> On Oct 29, 2024, at 10:43 PM, Rick Macklem <rick.macklem@xxxxxxxxx> wrote: > > Hi, > > I've run into a rough patch (no pun intended;-) w.r.t. the server > side implementation of the POSIX draft ACL attribute extension. > > (N)VERIFY operations need to compare attributes for "equal" and > that is not easy. > > First, the current server code compares raw XDR and that will > only compare "equal" if the ACEs are in the exact same order > and all the "who" strings (which represent users and groups) > are in the exact same format. > > It would be a lot of work to rewrite VERIFY so that it does not > compare raw XDR and, even then, any difference in the way > the "who" strings are expressed on-the-wire vs what is generated > from the server's current ACL (a number in a string vs user@domain > for example) would be difficult to compare. > > To avoid this problem, I am considering not allowing the POSIX > draft ACLs to be used for (N)VERIFY operations in the Internet > Draft. > > Does this sound reasonable? IMHO you should ask the WG first. Would NFSv4 ACLs have the same issues? -- Chuck Lever
