[nfsv4] Re: Minor Eccentrity of POSIX ACLs
"J. Bruce Fields" <bfields@fieldses.org> Mon, 29 May 2006 15:48 UTC
Date: Mon, 29 May 2006 11:47:58 -0400
To: Benny Halevy <bhalevy@panasas.com>
Cc: marius@citi.umich.edu, nfsv4@ietf.org
On Mon, May 29, 2006 at 01:54:29PM +0300, Benny Halevy wrote:
> In draft-ietf-nfsv4-acl-mapping-04.txt, section 5 you say
> that the following POSIX semantics cannot be expressed with
> NFSv4 ACLs:
>
> | if a requester that is a member of more than one
> | group listed in the ACL requests multiple bits simultaneously, the
> | POSIX algorithm requires all of the bits to be granted simultaneously
> | by one of the group ACEs. Thus a POSIX ACL such as
> |
> |     ACL_USER_OBJ: ---
> |     ACL_GROUP_OBJ: ---
> |     g1: r--
> |     g2: -w-
> |     ACL_MASK: rw-
> |     ACL_OTHER: ---
> |
> | will prevent a user that is a member of groups g1 and g2 from opening
> | a file for both read and write, even though read and write would be
> | individually permitted.
> |
> | The NFSv4 ACL permission-checking algorithm has the property that it
> | permits a group of bits whenever it would permit each bit
> | individually, so it is impossible to mimic this behaviour with an
> | NFSv4 ACL.
>
> Please correct me if I'm wrong but I think that this posix
> eccentricity can be expressed with NFSv4 ACLs by having
> explicit GROUP@ or group deny ACEs after each respective
> GROUP@ or group allow ACE.

No. Try writing down your example explicitly and tracing through the
algorithm described in rfc3530. There's just no way to make an NFSv4
ACL deny a bitmask when it would permit each bit in the mask
individually.

--b.
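Added example, not part of the original message or of the draft: a Python sketch that traces the quoted POSIX ACL and one reading of the proposed allow/deny ordering through simplified versions of the two algorithms, then brute-forces every NFSv4 ACL of up to three ACEs over g1/g2. The function names, the PROPOSED ACL and the choice to treat never-allowed bits as denied are assumptions; owner and named-user entries are not modelled.

```python
from itertools import product

R, W = 4, 2  # permission bits, matching the rw- notation in the quoted draft

def posix_group_check(group_entries, mask, other, member_of, want):
    """POSIX ACL check for a requester who is neither owner nor a named user."""
    matched = [perms for g, perms in group_entries if g in member_of]
    if not matched:
        return want & other == want
    # One single matching group entry must grant every requested bit.
    return any(want & perms & mask == want for perms in matched)

def nfsv4_check(acl, member_of, want):
    """ACE-by-ACE evaluation in the style described in RFC 3530."""
    remaining = want
    for ace_type, who, bits in acl:
        if who not in member_of:
            continue
        if ace_type == "deny" and remaining & bits:
            return False  # a still-unallowed bit hits a matching DENY ACE
        if ace_type == "allow":
            remaining &= ~bits
        if not remaining:
            return True
    return False  # assumption: bits never allowed are treated as denied

# The POSIX ACL from the quoted draft text (ACL_GROUP_OBJ counts as a group entry).
POSIX_GROUPS = [("GROUP@", 0), ("g1", R), ("g2", W)]
USER = {"g1", "g2"}  # requester is in g1 and g2, not in the owning group

def posix_results():
    return [posix_group_check(POSIX_GROUPS, R | W, 0, USER, m) for m in (R, W, R | W)]

# Assumed reading of the proposal: a deny ACE after each allow ACE.
PROPOSED = [("allow", "g1", R), ("deny", "g1", W), ("allow", "g2", W), ("deny", "g2", R)]

def proposed_results():
    return [nfsv4_check(PROPOSED, USER, m) for m in (R, W, R | W)]

def search_counterexample(max_len=3):
    """Try every short ACL over g1/g2 for one that allows r, allows w, denies rw."""
    aces = list(product(("allow", "deny"), ("g1", "g2"), (R, W, R | W)))
    for n in range(1, max_len + 1):
        for acl in product(aces, repeat=n):
            if (nfsv4_check(acl, USER, R) and nfsv4_check(acl, USER, W)
                    and not nfsv4_check(acl, USER, R | W)):
                return acl
    return None
```

Each results list is ordered [r, w, rw]. The PROPOSED ordering blocks rw only by also denying w on its own, which the POSIX ACL permits, and the search finds no ACL that separates the two cases.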