Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready

"J. Bruce Fields" <bfields@fieldses.org> Wed, 26 July 2006 18:58 UTC

Date: Wed, 26 Jul 2006 09:00:44 -0400
To: Sam Falkner <Sam.Falkner@Sun.COM>
Message-ID: <20060726130044.GA21273@fieldses.org>
References: <C98692FD98048C41885E0B0FACD9DFB8023DF6B9@exnane01.hq.netapp.com> <200607250232.37603.a.gruenbacher@computer.org> <04075B08-F57D-4842-A7B2-9467DF9A39A2@Sun.COM> <200607252215.16735.agruen@suse.de> <4654D18B-57AD-4779-80A6-BFD2FCEC4A69@Sun.COM>
In-Reply-To: <4654D18B-57AD-4779-80A6-BFD2FCEC4A69@Sun.COM>
Cc: Lisa Week <Lisa.Week@Sun.COM>, nfsv4@ietf.org, nfs@lists.sourceforge.net, "Noveck, Dave" <Dave.Noveck@netapp.com>, Spencer Shepler <spencer.shepler@Sun.COM>, "Pawlowski, Brian" <beepy@netapp.com>, Andreas Gruenbacher <agruen@suse.de>

On Tue, Jul 25, 2006 at 10:59:25PM -0600, Sam Falkner wrote:
> On Jul 25, 2006, at 2:15 PM, Andreas Gruenbacher wrote:
> >Maybe nobody explained to users how to properly use ACLs to prevent
> >this from happening? The behavior of Solaris chmod(1) is a potential
> >security hole, although a small one only.
> 
> I remind you that in NFSv4, ACL is not a required attribute.

That's really a statement about servers, not clients, so I'm not
convinced it's relevant here.

It's true that servers are not required to support optional attributes.
But obviously clients may be required to do so if, for example, they
want full control over file permissions.

The chmod-modifies-group-bits scheme only removes one of the more
visible consequences of this fact.

--b.
