[nfsv4] draft-ietf-nfsv4-acl-mapping-00: mapping of posix to NFSv4 access mask bits


From: Benny Halevy (bhalevy@panasas.com)
Date: 08/20/03-04:59:56 PM Z


Message-ID: <3F43EF5C.6090809@panasas.com>
From: Benny Halevy <bhalevy@panasas.com>
Subject: [nfsv4] draft-ietf-nfsv4-acl-mapping-00: mapping of posix to NFSv4 access mask bits
Date: Wed, 20 Aug 2003 17:59:56 -0400

Marius,

It seems like the mapping you suggested between the Posix
{read,write,execute} access mask bits to
ACE4_GENERIC_{READ,WRITE,EXECUTE} access masks in section 4 may have a
problem with regards to reading and writing the object's attributes
and ACL.

The Posix read, write, and execute permissions refer to file data and to the
directory contents and do not cover file attributes or ACL. Attributes
(and ACL) are always readable to everyone and writeable to the file owner
and to other permitted users, e.g. the super user.

A simple example of what can go wrong with the mapping you suggested is a
read-only file for which the file owner can never change the file's ACL
since the permission to write the file's attributes and ACL is tied with the
permission to write the file's contents.

I believe that a Posix compliant nfsv4 client should create an ACE for
the file OWNER to allow it ACE4_WRITE_{ATTRIBUTES,ACL} | ACE4_WRITE_OWNER
and an ACE for EVERYONE to allow ACE4_READ_{ATTRIBUTES,ACL} and ACE4_DELETE
(when supported by the server).

Also, for the complementing DENY ACEs suggested, what do you mean by
"with the exception that the access mask is inverted."? A Posix client
needs to map the unset Posix ACL permission bits to their corresponding
NFSv4 access mask bits in the DENY ACE.

To summarize, I believe that the correct mappings should be:
Posix read:     ACE4_READ_DATA | ACE4_LIST_DIRECTORY
Posix write:    ACE4_WRITE_DATA | ACE4_ADD_FILE | ACE4_APPEND_DATA |
                ACE4_ADD_SUBDIRECTORY | ACE4_DELETE_CHILD
Posix execute:  ACE4_READ_DATA | ACE4_LIST_DIRECTORY | ACE4_EXECUTE

--
Benny Halevy
bhalevy@panasas.com



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
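
The read-only-file case raised in the message above, worked through as an added example that is not part of the original post or of the draft: it builds the OWNER ALLOW/DENY masks for a Posix permission triplet under the ACE4_GENERIC_* mapping and under the mapping listed in the message. Mask values are those defined in RFC 3530; the helper names, and the choice to drop from the DENY mask any bit the ALLOW mask already grants, are assumptions of this example.

```python
# NFSv4 access mask bits (values as defined in RFC 3530).
ACE4_READ_DATA = ACE4_LIST_DIRECTORY = 0x00000001
ACE4_WRITE_DATA = ACE4_ADD_FILE = 0x00000002
ACE4_APPEND_DATA = ACE4_ADD_SUBDIRECTORY = 0x00000004
ACE4_EXECUTE = 0x00000020
ACE4_DELETE_CHILD = 0x00000040
ACE4_WRITE_ATTRIBUTES = 0x00000100
ACE4_WRITE_ACL = 0x00040000
ACE4_WRITE_OWNER = 0x00080000
ACE4_GENERIC_READ = 0x00120081
ACE4_GENERIC_WRITE = 0x00160106
ACE4_GENERIC_EXECUTE = 0x001200A0

R, W, X = 4, 2, 1  # Posix permission bits of one rwx triplet

# Mapping questioned in the message: Posix bits -> generic masks.
GENERIC = {R: ACE4_GENERIC_READ, W: ACE4_GENERIC_WRITE, X: ACE4_GENERIC_EXECUTE}

# Mapping listed at the end of the message: data/directory bits only.
PROPOSED = {
    R: ACE4_READ_DATA | ACE4_LIST_DIRECTORY,
    W: (ACE4_WRITE_DATA | ACE4_ADD_FILE | ACE4_APPEND_DATA
        | ACE4_ADD_SUBDIRECTORY | ACE4_DELETE_CHILD),
    X: ACE4_READ_DATA | ACE4_LIST_DIRECTORY | ACE4_EXECUTE,
}

# Bits the message says the OWNER ACE should always allow.
OWNER_ALWAYS = ACE4_WRITE_ATTRIBUTES | ACE4_WRITE_ACL | ACE4_WRITE_OWNER


def to_mask(perm, table):
    """OR together the NFSv4 bits for every Posix bit set in perm."""
    mask = 0
    for bit, ace_bits in table.items():
        if perm & bit:
            mask |= ace_bits
    return mask


def owner_aces(perm, table, always=0):
    """Return (allow_mask, deny_mask) for the OWNER entry.

    DENY carries the mapped *unset* Posix bits; bits already granted by
    ALLOW are removed from it (assumption of this example).
    """
    allow = to_mask(perm, table) | always
    deny = to_mask(~perm & 7, table) & ~allow
    return allow, deny


def owner_can_change_acl(perm, table, always=0):
    allow, deny = owner_aces(perm, table, always)
    return bool(allow & ACE4_WRITE_ACL) and not deny & ACE4_WRITE_ACL
```

For an owner triplet of `r--`, the generic mapping leaves ACE4_WRITE_ACL out of the ALLOW mask and puts it in the DENY mask, while the message's mapping with the fixed OWNER bits keeps it allowed.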



This archive was generated by hypermail 2.1.2 : 03/04/05-02:12:37 AM Z CST