From: Jan Kara <jack@suse.cz>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jan Kara <jack@suse.cz>,
Andreas Gruenbacher <agruenba@redhat.com>,
Jeremy Allison <jra@samba.org>,
linux-fsdevel@vger.kernel.org, lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM ATTEND] Richacls
Date: Tue, 13 Jan 2015 22:31:03 +0100 [thread overview]
Message-ID: <20150113213103.GH28924@quack.suse.cz> (raw)
In-Reply-To: <20150113211612.GD4156@fieldses.org>
On Tue 13-01-15 16:16:13, J. Bruce Fields wrote:
> On Tue, Jan 13, 2015 at 10:04:40PM +0100, Jan Kara wrote:
> > On Tue 13-01-15 12:40:29, J. Bruce Fields wrote:
> > > On Tue, Jan 13, 2015 at 06:23:26PM +0100, Andreas Gruenbacher wrote:
> > > > On 01/13/2015 05:48 PM, Jeremy Allison wrote:
> > > > >My understanding of Christoph's objection (although I'm sure
> > > > >he can chime in himself :-) was that he wanted to see POSIX
> > > > >ACLs reworked as a mapping on top of RichACLs, so that ultimately
> > > > >RichACLs would be the only on-disk format of the EA.
> > > > >
> > > > >I think that is doable, as I think any POSIX ACL can be represented
> > > > >as an underlying RichACL, just not the reverse.
> > > >
> > > > On of the differences is that permissions in POSIX ACLs do
> > > > accumulate, while in NFSv4 and CIFS ACLs, and therefore also
> > > > richacls, they do not. So the two models are really not
> > > > interchangeable, however annoying that may be.
> > > >
> > > > For example, with the following POSIX ACL, a non-root process in
> > > > group 5001 and 5002 would not be allowed to open f with O_RDWR, only
> > > > with O_RDONLY *or* O_WRONLY.
> > > >
> > > > # file: f
> > > > # owner: root
> > > > # group: root
> > > > user::rw-
> > > > group::rw-
> > > > group:5001:r--
> > > > group:5002:-w-
> > > > mask::rw-
> > > > other::---
> > > >
> > > > In all the other ACL models, the process would be allowed to open f
> > > > with O_RDWR.
> > >
> > > If we modified the behavior to permit O_RDWR in this case, would that
> > > cause anyone a problem?
> > As others noted, this changes user visible behavior and I don't think we
> > can do that. In the discussion about user namespaces, we for example
> > specifically disallowed unpriviledged process to drop some group membership
> > exactly because it can actually result in process suddently being able to
> > access some files and reportedly there are setups which are using group
> > membership to *restrict* access.
>
> Right, but look at the case above carefully again--it's *much* more
> special than the one the container people hit.
>
> You can absolutely still represent weird modes like 026 with a Richacl
> and it will deny permissions in the traditional way.
Ah, OK. You are right that Rich ACLs can express the use of a group to
restrict permissions.
> Using the usual "if a tree fell in a forest and nobody heard it..."
> criterion, I think this change would be unlikely to cause us trouble.
On a second thought I agree.
Honza
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
next prev parent reply other threads:[~2015-01-13 21:31 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1626890778.1513173.1421087867777.JavaMail.zimbra@redhat.com>
2015-01-12 21:06 ` [LSF/MM ATTEND] Richacls Andreas Gruenbacher
2015-01-12 21:54 ` Jeremy Allison
2015-01-12 22:30 ` J. Bruce Fields
2015-01-13 10:14 ` [Lsf-pc] " Jan Kara
2015-01-13 15:07 ` Andreas Gruenbacher
2015-01-13 16:48 ` Jeremy Allison
2015-01-13 17:23 ` Andreas Gruenbacher
2015-01-13 17:29 ` Jeremy Allison
2015-01-13 17:40 ` J. Bruce Fields
2015-01-13 18:04 ` Jeremy Allison
2015-01-13 19:53 ` Frank Filz
2015-01-13 20:24 ` 'J. Bruce Fields'
2015-01-13 20:26 ` Jeremy Allison
2015-01-13 20:30 ` Jeremy Allison
2015-01-13 20:35 ` Frank Filz
2015-01-14 7:57 ` Andreas Gruenbacher
2015-01-13 21:04 ` Jan Kara
2015-01-13 21:16 ` J. Bruce Fields
2015-01-13 21:20 ` Jeremy Allison
2015-01-13 21:27 ` Frank Filz
2015-01-13 21:31 ` Jan Kara [this message]
2015-01-14 8:53 ` Andreas Gruenbacher
2015-01-14 12:01 ` Jeff Layton
2015-01-14 16:11 ` J. Bruce Fields
2015-01-14 17:21 ` Frank Filz
2015-01-23 5:31 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150113213103.GH28924@quack.suse.cz \
--to=jack@suse.cz \
--cc=agruenba@redhat.com \
--cc=bfields@fieldses.org \
--cc=jra@samba.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).