Message-ID: <CAH2r5mt18-CQLCMz0RHnK_sXW5oOFpf2kMVeWJRvrD3Vw2MWLw@mail.gmail.com>
Date:	Wed, 7 Oct 2015 10:15:19 -0500
From:	Steve French <smfrench@...il.com>
To:	Andreas Gruenbacher <agruenba@...hat.com>
Cc:	Christoph Hellwig <hch@...radead.org>,
	Andreas Dilger <adilger@...ger.ca>,
	Austin S Hemmelgarn <ahferroin7@...il.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	"Theodore Ts'o" <tytso@....edu>,
	"J. Bruce Fields" <bfields@...ldses.org>,
	Jeff Layton <jlayton@...chiereds.net>,
	Trond Myklebust <trond.myklebust@...marydata.com>,
	Anna Schumaker <anna.schumaker@...app.com>,
	linux-ext4 <linux-ext4@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	linux-fsdevel <linux-fsdevel@...r.kernel.org>,
	"linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
	Linux API <linux-api@...r.kernel.org>,
	samba-technical <samba-technical@...ts.samba.org>
Subject: Re: [PATCH v8 00/41] Richacls

On Wed, Oct 7, 2015 at 8:38 AM, Andreas Gruenbacher <agruenba@...hat.com> wrote:
> On Wed, Oct 7, 2015 at 9:50 AM, Christoph Hellwig <hch@...radead.org> wrote:
>> On Tue, Oct 06, 2015 at 02:26:09PM -0600, Andreas Dilger wrote:
>>> And any disk filesystems that have their own non-POSIX ACLs, such as HFS, NTFS, ZFS would presumably also need to map the in-kernel Richacl format to their on-disk format.
>>
>> No, we did this mistake with Posix ACLs, and we're not going to repeat
>> it here.  Filesystems with their own slightly different ACLs must not
>> reuse the interface.
>
> Well, things may not be quite as clearly delineated. We currently have
> code in nfsd for mapping between NFSv4 ACLs on the wire and POSIX ACLs
> on local file systems. This mapping is problematic because of the
> semantic differences between NFSv4 ACLs and POSIX ACLs (different sets
> of permissions, access and default acl vs. inheritance flags,
> different permission check algorithm). I wish we could have avoided
> that.
>
> Richacls are designed to support NFSv4 ACLs on top of POSIX systems.
> This means that they should obviously be supported by the NFSv4 server
> and client (see the patches) and by the common local filesystems.
>
> ACLs on NTFS and ZFS mostly fit into the same model. The big remaining
> difference there is how users and groups are identified: NTFS used
> SIDs (https://en.wikipedia.org/wiki/Security_Identifier); ZFS could be
> said to use a hybrid UID / GID / SID model. Exposing those ACLs as
> richacls would make sense if we can find a clean way of handling this
> aspect.

Samba (e.g. winbind service) has mapping libraries for mapping SIDs to
UIDs (CIFS ACLs already have the same issue of SID to UID mapping
which we handle with upcalls) and Samba has various pluggable ways to
handle UID mapping and is easily extensible.  Similarly NFSv4 ACLs,
although closely related to CIFS/NTFS ACLs, have to map usernames to
uids.

-- 
Thanks,

Steve