[PATCH] Add tests for our NFSv4 ACL code

Andrew Bartlett abartlet at samba.org
Thu May 2 17:17:24 MDT 2013


On Thu, 2013-05-02 at 17:53 +0200, Alexander Werth wrote:
> On Wed, 2013-05-01 at 18:54 +1200, Andrew Bartlett wrote:
> > On Wed, 2013-05-01 at 05:09 +0200, Alexander Werth wrote:
> > > In either case I'm posting some wip, collecting the pros and cons of the
> > > various nfs4:mode settings:
> > > 
> > > nfs4:mode simple
> > > 
> > > Pro
> > > - Working inheritance
> > > - Creator owner support with new code
> > > - No overhead on file creation.
> > > - Owner changes have no side effect on the ACL with the exception of a
> > > not rewritten creator owner entry.
> > > - Recommended option for SMB only file servers.
> > > 
> > > Con
> > > - No Posix mode bits for file owner and group.
> > 
> > This is just the same as if a file is created over NFS or directly in
> > the shell, correct?
> Yes. In this case mode specialcreator and mode simple would behave
> identically.
> 
> > 
> > > - Files with creator owner or creator group entries do have mode bits
> > > after file creation but lose them by rewriting the ACL through SMB.
> > > - Files lose mode bits applied through chmod by rewriting the ACL with
> > > SMB.
> > 
> > Why can't we get this feature (of specialcreator) in simple?  Isn't it
> > just a matter of expressing the creator owner stuff properly for simple
> > mode-based permissions?
> 
> That got me thinking. Actually I think we can get these two into mode
> simple with the attached patch.

Great!

> nfs4:mode simple
> Pro
> - Working inheritance
> - Creator owner support with new code
> - Posix mode bits for file owner and group from non inheriting ACEs.
> - No overhead on file creation.
> - Files keep mode bits applied by chmod when rewriting the ACL with SMB.
> - Inherited mode bits on files can be created with creator owner entries.
> - Recommended option.
> 
>  
> Con
> - Files with inherited ACL entries for the owner don't get mode bits.
>   A complete solution here will need file system support anyway.
> - Owner changes have side effects on the ACL.
>   Can be alleviated by updating the ACL on an owner change.

What are the side effects other than that, as intended, the old owner
loses access and the new owner gains it?

> So it's pretty much complete with few drawbacks.
> What do you think?

I'm impressed, this is starting to really look like a solution.  

Am I correct to say that we are skipping the specialcreator for now?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



