From: marius aamodt eriksen (marius@umich.edu)
Date: 08/22/02-02:31:30 PM Z
Date: Thu, 22 Aug 2002 15:31:30 -0400
From: marius aamodt eriksen <marius@umich.edu>
Message-ID: <20020822193130.GA24433@umich.edu>

hi -

in writing up a proposed method to map POSIX and NFSv4 ACLs, i more
closely examined the ACL text in the RFC. i find the following to be
ambiguous:

   To determine if an ACCESS or OPEN request succeeds each nfsace4
   entry is processed in order by the server. Only ACEs which have a
   "who" that matches the requester are considered. Each ACE is
   processed until all of the bits of the requester's access have been
   ALLOWED. Once a bit (see below) has been ALLOWED by an
   ACCESS_ALLOWED_ACE, it is no longer considered in the processing of
   later ACEs. If an ACCESS_DENIED_ACE is encountered where the
   requester's mode still has unALLOWED bits in common with the
   "access_mask" of the ACE, the request is denied.

the ambiguity lies in that it does not specify what to do if the
requested access mask was not all ALLOWed, but also not DENYed. i
have always assumed to deny in this case, but it is not clear.

if this is the case, i propose to add the following sentence:

   When the ACL is fully processed, if there are remaining unALLOWed
   bits in the mask, the request is denied.

marius.

--
> marius@umich.edu
> http://www.citi.umich.edu/u/marius
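
The evaluation order quoted in the message above, with the proposed final sentence applied, as an added example (not part of the original message and not code from any NFS implementation). The struct layout, bit values and numeric principal ids are simplified assumptions; the DENIED_BY_DEFAULT verdict marks the case the message calls ambiguous.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the nfsace4 fields; names and bit values are
 * constructed for this example, not taken from the RFC. */
enum ace_type { ACE_ALLOW, ACE_DENY };
enum { BIT_READ = 0x1, BIT_WRITE = 0x2, BIT_EXECUTE = 0x4 };

struct ace {
    enum ace_type type;
    uint32_t who;          /* assumption: numeric id instead of a "who" string */
    uint32_t access_mask;
};

enum verdict { GRANTED, DENIED_BY_ACE, DENIED_BY_DEFAULT };

/* Process the ACEs in order for one requester and one requested mask. */
enum verdict acl_check(const struct ace *acl, size_t n,
                       uint32_t requester, uint32_t requested)
{
    uint32_t remaining = requested;    /* bits not yet ALLOWED */

    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (acl[i].who != requester)
            continue;                  /* only a matching "who" is considered */
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].access_mask;  /* ALLOWED bits drop out */
        else if (remaining & acl[i].access_mask)
            return DENIED_BY_ACE;      /* DENY ACE hits an unALLOWED bit */
    }
    /* ACL fully processed. The quoted text stops here; the proposed
     * sentence makes any leftover unALLOWED bit a denial. */
    return remaining == 0 ? GRANTED : DENIED_BY_DEFAULT;
}

/* Constructed sample ACL. */
static const struct ace sample_acl[] = {
    { ACE_ALLOW, 100, BIT_READ },
    { ACE_DENY,  100, BIT_WRITE },
    { ACE_ALLOW, 100, BIT_WRITE },     /* shadowed by the DENY above */
    { ACE_ALLOW, 200, BIT_READ | BIT_WRITE },
};
enum { SAMPLE_ACL_LEN = sizeof sample_acl / sizeof sample_acl[0] };
```

A request for BIT_EXECUTE by principal 100 matches three ACEs yet is neither ALLOWED nor DENIED by any of them, so the outcome depends entirely on the last line of acl_check.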