On Thu, Sep 30, 2010 at 03:28:14PM -0500, Nicolas Williams wrote:
> Consider this chronologically-ordered sequence of events:
> 
> 1) File is created via Windows, gets SMB/ZFS/NFSv4-style ACL, including
>    inheritable ACEs.  A mode computed from this ACL might be 664, say.
> 
> 2) A Unix user does chmod(644) on that file, and one way or another this
>    effectively reduces permissions otherwise granted by the ACL.
> 
> 3) Another Windows user now fails to get write perm that they should
>    have, so they complain, and then the owner tries to view/change the
>    ACL from a Windows desktop.
> 
> Now what?
> 
> Can the user in (3) fix the permissions from Windows?  For that to be
> possible the mode must implicitly get recomputed when the ACL is
> modified.

Also, even if in (3) the user can fix the perms from Windows because
we'd recompute the mode from the ACL, the user wouldn't be able to see
the "effective" ACL (as "reduced" by the mode_t that Windows can't see).
The only way to address that is... to do groupmasking.  And that gets us
back to the problems we had with groupmasking.

Nico