lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHc6FU4W30vkDfjnh-a5dyi1vHBavmqa2Yt5Jn29AQn9FwHq_g@mail.gmail.com>
Date:	Tue, 22 Sep 2015 01:26:58 +0200
From:	Andreas Gruenbacher <agruenba@...hat.com>
To:	"J. Bruce Fields" <bfields@...ldses.org>
Cc:	linux-kernel@...r.kernel.org,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	linux-nfs@...r.kernel.org, linux-api@...r.kernel.org,
	linux-cifs@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [RFC v7 13/41] richacl: Check if an acl is equivalent to a file mode

2015-09-18 2:56 GMT+02:00 J. Bruce Fields <bfields@...ldses.org>:
> On Thu, Sep 17, 2015 at 02:22:19PM -0400, bfields wrote:
>> On Sat, Sep 05, 2015 at 12:27:08PM +0200, Andreas Gruenbacher wrote:
>> > ACLs are considered equivalent to file modes if they only consist of
>> > owner@, group@, and everyone@ entries, the owner@ permissions do not
>> > depend on whether the owner is a member in the owning group, and no
>> > inheritance flags are set.  This test is used to avoid storing richacls
>> > if the acl can be computed from the file permission bits.
>>
>> We're assuming here that it's OK for us to silently rearrange an ACL as
>> long as the result is still equivalent (in the sense that the permission
>> algorithm would always produce the same result).
>>
>> I guess that's OK by me, but it might violate user expectations in some
>> simple common cases, so may be worth mentioning in documentation
>> someplace if we don't already.
>
> Also your notion of mode-equivalence here is interesting, it's actually
> a strict subset of the ACLs that produce the same permission results as
> a mode.  (For example, everyone:rwx,bfields:rwx is equivalent to 0777
> but won't be considered mode-equivalent by this algorithm.)

Yes, the algorithm should better not surprise the user by being too clever.

> I think the choices you've made probably make the most sense, they just
> wouldn't have been obvious to me.  Anyway, so, OK by me:
>
>         Reviewed-by: J. Bruce Fields <bfields@...hat.com>

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ