* BUG: ACL's are a security attribute. They belong in the Security attrib space, not the Root-attrib space. @ 2013-07-23 21:29 Linda Walsh 2013-07-24 4:05 ` Dave Chinner 0 siblings, 1 reply; 3+ messages in thread From: Linda Walsh @ 2013-07-23 21:29 UTC (permalink / raw) To: xfs-oss Currently there are 3 disjoint attribute spaces on files -- user, root and security. (there is a misprint in the manual that says there is 2, but later, it gives talks about using no switch giving the User attrib space, -R for Root attrib space, and -S for the Security attrib space). Of these, the ACL's are being placed in the root, which might describe file types, or other OS related info, but not security attributes like ACL's. They should be in the Security attrib space (otherwise what is the point of a Security attribute space). _______________________________________________ xfs mailing list xfs@oss.sgi.com http://oss.sgi.com/mailman/listinfo/xfs ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: BUG: ACL's are a security attribute. They belong in the Security attrib space, not the Root-attrib space. 2013-07-23 21:29 BUG: ACL's are a security attribute. They belong in the Security attrib space, not the Root-attrib space Linda Walsh @ 2013-07-24 4:05 ` Dave Chinner 2013-07-24 4:37 ` Linda Walsh 0 siblings, 1 reply; 3+ messages in thread From: Dave Chinner @ 2013-07-24 4:05 UTC (permalink / raw) To: Linda Walsh; +Cc: xfs-oss On Tue, Jul 23, 2013 at 02:29:42PM -0700, Linda Walsh wrote: > > Currently there are 3 disjoint attribute spaces on files -- user, root and security. > > (there is a misprint in the manual that says there is 2, but later, it gives > talks about using no switch giving the User attrib space, -R for Root attrib > space, and -S for the Security attrib space). You're confusing on-disk formats used to store attributes with namepaces used to report and access them. Linux has security, system, trusted and user namespaces, while on disk XFS has "root", "secure", and "user" spaces. i.e. Linux attr XFS on disk system root security secure trusted root user user > Of these, the ACL's are being placed in the root, which might describe > file types, or other OS related info, but not security attributes like ACL's. > They should be in the Security attrib space (otherwise what is the point of a > Security attribute space). Posix ACLS are defined by the *kernel* to be in the "system" namespace: #define POSIX_ACL_XATTR_ACCESS "system.posix_acl_access" #define POSIX_ACL_XATTR_DEFAULT "system.posix_acl_default" IOWs, the Linux *kernel* doesn't consider ACLs to be part of the security namespace, and so neither does XFS. Cheers, Dave. -- Dave Chinner david@fromorbit.com _______________________________________________ xfs mailing list xfs@oss.sgi.com http://oss.sgi.com/mailman/listinfo/xfs ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: BUG: ACL's are a security attribute. They belong in the Security attrib space, not the Root-attrib space. 2013-07-24 4:05 ` Dave Chinner @ 2013-07-24 4:37 ` Linda Walsh 0 siblings, 0 replies; 3+ messages in thread From: Linda Walsh @ 2013-07-24 4:37 UTC (permalink / raw) Cc: xfs-oss Dave Chinner wrote: > On Tue, Jul 23, 2013 at 02:29:42PM -0700, Linda Walsh wrote: > > Currently there are 3 disjoint attribute spaces on files -- user, root and security. > > > > (there is a misprint in the manual that says there is 2, but later, it gives > > talks about using no switch giving the User attrib space, -R for Root attrib > > space, and -S for the Security attrib space). > > You're confusing on-disk formats used to store attributes with > namepaces used to report and access them. Linux has security, > system, trusted and user namespaces, while on disk XFS has "root", > "secure", and "user" spaces. > > i.e. > > Linux attr XFS on disk > system root > security secure > trusted root > user user ----- That makes the man page even more dated... Why don't we copy your explanation into the manpage! It's certainly more clear! ;-) > > > Of these, the ACL's are being placed in the root, which might describe > > file types, or other OS related info, but not security attributes like ACL's. > > They should be in the Security attrib space (otherwise what is the point of a > > Security attribute space). > > Posix ACLS are defined by the *kernel* to be in the "system" > namespace: ---- Likely because the system namespace predates the secur[e/ity] namespace, which seems like it might have been the timeframe that part in the "attr" manpage, saying there were only 2 namespaces, was written? > > #define POSIX_ACL_XATTR_ACCESS "system.posix_acl_access" > #define POSIX_ACL_XATTR_DEFAULT "system.posix_acl_default" > > IOWs, the Linux *kernel* doesn't consider ACLs to be part of the > security namespace, and so neither does XFS. ----- Well, of the kernel I can understand why ... and then it makes sense that XFS would have followed the kernel through its evolution...;-) So that still leaves the Q's about the -l (--list) function no longer being maitained, and the suggested alternates having no similar functionality nor any for the 'root' or 'secur' namespaces. Maybe not important, but sometimes linux security looks a bit like it is partaking of security through obscurity...or it could just be generally obscure engineer writing...;-) _______________________________________________ xfs mailing list xfs@oss.sgi.com http://oss.sgi.com/mailman/listinfo/xfs ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-07-24 4:38 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-07-23 21:29 BUG: ACL's are a security attribute. They belong in the Security attrib space, not the Root-attrib space Linda Walsh 2013-07-24 4:05 ` Dave Chinner 2013-07-24 4:37 ` Linda Walsh
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox