Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2091838rwd; Wed, 17 May 2023 05:47:28 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ42BPm6NAaFbKL1KNMJMPT4bmuaD1OlmM94MhFctJGPPdB+qM517zRKKlQCa0bAYiZfPSr/ X-Received: by 2002:a17:90a:dd88:b0:252:e7e2:fefe with SMTP id l8-20020a17090add8800b00252e7e2fefemr12647299pjv.2.1684327647752; Wed, 17 May 2023 05:47:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684327647; cv=none; d=google.com; s=arc-20160816; b=fDqaNi9AslDh8a+L3ljl3L6I6e9911XxkCVsAf2juXNdbURhX7X8NG403KTanwaO4f ADdnez4/FcQ8mqx7cI7Fobc2aEQw7o/2S7zZHmWzQUjMTiqTm1ppikSkihlWv0AKYze6 ZYFJ3ZBgzQB+NdTE3gEMPWcdtp8ucuRG5rU3ORiLF7w5o6jWlM/CO9c36r0S3sAJomwq dZHt4/uKu2LpNobEK6txw1/WO6CAnztY7mIRWPTOums2C7JefFWQwuysq7u4/E3xlYKg qAhMdlAi3QXYQU/kj227nywIzBbzgFVpmlRXRYJB/HioBAkGDDMcK4jIhKfwi0Hf/5Fp PDmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=zB3NDRPxq6MYoxevq1HGj40hrXlXLj7oBFmH79jVKps=; b=rR0F99jXhwl0xtAoWGR5yCfmjoNiymFwoKKA/G99KDsRMHtku0Ga8UEJlFuQeEvnot e4WH5rH3o8MrH9+JKTS9VX2uEz8vJ5KYB0F223foQ7Nz9IXHNEnB/QcWk7d/8W0lxWYt Bao8UD3L+ccczcSfcD/K/qKQKz7/nVW4M8krQmvU55nxGOoAciR+gLybSf5kZl4G2xso zaxiN9AYpkYmc3uqmwj/xC0A6cxm2rceMm14IZN/R+On7OrROEkS/pi9tRsUmtlGBBaQ GBowKZPBm44BPN2hRfh63n5oTq/rpefwBEZnqqrHXiKWhslmSndM0Grvs7DkF56F7Fme TOPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=WWgyH7CU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q23-20020a638c57000000b0051b54dccffbsi20803173pgn.859.2023.05.17.05.47.14; Wed, 17 May 2023 05:47:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=WWgyH7CU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231701AbjEQMjk (ORCPT + 99 others); Wed, 17 May 2023 08:39:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229962AbjEQMjj (ORCPT ); Wed, 17 May 2023 08:39:39 -0400 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 061401FFC for ; Wed, 17 May 2023 05:39:37 -0700 (PDT) Received: from cwcc.thunk.org (pool-173-48-120-46.bstnma.fios.verizon.net [173.48.120.46]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 34HCdE3j020485 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 May 2023 08:39:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1684327157; bh=zB3NDRPxq6MYoxevq1HGj40hrXlXLj7oBFmH79jVKps=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=WWgyH7CULPNoM2VYokIIWTxWmj9cbi81gKXBKYw7kMUIQN3TYy4vOLxrFbi1XfXR3 HwMdUFEWdel6hZawKtdWpO9qz7W9RXJaxFddb24VKKmM97rmUMckzzOGuaBSRWxBQI ixlHhzpOnH2HvRqtMzIV4QAsKy7pBlOquo3MhmC454u8zDPNgtI28H+etJlTCJXaEd Pz39tqrOe7Bh0qKRQA22g6LH/4IOwhNgWLAczpirprViUL9UoMPZcj5GqDcilTdPUQ qRTGOgCTsCX9TX/8TzeB45MCP4Kax2JBf87OUzSPwEZoEnrjezRxIS0QmWfzzFQ6Uf 1qyAJuh3Juq4A== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 9D1DD15C0529; Wed, 17 May 2023 08:39:14 -0400 (EDT) Date: Wed, 17 May 2023 08:39:14 -0400 From: "Theodore Ts'o" To: Christian Brauner Cc: Jeff Layton , Ondrej Valousek , "trondmy@hammerspace.com" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: A pass-through support for NFSv4 style ACL Message-ID: <20230517123914.GA4578@mit.edu> References: <20230516124655.82283-1-jlayton@kernel.org> <20230516-notorisch-geblickt-6b591fbd77c1@brauner> <20230517-herstellen-zitat-21eeccd36558@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230517-herstellen-zitat-21eeccd36558@brauner> X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 17, 2023 at 09:42:59AM +0200, Christian Brauner wrote: > > I have no idea about the original flame war that ended RichACLs in > additition to having no clear clue what RichACLs are supposed to > achieve. My current knowledge extends to "Christoph didn't like them". As to what RichACL's are supposed to achieve.... Windows/NFSv4 -style ACL's are very different from POSIX semantics, in a gazillion ways. For example, if you set a top-level acl, it will automatically affect all of the ACL's in the subhierarcy. This is trivially easy in Windows given that apparently ACL's are evaluated by path every time you try to operate on a file (or at least, that's how it works effectively; having not taken a look at Windows source code, I can't vouch for how it is actually implemented.) This is, of course, a performance disaster and doesn't work all that well for Linux where we can do things like like fchdir() and use O_PATH file descriptors and *at() system calls. Moreover, Windows doesn't have things like the mode parameter to open(2) and mkdir(2) system calls. As a result, RichACL's are quite a bit more complicated than Posix ACL's or the Windows-style ACL's from which they were derived because they have to compromise between the Windows authorization model and the Posix/Linux authorization model while being expressive enough to mostly emulate Windows-style ACL's. For example, instead of implementing Windows-style "automatic inheritance", setrichacl(1) will do the moral equivalent of chmod -R, and then add a lot of hair in the form of "file_inherit, dir_inherit, no_propagate, and inherit_only" flags to each ACL entry, which are all there to try to mostly (but not completely) handle make Windows-style and Linux/POSIX acl's work within the same file system. There's a lot more detail of the hair documented here[1]. [1] https://www.systutorials.com/docs/linux/man/7-richacl/ I'll note most of this complexity is only necessary if you want to have local file access to the file system work with similar semantics as what would get exported via NFSv4. If you didn't, you could just store the Windows-style ACL in an xattr and just let it be set via the remote file system, and return it when the remote file system queries it. The problem comes when you want to have "RichACLs" actually influence the local Linux permissions check. Personally, I think this is rarely needed, since (a) most people implementing a Windows-style filer for Windows client are doing so on a dedicated file server, and local access to the exported files are rarely needed. Secondly, (b) Windows-style access need to be expressed in terms of Windows-style Security ID's for large complex enterprise deployment where you have nested Windows-style domains, and how you map a 128+ bit Windows SID to a local Unix UID is a previously unsolved problem. So it's a pretty rare niche use case, and *I've* never thought that this is all that important. On the other hand, for those people who believe that "This is the year of the Linux Desktop", and who might want to export their local Linux directories on their Desktop to a set of peer Windows clients, and who are using complex Windows-style ACL's (but not *too* complex such that they have nested domain identifiers), then RichACL's might be just the ticket. Furthermore, RichACL's are apparently an out-of-tree patch maintained by some distros in their distro kernel, so maybe they know something I don't. Add to that the issues of the implementation level concerns which Cristoph has already described, and it's really not all that surprising that the progress on the patchset kind of stalled.... - Ted