On Wed, Jul 24, 2013 at 7:46 PM, Glenn Fowler <[email protected]> wrote:
>
> On Wed, 24 Jul 2013 18:52:57 +0200 Tina Harriott wrote:
>> On 23 July 2013 20:43, Glenn Fowler <[email protected]> wrote:
>> >
>> > On Tue, 23 Jul 2013 19:16:43 +0200 Tina Harriott wrote:
>> >> I hope this is the right place to report to. On Suse Linux nfs4 ACL
>> >> lists are not preserved if I copy files with ksh's builtin cp command.
>> >
>> >> To demonstrate:
>> >> 1. touch aaa
>> >
>> >> 2. nfs4_setfacl -a A::testuser@localdomain:RX aaa
>> >
>> >> 3. nfs4_getfacl aaa
>> >> D::OWNER@:x
>> >> A::OWNER@:rwatTcCy
>> >> A::1000:rxtcy <----- new ACL entry
>> >> A::GROUP@:rtcy
>> >> A::EVERYONE@:rtcy
>> >
>> >> 4. ksh -c 'builtin cp; cp aaa aaa_copy'
>> >
>> >> 5. nfs4_getfacl aaa_copy
>> >> D::OWNER@:x
>> >> A::OWNER@:rwatTcCy
>> >> A::GROUP@:rxtcy
>> >> A::EVERYONE@:rtcy
>> >
>> >> The new ACL entry is missing in the copy. cp options -a and -p have no
>> >> effect.
>> >
>> >> Is this functionality missing or just broken? ACL support is IMO a
>> >> mandatory enterprise system feature and needs to be supported.
>> >
>> > missing
>> > on the todo list
>
>> How long will it take to implement it?
>
> acls have always been a portability sore point
> we avoided doing anything because no-one has presented an api
> that handles all our needs across varying architectures/implementations
>
> in particular we need an api that
> converts a string rep to binary
> converts a binary rep to string
> applies a binary acl to a file/fd
> retrieves a binary acl from a file/fd

Grumpf... there is no binary representation. All of the modern ACL
APIs (ZFS, NFSv4, Windows) take a text chunk as input and generate
some sort of "ACL handle" (=object) out of it and then you can use
|acl_set()|/|acl_get()| to modify this object... or try to apply this
object to a file or file descriptor or obtain an object from a
file/file descriptor.

Creating a single unified API for this is easy. The trouble starts if
you want to have a "portable" text representation of the ACLs. The old
POSIX-draft ACLs can be transformed into NFSv4/ZFS ACLs but not
backwards... and Windows file ACLs are similar enough that they can be
applied to NFSv4 ACLs and backwards.

All possible... but someone has to write it. Technically I can do
it... but I need a Windows system with UWIN and Cygwin installed for
more research about the details...

> I don't use acls because whenever they have been forced on me
> I manage to get painted into all sorts of corners that prevent work at
> inopportune times
>
> a thing I really don't like is they bleed into non-acl apis/commands in
> strange ways
> should ls/chown/chmod/mv/ln grok acls?

Yes... they should... see Solaris >= 11.0 how this should work. On
Solaris 11 ACLs seem to work quite smoothly across { ZFS, NFSv4 and
SMBFS } for all these five utilities.

> what about other commands/apis that copy files and don't use cp(1) or pax(1)?
> how much stuff needs to be added around each open(O_CREAT) to make acls
> seamless?

Erm... NFSv4 ACLs don't work like that. Technically if the parent
directory mandates a default ACL it will be applied automagically...

> is there an acl equivalent to umask(1)/umask(2)?

For NFSv4 ACLs the answer is "no". The ACLs themselves have masks but
umask is still honored.

BTW: Just to give an impression of what this looks like (GoogleMail is
likely going to ruin the text layout... ;-(( ) on Solaris 11:
-- snip --
$ ls -V
total 76
drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
$ ls -/v
total 76
drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
$ ls -/c
total 76
drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
{A------m--}
drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
{A------m--}
drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
{A------m--}
drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
{A------m--}
-- snip --

> ast encompasses a lot of apis/commands

Uhm... { ls, chown, chmod, mv, ln, pax, find } ... anything else ? For
example pax(1) may be half-easy because it "only" has to store a text
representation of the ACLs.

> the main reason behind doing it in the first place is uniform semantics
> across all of ast
> I don't see uniformity in acls at the moment
> but I can be convinced ...

Anyone have a spare Windows box with install media and has interest to
ship it to me ?
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) [email protected]
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
_______________________________________________
ast-users mailing list
[email protected]
http://lists.research.att.com/mailman/listinfo/ast-users
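
Added example (not part of the original messages and not ast/ksh code): a check for the ACL loss reported in steps 3 and 5 of the quoted bug report, comparing two nfs4_getfacl listings ACE by ACE. The function name acl_diff is hypothetical, the two sample listings are copied from the report, and the sketch assumes each type/flags/principal combination appears once per ACL.

```shell
#!/bin/sh
# Added example: compare two nfs4_getfacl listings ACE by ACE.
# An ACE line has the form type:flags:principal:permissions.

# Listings copied from steps 3 and 5 of the report quoted above.
SRC_ACL='D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy <----- new ACL entry
A::GROUP@:rtcy
A::EVERYONE@:rtcy'

COPY_ACL='D::OWNER@:x
A::OWNER@:rwatTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rtcy'

# acl_diff SRC_TEXT COPY_TEXT  (hypothetical helper name)
# Live use: acl_diff "$(nfs4_getfacl aaa)" "$(nfs4_getfacl aaa_copy)"
acl_diff() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "--" { side = 1; next }       # separator between the listings
        {
            sub(/^[ \t]+/, "")              # drop leading blanks
            sub(/[ \t].*$/, "")             # drop trailing annotations
        }
        NF != 4 || /^#/ { next }            # skip comments and non-ACE lines
        {
            key = $1 ":" $2 ":" $3          # type:flags:principal
            if (side) { if (!(key in dst)) dorder[nd++] = key; dst[key] = $4 }
            else      { if (!(key in src)) sorder[ns++] = key; src[key] = $4 }
        }
        END {
            for (i = 0; i < ns; i++) {      # report in source order
                k = sorder[i]
                if (!(k in dst)) print "LOST " k ":" src[k]
                else if (dst[k] != src[k])
                    print "CHANGED " k ":" src[k] " -> " dst[k]
            }
            for (i = 0; i < nd; i++) {      # entries only the copy has
                k = dorder[i]
                if (!(k in src)) print "ADDED " k ":" dst[k]
            }
        }'
}

acl_diff "$SRC_ACL" "$COPY_ACL"
```

On the listings from the report this flags the dropped A::1000 entry and also shows that the GROUP@ entry on the copy differs from the source.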