[illumos-Developer] revisiting aclmode options
Gordon Ross
gordon.w.ross at gmail.com
Tue Jul 19 19:10:50 PDT 2011
On Mon, Jul 18, 2011 at 9:44 PM, Paul B. Henson <henson at acm.org> wrote:
> Now that illumos has restored the aclmode option to zfs, I would like to
> revisit the topic of potentially expanding the suite of available modes.
[...]
At one point, I was experimenting with some code for smbfs that would
"invent" the mode bits (remember, smbfs does not get mode bits from
the remote server, only the ACL). I ended up discarding it there due to
objections from reviewers, but the idea might be useful for people who
really don't care about mode bits. I'll attempt a description below.
The idea: A new "aclmode" setting called "discard", meaning that the
users don't care at all about the traditional mode bits. A dataset with
aclmode=discard would have the chmod system call and NFS setattr
do absolutely nothing to the mode bits. The getattr call would receive
mode bits derived from the ACL. (this derivation would actually happen
when and acl is stored, not during getattr) The mode bits would be
derived from the ACL such that the mode represents the greatest
possible access that might be allowed by the ACL, without any
consideration of deny entries or group memberships.
In detail, that mode derivation might be:
The mode's "owner" part would be the union of access granted by any
"owner" type ACEs in the ACL and any ACEs where the ACE owner
matches the file owner. The mode's "group" part would be the union
of access granted by any group ACEs and any ACEs who's type is
unknown (all SIDs are of unknown type). The mode's "other" part
would be the access granted by an "Everyone" ACE, if present.
Would that be of any use?
Gordon
More information about the Developer
mailing list