>>>>> "nw" == Nicolas Williams <nicolas.willi...@oracle.com> writes:

    nw> I would think that 777 would invite chmods.  I think you are
    nw> handwaving.

It is how AFS worked.  Since no file on a normal unix box besides /tmp
ever had 777 it would send a SIGWTF to any AFS-unaware graybeards that
stumbled onto the directory, alerting them that they needed to go
learn something and come back.

I understand that everything:everyone on windows doesn't send SIGWTF,
but 777 on unix for AFS sites it did.  You realize it's not
hypothetical, right?  AFS was actually implemented, widely, and
there's experience with it.

If they failed to act on the SIGWTF, the overall system enforced the
tighter of the unix permissions and the AFS ACL, so it fails closed.
The current system fails open.

Also AFS did no translation between unix permissions and AFS ACLs, so
it was easy to undo such a mistake when it happened: double-check the
AFS ACL is not too wide on the directories where you see unix people
mucking around in case the muckers were responding to a real problem,
then set the unix modes back to 777.

    nw> When chmod()ing an object... ZFS would search for the most
    nw> specific matching file in .zfs/ACLs/ and, if found, would
    nw> replace the chmod()ed object's ACL with that of the
    nw> .zfs/ACLs/... file found.  The .inherit suffix would indicate
    nw> that if the chmod() target's parent directory has inheritable
    nw> ACEs then they will be groupmasked and added to the ACEs from
    nw> the .zfs/ACLs/... file to produce a final ACL.

This proposal, like the current situation, seems to make chmod
configurable to act like ``not chmod'' which IMHO is exactly what's
unpopular about the current regime.  You've tried to leave chmod
active on windows trees and guess at the intent of whoever invokes
chmod, providing no warning that you're secretly doing
``approximately'' what he asked for rather than exactly.  Maybe that
flies on Windows, but on Unix people expect more precision: thorough
abstractions that survive corner cases and have good exception
handling.

The problem is not that Unix people refuse to learn about Windows
permissions to accommodate windows, or that they are too stupid to
understand the 'chmod A...' stuff in the manpage.  They will learn if
you ask them to learn.  The problem is that you don't ask them.  The
repeated complaint is that when OTHER USERS hamfist a bunch of stuff
with chmod:

 (1) they destroy the correct ACLs that were put on those files by
     people who do know wtf is going on.

     The ACLs are hard to get right, and there's no simple way for
     the people who understand ACLs to undo the damage caused by
     blind chmod'ing.

 (2) it's insecure because it doesn't reliably implement the will of
     the unaware person invoking chmod and gives that person no
     warning.

AFS had neither problem, nor does my proposal.  NFSv4 as-built has both.


_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
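A toy model of the two regimes the post contrasts, added here as an illustration and not code from the thread, from AFS or from ZFS: a fail-closed regime where chmod touches only the mode word and access needs both the mode and the untouched ACL to agree, versus a fail-open regime where chmod discards the ACL and rebuilds it from the mode bits. Principal names, rights sets and the OWNER/GROUP/OTHER class keys are constructed for the example.

```python
import stat
from dataclasses import dataclass
RIGHTS = ("read", "write", "execute")
MODE_BITS = {  # permission class -> its rwx bits in the mode word
    "OWNER": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "GROUP": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "OTHER": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

@dataclass
class Obj:
    owner: str
    group: frozenset  # members of the owning group
    mode: int
    acl: dict         # principal name or class key -> set of rights

def class_of(obj, who):
    return "OWNER" if who == obj.owner else "GROUP" if who in obj.group else "OTHER"

def class_rights(mode, cls):
    """Rights the mode bits grant one permission class."""
    return {r for r, b in zip(RIGHTS, MODE_BITS[cls]) if mode & b}

def acl_rights(obj, who):
    """Rights the ACL grants `who`: its named ACE plus any class ACE that applies."""
    return set(obj.acl.get(who, ())) | set(obj.acl.get(class_of(obj, who), ()))

def chmod(obj, mode, regime):
    """'afs': only the mode word changes; 'replace': the ACL is rebuilt from the bits."""
    obj.mode = mode
    if regime == "replace":
        obj.acl = {cls: class_rights(mode, cls) for cls in MODE_BITS}

def access(obj, who, regime):
    """'afs' grants only what mode AND ACL allow (fails closed); 'replace' trusts
    whatever ACL the last chmod left behind (fails open)."""
    if regime == "afs":
        return class_rights(obj.mode, class_of(obj, who)) & acl_rights(obj, who)
    return acl_rights(obj, who)

def scenario(regime):
    """Constructed case: AFS-style 777 directory whose ACL grants alice rw and bob r.
    A graybeard sees 777 and chmods it to 700; the admin later sets it back to 777."""
    d = Obj("alice", frozenset({"alice"}), 0o777, {"alice": {"read", "write"}, "bob": {"read"}})
    result = {"bob_before": access(d, "bob", regime)}
    chmod(d, 0o700, regime)
    result["bob_after_chmod"] = access(d, "bob", regime)
    chmod(d, 0o777, regime)
    result["bob_after_restore"] = access(d, "bob", regime)
    return {**result, "acl_intact": "bob" in d.acl}
```

Under "afs" the restore brings bob back to exactly his original read right with the ACL untouched; under "replace" the same restore hands bob rwx and his named ACE is gone, which is the "no simple way to undo" complaint in concrete form.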
