... and ask for a paycheck, together with the Windows machine, to cover a month? This is, together with Windows ACL, and pax support, at least a man month of work.
Olga

On Tue, Aug 6, 2013 at 4:53 AM, Roland Mainz <[email protected]> wrote:
> On Wed, Jul 24, 2013 at 7:46 PM, Glenn Fowler <[email protected]> wrote:
>>
>> On Wed, 24 Jul 2013 18:52:57 +0200 Tina Harriott wrote:
>>> On 23 July 2013 20:43, Glenn Fowler <[email protected]> wrote:
>>> >
>>> > On Tue, 23 Jul 2013 19:16:43 +0200 Tina Harriott wrote:
>>> >> I hope this is the right place to report to. On Suse Linux nfs4 ACL
>>> >> lists are not preserved if I copy files with ksh's builtin cp command.
>>> >
>>> >> To demonstrate:
>>> >> 1. touch aaa
>>> >
>>> >> 2. nfs4_setfacl -a A::testuser@localdomain:RX aaa
>>> >
>>> >> 3. nfs4_getfacl aaa
>>> >> D::OWNER@:x
>>> >> A::OWNER@:rwatTcCy
>>> >> A::1000:rxtcy <----- new ACL entry
>>> >> A::GROUP@:rtcy
>>> >> A::EVERYONE@:rtcy
>>> >
>>> >> 4. ksh -c 'builtin cp; cp aaa aaa_copy'
>>> >
>>> >> 5. nfs4_getfacl aaa_copy
>>> >> D::OWNER@:x
>>> >> A::OWNER@:rwatTcCy
>>> >> A::GROUP@:rxtcy
>>> >> A::EVERYONE@:rtcy
>>> >
>>> >> The new ACL entry is missing in the copy. cp options -a and -p have no
>>> >> effect.
>>> >
>>> >> Is this functionality missing or just broken. ACL support is IMO a
>>> >> mandatory enterprise system feature and needs to be supported.
>>> >
>>> > missing
>>> > on the todo list
>>
>>> How long will it take to implement it?
>>
>> acls have always been a portability sore point
>> we avoided doing anything because no-one has presented an api
>> that handles all our needs across varying architectures/implementations
>>
>> in particular we need an api that
>>     converts a string rep to binary
>>     converts a binary rep to string
>>     applies a binary acl to a file/fd
>>     retrieves a binary acl from a file/fd
>
> Grumpf... there is no binary representation. All of the modern ACL
> APIs (ZFS, NFSv4, Windows) take a text chunk as input and generate
> some sort of "ACL handle" (=object) out of it and then you can use
> |acl_set()|/|acl_get()| to modify this object... or try to apply this
> object to a file or file descriptor or obtain an object from a
> file/file descriptor.
>
> Creating a single unified API for this is easy. The trouble starts if
> you want to have a "portable" text representation of the ACLs. The old
> POSIX-draft ACLs can be transformed into NFSv4/ZFS ACLs but not
> backwards... and Windows file ACLs are similar enough that they can be
> applied to NFSv4 ACLs and backwards.
>
> All possible... but someone has to write it. Technically I can do
> it... but I need a Windows system with UWIN and Cygwin installed for
> more research about the details...
>
>> I don't use acls because whenever they have been forced on me
>> I manage to get painted into all sorts of corners that prevent work at
>> inopportune times
>>
>> a thing I really don't like is they bleed into non-acl apis/commands in
>> strange ways
>> should ls/chown/chmod/mv/ln grok acls?
>
> Yes... they should... see Solaris >= 11.0 how this should work. On
> Solaris 11 ACLs seem to work quite smoothly across { ZFS, NFSv4 and
> SMBFS } for all these five utilities.
>
>> what about other commands/apis that copy files and don't use cp(1) or pax(1)?
>> how much stuff needs to be added around each open(O_CREAT) to make acls
>> seamless?
>
> Erm... NFSv4 ACLs don't work like that. Technically if the parent
> directory mandates a default ACL it will be applied automagically...
>
>> is there an acl equivalent to umask(1)/umask(2)?
>
> For NFSv4 ACLs the answer is "no". The ACLs themselves have masks but
> umask is still honored.
>
> BTW: Just to give an impression how this looks like (GoogleMail is
> likely going to ruin the text layout... ;-(( ) on Solaris 11:
> -- snip --
> $ ls -V
> total 76
> drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
>      owner@:--------------:-------:deny
>      owner@:rwxp---A-W-Co-:-------:allow
>      group@:-w-p----------:-------:deny
>      group@:r-x-----------:-------:allow
>      everyone@:-w-p---A-W-Co-:-------:deny
>      everyone@:r-x---a-R-c--s:-------:allow
> drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
>      owner@:--------------:-------:deny
>      owner@:rwxp---A-W-Co-:-------:allow
>      group@:-w-p----------:-------:deny
>      group@:r-x-----------:-------:allow
>      everyone@:-w-p---A-W-Co-:-------:deny
>      everyone@:r-x---a-R-c--s:-------:allow
> drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
>      owner@:--------------:-------:deny
>      owner@:rwxp---A-W-Co-:-------:allow
>      group@:-w-p----------:-------:deny
>      group@:r-x-----------:-------:allow
>      everyone@:-w-p---A-W-Co-:-------:deny
>      everyone@:r-x---a-R-c--s:-------:allow
> drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
>      owner@:--------------:-------:deny
>      owner@:rwxp---A-W-Co-:-------:allow
>      group@:-w-p----------:-------:deny
>      group@:r-x-----------:-------:allow
>      everyone@:-w-p---A-W-Co-:-------:deny
>      everyone@:r-x---a-R-c--s:-------:allow
> $ ls -/v
> total 76
> drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
>      {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
> drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
>      {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
> drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
>      {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
> drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
>      {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
> $ ls -/c
> total 76
> drwxr-xr-x 2 test001 users 12 Jul 20 22:21 bin
>      {A------m--}
> drwxr-xr-x 16 test001 users 203 Jul 29 09:22 download
>      {A------m--}
> drwxr-xr-x 59 test001 users 61 Jul 29 09:21 ksh93
>      {A------m--}
> drwxr-xr-x 4 test001 users 7 Aug 1 19:03 tmp
>      {A------m--}
> -- snip --
>
>> ast encompasses a lot of apis/commands
>
> Uhm... { ls, chown, chmod, mv, ln, pax, find } ... anything else ? For
> example pax(1) may be half-easy because it "only" has to store a text
> representation of the ACLs.
>
>> the main reason behind doing it in the first place is uniform semantics
>> across all of ast
>> I don't see uniformity in acls at the moment
>> but I can be convinced ...
>
> Anyone have a spare Windows box with install media and has interest to
> ship it to me ?
>
> ----
>
> Bye,
> Roland
>
> --
>   __ .  . __
>  (o.\ \/ /.o) [email protected]
>   \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
>   /O /==\ O\  TEL +49 641 3992797
>  (;O/ \/ \O;)
> _______________________________________________
> ast-users mailing list
> [email protected]
> http://lists.research.att.com/mailman/listinfo/ast-users

--
      ,   _                                    _   ,
     { \/`o;====-    Olga Kryzhanovska   -====;o`\/ }
.----'-/`-/     [email protected]   \-`\-'----.
 `'-..-| /       http://twitter.com/fleyta     \ |-..-'`
      /\/\     Solaris/BSD//C/C++ programmer   /\/\
      `--`                                      `--`
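
As an added example (not part of the original thread and not ksh93/ast code), the shell function below compares two `nfs4_getfacl` listings and reports which ACEs a copy lost or changed, using the two listings from the bug report as inline sample input. The name `acl_drift` is hypothetical; it keys ACEs on type:flags:principal and ignores ACE order and duplicate keys, which is a simplification of NFSv4 ACL semantics.

```shell
#!/bin/sh
# Sample input: the two listings quoted in the report (source file and its copy).
SRC_ACL='D::OWNER@:x
A::OWNER@:rwatTcCy
A::1000:rxtcy
A::GROUP@:rtcy
A::EVERYONE@:rtcy'

COPY_ACL='D::OWNER@:x
A::OWNER@:rwatTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rtcy'

# acl_drift SRC_LISTING COPY_LISTING
# Prints one line per ACE that the copy lost, changed or gained.
# An ACE is "type:flags:principal:permissions"; lines that do not have
# exactly four fields (blank lines, "# file:" comments) are skipped.
acl_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F: '
        /^---$/ { second = 1; next }     # separator between the two listings
        NF != 4 { next }
        {
            key = $1 ":" $2 ":" $3
            if (!second) { src[key] = $4; order[++n] = key }
            else { dst[key] = $4; if (!(key in src)) extra[++m] = key }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in dst))
                    print "LOST " k ":" src[k]
                else if ((src[k] "") != (dst[k] ""))   # force string compare
                    print "CHANGED " k ":" src[k] " -> " dst[k]
            }
            for (i = 1; i <= m; i++)
                print "ADDED " extra[i] ":" dst[extra[i]]
        }'
}

# Stand-alone run on the sample data. On a live system the arguments would be
# "$(nfs4_getfacl aaa)" and "$(nfs4_getfacl aaa_copy)".
acl_drift "$SRC_ACL" "$COPY_ACL"
```

On the report's data this flags the missing `A::1000` entry and also that `GROUP@` went from `rtcy` to `rxtcy`, so the copy both drops a grant and widens another.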
