[nfsv4] Re: Minor Eccentrity of POSIX ACLs
Benny Halevy <bhalevy@panasas.com> Tue, 30 May 2006 06:14 UTC
Date: Tue, 30 May 2006 09:10:22 +0300
From: Benny Halevy <bhalevy@panasas.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: marius@citi.umich.edu, nfsv4@ietf.org
J. Bruce Fields wrote:
> On Mon, May 29, 2006 at 01:54:29PM +0300, Benny Halevy wrote:
>
>>In draft-ietf-nfsv4-acl-mapping-04.txt, section 5 you say
>>that the following POSIX semantics cannot be expressed with
>>NFSv4 ACLs:
>>
>>| if a requester that is a member of more than one
>>| group listed in the ACL requests multiple bits simultaneously, the
>>| POSIX algorithm requires all of the bits to be granted simultaneously
>>| by one of the group ACEs. Thus a POSIX ACL such as
>>|
>>|    ACL_USER_OBJ: ---
>>|    ACL_GROUP_OBJ: ---
>>|    g1: r--
>>|    g2: -w-
>>|    ACL_MASK: rw-
>>|    ACL_OTHER: ---
>>|
>>| will prevent a user that is a member of groups g1 and g2 from opening
>>| a file for both read and write, even though read and write would be
>>| individually permitted.
>>|
>>| The NFSv4 ACL permission-checking algorithm has the property that it
>>| permits a group of bits whenever it would permit each bit
>>| individually, so it is impossible to mimic this behaviour with an
>>| NFSv4 ACL.
>>
>>Please correct me if I'm wrong but I think that this posix
>>eccentricity can be expressed with NFSv4 ACLs by having
>>explicit GROUP@ or group deny ACEs after each respective
>>GROUP@ or group allow ACE.
>
>
> No. Try writing down your example explicitly and tracing through the
> algorithm described in rfc3530. There's just no way to make an NFSv4
> ACL deny a bitmask when it would permit each bit in the mask
> individually.
>

Hmm, I see your point taking all order permutations into account.
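The trace suggested in the thread, as an added example that is not part of the original messages: a sketch of the POSIX draft check and of the ordered ACE walk described in rfc3530, plus an exhaustive search over short g1/g2 ACLs for one that permits read and write singly but denies them together. The function names, the owner/group/requester names, and the reading of "deny ACE after each allow ACE" as denying the bits not allowed are all assumptions.

```python
from itertools import product

R, W = 4, 2  # permission bits

def posix_check(acl, uid, groups, want):
    """POSIX.1e draft check: one matching group entry must grant every bit."""
    mask = acl["ACL_MASK"]
    if uid == acl["owner"]:
        return acl["ACL_USER_OBJ"] & want == want
    if uid in acl["users"]:
        return acl["users"][uid] & mask & want == want
    entries = [acl["ACL_GROUP_OBJ"]] if acl["group"] in groups else []
    entries += [p for g, p in acl["groups"].items() if g in groups]
    if entries:
        return any(p & mask & want == want for p in entries)
    return acl["ACL_OTHER"] & want == want

def nfs4_check(aces, principals, want):
    """RFC 3530 style walk: the first matching ACE that names a bit decides it."""
    remaining = want
    for ace_type, who, bits in aces:
        if who not in principals:
            continue
        if ace_type == "DENY" and bits & remaining:
            return False
        if ace_type == "ALLOW":
            remaining &= ~bits
        if not remaining:
            return True
    return False  # bits never allowed are treated as denied here

def find_counterexample(max_len=4):
    """Search for an NFSv4 ACL that allows r and w singly but denies r+w."""
    choices = list(product(("ALLOW", "DENY"), ("g1", "g2"), (R, W, R | W)))
    me = {"g1", "g2"}
    for n in range(1, max_len + 1):
        for aces in product(choices, repeat=n):
            if (nfs4_check(aces, me, R) and nfs4_check(aces, me, W)
                    and not nfs4_check(aces, me, R | W)):
                return aces
    return None

# The draft's ACL; owner, group and requester names are constructed.
DRAFT_ACL = {"owner": "alice", "group": "staff", "users": {},
             "ACL_USER_OBJ": 0, "ACL_GROUP_OBJ": 0, "groups": {"g1": R, "g2": W},
             "ACL_MASK": R | W, "ACL_OTHER": 0}
# One reading of "deny ACE after each allow ACE": deny the bits not allowed.
DENY_AFTER_ALLOW = [("ALLOW", "g1", R), ("DENY", "g1", W),
                    ("ALLOW", "g2", W), ("DENY", "g2", R)]
```

For a requester in both g1 and g2, `posix_check` on `DRAFT_ACL` grants R and W separately but not R|W, while `DENY_AFTER_ALLOW` already refuses W on its own; `find_counterexample()` finds no ACL of up to four ACEs with the POSIX behaviour.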