On Wed, Sep 2, 2009 at 3:22 PM, J. Bruce Fields<bfields@xxxxxxxxxxxx> wrote: > On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote: >> "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote on 09/02/2009 11:42:43 AM: >> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote: >> > > This patch series implement POSIX ACL support for NFSV4 clients >> > > using sideband protocol. >> > >> > What motivates this? Who exactly wants this and why? What would be >> > the advantages compared to other options, such as: >> >> The most obvious reason to me is that security information >> can be lost as the ACL which was generated by Linux utilities and >> client acl tools (which get/set posix acls) are converted by the Linux nfs >> v4 client > > The kernel v4 client doesn't do that--it passes untouched v4 acls to and > from userspace. 1) Passing untouched ACLs doesn't help as these ACLs would be NFS specific, and unrecognized by the default Linux tools and GUIs. Access Control on file and directory objects is a "system feature" - part of the OS (it has been that way since at least OS/2, not just Windows, MacOS, Solaris etc..) You wouldn't require the user to use different tools for modifying ACLs in Windows, MacOS and require that the user try to figure out the ACL model of the underlying file system before deciding what tool to use and what permissions to apply to his home directory 2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC by others in the past) at least you lose less data (NFSv4 ACLs are "richer" in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX case you are limiting the user to the subset of choices which are actually going to be able to be stored, no inheritence etc.) -- Thanks, Steve -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
