[nfsv4] Windows/NFSv4 ACL interoperability

Nicolas Williams Nicolas.Williams at sun.com
Tue Mar 28 00:10:28 GMT 2006

On Mon, Mar 13, 2006 at 10:19:22PM -0500, J. Bruce Fields wrote:
> On Mon, Mar 13, 2006 at 04:04:00PM -0800, Yoder, Alan wrote:
> > During the NFVv4 ACL spec writeup, I questioned the
> > lack of ordering requirements for ALLOW and DENY.
> > Carl Beame demonstrated to my satisfaction that 
> > Windows NT servers did not at that time enforce
> > any such thing, and that the requirement is (was?)
> > entirely client-side in Windows.

> Yeah, that's my understanding too.

The Windows ordering is done in the GUI/libraries, not in the kernel.

Cygwin has exploited this in the past to emulate POSIX modes much as one
might use this to emulate POSIX Draft ACLs.

> So the problem is just with stuff like a posix user setting a bunch of
> long carefully crafted ACLs and then a Windows user not being able to
> read them and blowing them away in an attempt to modify them.
> To a certain extent that kind of problem may be unavoidable.  But we may
> have some control over how common it is and how gracefully we fail.

I agree.  The right solution is to move away from POSIX Draft ACLs.

Maintaining two ACLs, for example, doesn't help since that can lead to
conflicting authorizations depending on how one accesses a file, and how
would conflicts on ACL change operations be handled?

The best interim option, I think, is to silently ignore the problem on
ACL change operations and accept whatever ACE order the client requests.


More information about the samba-technical mailing list