On Mon, March 1, 2010 23:04, Paul B. Henson wrote:

>> If users have private primary groups then you can have them run with
>> umask 007 or 002 and use set-gid and/or inheritable ACLs to ensure that
>> users can share files in specific directories.  (This is one reason that
>> I recommend always giving users their own private primary groups.)
>
> The only reason for the recommendation to give users their own private
> primary groups is because of the lack of flexibility of the umask/mode
> bits security model. In an environment with inheritable ACLs (that aren't
> subject to being violated by that legacy security model) there's no real
> need.

Hmmm; the "lack of flexibility" you talk about comes from not using the
security model sensibly -- having per-person groups is very useful in that
security model.

You see it as a "legacy security model"; but for me it's the primary
security model, with ACLs as an add-on.  It's the only one that's
supported across the various ways of sharing the disks.  In the end,
Solaris is one player in the POSIX world, and cutting yourself off from
that would be very limiting.

>> Alternatively we could have a new mode bit to indicate that the group
>> bits of umask are to be treated as zero, or maybe assign this behavior
>> to the set-gid bit on ZFS.
>
> So rather than a nice simple option granting ACLs immunity from
> umask/mode bits baggage, another attempted mapping/interaction?
>
> If you only ever access ZFS via CIFS from windows clients, you can have a
> pure ACL model. Why should access via local shell or NFSv4 be a poor
> stepchild and chained down with legacy semantics that make it exceedingly
> difficult to actually use ACLs for their intended purpose?

It's precisely to avoid having shell access being a poor stepchild that
I'm resisting ACLs.  As currently implemented, they relegate my primary
access to the system to second-class status.

And NFSv4 is mostly a rumor in my universe; NFSv2 and v3 are what people
actually use.

-- 
David Dyer-Bennet, d...@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
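As an added example (not from the thread or from either poster), the mode-bit sharing scheme David describes in the quoted passage, carried out in a POSIX shell: a set-gid project directory plus a umask of 007, which is only safe when each user's primary group is private. It assumes only ls, awk and mktemp, and uses the caller's own primary group (the one group anyone may chgrp to) so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the zfs-discuss thread. Demonstrates the POSIX
# mode-bit sharing model: private primary group + umask 007 + set-gid directory.

# Symbolic mode of a path (e.g. -rw-rw----); substr drops any ACL/SELinux
# suffix that some ls flavours append to the mode field.
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# Numeric gid a path is owned by.
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Create $3 inside directory $1 under umask $2, then report the file's mode.
# The umask is set in a subshell so the caller's own umask is untouched.
create_with_umask() {
    (umask "$2" && : > "$1/$3") && mode_of "$1/$3"
}

# Set up a set-gid shared project directory $1 owned by gid $2 (mode 2770:
# owner and group have full access, others none, new files inherit the group).
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1" && mode_of "$1"
}

# Walk through the scenario in a throwaway directory and print:
# <mode under umask 022> <mode under umask 007> <gid of the 007 file>
demo() {
    work=$(mktemp -d) || return 1
    gid=$(id -g)   # caller's primary group stands in for the project group
    make_shared_dir "$work/project" "$gid" >/dev/null
    # The usual umask 022 leaves a teammate's new file read-only for the group.
    a=$(create_with_umask "$work/project" 022 locked.txt)
    # umask 007 makes it group-writable; the set-gid bit has already given it
    # the project group rather than the creator's own primary group.
    b=$(create_with_umask "$work/project" 007 shared.txt)
    g=$(group_of "$work/project/shared.txt")
    rm -rf "$work"
    printf '%s %s %s\n' "$a" "$b" "$g"
}

demo
```

The 007 file comes out as -rw-rw---- and the 022 one as -rw-r--r--, which is exactly the difference that makes a private primary group a precondition for a permissive umask.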

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
