PERFORCE change 144766 for review
Edward Tomasz Napierala
trasz at FreeBSD.org
Sun Jul 6 08:57:57 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=144766
Change 144766 by trasz at trasz_traszkan on 2008/07/06 08:57:32
With NFS4 ACLs, it is possible that applying a mode to an ACL which
is identical to the mode computed from that ACL will modify the ACL.
For example, mode computed from the following ACL is 0600:
user:kamila:rwx--------C--:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:rwxp----------:------:deny
group@:--------------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
However, applying that mode (chmod 0600) changes the ACL into this:
user:kamila:rwx-----------:------:deny
user:kamila:rwx--------C--:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:rwxp----------:------:deny
group@:--------------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
In chmod(1) utility, there is an optimisation, which makes it not
call chmod(2) if the mode of the file is the same as the new mode.
Disable that optimisation for files which may have NFS4 ACLs.
Affected files ...
.. //depot/projects/soc2008/trasz_nfs4acl/TODO#5 edit
.. //depot/projects/soc2008/trasz_nfs4acl/bin/chmod/chmod.c#2 edit
Differences ...
==== //depot/projects/soc2008/trasz_nfs4acl/TODO#5 (text+ko) ====
@@ -6,10 +6,6 @@
- Add error checking to acl_to_text_nfs4.c.
-- Find out what to do with chmod(1). Right now, "chmod 600" on file
- which already has mode 0600 does not call chmod(2) at all - and it
- should, as it might cause ACL recomputation.
-
- Make access control more granular.
- Attach ZFS to the framework.
==== //depot/projects/soc2008/trasz_nfs4acl/bin/chmod/chmod.c#2 (text+ko) ====
@@ -54,6 +54,7 @@
#include <unistd.h>
void usage(void);
+int may_have_nfs4acl(const FTSENT *ent);
int
main(int argc, char *argv[])
@@ -180,8 +181,15 @@
break;
}
newmode = getmode(set, p->fts_statp->st_mode);
- if ((newmode & ALLPERMS) == (p->fts_statp->st_mode & ALLPERMS))
- continue;
+ /*
+ * With NFS4 ACLs, it is possible that applying a mode
+ * identical to the one computed from an ACL will change
+ * that ACL.
+ */
+ if (may_have_nfs4acl(p) == 0) {
+ if ((newmode & ALLPERMS) == (p->fts_statp->st_mode & ALLPERMS))
+ continue;
+ }
if ((*change_mode)(p->fts_accpath, newmode) && !fflag) {
warn("%s", p->fts_path);
rval = 1;
@@ -219,3 +227,25 @@
"usage: chmod [-fhv] [-R [-H | -L | -P]] mode file ...\n");
exit(1);
}
+
+int
+may_have_nfs4acl(const FTSENT *ent)
+{
+ int ret;
+ static dev_t previous_dev = (dev_t)-1;
+ static int supports_acls = -1;
+
+ if (previous_dev != ent->fts_statp->st_dev) {
+ previous_dev = ent->fts_statp->st_dev;
+ supports_acls = 0;
+
+ ret = pathconf(ent->fts_accpath, _PC_EXTENDED_SECURITY_NP);
+ if (ret > 0)
+ supports_acls = 1;
+ else if (ret < 0 && errno != EINVAL)
+ warn("%s", ent->fts_path);
+ }
+
+ return (supports_acls);
+}
+
More information about the p4-projects
mailing list