Adding creator owner support to nfs4:mode simple.

Alexander Werth werth at linux.vnet.ibm.com
Fri Jul 27 08:25:16 MDT 2012


Hi,

I've been working on the NFS4 ACL code recently.
It turns out that while "creator owner" and "creator owner group" ACEs
behave pretty much like nfs4 inheritonly special owner@ and group@ ACEs,
these nfs4 special ids are not used for that purpose by the current code.

The current code uses these special ids in nfs4:mode special to encode
the explicit user and group ACEs of the current file owner and group.

I'd like to contribute the following patch which will use the special
ids for the "creator" SIDs in nfs4:mode simple. Right now in mode simple
the nfs4 special ids are interpreted as explicit ACEs of the current
file owner and group. So it's interpreting the special ids as if they
had been written in nfs4:mode special.

This also points to a problem with the nfs4:mode special. Mapping the
ACEs of the owner to nfs4 special ids will result in an inheritance
behavior matching the "creator" aces and not the intended behavior of
user aces. While this mapping to special ids is needed to get sensible
posix mode bits, the resulting inheritance behavior seems arbitrary and
broken from a user point of view.

Files written earlier with nfs4:mode special and read in nfs4:mode
simple would now show a creator owner entry with these patches.
That might be slightly confusing but the files actually already behave
that way even in nfs4:mode special.


The patch for adding creator owner support to nfs4:mode simple contains
the following separate commits:
- Move params struct and reading of parameters up.
- Change smbacl4_get_vfs_params to use connection_struct instead of fsp.
- Add params parameter to smbacl4_nfs42win function
- In nfs4:mode simple read nfs4 special owner@ and group@ ACEs as
"creator owner" and "creator owner group".
- In nfs4:mode simple write "creator owner" and "creator owner group" as
nfs4 special owner@ and group@ ACEs.

I'm also working on a modified version of mode special that does use the
inherited special ids for creator owner and uses non inheriting aces for
the posix mode bits which builds on this change.

Please share your thoughts or concerns.

Cheers,
Alexander Werth

-------------- next part --------------
A non-text attachment was scrubbed...
Name: simple-mode-with-creator.patch
Type: text/x-patch
Size: 15488 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120727/1aa4c985/attachment.bin>
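
The inheritance effect the mail describes for nfs4:mode special, and the change in how nfs4:mode simple reports owner@ and group@, shown as an added example; this is not code from the attached patch or from Samba. The struct, the function names and the alice/bob/staff sample are hypothetical and constructed for illustration, and the model assumes every owner@/group@ ACE is reported as a creator SID under the proposed behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of an NFSv4 ACE; not Samba's structures. */
enum who { WHO_NAMED, WHO_OWNER_AT, WHO_GROUP_AT };
struct ace { enum who who; const char *name; unsigned flags; };
#define FILE_INHERIT 0x1u /* ACE4_FILE_INHERIT_ACE (RFC 3530) */

/* Write side of nfs4:mode special as the mail describes it: an ACE that
 * names the current owner or group is stored as owner@ / group@. */
struct ace store_mode_special(struct ace a, const char *owner, const char *group)
{
    if (a.who == WHO_NAMED && strcmp(a.name, owner) == 0) a.who = WHO_OWNER_AT;
    else if (a.who == WHO_NAMED && strcmp(a.name, group) == 0) a.who = WHO_GROUP_AT;
    return a;
}

/* Principal a stored ACE applies to on a file with this owner/group.
 * owner@/group@ resolve per file, so an inherited copy follows the child. */
const char *principal_on(struct ace a, const char *owner, const char *group)
{
    if (a.who == WHO_OWNER_AT) return owner;
    if (a.who == WHO_GROUP_AT) return group;
    return a.name;
}

/* Read side of nfs4:mode simple: current behaviour vs. the proposed one.
 * S-1-3-0 / S-1-3-1 are the well-known Creator Owner / Creator Group SIDs. */
const char *show_mode_simple(struct ace a, const char *owner, const char *group,
                             int proposed)
{
    if (a.who == WHO_OWNER_AT) return proposed ? "S-1-3-0" : owner;
    if (a.who == WHO_GROUP_AT) return proposed ? "S-1-3-1" : group;
    return a.name;
}

int main(void)
{
    /* Constructed sample: directory owned by alice:staff, inheritable ACE for alice. */
    struct ace user_ace = { WHO_NAMED, "alice", FILE_INHERIT };
    struct ace stored = store_mode_special(user_ace, "alice", "staff");
    /* bob creates a file in the directory and inherits the stored ACE. */
    printf("intended: %s, effective on bob's file: %s\n",
           user_ace.name, principal_on(stored, "bob", "staff"));
    printf("mode simple today: %s, proposed: %s\n",
           show_mode_simple(stored, "alice", "staff", 0),
           show_mode_simple(stored, "alice", "staff", 1));
    return 0;
}
```

When reviewing ACLs on shares that used nfs4:mode special, an inheritable owner@ entry grants the rights to whoever owns each new child, not to the user the entry was originally written for.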