Client ACL tools

From Linux NFS

(Difference between revisions)
Jump to: navigation, search

Revision as of 02:36, 4 September 2006

The libacl patches at http://linux-nfs.org/cgi-bin/gitweb.cgi?p=bfields-acl.git;a=summary have a few problems.

First, they implement acl-setting by querying the NFSv4 ACL, translating it to a posix ACL (throwing away anything not inherited or anything not effective, depending on whether we're modifying the effective or default ACL), modifying or replacing that as appropriate, then translating the result back into a NFSv4 ACL, and setting the result.

The problem is that in the process you throw out any inherited ACEs (if you're editing the default ACL), or any effective ACEs (if you're editing the effective ACL). This is particularly noticeable if you use any command that adds or modifies a default ACL--you end up with *no* permissions to the directory in question, since you set an empty effective ACL (thus denying all access).

What the code *should* do is query the NFSv4 ACL, split it into purely inherited and purely effective parts (sometimes this requires duplicating aces--see the "split" function in fs/nfsd/nfs4acl.c in the kernel code), then replace only one of those two, leaving the other the same.

Second, the NFSv4->POSIX mapping only accepts a very narrow range of NFSv4 ACLs. We have algorithms which can do better (and have implemented them on the server side in the kernel), so this should be straightforward. Email for details.

Personal tools