Subject: Re: Access Control Lists
To: Seth Long <>
From: Brett Lymn <>
List: tech-kern
Date: 05/02/2006 21:32:28
On Mon, May 01, 2006 at 11:25:55PM -0700, Seth Long wrote:
> My plan for implementing ACL's is to come up with a generic "ACL
> Layer" which exists just under VFS, and is capable of adding ACL
> capability to any filesystem which currently works with NetBSD.

Do you mean POSIX ACL's here?

>  So
> the ACL layer will have to determine, for each open call, 

and exec?

> .  The ACL could be stored in the filesystem in files
> without links from any directory, or somewhere like that.

ok but how to you find these chunks of data on the media if there are
no pointers to them?  How do you associate files in a file system with
a blob entry?  How are the tools that need to manipulate the ACL
entries going to find the ACL data on the media?

>  This way
> ACL's need implemented just once in order to provide ACL support in
> FFS, NFS, iso9660, etc.

iso9660?  Also, are you considering applying the ACL's server side on

> It would be nice to have the ACL layer recognize if the underlying
> filesystem already has an ACL implementation and made use of this
> existing implementation.  This way if a system had, say, an ext3
> partition shared between NetBSD and Linux, both operating systems
> would respect the permissions of the other.

That sounds nice but how are you going to determine that the
underlying file system supports ACL's?

> Does this seem like a reasonable project to finish in three months?

hard to say - possibly but we need to work on getting a better picture
of what you are proposing.

Brett Lymn