>>>>> "rb" == Ralph Böhme <ra...@rsrc.de> writes:
rb> The Darwin kernel evaluates permissions in a first
rb> match paradigm, evaluating the ACL before the mode

well...I think it would be better to AND them together like AFS did.
In that case it doesn't make any difference in which order you do it
because AND is commutative. The Darwin method you describe means one
might remove permissions with chmod but still have access granted
under first-match by the ACL. I just tested, and Darwin does indeed
work this way. :(

One way to get from NFSv4 to what I want is that you might add EVEN
MORE complexity and have ``tagged ACL groups'':

 * all the existing ACL tools and NFS/SMB clients targeting the
   #(null) tag,
 * traditional 'chmod' unix permissions targeting the #(unix) tag.
 * The evaluation within a tag-group is first-match like now,
 * The result of each tag-group is ANDed together for the final
   evaluation

When accommodating Darwin ACL's or Windows ACL's or Linux NFSv4 ACL's
or translated POSIX ACL's, the result of the imperfect translation can
be shoved into a tag-group if it's unclean.

The way I would implement the userspace, tools would display all tag
groups if given some new argument, but they would always be incapable
of editing any tag group except #(null).
Another chroot-like tool would swap a given tag-group for #(null) for
all child processes:

car...@awabagal:~/bar$ ls -v\# foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chmod A+owner@:write_data:deny foo
car...@awabagal:~/bar$ ls -v\# foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:write_data:deny
#
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ echo lala > foo
-bash: foo: Permission denied
car...@awabagal:~/bar$ chpacl baz ls -v\# foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
#
     0#root:owner@:write_data:deny        <-- #root is what's mapped to #(null) at boot
#
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chpacl '(null)' true
chpacl: '(null)' is reserved.
car...@awabagal:~/bar$ chpacl baz chmod A+owner@:read_data:deny foo
car...@awabagal:~/bar$ chpacl baz ls -v\# foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:read_data:deny
#
     0#root:owner@:write_data:deny
#
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ cat foo
-bash: foo: Permission denied
car...@awabagal:~/bar$ chpacl baz cat foo    <-- current tagspace is irrelevant to ACL evaluation
-bash: foo: Permission denied
car...@awabagal:~/bar$ ls -v\# foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:write_data:deny
#
     0#baz:owner@:read_data:deny
#
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chpacl '(unix)' chmod A0=owner@::deny foo
car...@awabagal:~/bar$ chpacl '(unix)' chmod A1=owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow foo
car...@awabagal:~/bar$ ls -v\# foo    <-- subshells of 'chpacl (unix)' have precise equiv.
                                          to current behavior, including exactly the same
                                          'ls -v' output if you leave off the -#, so
                                          pre-taggroups quirky behavior can be quickly
                                          restored if some goofy script depends on it
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:write_data:deny
#
     0#baz:owner@:read_data:deny
#
     0#(unix):owner@::deny
     1#(unix):owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chpacl -u bop chmod 644 foo    <-- -u flag to map (unix). no magical constant names!
car...@awabagal:~/bar$ ls -v\# foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:write_data:deny
#
     0#baz:owner@:read_data:deny
#
     0#(unix):owner@::deny
     1#(unix):owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
#
     0#bop:owner@:execute:deny
     1#bop:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#bop:group@:write_data/append_data/execute:deny
     3#bop:group@:read_data:allow
     4#bop:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#bop:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chpacl -u bop chpacl '(unix)' ls -v\#    <-- parenthesized names are shortcuts
                                                                     to copy a translation context for
                                                                     (null). currently the only
                                                                     ``translation context'' is (unix)
                                                                     for permission bits
car...@awabagal:~/bar$ ls -v\# foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
     0#(null):owner@:execute:deny
     1#(null):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(null):group@:write_data/append_data/execute:deny
     3#(null):group@:read_data:allow
     4#(null):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(null):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
#
     0#root:owner@:write_data:deny
#
     0#baz:owner@:read_data:deny
#
     0#unix:owner@::deny
     1#unix:owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#unix:group@:write_data/append_data/execute:deny
     3#unix:group@:read_data:allow
     4#unix:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#unix:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
#
     0#(unix):owner@:execute:deny
     1#(unix):owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ ls -l foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
car...@awabagal:~/bar$ ./foo
-bash: ./foo: Permission denied
car...@awabagal:~/bar$ chpacl -u bop ls -l foo
-rw-r--r-- 1 carton carton 0 Sep 29 18:31 foo
car...@awabagal:~/bar$ ls -v foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
     0:owner@:write_data:deny
car...@awabagal:~/bar$ chpacl bop chmod A- foo
car...@awabagal:~/bar$ chpacl baz chmod A- foo
car...@awabagal:~/bar$ chmod A- foo
car...@awabagal:~/bar$ ls -v foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
car...@awabagal:~/bar$ echo lala > foo
car...@awabagal:~/bar$ cat foo
lala
car...@awabagal:~/bar$ ./foo
./foo: line 1: lala: command not found
car...@awabagal:~/bar$ ls -v\# foo
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
#
     0#(unix):owner@::deny
     1#(unix):owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$

-----8<-----

You could perhaps have a ``zoned'' bit on tag groups as well, which
would subdivide taggroup namespaces by subdirectory: if you are in the
global zone and say ``chpacl foo chmod -R A- /'' or set up
/etc/user_attr to say ``carton has root-equivalent permission to alter
tagspace #foo'' then neither would apply to the #foo with zoned=1. If
you are inside a zone, then it would apply and modify the ACL's. One
needn't make any further attempt to separate zone 1 #foo from zone 2
#foo because that can be done by keeping the zoneroots separate, and
sometimes it might be appropriate for tagspaces to bleed across zones
which remains possible with lofs mounts.

I cannot decide what to do with ACL evaluation wrt the zoned bit. One
alternative:

 * ACL evaluation, global or zoned, should always ignore the zoned bit
   and consider all ACL groups.

Another one is:

 * in the global zone, all ACL groups with the zoned bit set are
   ignored (allow everything). However, it's still impossible to
   chpacl to an ACL group with the zoned bit set. If you want to muck
   around, you would have to:

     chpacl -z 'tagspace'
     chpacl 'tagspace' command
     chpacl +z 'tagspace'

 * in a zone, all ACL groups are respected regardless of the bit.

Both have advantages and disadvantages.

-----8<-----

car...@awabagal:~/bar$ ls -v\# foob
-rwxr--r-- 1 carton carton 0 Sep 29 18:31 foo
     0z#foob:owner@:write_data:deny
#
     0#(unix):owner@::deny
     1#(unix):owner@:execute/read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2#(unix):group@:write_data/append_data/execute:deny
     3#(unix):group@:read_data:allow
     4#(unix):everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5#(unix):everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
car...@awabagal:~/bar$ chpacl foob chmod A- foo
chpacl: foob: zoned namespace
car...@awabagal:~/bar$ pfexec chpacl -z foob
car...@awabagal:~/bar$ chpacl foob chmod A- foo
car...@awabagal:~/bar$

-----8<-----

By default a zone would use the same 'root' and 'unix' tagspace as the
rest of the system with the zoned bit unset, but if chpacl is used
within the zone then it's implied that the space created should have
the zoned bit forcibly set. Thus, if you apply tagged ACL's to a file
within a zone and then unset the zoned bit on those files' tag from
the global zone, then those ACL groups cannot be changed within the
zone at all. The 'chpacl (unix)' trick still works though, and except
for this zoned-bit caveat the use of chpacl is totally unrestricted
inside the zone. This is an elegant way that the global zone can
enforce inescapable permissions onto the inside zones without reducing
the featureset available within the zone.

The zoned bit is an attribute of the tagspace on a particular file, so
there cannot be a #foob and z#foob tagspace on the same file. Display
of the zoned bit by ls -v# is inverted within the zone (sneaky, eh?),
except that (contexts) are always presented as lacking the zoned bit
even if the underlying tagspace has bit=0 in the global zone, and of
course 'chpacl +-z' is forbidden in a zone.

Lastly it should be possible to run 'chpacl' and 'chpacl -u'
implicitly at zone startup time. The given tagspace could have or lack
the zoned bit, doesn't really matter. Either way, there's no way
within the zone to determine the name of the tagspace you were shoved
into except by guessing and probing, so while the name of your
assigned tagspace is not fully secret, the fact that you're in one
should not break any future tagspace-dependent script that used to
work in the global zone.
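As an added illustration (not code from this post, ZFS or chpacl), here is a small Python model of the tagged-ACL-group evaluation proposed above, set beside the Darwin ACL-before-mode order the post complains about: first match inside each tag group, groups ANDed. It assumes that a group which never mentions the requested permission abstains, and trims the chmod-to-ACE translation to read_data/write_data/execute.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    tag: str          # tag group: "(null)", "(unix)", "baz", ...
    who: str          # "owner@", "group@" or "everyone@"
    perms: frozenset  # NFSv4 permission names this ACE covers
    allow: bool       # False is a deny ACE

OWNER = {"owner@", "everyone@"}  # the owner also matches everyone@

def first_match(aces, who_set, perm):
    """Earliest ACE naming a matching principal and perm decides;
    None means this list has no opinion about perm."""
    for ace in aces:
        if ace.who in who_set and perm in ace.perms:
            return ace.allow
    return None

def tagged_evaluate(acl, who_set, perm):
    """Proposal: first match inside each tag group, groups ANDed.
    Assumed: a group never mentioning perm abstains, and some group
    must allow (the (unix) group from the mode supplies the default deny)."""
    groups = {}
    for ace in acl:
        groups.setdefault(ace.tag, []).append(ace)
    verdicts = [first_match(g, who_set, perm) for g in groups.values()]
    return all(v is not False for v in verdicts) and True in verdicts

def darwin_evaluate(acl, mode_aces, who_set, perm):
    """Darwin style: one first-match pass over ACL then mode, so an
    ACL allow shadows a bit that chmod removed."""
    return first_match(list(acl) + list(mode_aces), who_set, perm) is True

def mode_to_aces(mode, tag="(unix)"):
    """rwx bits -> deny/allow ACE pair per class, ordered as in the
    ls -v output above (trimmed to read_data/write_data/execute)."""
    names = ("read_data", "write_data", "execute")
    aces = []
    for who, shift in (("owner@", 6), ("group@", 3), ("everyone@", 0)):
        triple = (mode >> shift) & 7
        granted = {n for b, n in zip((4, 2, 1), names) if triple & b}
        denied = set(names) - granted
        if denied:
            aces.append(Ace(tag, who, frozenset(denied), False))
        if granted:
            aces.append(Ace(tag, who, frozenset(granted), True))
    return aces

# Constructed sample: foo at mode 644 plus the transcript's explicit #(null) owner@:write_data:deny entry.
FOO_ACL = [Ace("(null)", "owner@", frozenset({"write_data"}), False)] + mode_to_aces(0o644)
```

With FOO_ACL the owner's write is refused even though the mode bits grant it, matching the `echo lala > foo` failure in the transcript, while an explicit owner@ write allow cannot survive a `chmod 444` under the tagged rule but does under the Darwin order.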
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss