Windows/NFSv4 ACL interoperability

tridge at samba.org
Tue Mar 14 12:13:20 GMT 2006


Christoph,

 > Yes, we are talking about the same thing. That's why I said semi-dynamic
 > and applied at the time the ace is set, and not when the actual access
 > check happens! But as this behaviour is not exposed to the windows user (he
 > always has the feeling he's working on a fully dynamic inheriting fs),
 > and should be obeyed by applications (don't allow users to delete
 > inherited aces and propagate new aces in the tree) this makes no difference.

All applications have to do is obey the individual acls. Applications
never have to consider inheritance implications, unless they are
trying to set up a specific inheritance structure themselves.

Also, servers don't have to be aware of this 'semi-dynamic'
inheritance at all. It is purely a client construct, and is equivalent
to a tacky little LD_PRELOAD that runs chmod -R on a tree when you
change some permissions.

The wording can easily mislead. Some people might assume that "applied
at the time the ace is set" implies it is atomic, or at least
quick. In fact it is very much non-atomic, and can take a very long
time to propagate on a large tree (the client has to manually do
findfirst/findnext calls and recurse itself).

It really surprised me when I found this. I couldn't believe that this
was how the famed 'dynamic' inheritance of w2k3 ACLs worked!

Cheers, Tridge
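
An added illustration, not part of the original message and not Samba or Windows code: a simplified Python model of the client-driven propagation described above, in which the server checks only each object's own ACL and the client walks the tree writing inherited copies one object at a time. The `Node` class, the function names and the sample tree are assumptions made for the example.

```python
# Simplified model (assumption): each object stores its own ACL; the "server"
# checks only that ACL and never consults the parent directory.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    acl: list = field(default_factory=list)       # entries: (trustee, right, inherited)
    children: list = field(default_factory=list)

def server_access_check(node, trustee, right):
    """Server side: evaluate the object's own ACEs only, no inheritance logic."""
    return any(t == trustee and r == right for t, r, _ in node.acl)

def client_propagate(root, trustee, right):
    """Client side: set the ACE on root, then walk the tree (standing in for
    the findfirst/findnext recursion) and write an inherited copy to each
    descendant. Yields after every per-object write to expose partial state."""
    root.acl.append((trustee, right, False))      # explicit ACE on the root
    yield root
    stack = list(reversed(root.children))
    while stack:
        node = stack.pop()
        if (trustee, right, True) not in node.acl:
            node.acl.append((trustee, right, True))   # inherited copy
        yield node
        stack.extend(reversed(node.children))

def build_tree():
    """Constructed sample tree: share/{docs/{a.txt,b.txt}, src/{main.c}}."""
    return Node("share", children=[
        Node("docs", children=[Node("a.txt"), Node("b.txt")]),
        Node("src", children=[Node("main.c")]),
    ])

def demo():
    root = build_tree()
    deepest = root.children[1].children[0]        # share/src/main.c
    walk = client_propagate(root, "alice", "READ")
    next(walk); next(walk)                        # only root and docs written so far
    mid = (server_access_check(root, "alice", "READ"),
           server_access_check(deepest, "alice", "READ"))
    writes = 2 + sum(1 for _ in walk)             # finish the walk, count writes
    done = server_access_check(deepest, "alice", "READ")
    return mid, writes, done

if __name__ == "__main__":
    print(demo())
```

Partway through the walk the root already carries the new ACE while `share/src/main.c` does not, and the change costs one write per object in the tree.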


More information about the samba-technical mailing list