Re: Status Of POSIX ACLs

Jeremy Allison (jeremy@valinux.com)
Fri, 23 Mar 2001 12:45:28 -0500


I don't read linux-kernel (too much traffic already on the Samba lists :-)
but I do read the kernel traffic summaries, and I noticed this item :

------------------------------------------------------------------------
"Jochen Dolze [*] asked, "i found at http://acl.bestbits.at the
ACL-linux-project. Now i want to know, if there is a plan to integrate
posix-ACLs into the fs-part of the kernel, e.g. into the VFS-Layer? Is
there a general discussion about this anywhere? What are the biggest
problems? (i know that many userland-tools must be changed for this)."

"Albert D. Cahalan [*] retched into his hand, and said he
hoped POSIX ACLs never got into the kernel. He added, "POSIX ACLs are crap.
NFSv4 mostly follows NT. Compatibility with NFSv4 and SMB (Samba's protocol)
is important."

And Bernd Eckenfels [*] added: AFAIK there is no Support in User Land
Programs required. You just have additional tools for managing the ACLs.
The main problem with ACLs are the storage of the additional info in the
file system. This is a hard job if you want to have it for all/most file
systems. Remy had a working Version for ext2, but it never got very
public.. dunno why. NTs ACLs are somewhat messy cause they require too
much scanning.
------------------------------------------------------------------------

Well as I like to say, they may be crap, but at least they're
slow and buggy :-) :-).

Actually, the next rev. of Samba (2.2 which will ship soon)
will *depend* upon the POSIX ACL patch at http://acl.bestbits.at
in order to support ACLs on Linux.

The reason for this is that the ACL code there is reasonably
common (ie. enough for me to have a wrapper layer that hides
all the ugliness :-) enough to provide ACL support across
Solaris, HPUX, AIX, IRIX, SCO UnixWare (all of which have
POSIX ACLs or something similar) and Linux.

In order to support ACLs, Samba needs to have an underlying
implementation of ACLs in the kernel, as Samba doesn't make
policy decisions on allowing file access in user-space (that
way root race holes lie... :-).

I just spent 3 weeks coding up a (somewhat) reasonable
mapping between NT ACLs and POSIX ACLs (ie., it's as good
as I can get it - and it's a *hard* problem :-) and it is
also the number ONE Samba feature request from shops that
use NT servers who are looking at Linux+Samba to get around
the "client access license" 'problem' :-).

If we don't eventually get them in the kernel I'm sure Sun
will be happy to suggest they convert to Samba on Solaris
to get the functionality they need :-) :-).

I certainly hope POSIX ACLs (or some form of ACL support)
does get into the kernel at some point (no, not NT ACLS - they
*suck* and are ordering dependent.... brrrrrrr :-) otherwise
there will be a host of applications for which Linux servers
will be disqualified, and that would be a shame.

Please respond to samba-technical@samba.org or to me personally
if you want more timely feedback, else I'll wait for the next
kernel-traffic summary and take my answer off line (in the
grand tradition of polite radio talk show call in listeners :-).

Cheers,

Jeremy Allison,
Samba Team.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------