http://www.linux-nfs.org/wiki/index.php?title=ACLs&feed=atom&action=history
ACLs - Revision history
2024-03-29T09:08:07Z
Revision history for this page on the wiki
MediaWiki 1.16.5
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5655&oldid=prev
Bfields: /* Others */
2020-07-10T15:57:08Z
<p><span class="autocomment">Others</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 15:57, 10 July 2020</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 98:</td>
<td colspan="2" class="diff-lineno">Line 98:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>=== Others ===</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>=== Others ===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>[<del class="diffchange diffchange-inline">http</del>://<del class="diffchange diffchange-inline">www</del>.openafs.org<del class="diffchange diffchange-inline">/pages/doc</del>/UserGuide/<del class="diffchange diffchange-inline">auusg007</del>.<del class="diffchange diffchange-inline">htm </del>AFS ACLs] are only set on directories, and affect the directory and all files contained in it; hardlinks are unsupported. They have more access bits than POSIX ACLs, but less than NFSv4/Windows ACLs. Denies are supported (though discouraged), and always supercede allows. (So an AFS ACL is roughly equivalent to a Windows/NFSv4 ACL with all DENY aces at the beginning.)</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>[<ins class="diffchange diffchange-inline">https</ins>://<ins class="diffchange diffchange-inline">docs</ins>.openafs.org/UserGuide/<ins class="diffchange diffchange-inline">HDRWQ46</ins>.<ins class="diffchange diffchange-inline">html </ins>AFS ACLs] are only set on directories, and affect the directory and all files contained in it; hardlinks are unsupported. They have more access bits than POSIX ACLs, but less than NFSv4/Windows ACLs. Denies are supported (though discouraged), and always supercede allows. (So an AFS ACL is roughly equivalent to a Windows/NFSv4 ACL with all DENY aces at the beginning.)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www.csupomona.edu/reference/dfs3.1/html/AdminGd/duagd008.htm#HDRWQ97 DCE ACLs] appear to be a superset of POSIX ACLs, with additional mode bits and entities.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[http://www.csupomona.edu/reference/dfs3.1/html/AdminGd/duagd008.htm#HDRWQ97 DCE ACLs] appear to be a superset of POSIX ACLs, with additional mode bits and entities.</div></td></tr>
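<tr><td colspan="4">Review bot: "supercede" in the AFS paragraph (present on both sides of this hunk) is a misspelling; the standard form is "supersede". Since the hunk already rewrites that line for the URL change, this is the natural place to fix it.</td></tr>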
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5609&oldid=prev
Jianhong Yin: /* Server */ add info about richacl
2017-02-28T01:19:02Z
<p><span class="autocomment">Server: </span> add info about richacl</p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 01:19, 28 February 2017</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 25:</td>
<td colspan="2" class="diff-lineno">Line 25:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Work is under way to include NFSv4 ACLs in the underlying filesystem, which would solve all of the above problems at the expense of increased filesystem complexity. As of this writing, patches for production use are not yet available.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Work is under way to include NFSv4 ACLs in the underlying filesystem, which would solve all of the above problems at the expense of increased filesystem complexity. As of this writing, patches for production use are not yet available.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* The latest progress of Native NFSv4 ACLs on Linux [http://www.bestbits.at/richacl/ Richacls], and latest [https://getfedora.org/ Fedora] has included richacl package.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* man-pages in package richacl [http://www.bestbits.at/richacl/man/richacl.7.txt richacl(7)] [http://www.bestbits.at/richacl/man/richaclex.7.txt richaclex(7)] [http://www.bestbits.at/richacl/man/getrichacl.1.txt getrichacl(1)] [http://www.bestbits.at/richacl/man/setrichacl.1.txt setrichacl(1)]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Client ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Client ==</div></td></tr>
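<tr><td colspan="4">Review bot: the new bullets say that Fedora already ships the richacl package, which contradicts the unchanged sentence directly above them, "As of this writing, patches for production use are not yet available"; that sentence should be updated or qualified in the same edit. The first bullet also reads awkwardly; something like "Richacls is the current work on native NFSv4 ACLs for Linux, and recent Fedora releases include the richacl package" would be clearer.</td></tr>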
</table>
Jianhong Yin
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5456&oldid=prev
Bfields: /* Lossy mapping */
2014-02-19T17:01:10Z
<p><span class="autocomment">Lossy mapping</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:01, 19 February 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 121:</td>
<td colspan="2" class="diff-lineno">Line 121:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>(Summarize tradeoffs.)</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>(Summarize tradeoffs.)</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">The current Linux server also implements a lossy algorithm described in [http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-05.txt draft-ietf-nfsv4-acl-mapping-05.txt].</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>POSIX ACLs provide another interesting example: mode bits are themselves a primitive sort of ACL, and operating systems that support POSIX ACLs have to continue supporting mode bits as well. They do this in a rather interesting way--the POSIX ACL is guaranteed not to give more access than the corresponding mode bits, except that some named users and groups may be permitted more access than they otherwise would, with the restriction that that additional access is bounded by the mode bits given to the file's group.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>POSIX ACLs provide another interesting example: mode bits are themselves a primitive sort of ACL, and operating systems that support POSIX ACLs have to continue supporting mode bits as well. They do this in a rather interesting way--the POSIX ACL is guaranteed not to give more access than the corresponding mode bits, except that some named users and groups may be permitted more access than they otherwise would, with the restriction that that additional access is bounded by the mode bits given to the file's group.</div></td></tr>
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5455&oldid=prev
Bfields: /* Strict Mapping */
2014-02-19T16:57:59Z
<p><span class="autocomment">Strict Mapping</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:57, 19 February 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 111:</td>
<td colspan="2" class="diff-lineno">Line 111:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This approach has a few disadvantages:</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This approach has a few disadvantages:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>* The NFSv4 ACLs produced by this mapping are hard to read, and are impossible for users to manipulate without software that understands the mapping to aid them. Thus a user modifying the ACLs through an application that doesn't treat them as POSIX ACLs will almost certainly produce an ACL that can no longer be read by applications that expect POSIX ACLs.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>* The NFSv4 ACLs produced by this mapping are hard to read, and are <ins class="diffchange diffchange-inline">nearly </ins>impossible for users to manipulate without software that understands the mapping to aid them. Thus a user modifying the ACLs through an application that doesn't treat them as POSIX ACLs will almost certainly produce an ACL that can no longer be read by applications that expect POSIX ACLs.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* An NFSv4 server like Linux with backend POSIX ACLs can accept only a very limited subset of ACLs, probably impossible to generate without software that understands the mapping.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* An NFSv4 server like Linux with backend POSIX ACLs can accept only a very limited subset of ACLs, probably impossible to generate without software that understands the mapping.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Strict mapping between Windows and NFSv4 ACLs is much easier<del class="diffchange diffchange-inline">; probably all that's necessary is the addition or subtraction of a "DENY EVERYONE@" ACE at the end of each ACL. This might also cause problems, though</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Strict mapping between Windows and NFSv4 ACLs is much easier.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>=== Lossy mapping ===</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>=== Lossy mapping ===</div></td></tr>
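<tr><td colspan="4">Review bot: after this change "Strict mapping between Windows and NFSv4 ACLs is much easier." stands as a bare assertion; the removed clause about adding or removing a "DENY EVERYONE@" ACE was the only supporting detail. Either keep a short reason for why the mapping is easier or mark the claim as needing elaboration.</td></tr>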
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5454&oldid=prev
Bfields: /* Others */
2014-02-19T16:57:10Z
<p><span class="autocomment">Others</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:57, 19 February 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 100:</td>
<td colspan="2" class="diff-lineno">Line 100:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>AIX? Others?</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>AIX? Others?</div></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">AFS ACLs may be a particular issue here at CITI since we have AFS volumes that we'll want to transfer to NFSv4 at some point. But fortunately that will probably only require a one-time translation; we're not going to try to provide simultaneous NFSv4 and AFS acess....</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Interoperability Strategies ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Interoperability Strategies ==</div></td></tr>
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5453&oldid=prev
Bfields: /* NFSv4 and Windows ACLs */
2014-02-19T16:56:17Z
<p><span class="autocomment">NFSv4 and Windows ACLs</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:56, 19 February 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 68:</td>
<td colspan="2" class="diff-lineno">Line 68:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* Windows does not have the special owner, group or everyone principals in ACEs. You could handle owner and group ACEs by translating them to ACEs that refer explicitly to the current owner or group, but the result won't behave correctly under chown().</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* Windows does not have the special owner, group or everyone principals in ACEs. You could handle owner and group ACEs by translating them to ACEs that refer explicitly to the current owner or group, but the result won't behave correctly under chown().</div></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>* RFC3530 says that if an ACL neither allows nor denies a certain mode bit, then behavior is undefined. But users of Windows ACLs expect them to deny by default.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>* RFC3530 says that if an ACL neither allows nor denies a certain mode bit, then behavior is undefined. But users of Windows ACLs expect them to deny by default. <ins class="diffchange diffchange-inline"> (I believe NFSv4 is now specified to have Windows behavior in RFC3530bis and RFC5661?)</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* Windows documentation suggests that if some but not all requested access bits have been allowed, then DENY aces will still apply even if they only deny bits among those already allowed. This has the somewhat bizarre result that an ACL can allow certain permissions individually but deny them in combination. The NFSv4 ACL algorithm doesn't have this property. (We're waiting the results of experiments to confirm this property of Windows ACLs.)</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* Windows documentation suggests that if some but not all requested access bits have been allowed, then DENY aces will still apply even if they only deny bits among those already allowed. This has the somewhat bizarre result that an ACL can allow certain permissions individually but deny them in combination. The NFSv4 ACL algorithm doesn't have this property. (We're waiting the results of experiments to confirm this property of Windows ACLs.)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
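<tr><td colspan="4">Review bot: the inserted parenthetical is phrased as a question ("I believe NFSv4 is now specified to have Windows behavior in RFC3530bis and RFC5661?"); the article should state what those RFCs actually specify or leave the remark out, so it belongs on the talk page until it has been checked against RFC 3530bis and RFC 5661. Minor: the unchanged next bullet has "We're waiting the results", which should read "We're awaiting the results".</td></tr>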
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=5452&oldid=prev
Bfields: /* Client */
2014-02-19T16:54:39Z
<p><span class="autocomment">Client</span></p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:54, 19 February 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 30:</td>
<td colspan="2" class="diff-lineno">Line 30:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The kernel nfs client exposes ACLs on NFSv4 filesystems to userspace in the extended attribute named "system.nfs4_acl", which contains the raw xdr data which the client receives from the server as the value of the NFSv4 "acl" attribute. Writing to that attribute will modify the ACL on the server.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The kernel nfs client exposes ACLs on NFSv4 filesystems to userspace in the extended attribute named "system.nfs4_acl", which contains the raw xdr data which the client receives from the server as the value of the NFSv4 "acl" attribute. Writing to that attribute will modify the ACL on the server.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>We have [http://<del class="diffchange diffchange-inline">www</del>.<del class="diffchange diffchange-inline">citi</del>.<del class="diffchange diffchange-inline">umich.edu</del>/<del class="diffchange diffchange-inline">projects/nfsv4/linux</del>/nfs4-acl-tools<del class="diffchange diffchange-inline">/ </del>client NFSv4 ACL tools]. They present NFSv4 ACLs to the user untranslated, using NFSv4 names. As a result they are usable against any NFSv4 server (even if the client doesn't know about all of the users on the server).</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>We have [http://<ins class="diffchange diffchange-inline">git</ins>.<ins class="diffchange diffchange-inline">linux-nfs</ins>.<ins class="diffchange diffchange-inline">org</ins>/<ins class="diffchange diffchange-inline">?p=bfields</ins>/nfs4-acl-tools<ins class="diffchange diffchange-inline">.git;a=summary </ins>client NFSv4 ACL tools]. They present NFSv4 ACLs to the user untranslated, using NFSv4 names. As a result they are usable against any NFSv4 server (even if the client doesn't know about all of the users on the server).</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is also possible to modify the client POSIX ACL tools to transparently map between POSIX and NFSv4 ACLs in userspace. This also requires mapping the names contained in the ACLs into local uid's. We have [http://www.citi.umich.edu/projects/nfsv4/linux/acl-patches/ patches to libacl] available which do this. However, this mapping is complex and (as on the server side) lossy. Also, the mapping of names to id's is complicated, and (in our current implementation) introduces unfortunate dependencies of basic system tools (like ls) on a great deal of unrelated NFSv4 and krb5 code. For these reasons we do not recommend this approach.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>It is also possible to modify the client POSIX ACL tools to transparently map between POSIX and NFSv4 ACLs in userspace. This also requires mapping the names contained in the ACLs into local uid's. We have [http://www.citi.umich.edu/projects/nfsv4/linux/acl-patches/ patches to libacl] available which do this. However, this mapping is complex and (as on the server side) lossy. Also, the mapping of names to id's is complicated, and (in our current implementation) introduces unfortunate dependencies of basic system tools (like ls) on a great deal of unrelated NFSv4 and krb5 code. For these reasons we do not recommend this approach.</div></td></tr>
</table>
Bfields
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=3590&oldid=prev
Trasz: Add link to a FreeBSD wiki which explains their implementation.
2009-12-24T10:36:57Z
<p>Add link to a FreeBSD wiki which explains their implementation.</p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 10:36, 24 December 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The [http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html new OSX ACLs] seem to be essentially identical to Windows ACLs; the obvious major exception being that instead of denying by default, when the ACL doesn't determine access, OSX falls back on the mode bits.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The [http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html new OSX ACLs] seem to be essentially identical to Windows ACLs; the obvious major exception being that instead of denying by default, when the ACL doesn't determine access, OSX falls back on the mode bits.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Though there is at least one [http://sourceforge.net/projects/ngacl proof of concept NFSv4/Windows ACL implementation for Linux], we know of no concerted effort to push native Linux support for NFSv4/Windows ACLs. However, AIX, FreeBSD, and Solaris support NFSv4 ACLs. Two Sun developers have an internet draft [http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt draft-falkner-nfsv4-acls-00.txt] which proposes more precise semantics for NFSv4 ACLs and deals with mode-bit mapping and other issues of particular interest for NFSv4 ACL implementors on POSIX systems; implementation in ZFS (in both Solaris and FreeBSD) and UFS (FreeBSD) implement semantics described in this draft.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Though there is at least one [http://sourceforge.net/projects/ngacl proof of concept NFSv4/Windows ACL implementation for Linux], we know of no concerted effort to push native Linux support for NFSv4/Windows ACLs. However, AIX, <ins class="diffchange diffchange-inline">[http://wiki.freebsd.org/NFSv4_ACLs </ins>FreeBSD<ins class="diffchange diffchange-inline">]</ins>, and Solaris support NFSv4 ACLs. Two Sun developers have an internet draft [http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt draft-falkner-nfsv4-acls-00.txt] which proposes more precise semantics for NFSv4 ACLs and deals with mode-bit mapping and other issues of particular interest for NFSv4 ACL implementors on POSIX systems; implementation in ZFS (in both Solaris and FreeBSD) and UFS (FreeBSD) implement semantics described in this draft.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>In practice many Windows applications (such as Explorer) may use only a small subset of Windows ACLs, and may not deal well with ACLs outside of that subset; for example, they generally want to sort all DENY ACE's before ALLOW ACE's. See</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>In practice many Windows applications (such as Explorer) may use only a small subset of Windows ACLs, and may not deal well with ACLs outside of that subset; for example, they generally want to sort all DENY ACE's before ALLOW ACE's. See</div></td></tr>
</table>
Trasz
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=3589&oldid=prev
Trasz: Update situation with other operating systems.
2009-12-21T21:03:23Z
<p>Update situation with other operating systems.</p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 21:03, 21 December 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The [http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html new OSX ACLs] seem to be essentially identical to Windows ACLs; the obvious major exception being that instead of denying by default, when the ACL doesn't determine access, OSX falls back on the mode bits.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The [http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html new OSX ACLs] seem to be essentially identical to Windows ACLs; the obvious major exception being that instead of denying by default, when the ACL doesn't determine access, OSX falls back on the mode bits.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Though there is at least one [http://sourceforge.net/projects/ngacl proof of concept NFSv4/Windows ACL implementation for Linux], we know of no concerted effort to push native Linux support for NFSv4/Windows ACLs. However, Solaris <del class="diffchange diffchange-inline">and AIX both seem to be adding </del>support <del class="diffchange diffchange-inline">for </del>NFSv4 ACLs. Two Sun developers have an internet draft [http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt draft-falkner-nfsv4-acls-00.txt] which proposes more precise semantics for NFSv4 ACLs and deals with mode-bit mapping and other issues of particular interest for NFSv4 ACL implementors on POSIX systems.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Though there is at least one [http://sourceforge.net/projects/ngacl proof of concept NFSv4/Windows ACL implementation for Linux], we know of no concerted effort to push native Linux support for NFSv4/Windows ACLs. However, <ins class="diffchange diffchange-inline">AIX, FreeBSD, and </ins>Solaris support NFSv4 ACLs. Two Sun developers have an internet draft [http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt draft-falkner-nfsv4-acls-00.txt] which proposes more precise semantics for NFSv4 ACLs and deals with mode-bit mapping and other issues of particular interest for NFSv4 ACL implementors on POSIX systems<ins class="diffchange diffchange-inline">; implementation in ZFS (in both Solaris and FreeBSD) and UFS (FreeBSD) implement semantics described in this draft</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>In practice many Windows applications (such as Explorer) may use only a small subset of Windows ACLs, and may not deal well with ACLs outside of that subset; for example, they generally want to sort all DENY ACE's before ALLOW ACE's. See</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>In practice many Windows applications (such as Explorer) may use only a small subset of Windows ACLs, and may not deal well with ACLs outside of that subset; for example, they generally want to sort all DENY ACE's before ALLOW ACE's. See</div></td></tr>
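Review bot: the clause added at the end of this paragraph, "implementation in ZFS (in both Solaris and FreeBSD) and UFS (FreeBSD) implement semantics described in this draft", has a subject/verb number mismatch and sits awkwardly after the semicolon; suggest "the ZFS (Solaris and FreeBSD) and UFS (FreeBSD) implementations follow the semantics described in this draft". Replacing "seem to be adding support for" with "support" is a stronger claim, so it should be stated as such deliberately.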
</table>
Trasz
http://www.linux-nfs.org/wiki/index.php?title=ACLs&diff=3390&oldid=prev
Bfields: /* Server */ Too many "however"'s
2008-06-26T16:59:13Z
<p><span class="autocomment">Server: </span> Too many "however"'s</p>
<table style="background-color: white; color:black;">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:59, 26 June 2008</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 18:</td>
<td colspan="2" class="diff-lineno">Line 18:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Server ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Server ==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>-</td><td style="background: #ffa; color:black; font-size: smaller;"><div>None of the filesystems which the linux server exports support NFSv4 ACLs. However, many of them do support POSIX ACLs. So we map NFSv4 ACLs to POSIX ACLs and store POSIX ACLs in the filesystem. The mapping is imperfect. It accepts most NFSv4 ACLs. (The only exceptions are ACLs which explicitly deny permissions to read attributes or acls, or which explicitly deny the owner permissions to write attributes or acls.) <del class="diffchange diffchange-inline">However, the </del>lossy nature of the NFSv4->POSIX mapping means that querying an ACL will almost always result in an ACL returned that is different from the one set. However, if the original ACL is representable as a POSIX ACL, then the ACL returned should represent equivalent permissions to the one set. If not, then the ACL returned should have permissions that are stricter than those requested.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>None of the filesystems which the linux server exports support NFSv4 ACLs. However, many of them do support POSIX ACLs. So we map NFSv4 ACLs to POSIX ACLs and store POSIX ACLs in the filesystem. The mapping is imperfect. It accepts most NFSv4 ACLs. (The only exceptions are ACLs which explicitly deny permissions to read attributes or acls, or which explicitly deny the owner permissions to write attributes or acls.) <ins class="diffchange diffchange-inline">The </ins>lossy nature of the NFSv4->POSIX mapping means that querying an ACL will almost always result in an ACL returned that is different from the one set. However, if the original ACL is representable as a POSIX ACL, then the ACL returned should represent equivalent permissions to the one set. If not, then the ACL returned should have permissions that are stricter than those requested.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The code to perform this mapping on the server side is in the kernel, in fs/nfsd/nfs4acl.c.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>The code to perform this mapping on the server side is in the kernel, in fs/nfsd/nfs4acl.c.</div></td></tr>
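Review bot: the parenthetical in this paragraph mixes "acls" with "ACLs", and "linux server" should read "Linux server"; suggest normalising both while the sentence is being edited. Dropping "However, the" is correct, since the following sentence already opens with "However", and the surviving sentence still states the important property that a non-representable ACL comes back stricter, never looser, than the one set.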
</table>
Bfields