From: "J. Bruce Fields" <bfields@fieldses.org>
To: Sam Falkner <Sam.Falkner@Sun.COM>
Cc: Brian Pawlowski <beepy@netapp.com>,
Spencer Shepler <spencer.shepler@Sun.COM>,
nfs@lists.sourceforge.net, nfsv4@ietf.org,
Lisa Week <Lisa.Week@Sun.COM>
Subject: Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Date: Mon, 10 Jul 2006 10:15:41 -0400 [thread overview]
Message-ID: <20060710141541.GA978@fieldses.org> (raw)
In-Reply-To: <B0F5507F-A317-44F7-B6A3-A5005542A631@Sun.COM>
On Mon, Jul 10, 2006 at 07:29:56AM -0600, Sam Falkner wrote:
> On Jul 9, 2006, at 10:22 AM, Andreas Gruenbacher wrote:
> >According to section 5.1 of draft-ietf-nfsv4-acls [1], the
> >resulting file mode
> >permission bits for this acl shall be rw-r--r--.
>
> Your proposal would give this mode: rw-rw-r--. I think we should
> consider this more carefully.
As Andreas says, this is what the posix draft would have you do. It's
also what Linux (and, I assume, Solaris) do in the case of posix ACLs.
If the goals was compatibility with that posix draft, RFC3530 should
have specified that owner, other, and group bits be kept in sync with
(respectively) OWNER@, EVERYONE@, and the *maximum* of permissions given
to any other entity, rather than with OWNER@, EVERYONE@, and GROUP@.
> You would call it wrong that a chmod 770 would allow WRITE_DATA to
> members of the file's owning group?! The user did a chmod -- the
> user changed the permissions on the file!
That is how posix acl's work; again, the group mode bit really
corresponds to the mask, not to the group acl entry:
bfields@pickle:~$ getfacl foo
# file: foo
# owner: bfields
# group: bfields
user::rw-
user:bfields:r--
group::r--
mask::r--
other::---
bfields@pickle:~$ chmod 770 foo
bfields@pickle:~$ getfacl foo
# file: foo
# owner: bfields
# group: bfields
user::rwx
user:bfields:r--
group::r--
mask::rwx
other::---
Of course, "posix" acls aren't really posix, and we could do something
else if seems simpler. Neither behavior seems intuitive to me in all
situations.
--b.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
next prev parent reply other threads:[~2006-07-10 14:15 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-03 21:10 NFSv4 ACL and POSIX interaction / mask Andreas Gruenbacher
2006-07-07 11:55 ` NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready Andreas Gruenbacher
2006-07-08 3:45 ` Sam Falkner
2006-07-08 6:51 ` [nfsv4] " Lisa Week
2006-07-10 21:09 ` Andreas Gruenbacher
2006-07-08 14:32 ` Sam Falkner
2006-07-09 16:22 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 13:29 ` Sam Falkner
2006-07-10 14:15 ` J. Bruce Fields [this message]
2006-07-10 15:32 ` Sam Falkner
2006-07-10 18:57 ` [NFS] " J. Bruce Fields
2006-07-10 22:26 ` [nfsv4] " Sam Falkner
2006-07-10 22:39 ` J. Bruce Fields
2006-07-10 22:43 ` J. Bruce Fields
2006-07-11 0:44 ` Andreas Gruenbacher
2006-07-11 0:15 ` Andreas Gruenbacher
2006-07-11 5:42 ` [nfsv4] " Sam Falkner
2006-07-11 8:05 ` Andreas Gruenbacher
2006-07-11 12:29 ` [nfsv4] " Sam Falkner
2006-07-11 13:46 ` J. Bruce Fields
2006-07-15 13:56 ` [nfsv4] " Sam Falkner
2006-07-11 0:01 ` Andreas Gruenbacher
2006-07-11 0:28 ` [nfsv4] " J. Bruce Fields
2006-07-11 0:48 ` Andreas Gruenbacher
2006-07-10 22:50 ` Andreas Gruenbacher
2006-07-11 6:17 ` [nfsv4] " Sam Falkner
2006-07-11 8:45 ` Andreas Gruenbacher
2006-07-11 12:44 ` [nfsv4] " Sam Falkner
2006-07-11 6:50 ` Lisa Week
2006-07-11 8:55 ` Andreas Gruenbacher
2006-07-27 0:59 ` Andreas Gruenbacher
2006-07-27 2:57 ` Andreas Gruenbacher
2006-07-28 6:32 ` Lisa Week
2006-08-01 10:36 ` [nfsv4] " Andreas Gruenbacher
2006-07-14 17:59 ` [NFS] " J. Bruce Fields
2006-07-14 18:22 ` J. Bruce Fields
2006-07-14 19:02 ` Andreas Gruenbacher
2006-07-14 19:13 ` J. Bruce Fields
-- strict thread matches above, loose matches on Subject: below --
2006-07-08 15:04 Noveck, Dave
2006-07-08 19:27 ` [nfsv4] " Lisa Week
2006-07-10 8:07 ` Andreas Gruenbacher
2006-07-14 18:29 Noveck, Dave
2006-07-14 18:32 ` J. Bruce Fields
2006-07-16 13:10 Noveck, Dave
2006-07-18 22:08 ` Sam Falkner
2006-07-21 15:10 Noveck, Dave
2006-07-21 18:10 ` J. Bruce Fields
2006-07-23 15:47 ` Sam Falkner
2006-07-25 0:32 ` [nfsv4] " a.gruenbacher
2006-07-25 4:26 ` Sam Falkner
2006-07-25 20:15 ` Andreas Gruenbacher
2006-07-26 4:59 ` Sam Falkner
2006-07-26 13:00 ` [nfsv4] " J. Bruce Fields
2006-08-03 13:46 ` Andreas Gruenbacher
2006-08-04 0:30 ` Andreas Gruenbacher
2006-08-04 1:37 ` Sam Falkner
2006-08-04 10:35 ` Andreas Gruenbacher
2006-08-04 11:19 ` Andreas Gruenbacher
2006-08-04 20:20 ` Sam Falkner
2006-07-21 17:16 Yoder, Alan
2006-07-23 15:45 ` [nfsv4] " Sam Falkner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060710141541.GA978@fieldses.org \
--to=bfields@fieldses.org \
--cc=Lisa.Week@Sun.COM \
--cc=Sam.Falkner@Sun.COM \
--cc=beepy@netapp.com \
--cc=nfs@lists.sourceforge.net \
--cc=nfsv4@ietf.org \
--cc=spencer.shepler@Sun.COM \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.