From: "bfields@fieldses.org" <bfields@fieldses.org>
To: Trond Myklebust <trondmy@hammerspace.com>
Cc: "guy@vastdata.com" <guy@vastdata.com>,
"schumakeranna@gmail.com" <schumakeranna@gmail.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] nfs: we don't support removing system.nfs4_acl
Date: Thu, 28 Jan 2021 21:35:27 -0500 [thread overview]
Message-ID: <20210129023527.GA11864@fieldses.org> (raw)
In-Reply-To: <cbc7115cc5d5aeb7ffb9e9b3880e453bf54ecbdb.camel@hammerspace.com>
On Fri, Jan 29, 2021 at 01:37:10AM +0000, Trond Myklebust wrote:
> On Fri, 2021-01-29 at 01:34 +0200, guy keren wrote:
> > On 1/29/21 12:36 AM, J. Bruce Fields wrote:
> > From: "J. Bruce Fields" <bfields@redhat.com>
> >
> > The NFSv4 protocol doesn't have any notion of reomoving an attribute,
> > so
> > removexattr(path,"system.nfs4_acl") doesn't make sense.
> >
> > There's no documented return value. Arguably it could be EOPNOTSUPP
> > but
> > I'm a little worried an application might take that to mean that we
> > don't support ACLs or xattrs. How about EINVAL?
> >
> > Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> > ---
> > fs/nfs/nfs4proc.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> > index 2f4679a62712..d50dea5f5723 100644
> > --- a/fs/nfs/nfs4proc.c
> > +++ b/fs/nfs/nfs4proc.c
> > @@ -5895,6 +5895,9 @@ static int __nfs4_proc_set_acl(struct inode
> > *inode, const void *buf, size_t bufl
> > unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE);
> > int ret, i;
> >
> > + /* You can't remove system.nfs4_acl: */
> > + if (buflen == 0)
> > + return -EINVAL;
> > if (!nfs4_server_supports_acls(server))
> > return -EOPNOTSUPP;
> > if (npages > ARRAY_SIZE(pages))
> >
> > question: what happens if someone is attempting to create an empty
> > ACL on a file? as far as i know, this is legal.
> > won't you arrive into this position with a buflen of 0? it should be
> > similar to 'chmod 0 <file>'.
> >
>
> Agreed. If the server doesn't support removing the ACL then it should
> be up to it to enforce that condition. I see nothing in the NFS
> protocol that says it is up to the NFS client to act as the enforcer
> here.
Agreed.
Note that this patch doesn't prevent an application from setting a
zero-length ACL. The xattr format is XDR with the first four bytes
representing the number of ACEs, so you'd set a zero-length ACL by
passing down a 4-byte all-zero buffer as the new value of the
system.nfs4_acl xattr.
A zero-length NULL buffer is what's used to implement removexattr:
int
__vfs_removexattr(struct dentry *dentry, const char *name)
{
...
return handler->set(handler, dentry, inode, name, NULL, 0, XATTR_REPLACE);
}
That's the case this patch covers.
--b.
next prev parent reply other threads:[~2021-01-29 2:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-28 22:36 [PATCH] nfs: we don't support removing system.nfs4_acl J. Bruce Fields
[not found] ` <95e5f9e4-76d4-08c4-ece3-35a10c06073b@vastdata.com>
2021-01-29 1:37 ` Trond Myklebust
2021-01-29 2:35 ` bfields [this message]
2021-01-29 2:50 ` bfields
2021-01-31 20:41 ` Trond Myklebust
2021-01-31 21:58 ` bfields
2021-02-03 20:07 ` bfields
2021-02-08 19:31 ` Trond Myklebust
2021-02-08 22:08 ` bfields
2021-02-11 18:54 ` bfields
2021-03-04 2:30 ` Murphy Zhou
2021-03-12 15:43 ` Anna Schumaker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210129023527.GA11864@fieldses.org \
--to=bfields@fieldses.org \
--cc=guy@vastdata.com \
--cc=linux-nfs@vger.kernel.org \
--cc=schumakeranna@gmail.com \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox