[OpenAFS] user-visible change suggestion for fs setacl

Todd Lewis utoddl@email.unc.edu
Wed, 17 Dec 2008 08:07:25 -0500


On 12/17/2008 04:02 AM, Felix Frank wrote:
> On Wed, 17 Dec 2008, Erik Dalén wrote:
>
>> On Wed, Dec 17, 2008 at 03:09, Stephen Joyce <stephen@physics.unc.edu> wrote:
>>> On Tue, 16 Dec 2008, Tom Maher wrote:
>>>
>>>> What's the semantics for negative ACLs?  For example,
>>>>
>>>> fs sa . system:authuser rl
>>>> fs sa . badguy +rl -negative
>>>>
>>>> I'm guessing that'll give badguy negative "rl" bits.
>>>
>>> Makes sense to me.
>>>
>>>> Should 'fs sa . badguy -rl' implicitly give him negative "rl" bits, if
>>>> he doesn't have anything already?
>>>
>>> That doesn't make sense to me. I'd suggest that -<perm> should never add
>>> permissions, only remove. So it should just clear the perms if they're set
>>> and do nothing if not. To add the negative flags, do what you suggested
>>> above.
>>>
>>> My $0.02.
>>
>> Sounds very reasonable to me. My vote for implementing it like this.
>
> Still doesn't feel devoid of ambiguity, though:
>
> fs sa . user +rl -negative    # sets negative bits
> fs sa . user -rl -negative    # takes away negative bits?
> fs sa . user -rl        # takes away both negative and positive bits?
>                 # or positive only? what about neg. then?
>
> To add more confusion, I find another model conceivable:
>
> fs sa . user +a         # always removes negative bit, adds positive bit
> fs sa . user -a         # always sets negative bit, removes positive bit
>
> the drawbacks being painfully obvious.
>
> In all, with ACLs having one degree of higher complexity than unix
> permissions, there probably is no way to make this syntax 100%
> intuitively akin to chmod's.
> Thus, the original proposal to use postfix +/- might communicate the
> distinction?
>
> Regards
> Felix

Doesn't seem ambiguous to me at all. If you don't say "-negative", you
aren't messing with the negative ACLs; if you do, you're leaving the
positive ACLs alone. I'm pretty sure most folks are not even aware of
negative ACLs anyway, and those who use them intentionally are (I'm
guessing) extremely rare creatures.  My two cents.
--
Todd_Lewis@unc.edu
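
The semantics argued for in this thread (a `-<perm>` that only ever removes bits, with `-negative` selecting which of the two lists is touched), modelled as an added example that is not OpenAFS code and not part of the original messages. `AclModel`, `setacl` and `demo` are hypothetical names; the model assumes the usual AFS rule that effective rights are the positive entries for the user and their groups minus the matching negative entries.

```python
# Toy model of the +/- syntax proposed in the thread; not OpenAFS code.
# AclModel, setacl and demo are hypothetical names used only for illustration.

class AclModel:
    def __init__(self):
        self.positive = {}   # principal -> set of rights letters (normal rights)
        self.negative = {}   # principal -> set of rights letters (negative rights)

    def setacl(self, who, spec, negative=False):
        """Apply '+rl', '-rl' or plain 'rl' (replace) to exactly one list."""
        table = self.negative if negative else self.positive
        current = set(table.get(who, ()))
        if spec.startswith("+"):
            current |= set(spec[1:])
        elif spec.startswith("-"):
            current -= set(spec[1:])   # only removes; never creates negative bits
        else:
            current = set(spec)        # plain spec replaces the entry
        if current:
            table[who] = current
        else:
            table.pop(who, None)       # an empty entry disappears from the list

    def effective(self, user, groups=()):
        """Union of positive entries for user and groups, minus negative ones."""
        names = (user, *groups)
        granted = set().union(*(self.positive.get(n, ()) for n in names))
        denied = set().union(*(self.negative.get(n, ()) for n in names))
        return "".join(sorted(granted - denied))


def demo():
    """Walk the thread's commands; return badguy's effective rights per step."""
    acl, grp = AclModel(), ("system:authuser",)
    acl.setacl("system:authuser", "rl")          # fs sa . system:authuser rl
    steps = [acl.effective("badguy", grp)]
    acl.setacl("badguy", "-rl")                  # no -negative: positive list only
    steps.append((acl.effective("badguy", grp), dict(acl.negative)))
    acl.setacl("badguy", "+rl", negative=True)   # fs sa . badguy +rl -negative
    steps.append(acl.effective("badguy", grp))
    acl.setacl("badguy", "-r", negative=True)    # takes away one negative bit
    steps.append(acl.effective("badguy", grp))
    return steps


if __name__ == "__main__":
    print(demo())
```
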