On Jan 24, 2014, at 7:28, Malahal Naineni <malahal@xxxxxxxxxx> wrote: > Trond Myklebust [trond.myklebust@xxxxxxxxxxxxxxx] wrote: >> >> On Jan 23, 2014, at 20:50, Malahal Naineni <malahal@xxxxxxxxxx> wrote: >> >>> Currently we support ACLs if the NFS server file system supports >>> ALLOW and DENY ACE types. This patch makes the Linux client work with >>> ACLs if the server supports either ALLOW or DENY ACE types. >> >> According to RFC5661, the behaviour if you don’t have ALLOW aces is to deny all access. How does it make sense to accept that? > > I have a server that only returned 'ALLOW' type support probably due to > a bug! There is nothing in the spec that said a server 'MUST' support > 'ALLOW' and 'DENY' ACE types (RFC5661 does say 'SHOULD' though!). That > was my reasoning to fix the client to be more liberal/lenient. > > Can a server implicitly construct 'ALLOW' ACEs based on mode and not > support explicitly setting such ACEs by a client? I am not too familiar > with ACLs, if you think we should only check for 'ALLOW' support flag, I > can re-spin the patch but I think it is better to be more lenient > specially if it is not incorrect by being more lenient! The way I read the spec, the default behaviour is to disallow access unless you have sufficient ALLOW aces for the behaviour that you want. The DENY aces are optional, and are there in order to explicitly deny a user or group a particular behaviour that they would otherwise be allowed due to some subsequent combination of ALLOW aces. So, I accept that a server could function while only supporting ALLOW aces, but I don’t see how it could work at all with only DENY ace support. Cheers Trond -- Trond Myklebust Linux NFS client maintainer -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html