From: ebiederm@xmission.com (Eric W. Biederman)
To: "Andreas Grünbacher" <andreas.gruenbacher@gmail.com>
Cc: "Miklos Szeredi" <miklos@szeredi.hu>,
"Seth Forshee" <seth.forshee@canonical.com>,
fuse-devel <fuse-devel@lists.sourceforge.net>,
"Linux FS-devel Mailing List" <linux-fsdevel@vger.kernel.org>,
"Michael j Theall" <mtheall@us.ibm.com>,
"Jean-Pierre André" <jean-pierre.andre@wanadoo.fr>,
"Nikolaus Rath" <Nikolaus@rath.org>,
"Andreas Gruenbacher" <agruenba@redhat.com>
Subject: Re: [PATCH 0/2] Support for posix ACLs in fuse
Date: Wed, 21 Sep 2016 12:42:41 -0500 [thread overview]
Message-ID: <87bmzhdu9a.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAHpGcM+kCo+RK=-qCEbQd3-pkz4JmXvgNvk7BGvTkAC171H3bQ@mail.gmail.com> ("Andreas \=\?utf-8\?Q\?Gr\=C3\=BCnbacher\=22's\?\= message of "Wed, 21 Sep 2016 19:24:08 +0200")
Andreas Grünbacher <andreas.gruenbacher@gmail.com> writes:
> 2016-09-21 17:40 GMT+02:00 Eric W. Biederman <ebiederm@xmission.com>:
>> Miklos Szeredi <miklos@szeredi.hu> writes:
>>> 3) How will richacl's fit into this?
>>
>> As best as I can read the situation richacl support has not yet been
>> merged into Linux yet.
>
> True. The patches are stuck in Al Viro's inbox since a very long time.
>
>> Last I was following the richacl discussion there were some fundamental
>> features of richacls that were incompatible with the expectations of
>> ordinary linux applications.
>
> Not true.
>
>> The negative acls if my memory serves.
>> That raised some concern if richacls could ever be safely be merged.
>>
>> As I recall Christoph Hellwig was a primary on raising those concerns,
>> and when I read those arguments they seemed persuasive to me.
>
> The whole point of Richacls is to be compatible with the POSIX file
> permission model. Entries that deny permissions are a necessary part
> of Richacls for various reasons. Christoph doesn't like them, but that
> doesn't make them any less necessary.
Negative access control permissions are extremly nasty, and cause a lot
of problems in the real world, especially where they have not existed
before. And sometimes where they are rare enough to not have existed
before.
I am would prefer you taking a measured approach rather than ignoring
people's concerns.
I certainly don't need any kind of ACLs for any kind of files I have
ever dealt with in practice. I deal with ACLs and make certain the
kernel supports them well to ensure there are not nasty bugs waiting
in the wings.
If my memory serves there are very funny corner cases between negative
uids ACLs and user namespaces. The kind that can lead to security
vulnerabilities etc.
The practical problem I would envision is users using user namespaces to
enable them to change their uid or gid and that in turn would result in
negative acls failing to contain deny users access to files.
So I would be very careful with adding negative permission checks that
are going to be (at best) very error prone to use to the current unix
permission model.
Eric
next prev parent reply other threads:[~2016-09-21 17:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-29 13:46 [PATCH 0/2] Support for posix ACLs in fuse Seth Forshee
2016-08-29 13:46 ` [PATCH 1/2] fuse: Use generic xattr ops Seth Forshee
2016-08-29 13:46 ` [PATCH 2/2] fuse: Add posix ACL support Seth Forshee
2016-09-07 3:32 ` [PATCH 0/2] Support for posix ACLs in fuse Nikolaus Rath
2016-09-07 12:32 ` Seth Forshee
2016-09-21 8:30 ` Miklos Szeredi
2016-09-21 12:25 ` Jean-Pierre André
2016-09-21 14:14 ` Miklos Szeredi
2016-09-21 20:50 ` [fuse-devel] " Michael Theall
2016-09-23 15:03 ` Miklos Szeredi
2016-09-21 13:41 ` Seth Forshee
2016-09-21 13:57 ` Miklos Szeredi
2016-09-28 19:34 ` Seth Forshee
2016-09-21 15:40 ` Eric W. Biederman
2016-09-21 17:24 ` Andreas Grünbacher
2016-09-21 17:42 ` Eric W. Biederman [this message]
2016-09-21 19:00 ` Jeremy Allison
2016-09-21 21:08 ` Andreas Grünbacher
2016-09-21 21:28 ` Andreas Grünbacher
2016-09-23 9:01 ` Miklos Szeredi
2016-09-23 9:15 ` Andreas Grünbacher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bmzhdu9a.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=Nikolaus@rath.org \
--cc=agruenba@redhat.com \
--cc=andreas.gruenbacher@gmail.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=jean-pierre.andre@wanadoo.fr \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mtheall@us.ibm.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.