lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHpGcMLBb+s7iSv9SN1eRX-46VU_wnbGX1nXrNkuaYVp8v0jYw@mail.gmail.com>
Date:	Wed, 13 May 2015 22:22:21 +0200
From:	Andreas Grünbacher <andreas.gruenbacher@...il.com>
To:	Frank Filz <ffilzlnx@...dspring.com>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-nfs@...r.kernel.org
Subject: Re: [RFC v3 20/45] richacl: Automatic Inheritance

2015-05-13 20:01 GMT+02:00 Frank Filz <ffilzlnx@...dspring.com>:
> You might want to edit your commit message to use RICHACL_ instead of ACL4_
> constants...

Indeed, thanks.

>> Linux does not have a way of creating files without setting the file permission
>> bits, so all files created inside a directory with ACL4_AUTO_INHERIT set will
>> also have the ACL4_PROTECTED flag set.  This effectively disables Automatic
>> Inheritance.
>>
>> Protocols which support creating files without specifying permissions can
>> explicitly clear the ACL4_PROTECTED flag after creating a file and reset the file
>> masks to "undo" applying the create mode; see
>> richacl_compute_max_masks().
>> This is a workaround; a mechanism that would allow a process to indicate to
>> the kernel to ignore the create mode when there are inherited permissions
>> would fix this problem.
>
> I'm unclear what will actually be supported for inherited ACLs here. Is this
> saying that on a pure-Linux system even with Linux NFS client and Linux NFS
> server, we still would not see inheritance since the mode will always be
> present on create?

What do you mean by "we still would not see inheritance"? Inheritance
at file create time will still happen; a few extra flags will be set
when Automatic Inheritance is "on" in the parent directory as
indicated by the RICHACL_AUTO_INHERIT flag.

Files are inevitably created with defined permissions (the mode
parameter to system calls like creat and mkdir), which means that the
RICHACL_PROTECTED flag needs to be set, though. When someone changes
the permissions of an entire directory tree, that change will not
propagate to or below files with the protected flag set.

That being said, a daemon like Samba can "fake" full Automatic
Inheritance by creating files and then updating the inherited acls
appropriately. This will inevitably be racy, but unless someone
implements a way to create files without a mode, that's the closest
Samba can get.

Creating files atomically with explicitly defined acls is another
operation which NFSv4 does but the Linux kernel does not support.

> My interest here is in how we will tie the Ganesha user space NFS server
> into this feature.

I don't know, what do you currently do when somebody creates a file
without defining the permissions (mode, acl or dacl)? That's the
relevant case. The kernel nfs daemon currently creates a file with
mode 0 --- which doesn't seem right.

Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ