[PATCH] Add tests for our NFSv4 ACL code

Alexander Werth werth at linux.vnet.ibm.com
Thu May 2 19:10:16 MDT 2013



On Fri, 2013-05-03 at 11:17 +1200, Andrew Bartlett wrote:
> On Thu, 2013-05-02 at 17:53 +0200, Alexander Werth wrote:
> > On Wed, 2013-05-01 at 18:54 +1200, Andrew Bartlett wrote:
> > > On Wed, 2013-05-01 at 05:09 +0200, Alexander Werth wrote:
> > > > In either case I'm posting some wip, collecting the pros and cons of the
> > > > various nfs4:mode settings:
> > > > 
> > > > nfs4:mode simple
> > > > 
> > > > Pro
> > > > - Working inheritance
> > > > - Creator owner support with new code
> > > > - No overhead on file creation.
> > > > - Owner changes have no side effect on the ACL with the exception of a
> > > > not rewritten creator owner entry.
> > > > - Recommended option for SMB only file servers.
> > > > 
> > > > Con
> > > > - No Posix mode bits for file owner and group.
> > > 
> > > This is just the same as if a file is created over NFS or directly in
> > > the shell, correct?
> > Yes. In this case mode specialcreator and mode simple would behave
> > identically.
> > 
> > > 
> > > > - Files with creator owner or creator group entries do have mode bits
> > > > after file creation but lose them by rewriting the ACL through SMB.
> > > > - Files lose mode bits applied through chmod by rewriting the ACL with
> > > > SMB.
> > > 
> > > Why can't we get this feature (of specialcreator) in simple?  Isn't it
> > > just a matter of expressing the creator owner stuff properly for simple
> > > mode-based permissions?
> > 
> > That got me thinking. Actually I think we can get these two into mode
> > simple with the attached patch.
> 
> Great!
> 
> > nfs4:mode simple
> > Pro
> > - Working inheritance
> > - Creator owner support with new code
> > - Posix mode bits for file owner and group from non inheriting ACEs.
> > - No overhead on file creation.
> > - Files keep mode bits applied by chmod when rewriting the ACL with SMB.
> > - Inherited mode bits on files can be created with creator owner entries.
> > - Recommended option.
> > 
> >  
> > Con
> > - Files with inherited ACL entries for the owner don't get mode bits.
> >   A complete solution here will need file system support anyway.
> > - Owner changes have side effects on the ACL.
> >   Can be alleviated by updating the ACL on an owner change.
> 
> What are the side effects other than that, as intended, the old owner
> loses access and the new owner gains it?

That's what's intended by a chown on unix and this will happen.
But that's not what happens on windows and therefore a windows user
wouldn't expect that side effect.
So on an owner change in windows we eventually have to:
- write an ACL similar to the current mode simple that doesn't contain
the non inheriting special owner and group entries.
- Apply the chmod
- And apply a new ACL using the special owner and group if it applies to
the new owner.

We might also be able to skip that first step arguing that someone who
can change the owner to himself also would have the implicit right to
change the ACL so there's no security issue here.

Also keep in mind that just using the special entries for creator owner
entries opens the mode simple to the problems with user changes for
files that inherit these entries. So the change just increases the
likelihood of hitting that problem.

I'm not aware of other side effects. We might surprise some users of
mode simple with the sudden support for creator owner.
Previously mode simple meant that the special owner and group sid had
not been used at all. But there isn't really any technical reason for
not using them and the special everyone had been used all along.

> 
> > So it's pretty much complete with few drawbacks.
> > What do you think?
> 
> I'm impressed, this is starting to really look like a solution.  
> 
> Am I correct to say that we are skipping the specialcreator for now?

Yes. I think with this we don't need the mode specialcreator anymore.
I still like the idea of maxing out what mode bits we can get,
but the inconsistencies between creating a file in unix and windows are
hard to explain and devalue the usefulness of a specialcreator mode.

One use case is to use robocopy on a subtree primarily used by nfs with
its access permissions set with chmod. That's working very well now
with the suggested changes.

I'm really happy with the fact that now even for creator owner entries
the mode bits survive a rewrite of the ACL.

What else would be needed before the changes can be applied to master?



