IETF Logo Mail Archive

Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready

"J. Bruce Fields" <bfields@fieldses.org> Mon, 10 July 2006 14:15 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FzwY7-0006y6-0g; Mon, 10 Jul 2006 10:15:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FzwY5-0006xy-VD for nfsv4@ietf.org; Mon, 10 Jul 2006 10:15:45 -0400
Received: from mail.fieldses.org ([66.93.2.214] helo=pickle.fieldses.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FzwY3-0001KY-LV for nfsv4@ietf.org; Mon, 10 Jul 2006 10:15:45 -0400
Received: from bfields by pickle.fieldses.org with local (Exim 4.62) (envelope-from <bfields@fieldses.org>) id 1FzwY1-0000bH-Vm; Mon, 10 Jul 2006 10:15:42 -0400
Date: Mon, 10 Jul 2006 10:15:41 -0400
To: Sam Falkner <Sam.Falkner@Sun.COM>
Subject: Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Message-ID: <20060710141541.GA978@fieldses.org>
References: <200607032310.15252.agruen@suse.de> <200607071355.30624.agruen@suse.de> <B2F139E8-41BB-4657-B6FD-6738331C57E1@Sun.COM> <200607091822.44656.agruen@suse.de> <B0F5507F-A317-44F7-B6A3-A5005542A631@Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B0F5507F-A317-44F7-B6A3-A5005542A631@Sun.COM>
User-Agent: Mutt/1.5.11+cvs20060403
From: "J. Bruce Fields" <bfields@fieldses.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: Brian Pawlowski <beepy@netapp.com>, Spencer Shepler <spencer.shepler@Sun.COM>, nfs@lists.sourceforge.net, nfsv4@ietf.org, Lisa Week <Lisa.Week@Sun.COM>
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Errors-To: nfsv4-bounces@ietf.org

On Mon, Jul 10, 2006 at 07:29:56AM -0600, Sam Falkner wrote:
> On Jul 9, 2006, at 10:22 AM, Andreas Gruenbacher wrote:
> >According to section 5.1 of draft-ietf-nfsv4-acls [1], the  
> >resulting file mode
> >permission bits for this acl shall be rw-r--r--.
> 
> Your proposal would give this mode: rw-rw-r--.  I think we should  
> consider this more carefully.

As Andreas says, this is what the posix draft would have you do.  It's
also what Linux (and, I assume, Solaris) do in the case of posix ACLs.

If the goals was compatibility with that posix draft, RFC3530 should
have specified that owner, other, and group bits be kept in sync with
(respectively) OWNER@, EVERYONE@, and the *maximum* of permissions given
to any other entity, rather than with OWNER@, EVERYONE@, and GROUP@.

> You would call it wrong that a chmod 770 would allow WRITE_DATA to  
> members of the file's owning group?!  The  user did a chmod -- the  
> user changed the permissions on the file!

That is how posix acl's work; again, the group mode bit really
corresponds to the mask, not to the group acl entry:

	bfields@pickle:~$ getfacl foo
	# file: foo
	# owner: bfields
	# group: bfields
	user::rw-
	user:bfields:r--
	group::r--
	mask::r--
	other::---

	bfields@pickle:~$ chmod 770 foo
	bfields@pickle:~$ getfacl foo
	# file: foo
	# owner: bfields
	# group: bfields
	user::rwx
	user:bfields:r--
	group::r--
	mask::rwx
	other::---


Of course, "posix" acls aren't really posix, and we could do something
else if seems simpler.  Neither behavior seems intuitive to me in all
situations.

--b.

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email