[OpenAFS-devel] posix chown again

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 28 Oct 2008 12:42:47 -0400 

--On Tuesday, October 28, 2008 09:57:46 AM -0400 Michael Meffie 
<mmeffie@sinenomine.net> wrote:

> Simon Wilkinson wrote:
>>
>> On 27 Oct 2008, at 15:15, Michael Meffie wrote:
>>> Jeffrey Hutzelman wrote:
>>>> --On Monday, October 20, 2008 09:51:15 AM -0400 Michael Meffie
>>>> <mmeffie@sinenomine.net> wrote:
>>>>> Since the C acl is documented as having no default meaning,
>>>>> this is conditionally compiled into the fileserver with
>>>>> the --enable-posix-chown option (disabled by default).
>>>> As discussed at the recent hackathon, the bit to be used should be
>>>> determined at configure time, rather than being hard coded.  This
>>>> allows sites that wish to use this feature to map it onto an ACL bit
>>>> they are not already using.  Thus, one would have to configure with
>>>> an option like --enable-posix-chown=C (with legal values being
>>>> [ABCDEFGH] and "no", and maybe even 'a' or 'w', but not "yes").
>>>
>>> The attached patch includes the code to set which ACL bit is to
>>> be used. The configure switch has been changed to
>>> --enable-permit-chown-acl
>>> which can be used to specify which ACL bit is used and defaults
>>> to disabled.
>>
>> Please, please, please don't make this configurable. From a user
>> experience point of view it's horrific. Having the ACL bit which
>> controls this behaviour differ between cells (and even between
>> fileservers) will confuse any user who moves between sites, or even who
>> reads a different site's documentation when trying to come to grips with
>> AFS. It spectacularly violates the principle of least surprise.
>
> All good points. I've found even testing of this patch to be
> interesting, something which we probably want to avoid for
> a security sensitive change.
>
>
>> We should either pick a bit, and make it globally consistent (and
>> reserved on those fileservers which don't enable the behaviour), or
>> defer this feature until we have more ACL bits to play with.

We can't pick a bit, because there aren't any bits available.  This is 
inherently a site-specific extension, and selection of a suitable bit can 
be done only by the site administrator who knows what other bits are 
already being used.  This is also why the extension is disabled by default 
-- in its current form, it can only be used when the site makes a 
deliberate decision to add non-standard functionality.


> What would the process be to pick a bit? Derrick originally suggested
> 'C', which seems to be a fine choice and easy to remember.

There is no process; there are no bits available.

> How could we have more ACL bits to play with? Does that entail
> an on disk format change?

Yes, and more.  There's nowhere to store additional bits either in the 
current vnode index format and no way to represent them on the wire (though 
we might be able to finesse the last, given the way these values are 
represented).

-- Jeff