From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jan Kara <jack@suse.cz>
Cc: Andreas Gruenbacher <agruenba@redhat.com>,
Jeremy Allison <jra@samba.org>,
linux-fsdevel@vger.kernel.org, lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM ATTEND] Richacls
Date: Tue, 13 Jan 2015 16:16:13 -0500 [thread overview]
Message-ID: <20150113211612.GD4156@fieldses.org> (raw)
In-Reply-To: <20150113210440.GG28924@quack.suse.cz>
On Tue, Jan 13, 2015 at 10:04:40PM +0100, Jan Kara wrote:
> On Tue 13-01-15 12:40:29, J. Bruce Fields wrote:
> > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher wrote:
> > > On 01/13/2015 05:48 PM, Jeremy Allison wrote:
> > > >My understanding of Christoph's objection (although I'm sure
> > > >he can chime in himself :-) was that he wanted to see POSIX
> > > >ACLs reworked as a mapping on top of RichACLs, so that ultimately
> > > >RichACLs would be the only on-disk format of the EA.
> > > >
> > > >I think that is doable, as I think any POSIX ACL can be represented
> > > >as an underlying RichACL, just not the reverse.
> > >
> > > On of the differences is that permissions in POSIX ACLs do
> > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also
> > > richacls, they do not. So the two models are really not
> > > interchangeable, however annoying that may be.
> > >
> > > For example, with the following POSIX ACL, a non-root process in
> > > group 5001 and 5002 would not be allowed to open f with O_RDWR, only
> > > with O_RDONLY *or* O_WRONLY.
> > >
> > > # file: f
> > > # owner: root
> > > # group: root
> > > user::rw-
> > > group::rw-
> > > group:5001:r--
> > > group:5002:-w-
> > > mask::rw-
> > > other::---
> > >
> > > In all the other ACL models, the process would be allowed to open f
> > > with O_RDWR.
> >
> > If we modified the behavior to permit O_RDWR in this case, would that
> > cause anyone a problem?
> As others noted, this changes user visible behavior and I don't think we
> can do that. In the discussion about user namespaces, we for example
> specifically disallowed unpriviledged process to drop some group membership
> exactly because it can actually result in process suddently being able to
> access some files and reportedly there are setups which are using group
> membership to *restrict* access.
Right, but look at the case above carefully again--it's *much* more
special than the one the container people hit.
You can absolutely still represent weird modes like 026 with a Richacl
and it will deny permissions in the traditional way.
What you can't do is represent the above POSIX ACL.
This is a case that you can *only* hit with POSIX ACLs (not with mode
bits). And that's because the POSIX ACL is doing something bizarre and
useless that I've never seen any other ACL system do (denying read and
write together when each would be permitted separately).
Using the usual "if a tree fell in a forest and nobody heard it..."
criterion, I think this change would be unlikely to cause us trouble.
Anyway, I don't think it's something to get hung up on, if we really had
to we could work out some sort of backwards compatibility here.
--b.
next prev parent reply other threads:[~2015-01-13 21:16 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1626890778.1513173.1421087867777.JavaMail.zimbra@redhat.com>
2015-01-12 21:06 ` [LSF/MM ATTEND] Richacls Andreas Gruenbacher
2015-01-12 21:54 ` Jeremy Allison
2015-01-12 22:30 ` J. Bruce Fields
2015-01-13 10:14 ` [Lsf-pc] " Jan Kara
2015-01-13 15:07 ` Andreas Gruenbacher
2015-01-13 16:48 ` Jeremy Allison
2015-01-13 17:23 ` Andreas Gruenbacher
2015-01-13 17:29 ` Jeremy Allison
2015-01-13 17:40 ` J. Bruce Fields
2015-01-13 18:04 ` Jeremy Allison
2015-01-13 19:53 ` Frank Filz
2015-01-13 20:24 ` 'J. Bruce Fields'
2015-01-13 20:26 ` Jeremy Allison
2015-01-13 20:30 ` Jeremy Allison
2015-01-13 20:35 ` Frank Filz
2015-01-14 7:57 ` Andreas Gruenbacher
2015-01-13 21:04 ` Jan Kara
2015-01-13 21:16 ` J. Bruce Fields [this message]
2015-01-13 21:20 ` Jeremy Allison
2015-01-13 21:27 ` Frank Filz
2015-01-13 21:31 ` Jan Kara
2015-01-14 8:53 ` Andreas Gruenbacher
2015-01-14 12:01 ` Jeff Layton
2015-01-14 16:11 ` J. Bruce Fields
2015-01-14 17:21 ` Frank Filz
2015-01-23 5:31 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150113211612.GD4156@fieldses.org \
--to=bfields@fieldses.org \
--cc=agruenba@redhat.com \
--cc=jack@suse.cz \
--cc=jra@samba.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).