In-Reply-To: <20090902202206.GJ17884@fieldses.org>
References: <524f69650909021156lf181c17uf800eba7c35a6f45@mail.gmail.com> <20090902202206.GJ17884@fieldses.org>
Date: Wed, 2 Sep 2009 15:53:17 -0500
Message-ID: <524f69650909021353o1e055cbema16495c57cb9909b@mail.gmail.com>
Subject: Re: POSIX ACL support for NFSV4 (using sideband protocol)
From: Steve French
To: "J. Bruce Fields"
Cc: linux-nfs@vger.kernel.org, nfsv4@linux-nfs.org, Trond Myklebust, ffilzlnx@linux.vnet.ibm.com, jra@samba.org, agruen@suse.de

On Wed, Sep 2, 2009 at 3:22 PM, J. Bruce Fields wrote:
> On Wed, Sep 02, 2009 at 01:56:23PM -0500, Steve French wrote:
>> "J. Bruce Fields" wrote on 09/02/2009 11:42:43 AM:
>> > On Wed, Sep 02, 2009 at 05:54:20PM +0530, Aneesh Kumar K.V wrote:
>> > > This patch series implement POSIX ACL support for NFSV4 clients
>> > > using sideband protocol.
>> >
>> > What motivates this?  Who exactly wants this and why?  What would be
>> > the advantages compared to other options, such as:
>>
>> The most obvious reason to me is that security information
>> can be lost as the ACL which was generated by Linux utilities and
>> client acl tools (which get/set posix acls) are converted by the Linux nfs
>> v4 client
>
> The kernel v4 client doesn't do that--it passes untouched v4 acls to and
> from userspace.

1) Passing untouched ACLs doesn't help as these ACLs would be NFS
specific, and unrecognized by the default Linux tools and GUIs.
Access Control on file and directory objects is a "system feature" -
part of the OS (it has been that way since at least OS/2, not just
Windows, MacOS, Solaris etc..)
You wouldn't require the user to use different tools for modifying
ACLs in Windows, MacOS and require that the user try to figure out
the ACL model of the underlying file system before deciding what tool
to use and what permissions to apply to his home directory.

2) If POSIX->NFSv4 client mapping is done (as had been suggested IIRC
by others in the past) at least you lose less data (NFSv4 ACLs are
"richer" in function than POSIX ACLs - so at least with the
POSIX->NFSv4->POSIX case you are limiting the user to the subset of
choices which are actually going to be able to be stored, no
inheritance etc.)

--
Thanks,

Steve