ACLs and least surprise (was Samba vs. NetAppliance)
davecb at canada.sun.com
Fri Jun 25 12:31:13 GMT 1999
[This is fairly far from the topic of the mailing-list: we may want to
take further discussion to email or the tech list]
> it violates the principle of
> least surprises for the nfs user. ie. They may get access
> denied when the UNIX perms say they should be granted access.
> But wouldn't it also be a "surprise" when an NFS user finds that she can't
> execute a file because one of the DOS bits was flipped on by a Windows user?
Methinks "least surprise" is really only applicable
to things which are very close in behavior.
There is a principle of "no surprise" applicable to
commensurable things: if one of the services'
operations is a proper subset of the other, then one
can argue for no or least surprise. If one has no
overlap between the two things' behaviors, everything
is a surprise! And between the two comes a muddy middle,
full of execute and "hidden" bits (;-))
In such cases, you have to pull other engineering criteria
out of your hat, such as "greatest value to the end-user" or
"requires only finite effort".
An area where least surprise is a useful criterion is ACLs:
| don't some flavors of UNIX (e.g. Solaris) have their own
| incompatible-with-other-flavours ACLs? Why would you even bother with
| there was some sort of a standard (and who knows when that might be)?
Er, it was set on 15 Aug, 1983 (;-))
Seriously, though, the U.S. DOD did then define the minimum
functionality required from access control lists for protection
of confidentiality. All the various ACL designs are supersets
of this standard (defined in the "orange book",
In addition, there is a detailed study of access control lists
and permissions bits, written as a separate book,
which specifies the rules and also defines the criteria to be
used in mapping super- to sub-sets: it's slightly stronger than
"least surprise": it's "most restrictive of the two" (hey, these
are professional paranoids, you know!)
In the ACL space, the commensurable functions can be designed
to meet "no surprises" and "more restrictive", and the others
to minimize surprise in the general case, with a good chance
of the result being useful to the community. My reading of
map_unix_perms (nttrans.c) is that's what Jeremy is doing.
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | http://java.science.yorku.ca/~davecb
Work: (905) 477-0437 Home: (416) 223-8968 Email: davecb at canada.sun.com
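An illustration of the "most restrictive of the two" rule described above, added here as example code: it is not Samba's map_unix_perms() and not the poster's code. The Ace type, the three toy rights and the sample ACL are invented for the example; real NT access masks are far richer.

```python
"""'Most restrictive of the two' mapping between UNIX mode bits and a
simplified NT-style ACL.  Illustrative code written for this post, not
Samba's map_unix_perms(): the Ace type and right names are invented."""
from dataclasses import dataclass
from typing import Iterable

READ, WRITE, EXEC = "read", "write", "execute"   # toy rights, not real masks
BIT = {READ: 0o4, WRITE: 0o2, EXEC: 0o1}
CLASSES = (("owner", 6), ("group", 3), ("everyone", 0))

@dataclass(frozen=True)
class Ace:
    who: str                          # "owner", "group", "everyone" or a user name
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

def unix_to_aces(mode: int) -> list[Ace]:
    """rwx bits -> three allow ACEs.  Here the two models overlap exactly."""
    return [Ace(who, frozenset(r for r, b in BIT.items() if (mode >> shift) & b))
            for who, shift in CLASSES]

def aces_to_unix(aces: Iterable[Ace]) -> int:
    """ACL -> mode bits, most restrictive.  A class gets a bit only if an ACE
    that applies to it allows the right and no applicable ACE denies it.
    An "everyone" ACE applies to all three classes, as NT's Everyone does.
    An ACE for a subject the nine bits cannot name (a named user) is not
    representable, so it grants nothing here rather than widening a class."""
    aces = list(aces)
    mode = 0
    for cls, shift in CLASSES:
        applicable = [a for a in aces if a.who in (cls, "everyone")]
        allowed = frozenset().union(*(a.allow for a in applicable))
        denied = frozenset().union(*(a.deny for a in applicable))
        for right in allowed - denied:
            mode |= BIT[right] << shift
    return mode

def effective_mode(unix_mode: int, aces: Iterable[Ace]) -> int:
    """Where both views exist, grant only what both of them grant."""
    return unix_mode & aces_to_unix(aces)

# Constructed sample: the NFS side says 0o775, the NT side carries a tighter ACL.
SAMPLE_ACL = [
    Ace("owner", allow=frozenset({READ, WRITE, EXEC})),
    Ace("group", allow=frozenset({READ, EXEC}), deny=frozenset({WRITE})),
    Ace("everyone", allow=frozenset({READ})),
    Ace("alice", allow=frozenset({WRITE})),   # no UNIX equivalent: contributes no bit
]

if __name__ == "__main__":
    print(oct(aces_to_unix(SAMPLE_ACL)), oct(effective_mode(0o775, SAMPLE_ACL)))
```

The group write bit that UNIX would grant is dropped because the ACL denies it, so an NFS user sees the tighter of the two views rather than a write that the SMB side would refuse.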