[nfsv4] Windows/NFSv4 ACL interoperability

Jeremy Allison jra at samba.org
Tue Mar 28 01:44:21 GMT 2006


On Mon, Mar 27, 2006 at 06:10:28PM -0600, Nicolas Williams wrote:
> The Windows ordering is done in the GUI/libraries, not in the kernel.
> 
> Cygwin has exploited this in the past to emulate POSIX modes much as one
> might use this to emulate POSIX Draft ACLs.
> 
> > So the problem is just with stuff like a posix user setting a bunch of
> > long carefully crafted ACLs and then a Windows user not being able to
> > read them and blowing them away in an attempt to modify them.
> > 
> > To a certain extent that kind of problem may be unavoidable.  But we may
> > have some control over how common it is and how gracefully we fail.
> 
> I agree.  The right solution is to move away from POSIX Draft ACLs.

I disagree. POSIX draft ACLs are the right level of complexity for
administrators to handle, and the Gnome and KDE GUIs are starting
to be able to handle them. Windows ACLs are completely overdesigned
and (as these threads adequately prove), not usable or easily understood
even by people with research degrees in computer science.

In terms of *usable* security (which IMHO is the only kind that matters
in the real world) POSIX ACLs are far superior to Windows/NFSv4 ACLs.

Jeremy.


More information about the samba-technical mailing list