From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Trond Myklebust <trond.myklebust@netapp.com>, linux-nfs@vger.kernel.org
Subject: Re: Umask and ACL on NFS
Date: Thu, 2 Dec 2010 17:30:04 -0500 [thread overview]
Message-ID: <20101202223004.GH8583@fieldses.org> (raw)
In-Reply-To: <m3tyiw4ejo.fsf@linux.vnet.ibm.com>
On Thu, Dec 02, 2010 at 04:39:15PM +0530, Aneesh Kumar K.V wrote:
>
> Hi,
>
> POSIX ACL and Richacl want to apply umask on file creation only when we don't have any
> inheritable ACEs on the parent directory. Currently with nfsv4 code we do
> check for POSIX ACL in nfs_atomic_lookup,
Huh. Do you understand what that check is for? I'm guessing it's just
a mistake, but I don't know....
> but i don't find where we set
> the MS_POSIXACL bit for the nfsv4 code.
>
> Even if we try to do something like below
>
> if (nfs4_server_supports_acls(..))
> sb->s_flags |= MS_POSIXACL;
>
> I guess we could get it wrong. The above implies we may end up not
> applying umask for a server supporting ACL even if the parent
> directory don't have inheritable ACEs.
Yeah, that doesn't look right.
> I found a proposal to add umask attribute at
> http://www.ietf.org/mail-archive/web/nfsv4/current/msg07159.html
> http://www.ietf.org/proceedings/74/slides/nfsv4-3.pdf
>
> So what is the expected behaviour for NFS. Should we always apply
> umask (which is what it currently does) irrespective of whether
> parent directory have inheritable ACEs or not ?
I don't know.
So I guess the problems with aplying the umask are:
- It's impossible then for inheritable ACEs to influence the
GROUP@ permission bits. (Hm, I had some idea that 4.1
mode_set_masked helped here, but nope, can't see that it
does.)
- If the umask group bit is nonzero then you likely end up with
inheritable ACEs for named users and groups being ineffective.
People hae indeed complained about this before; see e.g.
http://marc.info/?t=123739823200003&r=1&w=2
for some previous discussion. I think there are some others back there
someplace too.
--b.
prev parent reply other threads:[~2010-12-02 22:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-02 11:09 Umask and ACL on NFS Aneesh Kumar K.V
2010-12-02 22:30 ` J. Bruce Fields [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101202223004.GH8583@fieldses.org \
--to=bfields@fieldses.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@netapp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).