Subject: RE: UFS ACLs and Extended attributes
To: Jason Thorpe <thorpej@shagadelic.org>
From: Gordon Waidhofer <gww@traakan.com>
List: tech-kern
Date: 09/06/2005 10:17:02

Please be sure to keep an eye on the NFSv4 ACL model.
It is greatly influenced by NT ACLs. I'm sure the Mac OS X
folks have a story for mapping between NFSv4 and MAC ACLs.
There are many papers on mapping between POSIX and NFSv4 ACLs
but it is generally considered to be awkward and inexact.

Similarly, keep an eye on how NFSv4 Named Attributes pair
with EXTATTRs. Solaris, NetApp, and NT are linking NFSv4
Named Attributes to what amounts to be subfiles. Linux and
BSD EXTATTRs are really not a match.

I believe it is probably too late to take POSIX ACLs seriously.
Yes, they can be done. Yes, there is some deployment. But to do
POSIX ACLs on NetBSD just means that NetBSD is signing up to do
ACLs twice. EXTATTRs should also be contemplated in an NFSv4
context and, I believe, found to be a bad idea. There is not
enough momentum around BSD/Linux EXTATTRs to worry about compatibility.

See here for more details and references:
	http://www.nasconf.com/pres04/waidhofer.pdf

Regards,
	-gww


> -----Original Message-----
> From: tech-kern-owner@NetBSD.org [mailto:tech-kern-owner@NetBSD.org]On
> Behalf Of Jason Thorpe
> Sent: Tuesday, September 06, 2005 9:26 AM
> To: pavel.cahyna@st.cuni.cz
> Cc: tech-kern@netbsd.org
> Subject: Re: UFS ACLs and Extended attributes
> 
> 
> 
> On Sep 6, 2005, at 4:48 AM, Pavel Cahyna wrote:
> 
> > On Mon, 05 Sep 2005 18:10:43 -0700, Jason Thorpe wrote:
> >
> >> No, it does not.  I would strongly DISCOURAGE adopting the ACL model
> >> used by FreeBSD.  The ACL model used in Mac OS X 10.4 is MUCH better.
> >
> > Why do you consider it better? It has more features, sure, but to me,
> > it seems to be too complicated to be practical.
> 
> Finer-grained control.  Also, the way it is implemented (the  
> infrastructure in the kernel / VFS layer for evaluating permissions)  
> is much nicer than the traditional BSD way.
> 
> > BTW I think you misspelled it - you wrote "Mac OS X", while you should
> > have written "NT" :-)
> 
> NT doesn't have an implementation we can draw useful ideas from :-)
> 
> -- thorpej