Subject: Re: UFS ACLs and Extended attributes
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
From: Daniel Carosone <dan@geek.com.au>
List: tech-kern
Date: 09/07/2005 07:45:57

On Tue, Sep 06, 2005 at 08:44:28PM +0200, Pavel Cahyna wrote:
> I don't know anything about the implementation, but regarding the ACL
> model, from my reading of the manual pages and my experience with NT, this
> model still has the basic problem that inheritable permissions on
> directories don't automatically propagate to contained subdirectories and
> files. You have to reset inherited permissions on those subobjects
> manually.

This is only true if you have the contained subdirectories set to
block inheritance, or the ACEs marked not inheritable, in which case
you're getting exactly what you asked for.

Once inheritance is in use for an ACE, there are several other flags
that can qualify the inheritance pattern, too; they can be set to
apply only when inherited (only on children of the base object), and
further qualified to apply only to containers or noncontainers (files,
when applied in a filesystem context).

If you're having problems, you're probably doing something wrong or
misunderstanding the silly checkbox description text in the gui.

The main problem here is that the strict hierarchical container model
it implies runs afoul of hard links in the filesystem.  Rarely used,
NTFS has something it calls hard links, but they're really a kind of
symlink (with the canonical name of the file written to a special data
stream). This avoids inheritance ambiguity because the hard link nodes
don't have their own ACLs, they point to the ACL of the primary object
with its inheritance in its primary container, ignoring inheritance
from the link's container.

How would ACL inheritance work in a filesystem with real hard links,
where there's no way to recognise a 'primary' inheritance path or
location for a file?  What do MacOSX, NetApp and NFSv4 have to say?

> Novell Netware ACLs don't suffer from this problem.

Ok, but the other problems suffered by Netware users more than make
up for this :)

--
Dan.
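A toy model of the flag semantics discussed above (object-inherit, container-inherit, inherit-only, and the per-directory "block inheritance" switch), resolved top-down along one path; this is an added example, not code from this thread, and the directory tree, trustee names and rights strings are constructed. Because an ACL is resolved by walking a single path, the same file object reachable under two directories gets two different answers, which is the hard-link ambiguity raised in the reply.

```python
# Toy model of NT-style ACE inheritance flags (object-inherit OI, container-
# inherit CI, inherit-only IO) and the per-directory "block inheritance" switch.
from dataclasses import dataclass, field, replace

OI, CI, IO = 1, 2, 4

@dataclass(frozen=True)
class ACE:
    trustee: str
    rights: str          # e.g. "rw"; constructed sample values
    flags: int = 0

@dataclass
class Node:
    name: str
    is_dir: bool
    explicit: list = field(default_factory=list)
    protected: bool = False                  # "block inheritance" checkbox
    children: dict = field(default_factory=dict)

def inherit(ace, into_dir):
    """The ACE as a child receives it from its parent, or None if it does not flow."""
    f = ace.flags
    if not into_dir:                         # a file takes only OI ACEs, as plain ACEs
        return replace(ace, flags=0) if f & OI else None
    if not f & (OI | CI):
        return None
    if f & CI:                               # effective on this directory, keeps propagating
        return replace(ace, flags=f & ~IO)
    return replace(ace, flags=f | IO)        # OI-only: carried for files below, not effective here

def acl_along(root, path):                   # effective ACL reached by walking path from root
    node, acl = root, list(root.explicit)
    for part in path.split("/"):
        node = node.children[part]
        flowing = [] if node.protected else [inherit(a, node.is_dir) for a in acl]
        acl = list(node.explicit) + [a for a in flowing if a is not None]
    return acl

def rights(root, path, trustee):             # IO ACEs are present but not effective
    have = {c for a in acl_along(root, path)
            if a.trustee == trustee and not a.flags & IO for c in a.rights}
    return "".join(sorted(have))

# Constructed tree: notes.txt is one object reachable under two directories.
notes = Node("notes.txt", False)
src = Node("src", True, protected=True, children={"a.c": Node("a.c", False)})
proj = Node("proj", True, [ACE("devs", "rw", OI | CI), ACE("audit", "r", OI | IO)],
            children={"notes.txt": notes, "src": src})
pub = Node("pub", True, [ACE("devs", "w", CI)], children={"notes.txt": notes})
root = Node("", True, children={"proj": proj, "pub": pub})
```

Asking for notes.txt via proj yields "rw" for devs, via pub it yields nothing, since a CI-only ACE never reaches a file; the protected src directory cuts off everything from proj.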