RE: [nfsv4] Re: Minor Eccentrity of POSIX ACLs
"Noveck, Dave" <Dave.Noveck@netapp.com> Mon, 29 May 2006 19:13 UTC
Subject: RE: [nfsv4] Re: Minor Eccentrity of POSIX ACLs
Date: Mon, 29 May 2006 15:03:30 -0400
From: "Noveck, Dave" <Dave.Noveck@netapp.com>
To: "J. Bruce Fields" <bfields@fieldses.org>, Benny Halevy <bhalevy@panasas.com>
Cc: marius@citi.umich.edu, nfsv4@ietf.org
It doesn't seem that this eccentricity, or rather RFC3530's failure to emulate it, results in any negative security consequences. If you allow someone to open a file for reading and open that same file for writing, not allowing him to open for both does not interfere with his access to the file, except in adding a degree of inconvenience. Everything you can do with a file open for read and for write can be done with two open files, one open for read and the other open for write.

-----Original Message-----
From: J. Bruce Fields [mailto:bfields@fieldses.org]
Sent: Monday, May 29, 2006 11:48 AM
To: Benny Halevy
Cc: marius@citi.umich.edu; nfsv4@ietf.org
Subject: [nfsv4] Re: Minor Eccentrity of POSIX ACLs

On Mon, May 29, 2006 at 01:54:29PM +0300, Benny Halevy wrote:
> In draft-ietf-nfsv4-acl-mapping-04.txt, section 5 you say
> that the following POSIX semantics cannot be expressed with
> NFSv4 ACLs:
>
> | if a requester that is a member of more than one
> | group listed in the ACL requests multiple bits simultaneously, the
> | POSIX algorithm requires all of the bits to be granted simultaneously
> | by one of the group ACEs. Thus a POSIX ACL such as
> |
> | ACL_USER_OBJ: ---
> | ACL_GROUP_OBJ: ---
> | g1: r--
> | g2: -w-
> | ACL_MASK: rw-
> | ACL_OTHER: ---
> |
> | will prevent a user that is a member of groups g1 and g2 from opening
> | a file for both read and write, even though read and write would be
> | individually permitted.
> |
> | The NFSv4 ACL permission-checking algorithm has the property that it
> | permits a group of bits whenever it would permit each bit
> | individually, so it is impossible to mimic this behaviour with an
> | NFSv4 ACL.
>
> Please correct me if I'm wrong but I think that this posix
> eccentricity can be expressed with NFSv4 ACLs by having
> explicit GROUP@ or group deny ACEs after each respective
> GROUP@ or group allow ACE.

No. Try writing down your example explicitly and tracing through the algorithm described in rfc3530. There's just no way to make an NFSv4 ACL deny a bitmask when it would permit each bit in the mask individually.

--b.

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4