Subject: Re: Support for ACLs
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Aidan Cully <aidan@kublai.com>
List: tech-kern
Date: 03/10/2001 17:21:32
On Sat, Mar 10, 2001 at 01:01:40PM -0500, Thor Lancelot Simon wrote:
> On Sat, Mar 10, 2001 at 03:27:06PM +0700, Robert Elz wrote:
> > 
> > That's an orthogonal change to the filesystem.   It is certainly one
> > that would be useful to have, but it really hasn't got anything much to
> > do with any of the rest of this (except that ACLs and similar may
> > increase the number of very small non-empty files that exist).
> 
> To me, there is a simple and elegant solution available here: to define a
> new on-disk filesystem which is efficient for storing and accessing this
> kind of "additional metadata".  Then we could use our existing layered
> filesystem functionality to layer this new physical filesystem over our
> existing physical filesystem in any number of useful ways.
> 
> There is an obvious downside here: networked filesystems.  If you can't
> extend the basic NFS protocol, then you have a rather unpleasant choice
> of whether to do the layering on client or server.  If you do it on the
> server, things like ACLs are enforced but can't be manipulated (and
> data such as "resource forks" probably can't be accessed at all).  If you
> do it on the client, at least for purposes of access control you are
> forced to trust that the client will do the same data layering that you
> do.

There is at least one other, very important downside, which I think
I saw brought up: you need to ensure that all accesses to ACL-protected
data go through the ACL mechanism, and that ACLfs remains consistent
with the file-system underneath it.  I don't see how this can be
enforced easily with a layered filesystem, though it obviously can be
where ACLs are implemented inside the filesystem code directly...  This
is not an issue that exists (to the best of my knowledge) with the
current layered filesystems.

IMO, both approaches should be followed...  I see ACLs as a necessary
feature for some fairly common problem domains, and without a layering
system, I don't see how they can work at all over client-end NFSv3
(for example).  OTOH, I believe ACLs will operate better (in that
they'll avoid consistency problems completely) when they can be
integrated into a filesystem.

--aidan
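To make the consistency point concrete: below is an added toy model, not NetBSD code and not anything from this thread, of the two designs being compared. A layered ACL filesystem keeps its own ACL store keyed by pathname over a lower filesystem it does not control; an integrated design keeps the ACL on the inode. Every class and scenario name here is hypothetical, and the file names and contents are constructed for the illustration. It shows the two failure modes Aidan names: an access that bypasses the layer and goes straight to the lower filesystem sees no ACL at all, and a rename performed beneath the layer leaves the layer's ACL attached to a name that now refers to a different file, so a user granted read on one file can read another.

```python
"""Model of ACLs as a layered filesystem versus ACLs inside the filesystem.

Added illustration only; the classes and names are hypothetical and do not
correspond to any NetBSD vnode layer.
"""
from dataclasses import dataclass, field


@dataclass
class Inode:
    ino: int
    data: bytes
    acl: dict = field(default_factory=dict)   # user -> set of perms (integrated design only)


class LowerFS:
    """Minimal underlying filesystem: a name table mapping pathnames to inodes."""

    def __init__(self):
        self._next_ino = 1
        self.names = {}                        # pathname -> Inode

    def create(self, name, data):
        ino = Inode(self._next_ino, data)
        self._next_ino += 1
        self.names[name] = ino
        return ino

    def lookup(self, name):
        return self.names[name]

    def rename(self, old, new):
        self.names[new] = self.names.pop(old)


class LayeredACLFS:
    """ACL layer stacked over LowerFS; its ACL store is keyed by pathname
    and lives outside the lower filesystem."""

    def __init__(self, lower):
        self.lower = lower
        self.acls = {}                         # pathname -> {user -> perms}

    def setacl(self, name, user, perms):
        self.acls.setdefault(name, {})[user] = set(perms)

    def read(self, user, name):
        if "r" not in self.acls.get(name, {}).get(user, set()):
            raise PermissionError(f"{user} may not read {name}")
        return self.lower.lookup(name).data


class IntegratedACLFS(LowerFS):
    """ACLs stored on the inode, inside the filesystem, so they follow the file."""

    def setacl(self, name, user, perms):
        self.lookup(name).acl[user] = set(perms)

    def read(self, user, name):
        ino = self.lookup(name)
        if "r" not in ino.acl.get(user, set()):
            raise PermissionError(f"{user} may not read {name}")
        return ino.data


def scenario_bypass():
    """An access that does not go through the layer is never checked."""
    lower = LowerFS()
    lower.create("secret", b"payroll")
    fs = LayeredACLFS(lower)
    try:
        fs.read("bob", "secret")
        via_layer = "allowed"
    except PermissionError:
        via_layer = "denied"
    direct = lower.lookup("secret").data       # no ACL consulted at all
    return via_layer, direct                   # ("denied", b"payroll")


def scenario_layered_rename():
    """A rename beneath the layer leaves the layer's ACL on the wrong file."""
    lower = LowerFS()
    lower.create("report", b"quarterly numbers")
    lower.create("secret", b"payroll")
    fs = LayeredACLFS(lower)
    fs.setacl("report", "bob", "r")
    before = fs.read("bob", "report")
    lower.rename("report", "old")              # done on the lower fs, unseen by ACLfs
    lower.rename("secret", "report")
    after = fs.read("bob", "report")           # ACL still grants "report" to bob
    return before, after                       # (b"quarterly numbers", b"payroll")


def scenario_integrated_rename():
    """With the ACL on the inode, the same renames keep bob's grant on his file."""
    fs = IntegratedACLFS()
    fs.create("report", b"quarterly numbers")
    fs.create("secret", b"payroll")
    fs.setacl("report", "bob", "r")
    before = fs.read("bob", "report")
    fs.rename("report", "old")
    fs.rename("secret", "report")
    try:
        fs.read("bob", "report")
        after = "allowed"
    except PermissionError:
        after = "denied"
    return before, after, fs.read("bob", "old")


if __name__ == "__main__":
    print(scenario_bypass())
    print(scenario_layered_rename())
    print(scenario_integrated_rename())
```

Keying the layer's store by inode number instead of pathname survives a rename, but not an unlink followed by a create that reuses the number unless the layer also observes every unlink, which is exactly the requirement that all operations on the lower filesystem pass through the layer. On an NFS server that is the part the client-side layering cannot guarantee.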