Re: UID/GID support

[Jeff Hanson]

On Thu, Feb 10, 2011 at 8:06 AM,  sf...@users.sourceforge.net wrote:
 find /srv/wine/wine-Diablo_II -type d -exec chmod ugo+rwX '{}' \;
 find /srv/wine/wine-Diablo_II -type f -exec chmod ugo+rwX '{}' \;

 I'd suggest you to do it carefully.
 - giving unnecessary permission bits can be a problem for security.
 - As you did chown -R, you will be able to run chmod -R here.


With the chmod permission changes the chown is not necessary.  The ro
branch files in the squashfs are owned by wineadmin.  The permissions
are not a problem since the squashfs is a ro loop mount.  Any writes
will be to the aufs rw branch that the user owns.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[sfjro]

Jeff Hanson:
 With the chmod permission changes the chown is not necessary.  The ro
 branch files in the squashfs are owned by wineadmin.  The permissions
 are not a problem since the squashfs is a ro loop mount.  Any writes
 will be to the aufs rw branch that the user owns.

If you have very important file for security such like /etc/passwd, then
the permission bits in the ro squashfs can be a problem. As you know,
passwd file is world-readble but only an administrator can write.
If you set it world writable in the lower ro branch and provide users
aufs, then users can modify the file in aufs. Of course it is limited
within the rw branch and aufs world, and highly depending upon the
meaning of the file.
And I just pointed out you may be able to -R for chmod.


J. R. Okajima

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[sfjro]

Jeff Hanson:
 The aufs mount point.  That is what the users will be working with.

Do you mean only the directory?
If so, aufs does copyup the dir only, and I don't think it fills up the
rw branch.


 Some is the problem.  I can't predict which files out of the ro
:::

Right. How many files will be copied-up? will be a problem.
But I don't think the problem will be solved even if aufs supports
uid-mapping (or faking).


 Using Diablo II (http://en.wikipedia.org/wiki/Diablo_II) as an example
:::

Ok, you don't want to spend 11GB, and you could reduce to 2.3GB by
mounting aufs for each user.

 For deployment, I copy .wine-Diablo_II to
 /srv/wine/.wine-Diablo_II and remove symlinks specific to wineadmin
 which are for special folders like My Documents.  Diablo license
 keys in this copy of the Wine registry are purged.  All
 files/directories are owned by wineadmin with file permissions of 644
 (rw-r--r--) and directory permissions of 755 (rwx-r-xr-x).


 Next I need to install a popular mod, Median XL
:::

Ok, you made changes to the original Diablo II files with changing the
dir. While I don't know where the original ~wineadmin/.wine-Diablo_II
went, but I hope users who are playing Diablo II right now can keep
playing.

By the way, if you want, you may be able to provide both of the original
Diablo II and Median XL-ed one by aufs.

- you already have $srv/Diablo_II which contains the original
  one. create a new $srv/Diablo_II_Median_XL with keeping $srv/Diablo_II
  unchanged.
  mkdir $srv/Diablo_II_Median_XL
  mount -t aufs -o br:$srv/Diablo_II_Median_XL:$srv/Diablo_II \
none $srv/Diablo_II_Median_XL
  (apply Median XL and the changed files are stored in $srv/Diablo_II_Median_XL)
  mount -o remount,ro $srv/Diablo_II_Median_XL
  (now you have $srv/Diablo_II and $srv/Diablo_II_Median_XL which are to
   be shared and provied to users. and $srv/Diablo_II_Median_XL holds
   the diff from the original only)

- provide users the original.
  mount -t aufs -o br:~user/Diablo_II:$srv/Diablo_II none ~user/Diablo_II

- provide users the Median XL-ed one.
  mount -t aufs -o br:~user/Diablo_II_Median_XL:$srv/Diablo_II_Median_XL \
none ~user/Diablo_II_Median_XL

Additionally, because you may want to keep the shared files unchanged,
there are options to make them readonly. For example, make an ext2
image.
  dd if=/dev/null of=Diablo_II.ext2 bs=... count=...
  mkfs -t ext2 Diablo_II.ext2
  mount -o loop Diablo_II.ext2 /mnt
  cp -pr $srv/Diablo_II /mnt
  umount /mnt
  losetup -r /dev/loop0 Diablo_II.ext2
  mount -o ro /dev/loop0 $srv/Diablo_II
Now you have $srv/Diablo_II dir from a single file Diablo_II.ext2. And
the mount option 'ro' is specified. Also /dev/loop0 is bound as readonly
too (losetup -r). So under $srv/Diablo_II no one can make modification
even if you set all permissions to world-writable.
Of course, you can make any filesystem instead of ext2. You may want to
try isofs, squashfs or something.


 The problem is that none of this actually functions with the current
 aufs.  The /home/administrator/.wine-Diablo_II directory and files
 are owned by wineadmin so the administrator account can't modify
 the Wine registry or any files even though it owns
 /home/administrator/.wine-Diablo_II_rw.  The only solution is to
:::

Then I'd suggest you to try the approach like above, world-writable
files and readonly mount for the ro branch.


 Correct although in my example the ro branch is owned by wineadmin.

It doesn't matter.


J. R. Okajima

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Michael S. Zick]

On Tue February 8 2011, Jeff Hanson wrote:
 On Tue, Feb 8, 2011 at 3:59 PM, Michael S. Zick a...@morethan.org wrote:
  That is a property of inode file systems - only one location for 
  ownership.
  Symbolic link chain at the directory name level -
  Hard links are many names-to-single inode - with one location for ownership.
 
  There are file systems (on non-*nix systems) that can clone the
  data branch independent of the meta-data - just not under *nix (I.E: 
  Linux).
 
  The work around for that inherent property of inode file systems is
  the various systems of ACL meta-data.
  I.E: What you seem to want is a per-user Access Control List (ACL) that
  is created on-demand (rather than the data copied on-demand).
 
  Should not result in the entire directory contents, only the files that
  where changed.  And nothing except a rootkit should be writing to 
  executables.
 
 
 Actually I just want to fake user ownership in the mount point so that
 userspace applications (like Wine) can write to it (which ends up in
 the rw branch).  Currently the ownership and permissions come from the
 ro branch which the user doesn't have write permission to.  Wine
 can't/won't write to the mount point even if the user has ownership of
 the rw branch.  Since the ro branch is set ro and owned by a different
 account (or root) and the aufs mount point in the user's directory is
 mounted by root (fstab or pam_mount), there is no risk to the system
 by faking different ownership there.  Any writes are going to be in
 the rw branch.  It does work when looped through CIFS/SMB but that's
 an overcomplicated (and ugly due to the Gnome gvfs bug) solution.
 
 I'm not familiar with ACL capabilities on Linux.  Does aufs support
 ACLs?  The web page section seems to indicate no with Features or
 just an idea in the future (see also design/*.txt),
 http://aufs.sourceforge.net/


Sorry if what I wrote sounded like auFS supported stacked Access Control Lists 
(ACLs).

I don't think it does, I don't think it should.
The problems with trying to consolidate changes in multiple ACL controlled
rw branches back into the single (master) ro branch seems mind-boggling (to me).

For that use case, jro's suggestion of a custom, fuse based, file system layer
that translates the current-user-specfic section of the master file's ACLs
into current-user permissions may be what you need.
As a WAFG, I suspect it would not be a trivial file system to write. ;-)

You might also have to make some custom extensions to the ACL entries to help
your fuse based system deal with things like: user-1 has mod-x, version-10 
installed
and user-3 has mod-x, version-15 installed.
I.E: Manage per-user symbolic links for the file(s) related to mod-x
based on the meta-data entries of the master's ACLs.

As to ACL support in Linux - I think most of the major file systems have full
ACL support (as a kernel compile time option - usually turned off).

At this point I have to depend on my memory (a flaky thing to depend on) -
I think that either (both?) VMS and Plan-9 file systems can do what you need
for access control - but stackable under Linux - I think not.  ;-)

Mike
  Keep in mind that you don't want to disable the handling of single use
  restrictions for executables which are licensed that way.
  Many commercial programs that can be run with Wine on a multi-user machine
  are not (commonly) licensed for multiple concurrent use on a single machine.
 
  A common example is any Microsoft DLLs you let Wine access.  They are almost
  always single use per machine licensed.
 
 
 Most Linux desktops have switch-user functionality so multiple users
 can be logged in but only one has keyboard/mouse access.
 
 A lot of older applications are supported well enough in Wine that
 additional dlls are not needed.  Any with licensing that strict will
 have DRM with centrally registered key servers so concurrent usage
 license violations within a single site are unlikely.
 
 With internally developed applications the licensing is not an issue.
 Many businesses have such legacy applications that function on Wine
 and aren't worth rewriting.
 
 



--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[sfjro]

Michael S. Zick:
 For that use case, jro's suggestion of a custom, fuse based, file system la=
 yer
 that translates the current-user-specfic section of the master file's ACLs
 into current-user permissions may be what you need.
 As a WAFG, I suspect it would not be a trivial file system to write. ;-)

Maybe you are right. :-)
But what I suggested to him is different a little bit.
Since he mentioned about sshfs (fuse based), I am thinking to extract
the related parts from sshfs and create a new fuse based one.
Doesn't it sound easier than developing fuse based ACL converter?


J. R. Okajima

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Wed, Feb 9, 2011 at 3:34 AM,  sf...@users.sourceforge.net wrote:

 Jeff Hanson:
 The aufs mount point.  That is what the users will be working with.

 Do you mean only the directory?
 If so, aufs does copyup the dir only, and I don't think it fills up the
 rw branch.


mount -v -t aufs -o
br:/home/administrator/.wine-Diablo_II_rw=rw:/srv/wine/.wine-Diablo_II=ro
none /home/administrator/.wine-Diablo_II
chown -R administrator:administrator /home/administrator/.wine-Diablo_II


 Some is the problem.  I can't predict which files out of the ro
        :::

 Right. How many files will be copied-up? will be a problem.
 But I don't think the problem will be solved even if aufs supports
 uid-mapping (or faking).


I don't fully understand how aufs handles ownership and permissions.
From what Mike said it seems it just passes them through from the
branch filesystems.  What happens if the same file exists in two ro
branches and they have different ownership?  Does the order of the
branches when mounting determine which one gets priority in the mount
point?


 Using Diablo II (http://en.wikipedia.org/wiki/Diablo_II) as an example
        :::

 Ok, you don't want to spend 11GB, and you could reduce to 2.3GB by
 mounting aufs for each user.


Correct.  It saves space and with some scripting it should save
deployment time also.


 Next I need to install a popular mod, Median XL
        :::

 Ok, you made changes to the original Diablo II files with changing the
 dir. While I don't know where the original ~wineadmin/.wine-Diablo_II
 went, but I hope users who are playing Diablo II right now can keep
 playing.


The shared copy is now in /srv/wine and users don't have access to the
original in /home/wineadmin.  I just moved the original so I can reuse
the same path for a new mount point.  The goal is to get the diff of
the original Diablo file structure (now mounted through aufs from
/srv/wine) and Median XL in the new rw branch.

 By the way, if you want, you may be able to provide both of the original
 Diablo II and Median XL-ed one by aufs.

 - you already have $srv/Diablo_II which contains the original
  one. create a new $srv/Diablo_II_Median_XL with keeping $srv/Diablo_II
  unchanged.
  mkdir $srv/Diablo_II_Median_XL
  mount -t aufs -o br:$srv/Diablo_II_Median_XL:$srv/Diablo_II \
        none $srv/Diablo_II_Median_XL
  (apply Median XL and the changed files are stored in 
 $srv/Diablo_II_Median_XL)
  mount -o remount,ro $srv/Diablo_II_Median_XL
  (now you have $srv/Diablo_II and $srv/Diablo_II_Median_XL which are to
   be shared and provied to users. and $srv/Diablo_II_Median_XL holds
   the diff from the original only)

 - provide users the original.
  mount -t aufs -o br:~user/Diablo_II:$srv/Diablo_II none ~user/Diablo_II

 - provide users the Median XL-ed one.
  mount -t aufs -o br:~user/Diablo_II_Median_XL:$srv/Diablo_II_Median_XL \
        none ~user/Diablo_II_Median_XL

That is another way of doing the same thing I described.  I think I
used the copy approach because I was concerned that the .wh.* files in
the rw branch would cause problems if the branch was reused as an ro
branch.

 Additionally, because you may want to keep the shared files unchanged,
 there are options to make them readonly. For example, make an ext2
 image.
  dd if=/dev/null of=Diablo_II.ext2 bs=... count=...
  mkfs -t ext2 Diablo_II.ext2
  mount -o loop Diablo_II.ext2 /mnt
  cp -pr $srv/Diablo_II /mnt
  umount /mnt
  losetup -r /dev/loop0 Diablo_II.ext2
  mount -o ro /dev/loop0 $srv/Diablo_II
 Now you have $srv/Diablo_II dir from a single file Diablo_II.ext2. And
 the mount option 'ro' is specified. Also /dev/loop0 is bound as readonly
 too (losetup -r). So under $srv/Diablo_II no one can make modification
 even if you set all permissions to world-writable.
 Of course, you can make any filesystem instead of ext2. You may want to
 try isofs, squashfs or something.


That is not something I though of and may solve my problem.  It could
also allow me to use squashfs to reduce the size further.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[sfjro]

Jeff Hanson:
 chown -R administrator:administrator /home/administrator/.wine-Diablo_II

Because you add -R, chown handles all of the specified dir, the files
and the sub-dirs under it recursively and unconditionally. But what I
suggested is to chown only the file which a user is going to modify.


 I don't fully understand how aufs handles ownership and permissions.
 From what Mike said it seems it just passes them through from the
 branch filesystems.  What happens if the same file exists in two ro
 branches and they have different ownership?  Does the order of the
 branches when mounting determine which one gets priority in the mount
 point?

(from the aufs manual)
--
The test for permission bits has two cases. One is for a directory,
and the other is for a non-directory. In the case of a directory, aufs
checks the permission bits of all existing directories. It means you
need the correct privilege for the directories including the lower
branches.
The test for a non-directory is more simple. It checks only the
topmost inode.
--


J. R. Okajima

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Wed, Feb 9, 2011 at 8:38 PM,  sf...@users.sourceforge.net wrote:

 Jeff Hanson:
 chown -R administrator:administrator /home/administrator/.wine-Diablo_II

 Because you add -R, chown handles all of the specified dir, the files
 and the sub-dirs under it recursively and unconditionally. But what I
 suggested is to chown only the file which a user is going to modify.


Because of the complexity of the applications, number of files, and
built-in updaters, I can't predict which files need to be modified so
I have to assume all of them.

 (from the aufs manual)
 --
 The test for permission bits has two cases. One is for a directory,
 and the other is for a non-directory. In the case of a directory, aufs
 checks the permission bits of all existing directories. It means you
 need the correct privilege for the directories including the lower
 branches.
 The test for a non-directory is more simple. It checks only the
 topmost inode.
 --

Ownership handled the same as permissions?


I tried an ext2 image.  It worked but is complicated to set up as I
have to accurately determine the size of the application files when
creating it else it either doesn't have enough space or wastes space.
I tried squashfs and found it was much easier to create as the
mksquashfs tool takes the source directory, compresses it as it reads
and writes it to the image file (which it creates).  Plus it saves
space with compression although only a little with Diablo II as its
media files are already compressed (2GB vs. 2.3GB).

find /srv/wine/wine-Diablo_II -type d -exec chmod ugo+rwX '{}' \;
find /srv/wine/wine-Diablo_II -type f -exec chmod ugo+rwX '{}' \;
mksquashfs /srv/wine/.wine-Diablo_II /srv/wine/Diablo_II-sqfs.img
mount /srv/wine/Diablo_II-sqfs.img /srv/wine/wine-Diablo_II-sqfs -t
squashfs -o ro,loop
mount -v -t aufs -o
br:/home/administrator/.wine-Diablo_II_rw=rw:/srv/wine/wine-Diablo_II-sqfs=ro
none /home/administrator/.wine-Diablo_II

Gnome gvfs doesn't show the mounted squash file so I avoid that bug as well.

This solves my problem.  Thanks!

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Fri, Feb 4, 2011 at 4:03 PM, Jeff Hanson jhanso...@gmail.com wrote:

 Users can't run chown because they are not root.


Another problem is that the CIFS mounts show up in Gnome/Nautilus as
mounted volumes.  Since these are ro mounts that only exist for the
UID change they aren't useful to the user and just make a mess of the
desktop and Nautilus places sidebar.  The aufs mount point is what the
user needs.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Sun, Feb 6, 2011 at 9:58 PM,  sf...@users.sourceforge.net wrote:

 How about writing a wrapper?
 Allow chown after some tests.
 - the target path is aufs, or /home/$USER in your case?
 - the target uid is $USER
 - etc
 The warpper may be implemented suid-ed, or customized /etc/sudoers.


I can do that easily and it would only work for a single-user desktop
with one user logged in.  If there is more than one simultaneous user,
or if the ro branch is located on a server that is sharing with a
protocol that doesn't have UID/GID override support (like NFS) then
this method doesn't really function.

There is also the problem of not wanting to trust users with shared
executables that they can write to.  As Wine becomes more compatible
with Windows it will be more vulnerable to malware and the separation
of rw data between users is crucial.  Allowing them to chown means
that anything can be written to the files from their account and the
users of other accounts will be executing (and possibly writing to)
the same files..

 You may want to try fuse, nfs or any other fs which has uid-mapping
 feature.
 After some considerations, I could understand why you want such feature
 in aufs. But as I wrote first, I don't think it is a feature of
 stackable filesystem. Aufs should follow and should not disturb the
 native behaviour of brach fs.


I did look into funionfs but it had a lot of bugs and development
stopped back in 2005 pending a rewrite.

I reported a bug about the problem with SMB/CIFS mounts being
displayed in Nautilus even if the mount point is a hidden directory
but the initial response wasn't enthusiastic:
https://bugzilla.gnome.org/show_bug.cgi?id=641569

I understand your position.  A filesystem that does nothing more than
change UID/GID/ACLS/permissions would be perfect but I don't know of
any.  Seems like it would be a great feature for a rootkit :D  I'll
keep looking for other solutions.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Tue, Feb 8, 2011 at 2:44 AM,  sf...@users.sourceforge.net wrote:
 Users have their own rw branch individually, don't they?
 chwon makes the file copied-up in aufs. So it never affect other users.


Tried that.  The result is that the rw branch ends up with the entire
data of the ro branch.  It seems that aufs copies the entire file to
the rw branch even if only the ownership changes.  Effectively:
aufs + chown = cp
which eliminates my primary reason for using aufs which is to save
storage space by eliminating the need to replicate the entire contents
of the application directory in each users' home directory.


 Then I am afraid the approach you wrote faking uid internally will be
 insecure either.


No.  From the user's perspective, only the file ownership within the
aufs mount point appears to change.  The real ro branch remains owned
by root.  They can modify the files as if they owned them but the
changes end up in the rw branch.  The ro branch is not affected.


 I'd suggest you to develop a fuse based one.


I don't think that shell scripts can be used for that so I can't do
much until I learn C or find someone willing to write it for me.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Michael S. Zick]

On Tue February 8 2011, Jeff Hanson wrote:
 On Tue, Feb 8, 2011 at 2:44 AM,  sf...@users.sourceforge.net wrote:
  Users have their own rw branch individually, don't they?
  chwon makes the file copied-up in aufs. So it never affect other users.
 
 
 Tried that.  The result is that the rw branch ends up with the entire
 data of the ro branch.  It seems that aufs copies the entire file to
 the rw branch even if only the ownership changes.  Effectively:
 aufs + chown = cp


That is a property of inode file systems - only one location for ownership.
Symbolic link chain at the directory name level -
Hard links are many names-to-single inode - with one location for ownership.

There are file systems (on non-*nix systems) that can clone the
data branch independent of the meta-data - just not under *nix (I.E: Linux).

The work around for that inherent property of inode file systems is
the various systems of ACL meta-data.
I.E: What you seem to want is a per-user Access Control List (ACL) that
is created on-demand (rather than the data copied on-demand).

 which eliminates my primary reason for using aufs which is to save
 storage space by eliminating the need to replicate the entire contents
 of the application directory in each users' home directory.
 

Should not result in the entire directory contents, only the files that
where changed.  And nothing except a rootkit should be writing to executables.

Keep in mind that you don't want to disable the handling of single use
restrictions for executables which are licensed that way.
Many commercial programs that can be run with Wine on a multi-user machine
are not (commonly) licensed for multiple concurrent use on a single machine.

A common example is any Microsoft DLLs you let Wine access.  They are almost
always single use per machine licensed.

Mike
 
  Then I am afraid the approach you wrote faking uid internally will be
  insecure either.
 
 
 No.  From the user's perspective, only the file ownership within the
 aufs mount point appears to change.  The real ro branch remains owned
 by root.  They can modify the files as if they owned them but the
 changes end up in the rw branch.  The ro branch is not affected.
 
 
  I'd suggest you to develop a fuse based one.
 
 
 I don't think that shell scripts can be used for that so I can't do
 much until I learn C or find someone willing to write it for me.
 
 --
 The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
 Pinpoint memory and threading errors before they happen.
 Find and fix more than 250 security defects in the development cycle.
 Locate bottlenecks in serial and parallel code that limit performance.
 http://p.sf.net/sfu/intel-dev2devfeb



--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Tue, Feb 8, 2011 at 3:59 PM, Michael S. Zick a...@morethan.org wrote:
 That is a property of inode file systems - only one location for ownership.
 Symbolic link chain at the directory name level -
 Hard links are many names-to-single inode - with one location for ownership.

 There are file systems (on non-*nix systems) that can clone the
 data branch independent of the meta-data - just not under *nix (I.E: 
 Linux).

 The work around for that inherent property of inode file systems is
 the various systems of ACL meta-data.
 I.E: What you seem to want is a per-user Access Control List (ACL) that
 is created on-demand (rather than the data copied on-demand).

 Should not result in the entire directory contents, only the files that
 where changed.  And nothing except a rootkit should be writing to executables.


Actually I just want to fake user ownership in the mount point so that
userspace applications (like Wine) can write to it (which ends up in
the rw branch).  Currently the ownership and permissions come from the
ro branch which the user doesn't have write permission to.  Wine
can't/won't write to the mount point even if the user has ownership of
the rw branch.  Since the ro branch is set ro and owned by a different
account (or root) and the aufs mount point in the user's directory is
mounted by root (fstab or pam_mount), there is no risk to the system
by faking different ownership there.  Any writes are going to be in
the rw branch.  It does work when looped through CIFS/SMB but that's
an overcomplicated (and ugly due to the Gnome gvfs bug) solution.

I'm not familiar with ACL capabilities on Linux.  Does aufs support
ACLs?  The web page section seems to indicate no with Features or
just an idea in the future (see also design/*.txt),
http://aufs.sourceforge.net/

 Keep in mind that you don't want to disable the handling of single use
 restrictions for executables which are licensed that way.
 Many commercial programs that can be run with Wine on a multi-user machine
 are not (commonly) licensed for multiple concurrent use on a single machine.

 A common example is any Microsoft DLLs you let Wine access.  They are almost
 always single use per machine licensed.


Most Linux desktops have switch-user functionality so multiple users
can be logged in but only one has keyboard/mouse access.

A lot of older applications are supported well enough in Wine that
additional dlls are not needed.  Any with licensing that strict will
have DRM with centrally registered key servers so concurrent usage
license violations within a single site are unlikely.

With internally developed applications the licensing is not an issue.
Many businesses have such legacy applications that function on Wine
and aren't worth rewriting.

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[sfjro]

Jeff Hanson:
 Tried that. $BB (BThe result is that the rw branch ends up with the entire
 data of the ro branch. $BB (BIt seems that aufs copies the entire file to
 the rw branch even if only the ownership changes. $BB (BEffectively:
 aufs + chown = cp
 which eliminates my primary reason for using aufs which is to save
 storage space by eliminating the need to replicate the entire contents
 of the application directory in each users' home directory.

What did you chown?
My asummption is
- you have all common files in the ro branch.
  (if your common files should be run by multiple users at the same
  time as Michael S. Zick pointed, then you should not do that)
- users customize some of files, and these files are put in his rw
  branch.
- finally the rw branch has only the difference.

If the difference is so large and the rw branch cannot have all of them
due to its space, then you just need to expand the size of rw branch.

If you have chwon-ed the common files, then that must be unnecessary.


 No. $BB (BFrom the user's perspective, only the file ownership within the
 aufs mount point appears to change. $BB (BThe real ro branch remains owned
 by root. $BB (BThey can modify the files as if they owned them but the
 changes end up in the rw branch. $BB (BThe ro branch is not affected.

Aufs never write to the ro branch.
If it happens, it must a bug.


Jeff,
I don't think your discussion style is good. You send mails to me
directly, personally and I replied to you. Later you forwarded your
messages only to the aufs ML. It might be your simple failure of
operating mail software. But it is not only once. I won't reply to your
personal mails.


J. R. Okajima

--
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

Re: UID/GID support

[Jeff Hanson]

On Tue, Feb 8, 2011 at 10:34 PM,  sf...@users.sourceforge.net wrote:

 What did you chown?

The aufs mount point.  That is what the users will be working with.
They could access the rw branch directly since it is in their home but
that is unlikely since it is hidden.

 My asummption is
 - you have all common files in the ro branch.
  (if your common files should be run by multiple users at the same
  time as Michael S. Zick pointed, then you should not do that)
 - users customize some of files, and these files are put in his rw
  branch.
 - finally the rw branch has only the difference.


Some is the problem.  I can't predict which files out of the ro
branch they will want to modify.  Many Windows applications have their
own on-line update utilities for patching so any file can be changed
by the user account.  With games there are many third-party
modifications that can be added and I can't tell which games the users
will play or which mods they will add.


 If the difference is so large and the rw branch cannot have all of them
 due to its space, then you just need to expand the size of rw branch.

 If you have chwon-ed the common files, then that must be unnecessary.


Using Diablo II (http://en.wikipedia.org/wiki/Diablo_II) as an example
of installation for multiple users, this is what I want to do.  To
function without the CDs a full installation is needed which is about
2.2GB total.  With five users that is 11GB for one game.  If I use
aufs and share one installation then it's closer to 2.3GB total for
all five users.

I have a special user account wineadmin which is identical to other
user accounts except that it owns /srv/wine.  I login as wineadmin
and I create a directory ~/.wine-Diablo_II and install Diablo II
into it (WINEPREFIX=/home/wineadmin/.wine-Diablo_II).  The latest
Diablo updates and patches are applied.

For deployment, I copy .wine-Diablo_II to
/srv/wine/.wine-Diablo_II and remove symlinks specific to wineadmin
which are for special folders like My Documents.  Diablo license
keys in this copy of the Wine registry are purged.  All
files/directories are owned by wineadmin with file permissions of 644
(rw-r--r--) and directory permissions of 755 (rwx-r-xr-x).

For each user (administrator in this example) I create
~/.wine-Diablo_II and ~/.wine-Diablo_II_rw and mount the shared
copy with aufs:

mount -v -t aufs -o
br:/home/administrator/.wine-Diablo_II_rw=rw:/srv/wine/.wine-Diablo_II=ro
none /home/administrator/.wine-Diablo_II

Wine symlinks for administrator are recreated in
~/.wine-Diablo_II/dosdevices and
~/.wine-Diablo_II/drive_c/users/administrator.  Registry entries for
wineadmin in the administrator copy of the registry
(~/.wine-Diablo_II/*.reg) are fixed with sed and regex.  XDG/fdo menu
entries are added in ~/.config/menus and
~/.local/share/applications.  The game is started and new license
keys are entered.

This process is repeated for each user.  When a user updates Diablo II
from its built-in updater, the changes only affect them as they are
contained in their rw branch.  When they play the game, the save files
are located in the Diablo II application directory in
~/.wine-Diablo_II/drive_c/Program Files/Diablo II/save/ and game
settings are either in *.ini files or in the Wine registry.

Next I need to install a popular mod, Median XL
(http://modsbylaz.hugelaser.com).  It consists of a replacement
Patch_D2.mpq file.  Because it greatly changes and complicates the
game, I need to maintain the original installation for beginners.  I
log back into wineadmin.  I move /home/wineadmin/.wine-Diablo_II and
a create a new empty directory ~/.wine-Diablo_II and
.wine-Diablo_II_rw.  I mount the /srv/wine/.wine-Diablo_II the
same as I did for administrator.  I then install the Median XL mpq
file.  I then unmount .wine-Diablo_II and copy the contents of
.wine-Diablo_II_rw (excluding .wh.*) to
/srv/wine/.wine-Diablo_II_Median_XL.

In the administrator home, I create two new directories,
.wine-Diablo_II_Median_XL and .wine-Diablo_II_Median_XL_rw then
mount them with aufs:

mount -v -t aufs -o
br:/home/administrator/.wine-Diablo_II_Median_XL_rw=rw:/srv/wine/.wine-Diablo_II=ro:/srv/wine/.wine-Diablo_II_Median_XL=ro
none /home/administrator/.wine-Diablo_II_Median_XL

I then fix the registry, links, and menu entries.  The user now has
two different Diablo II installations, original and Median XL.  They
act completely independent of each other which is important because
game save files from Median XL are not compatible with the original
game.  Total size for one user is 2.3GB and very little additional
space for five users (or many more).

For a single-file modification this may seem overcomplicated but
modifications in other games have hundreds of files that are changed
including changes in the Wine registry.  With registry changes I
normally create a diff of them and patch it back in for each user.  I
have shell scripts that perform some of the work.  When the users
update the game or add 

Re: UID/GID support

[sfjro]

Jeff Hanson:
 Users can't run chown because they are not root.

How about writing a wrapper?
Allow chown after some tests.
- the target path is aufs, or /home/$USER in your case?
- the target uid is $USER
- etc
The warpper may be implemented suid-ed, or customized /etc/sudoers.

--

 Another problem is that the CIFS mounts show up in Gnome/Nautilus as
 mounted volumes.  Since these are ro mounts that only exist for the
 UID change they aren't useful to the user and just make a mess of the
 desktop and Nautilus places sidebar.  The aufs mount point is what the
 user needs.

You may want to try fuse, nfs or any other fs which has uid-mapping
feature.
After some considerations, I could understand why you want such feature
in aufs. But as I wrote first, I don't think it is a feature of
stackable filesystem. Aufs should follow and should not disturb the
native behaviour of brach fs.


J. R. Okajima

--
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

Re: UID/GID support

[sfjro]

Hello Jeff,

Jeff Hanson:
 point.  From reading through the man page and the following posting,
 it appears that AUFS doesn't support setting the mount point UID/GID
 independently of the branches:
 https://sourceforge.net/mailarchive/message.php?msg_id=21772475

 Is there any plan to add UID/GID setting in the future?  Currently I
 have to run everything through CIFS which supports UID/GID setting.
 This adds a lot of work as I need a CIFS mount for every user * every
 Wine application directory.

While I think it may be possible to implement such feature in aure, aufs
should not do it. Because it is a different kind of feature. I think it
is better to wrap the ro branch by fuse or cifs as you are doing.
If I were you, I'd suggest user to run chown before you modify files.


J. R. Okajima

--
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb

Re: UID/GID support

[Jeff Hanson]

On Fri, Feb 4, 2011 at 8:56 AM,  sf...@users.sourceforge.net wrote:
 While I think it may be possible to implement such feature in aure, aufs
 should not do it. Because it is a different kind of feature. I think it
 is better to wrap the ro branch by fuse or cifs as you are doing.
 If I were you, I'd suggest user to run chown before you modify files.


Users can't run chown because they are not root.

--
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb