specifically disallowed unpriviledged process to drop some group membership > >>> exactly because it can actually result in process suddently being able to > >>> access some files and reportedly there are setups which are using group > >>> membership to *restrict* access. > >> > >> Right, but look at the case above carefully again--it's *much* more > >> special than the one the container people hit. > >> > >> You can absolutely still represent weird modes like 026 with a Richacl > >> and it will deny permissions in the traditional way. > > Ah, OK. You are right that Rich ACLs can express the use of a group to > > restrict permissions. > > > >> Using the usual "if a tree fell in a forest and nobody heard it..." > >> criterion, I think this change would be unlikely to cause us trouble. > > On a second thought I agree. > > I really don't think that changing the existing POSIX ACL behavior is an > option here, or that representing POSIX ACLs as richacls internally > makes a lot of sense. We'll be much better off having both models side > by side. > > Converting existing POSIX ACLs into richacls, for example for converting > an entire file system, possibly offline, is relatively simple and > straight forward -- and will be needed -- with the caveat that > permissions will then start to accumulate. > > Converting richacls into POSIX ACLs may occasionally be needed when > migrating something back as well, but this operation is lossy in > general, likely slow, there could be different policies like failing or > dropping permissions when something cannot be represented exactly. By > representing POSIX ACLs as richacls internally, that more complicated > conversion would be needed all the time, even in the kernel, though. > FWIW, at the last LSF we had a discussion around richacls and Aneesh was present. The tentative decision at that time was that filesystems should store _either_ richacls or posix acls, and that decision should be made at fs creation time. If you need to convert to the other scheme, then the understanding was that you'd either recreate the filesystem, or potentially do some sort of in-place conversion with a specialized tool. I think aiming for that sort of scheme makes the most sense as it covers the vast majority of use-cases and keeps undue complexity out of the kernel. -- Jeff Layton <jlayton@xxxxxxxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
