On Wed, Sep 02, 2009 at 03:53:17PM -0500, Steve French wrote: > On Wed, Sep 2, 2009 at 3:22 PM, J. Bruce Fields<bfields@xxxxxxxxxxxx> wrote: > > On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote: > >> "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote on 09/02/2009 11:42:43 AM: > >> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote: > >> > > This patch series implement POSIX ACL support for NFSV4 clients > >> > > using sideband protocol. > >> > > >> > What motivates this? Who exactly wants this and why? What would be > >> > the advantages compared to other options, such as: > >> > >> The most obvious reason to me is that security information > >> can be lost as the ACL which was generated by Linux utilities and > >> client acl tools (which get/set posix acls) are converted by the Linux nfs > >> v4 client > > > > The kernel v4 client doesn't do that--it passes untouched v4 acls to and > > from userspace. > > 1) Passing untouched ACLs doesn't help as these ACLs would be NFS specific, > and unrecognized by the default Linux tools and GUIs. Access Control on > file and directory objects is a "system feature" - part of the OS (it has been > that way since at least OS/2, not just Windows, MacOS, Solaris etc..) > You wouldn't require the user to use different tools for modifying ACLs in > Windows, MacOS and require that the user try to figure out the ACL model of > the underlying file system before deciding what tool to use and what permissions > to apply to his home directory > 2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC > by others in the past) at least you lose less data (NFSv4 ACLs are "richer" > in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX > case you are limiting the user to the subset of choices which are actually > going to be able to be stored, no inheritence etc.) If I remember correctly, Linux's posix acl support was added at about the same time the NFSv4.0 spec was being written--I seem to recall the first ACL patches being merged around the same time as the first NFSv4 patches? At which point it was reasonable to say that nobody really used "POSIX" ACLs, and nobody could ever even agree on a single standard for them, so why bother? So another way to state your argument #1 would be to say that a lot has changed since then: Linux administrators have gotten used to ACLs, v2/v3 and CIFS have gained support for them, etc., so they're established now and we have to support them. I think that argument would need to be made to nfsv4@xxxxxxxx, and will need some evidence to back it up. (Unfortunately, I see that on my very recent (Ubuntu 9.10 alpha) linux desktop, acl support on the filesystem isn't turned on, and nautilus doesn't appear to know how to edit acls. On the other hand, everything's compiled against libacl, and the commandline utilities appear to have been installed by default.) --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
