Subject: Access Control Lists
To: None <>
From: Seth Long <>
List: tech-kern
Date: 05/01/2006 23:25:55

I'm hoping to implement access control lists in NetBSD as a combined
graduate project / summer of code project.

My plan for implementing ACL's is to come up with a generic "ACL
Layer" which exists just under VFS, and is capable of adding ACL
capability to any filesystem which currently works with NetBSD.  So
the ACL layer will have to determine, for each open call, whether or
not the file is associated with an ACL, and if so grant or deny access
as appropriate.  The ACL could be stored in the filesystem in files
without links from any directory, or somewhere like that.  This way
ACL's need implemented just once in order to provide ACL support in
FFS, NFS, iso9660, etc.

It would be nice to have the ACL layer recognize if the underlying
filesystem already has an ACL implementation and made use of this
existing implementation.  This way if a system had, say, an ext3
partition shared between NetBSD and Linux, both operating systems
would respect the permissions of the other.

Does this seem like a reasonable project to finish in three months?