On Tue, 2 Mar 2010, Kjetil Torgrim Homme wrote: > no. what happens when an NFS client without ACL support mounts your > filesystem? your security is blown wide open. the filemode should > reflect the *least* level of access. if the filemode on its own allows > more access, then you've lost.
Say what? If you're using secure NFS, access control is handled on the server side. If an NFS client that doesn't support ACL's mounts the filesystem, it will have whatever access the user is supposed to have, the lack of ACL support on the client is immaterial. On the other hand, if you're using AUTH_SYS, you don't care about security in the first place so there's no real point in worrying about it. > if your ACLs are completely specified and give proper access on their > own, and you're using aclmode=passthrough, "chmod -R 000 /" will not > harm your system. Actually, it will destroy the three special ACE's, user@, group@, and every...@. On the other hand, with a hypothetical aclmode=ignore or aclmode=deny, such a chmod would indeed not harm the system. > if you have rogue processes doing "chmod a+rwx" or other nonsense, you > need to fix the rogue process, that's not an ACL problem or a problem > with traditional Unix permissions. What I have are processes that don't know about ACL's. Are they broken? Not in and of themselves, they are simply incompatible with a security model they are unaware of. Why on earth would I want to go and try to make every single application in the world ACL aware/compatible instead of simply having a filesystem which I can configure to ignore any attempt to manipulate legacy permissions? > not at all. you just have to use them correctly. I think we're just not on the same page on this; while I am not saying I'm on the right page, it does seem you need to do a little more reading up on how ACL's work. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | hen...@csupomona.edu California State Polytechnic University | Pomona CA 91768 _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
