From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andreas Gruenbacher <agruenba@redhat.com>
Subject: Re: [Lsf-pc] [LSF/MM ATTEND] Richacls
Date: Tue, 13 Jan 2015 18:23:26 +0100
Message-ID: <54B5548E.5030808@redhat.com>
References: <1626890778.1513173.1421087867777.JavaMail.zimbra@redhat.com> <1137663039.1544780.1421096804147.JavaMail.zimbra@redhat.com> <20150112223016.GB1940@fieldses.org> <20150113101435.GA28924@quack.suse.cz> <54B534C3.3090608@redhat.com> <20150113164802.GA5830@samba2>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Jan Kara <jack@suse.cz>, "J. Bruce Fields" <bfields@fieldses.org>,
	linux-fsdevel@vger.kernel.org, lsf-pc@lists.linux-foundation.org
To: Jeremy Allison <jra@samba.org>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:46618 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751190AbbAMRXm (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 13 Jan 2015 12:23:42 -0500
In-Reply-To: <20150113164802.GA5830@samba2>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On 01/13/2015 05:48 PM, Jeremy Allison wrote:
> My understanding of Christoph's objection (although I'm sure
> he can chime in himself :-) was that he wanted to see POSIX
> ACLs reworked as a mapping on top of RichACLs, so that ultimately
> RichACLs would be the only on-disk format of the EA.
>
> I think that is doable, as I think any POSIX ACL can be represented
> as an underlying RichACL, just not the reverse.

On of the differences is that permissions in POSIX ACLs do accumulate, 
while in NFSv4 and CIFS ACLs, and therefore also richacls, they do not. 
So the two models are really not interchangeable, however annoying that 
may be.

For example, with the following POSIX ACL, a non-root process in group 
5001 and 5002 would not be allowed to open f with O_RDWR, only with 
O_RDONLY *or* O_WRONLY.

   # file: f
   # owner: root
   # group: root
   user::rw-
   group::rw-
   group:5001:r--
   group:5002:-w-
   mask::rw-
   other::---

In all the other ACL models, the process would be allowed to open f with 
O_RDWR.

The rationale for this behavior in POSIX ACLs was / is consistency with 
how the traditional POSIX file permission model works -- determine which 
of the (three) sets of permissions applies to a process, then check only 
that set.

Thanks,
Andreas