Site Specific ACL Bits/chown: Was: [OpenAFS-devel] posix chown again

Derrick Brashear shadow@gmail.com
Tue, 13 Jan 2009 16:07:45 -0500


Guess the lists were constipated. Anyway,

On Tue, Dec 9, 2008 at 11:38 AM,  <wollman@khavrinen.csail.mit.edu> wrote:
> <<On Tue, 9 Dec 2008 07:46:36 +0000, Simon Wilkinson <sxw@inf.ed.ac.uk> said:
>
>> On 8 Dec 2008, at 17:46, Jeffrey Hutzelman wrote:
>>> Too late; that ship has already sailed.  The very existence of site-
>>> specific ACL bits is a statement that it _is_ fine for cell
>>> administrators to decide what the meanings of those bits should be.
>>> That decision was made, and the bits were being used, long before
>>> the OpenAFS project was started.
>
>> But the use of these bits isn't incorporated into the OpenAFS code.
>
> Please excuse my skepticism, but there seems to be a fairly strong
> claim being put forth here and I've not seen any evidence at all to
> back it up.
>
> These so-called "site-specific ACL bits": evidence?  In which cells,
> precisely, are they being used, and for what?

The primary issue would be "we don't know".

At some point one of the bits, maybe "G", meant "if you have rights
via this acl entity the group and not owner bits apply to you" in
clients of the Athena cell running software as modified by Richard
Basch. That's the obvious top of my head example.

> Can you point to
> documentation from a specific site that explains how they use them?

Nope. But in that case I probably still have the code somewhere.

> Are these purely private uses, or has the code been released to other
> sites?

Depends what you mean, but I was clearly not Athena when I got the
code nor did OpenAFS exist yet, so, arguably yes.

> Given that the OpenAFS code assigns no semantics to them, how
> many servers do you (have reason to) believe actually implement custom
> ACL semantics?

In the above example it's a client.

The "principle of least surprise" which I picked up in my interactions
with CMU SCS Facilities dictates a change not suddenly show up, and
the real issue is not servers, really, anyway. Those will all get
upgraded or we can at least do due diligence to explain and provide
tools to manage ACLs. The issue is at least somewhat that in the
example: what happens where an ACL bit means one thing to one client,
something else to another, and you didn't mean to imply the behavior
you got, but the other? Sure, in this case you don't give away any
server abilities, but what happens if you end up giving away root on
the client, for instance?

-- 
Derrick