On Tue, Mar 24, 2009 at 06:22:47PM -0400, Trond Myklebust wrote: > On Tue, 2009-03-24 at 18:15 -0400, J. Bruce Fields wrote: > > On Tue, Mar 24, 2009 at 05:44:07PM -0400, Trond Myklebust wrote: > > > On Tue, 2009-03-24 at 16:10 -0400, J. Bruce Fields wrote: > > > > On Tue, Mar 24, 2009 at 02:56:25AM +0100, Alex Bremer wrote: > > > > > >> How do other people share public files with NFS4? If there is no other > > > > > >> way than setting the users's umask to 002, this would practically > > > > > >> limit the use of NFS4 to private shares like home directories. > > > > > > > > > > > > I don't understand why--can't you use the user-private-group trick?: > > ... > > > > > - we actually have directories where files should only be group readable. > > > > > > > > I don't get it--why not set an inheritable acl on those directories that > > > > permits only read to the group? > > > > > > That only works if the client actually respects the acl... > > > > I don't understand. ACL enforcement and inheritance are both done on > > the server side. > > > > The problem is just that the umask is applied on the client side. But > > if the umask is 002, and an inheritable ACL permits only read, then the > > result of inheritance and umask-application will be an ACL that permits > > reads (and only reads) to the group owner (and to any named users and > > groups). > > The client currently always sends a mode. My interpretation of RFC3530 > is that this will always override the inherited ACL (see the discussion > in OP_OPEN and OP_CREATE w.r.t. the createattrs field). Depends on what you mean by "override". It shouldn't be replacing the inherited ACL wholesale; see 6.4.3. And I don't think we'd want to *entirely* stop sending the mode. With POSIX ACLs the compromise is to ignore the umask, but continue to respect the creat()/open() mode. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
