ACLs and least surprise (was Samba vs. NetAppliance)

David Collier-Brown davecb at canada.sun.com
Fri Jun 25 12:31:13 GMT 1999


[This is fairly far from the topic of the mailing-list: we may want to
take further discussion to email or the tech list]

Jeremy writes:
> it violates the principle of
> least surprises for the nfs user. ie. They may get access 
> denied when the UNIX perms say they should be granted access.

Paul replies:
> But wouldn't it also be a "surprise" when an NFS user finds that she can't
> execute a file because one of the DOS bits was flipped on by a Windows user?

	Methinks "least surprise" is really only applicable
	to things which are very close in behavior.

	There is a principle of "no surprise" applicable to
	commensurable things: if one of the services'
	operations is a proper subset of the other, then one
	can argue for no or least surprise. If one has no 
	overlap between the two things' behaviors, everything
	is a surprise! And between the two comes a muddy middle, 
	full of execute and "hidden" bits (;-))

	In such cases, you have to pull other engineering criteria 
	out of your hat, such as "greatest value to the end-user" or 
	"requires only finite effort".


	An area where least surprise is a useful criterion is ACLs:

Paul writes:
| don't some flavors of UNIX (e.g. Solaris) have their own
| incompatible-with-other-flavours ACLs? Why would you even bother with
| it until
| there was some sort of a standard (and who knows when that might be)?

	Er, it was set on 15 Aug, 1983 (;-))

	Seriously, though, the U.S. DOD did then define the minimum
	functionality required from access control lists for protection
	of confidentiality.  All the various ACL designs are supersets
	of this standard (defined in the "orange book", 
	http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html, 
	appendix D).

	In addition, there is a detailed study of access control lists
	and permissions bits, written as a separate book, 
	http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-020-A.html,
	which specifies the rules and also defines the criteria to be
	used in mapping super- to sub-sets: it's slightly stronger than
	"least surprise": it's "most restrictive of the two" (hey, these
	are professional paranoids, you know!)

	In the ACL space, the commensurable functions can be designed
	to meet "no surprises" and "more restrictive", and the others
	to minimize surprise in the general case, with a good chance
	of the result being useful to the community. My reading of
	map_unix_perms (nttrans.c) is that's what Jeremy is doing.

--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | http://java.science.yorku.ca/~davecb
Work: (905) 477-0437 Home: (416) 223-8968 Email: davecb at canada.sun.com
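An added illustration of the "most restrictive of the two" rule discussed above, not code from Samba or from the NCSC guide: a hypothetical three-class ACL model is combined with UNIX rwx bits so that a right is granted only when both views grant it, and the leftover rights each view would have granted on its own are reported as that view's "surprises". The Ace class, the owner/group/other principal classes and the sample ACL are all constructed for this example.

```python
from dataclasses import dataclass

# UNIX permission bits, as used in a mode such as 0o755.
R, W, X = 4, 2, 1
CLASSES = (("owner", 6), ("group", 3), ("other", 0))  # class -> bit shift in a mode


@dataclass(frozen=True)
class Ace:
    """Hypothetical ACL entry: rwx-style rights allowed or denied to one class."""
    who: str      # "owner", "group" or "other"
    rights: int   # combination of R, W, X
    allow: bool   # True = allow entry, False = deny entry


def acl_effective(acl, who):
    """Rights the ACL grants a class: the allowed bits minus any explicitly denied ones."""
    allowed = denied = 0
    for ace in acl:
        if ace.who != who:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def unix_effective(mode, who):
    """The rwx triple a UNIX mode gives a class."""
    shift = dict(CLASSES)[who]
    return (mode >> shift) & 7


def most_restrictive(mode, acl):
    """Combined mode: for each class, keep only rights granted by BOTH the mode and the ACL."""
    combined = 0
    for who, shift in CLASSES:
        combined |= (unix_effective(mode, who) & acl_effective(acl, who)) << shift
    return combined


def surprises(mode, acl):
    """Rights one view grants alone but the combined view denies: (view, class, lost bits)."""
    combined = most_restrictive(mode, acl)
    lost = []
    for who, _ in CLASSES:
        eff = unix_effective(combined, who)
        for view, rights in (("unix", unix_effective(mode, who)), ("acl", acl_effective(acl, who))):
            if rights & ~eff:
                lost.append((view, who, rights & ~eff))
    return lost


# Constructed sample: UNIX mode 0o755 beside an ACL that denies group write
# and gives "other" rw but no execute.
SAMPLE_ACL = (Ace("owner", R | W | X, True), Ace("group", R | W | X, True),
              Ace("group", W, False), Ace("other", R | W, True))
```

For the sample, most_restrictive(0o755, SAMPLE_ACL) yields 0o754: the NFS view loses execute for "other" and the ACL view loses write for "other", and neither user ever gains a right the other view would deny.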

