From: Andreas Gruenbacher <agruen@suse.de>
To: Sam Falkner <Sam.Falkner@sun.com>
Cc: Lisa Week <Lisa.Week@sun.com>,
nfsv4@ietf.org, "J. Bruce Fields" <bfields@fieldses.org>,
nfs@lists.sourceforge.net,
Spencer Shepler <spencer.shepler@sun.com>,
Brian Pawlowski <beepy@netapp.com>
Subject: Re: Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Date: Tue, 11 Jul 2006 10:05:21 +0200 [thread overview]
Message-ID: <200607111005.22200.agruen@suse.de> (raw)
In-Reply-To: <3E4B637E-57AC-4E2B-A2C8-EDCFF35A5D84@Sun.COM>
On Tuesday, 11. July 2006 07:42, Sam Falkner wrote:
> >> I think having chmod be functional, i.e. chmod 770 gives write
> >> permission to the owning group, and an "ls -l" shows "rwxrwx---",
> >> would be best by far.
> >
> > It screws you when you want to give the owning group fewer permissions
> > than other users in the File Group Class. This can be worked around by
> > creating a dummy group with no members, or one group that only contains
> > a single user for each user, and changing the owning group of files, but
> > the owning group already has other defined uses in POSIX (think of SETG=
ID
> > for files and directories), and so it's not desirable and not always
> > possible to change the owning group to such a dummy group.
>
> No -- if you want owning group to have fewer permissions than other
> users, you're using an ACL. You use tools that manipulate ACLs.
Sorry, but while this may look like a good idea at first, it doesn't work v=
ery=20
well. Let's look at an example:
OWNER@:READ_DATA/WRITE_DATA::ALLOW
GROUP@:READ_DATA/WRITE_DATA::ALLOW
user@domain:READ_DATA/WRITE_DATA::ALLOW
EVERYONE:READ_DATA::ALLOW
The mode is rw-rw-r--. Now we use ACL tools to change the ACL to give the=20
owning group fewer permissions than user@domain as you say:
OWNER@:READ_DATA/WRITE_DATA::ALLOW
GROUP@:READ_DATA::ALLOW
user@domain:READ_DATA/WRITE_DATA::ALLOW
EVERYONE:READ_DATA::ALLOW
The mode must still be rw-rw-r-- because otherwise, user@domain wouldn't ha=
ve=20
WRITE_DATA access. Now a nasty, evil POSIX application that doesn't know=20
anything about ACLs comes along and does a chmod(file, 0600), chmod(file,=20
0664). What should be the appropriate result? If changing the group file mo=
de=20
permission bits writes through to the GROUP@ entry as you say, then we woul=
d=20
end up with the following *effective* permissions:
OWNER@:READ_DATA/WRITE_DATA::ALLOW
GROUP@:READ_DATA/WRITE_DATA::ALLOW
user@domain:READ_DATA/WRITE_DATA::ALLOW
EVERYONE:READ_DATA::ALLOW
(The effective permissions are the same no matter how permissions are maske=
d=20
in the ACL, be it via DENY ACEs or via masks. In the case of DENY ACEs, the=
=20
ACL would contain DENY entries, but those wouldn't mask any permissions in=
=20
this case. The example is slightly more difficult to think through with DEN=
Y=20
ACEs because they contain some redudancy and potential for inconsistencies,=
=20
but the result is the same.)
=46rom the POSIX application's point of view, the file has the same permiss=
ions=20
before and after the chmod. The POSIX application cannot be held guilty;=20
after all it doesn't know about ACLs by definition. Yet the acl actually=20
grants more permissions after the chmods, and the change we did to give the=
=20
owning group fewer permissions with ACL tools is lost. This can be quite=20
serious.
We can play the same example with MAY_WRITE vs. MAY_APPEND: if the group fi=
le=20
mode permission bits write through to the owning group permissions, a POSIX=
=20
chmod may convert a MAY_APPEND owning group ACE into a MAY_WRITE owning gro=
up=20
ACE.
> Solaris' POSIX-draft ACLs have the property that chmod works (i.e.
> you can set group permissions), and you use setfacl if you want to
> change other entries. It's perfectly easy to have owning group have=20
> fewer permissions than supplimental users.
That's a bug, and draft 17 of POSIX 1003.1e (withdrawn) has this bug fixed.
> The bottom line is that chmod must set the mode, rather than "set the
> mode, unless there's some sort of ACL thingy, in which case the group
> bits aren't the group bits but are instead the mask bits".
We may be misunderstanding here: I agree that chmod must set the file mode=
=20
(permission bits as well as special bits). The point is that the group file=
=20
mode permission bits can no longer be the same as the owning group=20
permissions with ACLs, or else innocent POSIX applications may cause=20
unintended side effects as in the example.
Andreas
=2D-=20
Andreas Gruenbacher <agruen@suse.de>
Novell / SUSE Labs
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
next prev parent reply other threads:[~2006-07-11 8:05 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-03 21:10 NFSv4 ACL and POSIX interaction / mask Andreas Gruenbacher
2006-07-07 11:55 ` NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready Andreas Gruenbacher
2006-07-08 3:45 ` Sam Falkner
2006-07-08 6:51 ` [nfsv4] " Lisa Week
2006-07-10 21:09 ` Andreas Gruenbacher
2006-07-08 14:32 ` Sam Falkner
2006-07-09 16:22 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 13:29 ` Sam Falkner
2006-07-10 14:15 ` [nfsv4] " J. Bruce Fields
2006-07-10 15:32 ` Sam Falkner
2006-07-10 18:57 ` [NFS] " J. Bruce Fields
2006-07-10 22:26 ` [nfsv4] " Sam Falkner
2006-07-10 22:39 ` J. Bruce Fields
2006-07-10 22:43 ` J. Bruce Fields
2006-07-11 0:44 ` Andreas Gruenbacher
2006-07-11 0:15 ` Andreas Gruenbacher
2006-07-11 5:42 ` [nfsv4] " Sam Falkner
2006-07-11 8:05 ` Andreas Gruenbacher [this message]
2006-07-11 12:29 ` Sam Falkner
2006-07-11 13:46 ` J. Bruce Fields
2006-07-15 13:56 ` [nfsv4] " Sam Falkner
2006-07-11 0:01 ` Andreas Gruenbacher
2006-07-11 0:28 ` [nfsv4] " J. Bruce Fields
2006-07-11 0:48 ` Andreas Gruenbacher
2006-07-10 22:50 ` Andreas Gruenbacher
2006-07-11 6:17 ` [nfsv4] " Sam Falkner
2006-07-11 8:45 ` Andreas Gruenbacher
2006-07-11 12:44 ` [nfsv4] " Sam Falkner
2006-07-11 6:50 ` Lisa Week
2006-07-11 8:55 ` Andreas Gruenbacher
2006-07-27 0:59 ` Andreas Gruenbacher
2006-07-27 2:57 ` Andreas Gruenbacher
2006-07-28 6:32 ` Lisa Week
2006-08-01 10:36 ` [nfsv4] " Andreas Gruenbacher
2006-07-14 17:59 ` [NFS] " J. Bruce Fields
2006-07-14 18:22 ` J. Bruce Fields
2006-07-14 19:02 ` Andreas Gruenbacher
2006-07-14 19:13 ` J. Bruce Fields
-- strict thread matches above, loose matches on Subject: below --
2006-07-08 15:04 Noveck, Dave
2006-07-10 8:07 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 14:24 ` J. Bruce Fields
2006-07-10 15:25 ` Spencer Shepler
2006-07-10 23:48 ` Andreas Gruenbacher
2006-07-11 0:09 ` J. Bruce Fields
2006-07-19 1:48 Noveck, Dave
2006-07-20 22:57 ` Sam Falkner
2006-07-21 15:10 Noveck, Dave
2006-07-21 18:10 ` J. Bruce Fields
2006-07-23 15:47 ` Sam Falkner
2006-07-25 0:32 ` [nfsv4] " a.gruenbacher
2006-07-25 4:26 ` Sam Falkner
2006-07-25 20:15 ` Andreas Gruenbacher
2006-07-26 4:59 ` Sam Falkner
2006-07-21 17:16 Yoder, Alan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200607111005.22200.agruen@suse.de \
--to=agruen@suse.de \
--cc=Lisa.Week@sun.com \
--cc=Sam.Falkner@sun.com \
--cc=beepy@netapp.com \
--cc=bfields@fieldses.org \
--cc=nfs@lists.sourceforge.net \
--cc=nfsv4@ietf.org \
--cc=spencer.shepler@sun.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox