On Fri, Feb 26, 2010 at 05:02:34PM -0600, David Dyer-Bennet wrote:
>
> On Fri, February 26, 2010 12:45, Paul B. Henson wrote:
>
> > I've already posited as to an approach that I think would make a pure-ACL
> > deployment possible:
> >
> > http://mail.opensolaris.org/pipermail/zfs-discuss/2010-February/037206.html
> >
> > Via this concept or something else, there needs to be a way to configure
> > ZFS to prevent the attempted manipulation of legacy permission mode bits
> > from breaking the security policy of the ACL.
>
> It seems to me that it should depend.
>
> chown ddb /path/to/file
> chmod 640 /path/to/file
>
> constitutes explicit instructions to give read-write access to ddb, read
> access to people in the group, and no access to others. Now, how should
> that be combined with an ACL?

The chown is irrelevant (well, it's relevant to you in terms of your
intentions, but it's very hard for the filesystem to consider a chmod in
relation to earlier chowns and chgrps).

I see four ways to handle the mode mask vs. ACL conflict:

 a) clobber the ACL;
 b) map the change as best you can to an ACL change;
 c) ignore the rwx bits in the mode mask (except on create from a POSIX
    open(2)/creat(2), in which case the ACL has to be derived from the
    initial mode);
 d) fail the chmod().

All three can be surprising! (d) may be the least surprising, but it may
disrupt some apps. (b) is the next least surprising, but it has some
dangerous effects.

(b) is tricky because the filesystem needs to figure out what the change
actually was by tracking mode bits from the beginning.

For (b) IMO the right thing to do would be to always track a mode mask
whose rwx bits are not actually used for authorization, but which are used
to detect changes on chmod(2), and then the changes should be applied as
best effort edits of the ACLs. On create via non-POSIX methods the mode
mask would have to be constructed synthetically. When the ACL is edited
the current mode bits have to be brought in sync with
owner@/group@/everyone@ ACEs.

All methods of synchronizing or synthesizing a mode mask from/to an ACL
are going to be lossy.

Nico
--
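
A toy model of option (b) from the message above, added here as an illustration; it is not part of the original post and is not ZFS code. The allow-only ACL, the `File` class and the `user:alice` ACE are assumptions made for the sketch (real NFSv4/ZFS ACLs are ordered lists of allow and deny ACEs with finer-grained permissions).

```python
# Toy model of option (b): simplified allow-only ACL, not real ZFS/NFSv4 semantics.
SPECIAL = ("owner@", "group@", "everyone@")   # ACEs the mode bits map to
BITS = "rwx"

def mode_to_sets(mode):
    """Split a 9-bit mode such as 0o640 into one permission set per special ACE."""
    out = {}
    for i, who in enumerate(SPECIAL):
        triad = (mode >> (6 - 3 * i)) & 0o7
        out[who] = {b for j, b in enumerate(BITS) if triad & (4 >> j)}
    return out

def sets_to_mode(acl):
    """Synthesize a mode from the special ACEs only; every other ACE is lost."""
    mode = 0
    for i, who in enumerate(SPECIAL):
        triad = sum(4 >> j for j, b in enumerate(BITS) if b in acl.get(who, set()))
        mode |= triad << (6 - 3 * i)
    return mode

class File:
    def __init__(self, mode):
        # POSIX create: the ACL is derived from the initial mode.
        self.tracked_mode = mode          # kept only to detect chmod deltas
        self.acl = mode_to_sets(mode)     # the ACL alone decides access

    def chmod(self, new_mode):
        """Apply only the bits that changed, as edits to the special ACEs."""
        old, new = mode_to_sets(self.tracked_mode), mode_to_sets(new_mode)
        for who in SPECIAL:
            self.acl[who] |= new[who] - old[who]    # bits turned on
            self.acl[who] -= old[who] - new[who]    # bits turned off
        self.tracked_mode = new_mode

    def set_ace(self, who, perms):
        """ACL edit: resync the tracked mode from owner@/group@/everyone@."""
        self.acl[who] = set(perms)
        self.tracked_mode = sets_to_mode(self.acl)

def demo():
    f = File(0o640)
    f.set_ace("user:alice", "rw")     # constructed named-user ACE
    f.chmod(0o600)                    # delta: group@ loses read, nothing else
    return f
```

After `demo()` the file reports mode 600 while `user:alice` still holds read-write, which is the lossiness the message describes: the mode alone cannot distinguish this file from a freshly created 600 file.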