Re: POSIX ACL support for NFSV4 (using sideband protocol)

[Steve French <smfrench@gmail.com>]

On Wed, Sep 2, 2009 at 3:22 PM, J. Bruce Fields<bfields@fieldses.org> wrote=
:
> On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
>> "J. Bruce Fields" <bfields@fieldses.org> wrote on 09/02/2009 11:42:43 AM=
:
>> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
>> > > This patch series implement POSIX ACL support for NFSV4 clients
>> > > using sideband protocol.
>> >
>> > What motivates this? =A0Who exactly wants this and why? =A0 What would=
 be
>> > the advantages compared to other options, such as:
>>
>> The most obvious reason to me is that security information
>> can be lost as the ACL which was generated by Linux utilities and
>> client acl tools (which get/set posix acls) are converted by the Linux n=
fs
>> v4 client
>
> The kernel v4 client doesn't do that--it passes untouched v4 acls to and
> from userspace.

1) Passing untouched ACLs doesn't help as these ACLs would be NFS specific,
and unrecognized by the default Linux tools and GUIs.  Access Control on
file and directory objects is a "system feature" - part of the OS (it has b=
een
that way since at least OS/2, not just Windows, MacOS, Solaris etc..)
 You wouldn't require the user to use different tools for modifying ACLs in
Windows, MacOS and require that the user try to figure out the ACL model of
the underlying file system before deciding what tool to use and what permis=
sions
to apply to his home directory
2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
by others in the past) at least you lose less data (NFSv4 ACLs are "richer"
in function than POSIX ACLs - so at least with the POSIX->NFSv4->POSIX
case you are limiting the user to the subset of choices which are actually
going to be able to be stored, no inheritence etc.)




--=20
Thanks,

Steve
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4