From: Andreas Gruenbacher <agruen@suse.de>
To: "Aneesh Kumar K. V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Jeff Layton <jlayton@redhat.com>,
sfrench@us.ibm.com, ffilz@us.ibm.com, adilger@sun.com,
sandeen@redhat.com, tytso@mit.edu, bfields@citi.umich.edu,
linux-fsdevel@vger.kernel.org, nfsv4@linux-nfs.org,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH -V4 07/11] vfs: Make acl_permission_check() work for richacls
Date: Mon, 27 Sep 2010 15:03:49 +0200 [thread overview]
Message-ID: <201009271503.49193.agruen@suse.de> (raw)
In-Reply-To: <m3y6ar9djc.fsf@linux.vnet.ibm.com>
On Friday 24 September 2010 20:55:51 Aneesh Kumar K. V wrote:
> To be POSIX compatible we need to ensure that additional file access
> control mechanisms may only further restrict the access permissions defined
> by the file permission bits.
That's true but I don't think it fully answers Jeff's question.
With POSIX ACLs, the owner file permission bits are always identical to the
permissions that the owner is granted through the ACL. Therefore, when
acl_permission_check() is invoked on behalf of the owner, the ACL does not
need to be consulted at all. For non-owners, the ACL always needs to be
checked. This optimization is also true for richacls for the base permissions
(read, write, execute), but:
* Some permissions are more fine-grained than the file mode permission
bits: richacls distinguish between write and append, and between creating
directories and non-directories.
* Some permissions go beyond what the owner is implicitly allowed or what can
be expressed with read, write, execute: in a richacl, a user can be granted
the right to delete a specific file even without write access to the
containing directory and to take ownership of a file
(* In addition, a richacl can grant the right to chmod and set the acl of a
file, and to explicitly set the file timestamps. These are permissions
which the owner is implicitly allowed anyway, so they are not relevant to
this change to acl_permission_check().)
To handle those cases correctly too, we always look at the acl for richacls,
even for the owner. (We could still skip the acl check in some, but fewer,
cases.)
Thanks,
Andreas
next prev parent reply other threads:[~2010-09-27 13:03 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-24 12:48 [PATCH -V4 00/11] New ACL format for better NFSv4 acl interoperability Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 01/11] vfs: Indicate that the permission functions take all the MAY_* flags Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 02/11] vfs: Pass all mask flags down to iop->check_acl Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 03/11] vfs: Add a comment to inode_permission() Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 04/11] vfs: Add generic IS_ACL() test for acl support Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 05/11] vfs: Add IS_RICHACL() test for richacl support Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 06/11] vfs: Optimize out IS_RICHACL() if CONFIG_FS_RICHACL is not defined Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 07/11] vfs: Make acl_permission_check() work for richacls Aneesh Kumar K.V
2010-09-24 15:50 ` Jeff Layton
2010-09-24 18:55 ` Aneesh Kumar K. V
2010-09-27 13:03 ` Andreas Gruenbacher [this message]
2010-09-24 12:48 ` [PATCH -V4 08/11] vfs: Add new file and directory create permission flags Aneesh Kumar K.V
2010-09-24 15:54 ` Jeff Layton
2010-09-24 19:16 ` Aneesh Kumar K. V
2010-09-24 19:23 ` Jeff Layton
2010-09-27 13:14 ` Andreas Gruenbacher
2011-01-02 23:21 ` Ted Ts'o
2011-01-03 5:20 ` Andreas Dilger
2011-01-03 5:59 ` Andreas Dilger
2011-01-03 14:20 ` Aneesh Kumar K. V
2010-09-24 12:48 ` [PATCH -V4 09/11] vfs: Add delete child and delete self " Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 10/11] vfs: Make the inode passed to inode_change_ok non-const Aneesh Kumar K.V
2010-09-24 12:48 ` [PATCH -V4 11/11] vfs: Add permission flags for setting file attributes Aneesh Kumar K.V
2010-10-12 0:24 ` [PATCH -V4 00/11] New ACL format for better NFSv4 acl interoperability J. Bruce Fields
2010-10-12 7:17 ` Aneesh Kumar K. V
2010-10-12 15:35 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201009271503.49193.agruen@suse.de \
--to=agruen@suse.de \
--cc=adilger@sun.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=bfields@citi.umich.edu \
--cc=ffilz@us.ibm.com \
--cc=jlayton@redhat.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nfsv4@linux-nfs.org \
--cc=sandeen@redhat.com \
--cc=sfrench@us.ibm.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).