[OpenAFS] ACLs and open-afs

Ray Link rlink+@pitt.edu
Thu, 10 Oct 2002 14:20:39 -0400 (EDT)


On Thu, 10 Oct 2002, E.Spencer B. wrote:

> > No, Solaris ACLs are UFS-only.  When attempting to use Solaris ACLs
>
> Sorry to hear this, has anyone tried to mod this behavior?

I'm guessing that it would take a change to Solaris itself.  I'd assume
that the acl(2) call goes "Is this a UFS filesystem?", sees that it's
not, and returns an error.  (However, this is just a hypothesis.  The
last Solaris sources we had were for 2.5.1.)

> Well, with Solaris ACLs and non-Solaris ACL interpreters like Linux, the
> Solaris ACLs are honored (permissions granted or not granted depending on
> the Solaris ACL), but you cannot set them from non-Solaris ACL
> interpreters like Linux from an NFS mounted Solaris exported filesystem.

That's fine for Linux with an ACL interpreter, but since anyone can set
up an AFS client and access your cell, what's to stop them from not
using the ACL interpreter?  What's to stop someone from using a
platform that doesn't even have a Solaris ACL interpreter?  Without the
interpreter, all they need is access to the directory, and their
machine doesn't care about any additional file-level restrictions.  My
point is, file-level ACLs are something that would need to be
implemented within AFS, not tacked on via vendor-specific mechanisms.

Actually doing so, however, is a completely different matter.  One has to
consider how to deal with older clients that don't grok file ACLs, among
other things.  It would completely change the internal workings of AFS.
That said, I don't foresee it happening anytime soon.  (But I could be
wrong; I'm not an AFS developer.)

==== Ray Link === University of Pittsburgh CSSD === rlink@pitt.edu ====

For some reason I was confusing "SubGenius" with "GNU" there.
        - The Cube, Forum 3000