File System ACLs: Where to go from here in FreeBSD?

David Collier-Brown David.Collier-Brown at Sun.COM
Mon Sep 19 14:11:51 GMT 2005 

   I don't know Sun's intentions, but I'll raise the question
and see if anyone comments.

   However, I strongly suspect the Samba team will come down
on the side of NT-compatible ACLS, as they are a genuine
center of expertise at mapping NT and Posix ACLS and
are definitely on the side of more expressive ACLs.

   I'll forward your note to them.

--dave

Robert Watson wrote:
>
> The FreeBSD ACL implementation is currently based on a late POSIX.1e
> draft, and is similar in functionality to the ACL support in Solaris,
> IRIX, and Linux.  It was developed along a similar timeline to the Linux
> ACL support, and Andreas and I chatted a fair amount along the way so
> the parallels are strong -- in fact, the Samba ACL support is almost
> identical, and the ACL API man pages on Linux are directly derived from
> our ACL man pages (and maybe some of the code?).  Differences lie
> primarily in three areas:
>
> (1) We follow the POSIX.1e specification for file creation modes, in which
>     the ACL and umask are combined with the cmode to generate a
>     conservative ACL.  This was the same as IRIX, but different from
>     Solaris; Linux adopted the Solaris model.  Since then, IRIX has (I
>     believe) also switched to the Solaris model.  Our model is
>     "conservative" in that it will never offer broader rights on a file
>     than the umask permits, but it turns out to be quite useful in some
>     environments to allow the ACL on a directory to overide the umask of a
>     program writing files there.
>
> (2) We offer a few fewer support routines in user space, such as routines
>     to copy an ACL from one file to another.  This has been getting
>     gradually fleshed out over time.
>
> (3) We don't offer Solaris-compatible NFSv3 extensions to allow remote
>     management of ACLs via NFS, although the ACLs are enforced on the
>     server so they are "implemented".  I'm not sure if these patches were
>     merged to Linux or not, but they were floating around for quite a
>     while.
>
> As I see it, there are two directions we can take file system ACL
> support, and here-in lies the Big Question:
>
> (a) We can continue down the POSIX.1e branch of the ACL world, continuing
>     to enhance and refine our support.  For example, continuing to flesh
>     out a few missing spots in user space, move over to the now
>     predominent model for generating new file permissions
>     (non-conservative ACL override), implement NFSv3 RPCs.  This is some,
>     work, but not a huge amount of work.
>
> Or, the a new option that has basically become feasible over the last
> six years since the POSIX.1e direction was the one we selected:
>
> (b) We can consider a migration to NT/NFSv4-style ACLs, which is the route
>     that Darwin has taken.  They use the FreeBSD user space ACL library
>     and POSIX.1e interfaces, but use ACLs with more NT-like semantics.
>     In particular, they have notions of taking ownership, slightly finer
>     grained directory controls, etc.  This is a lot of work.
>
> Option (b) is an interesting new choice as compared to 1999, when NTFS
> ACLs were in the distinct minority in terms of the syntax and semantics
> they offered.  However, they become much more appealing if we consider
> that there appears to be a much clearer mapping from NTFS ACLs to NFSv4
> ACLs than there is from POSIX.1e ACLs to NFSv4 ACLs.  And the fact that
> Mike Smith at Apple has taken the time to make it sit behind our library
> for the Darwin implementation on HFS+, etc, is also quite interesting.
> When I implemented the library, it was my hope that it would support
> that sort of thing, but we never actually tried :-).
>
> If we don't start considering a move to Darwin/NTFS ACLs, then we run
> into a problem when it comes to implementing NFSv4 ACLs: the mapping and
> behavior is rather poor and unclear.  There's an ID on the topic, which
> I basically read as saying "This is all rather hard and rather
> non-ideal". Apple has identified that, for them, compatibility with NT
> (and possibly NFSv4?) is the way to go, and they may be right.  On the
> other hand, the result is much reduced possibility of clean
> interoperability with Linux, Solaris, IRIX, and so on.  So there's a
> definite trade-off.
>
> If we do make this change, I'd like to also simultaneously consider a
> change to add an array size field in the ACL structure -- right now, we
> have a fixed maximum size, and there's a field that says how much of
> that space is used, but not how much space is available.  If we want to
> support longer ACLs in the future, having a variable array size will
> improve efficiency and add flexibility.
>
> If we want to consider switching to the Darwin ACL model, it sounds like
> the strategy would be something like the following:
>
> (1) Investigate the model closely, and compare it to NTFS.  Identify
>     whether any of the significant semantic differences is a problem.
>
> (2) Investigate the NFSv4 model closely, and decide if there is a clean
>     and useful mapping or not.  If there are nits, approach Apple and
>     decide whether the nits are necessary or not.
>
> (3) Produce an implementation on top of UFS2 to experiment with, and see
>     what happens.  Specifically, how our current in-kernel APIs and data
>     structures work with it.
>
> (4) See whether there is a sensible mapping from existing POSIX.1e ACLs to
>     the newer ACL style, which could be performed at run-time when reading
>     an existing ACL-enabled partition.  Specifically, in the long term
>     will we need to support two ACL modes -- a legacy POSIX.1e mode and a
>     new Darwin/NTFS/NFSv4 mode, or can we run entirely in the new mode and
>     run-time translate old ACLs to support a migration path?
>
> (6) Investigate what the implications are for applications, especially
>     relating to supporting two ACL models.  Will applications get stuck
>     figuring out how they co-exist, or can the kernel help to hide it?
>
> (7) Investigate what the implications are for users, who may find that the
>     semantic changes are significant -- and disruptive, potentially.
>     Apple has chosen to provide separate tools for managing ACLs, rather
>     than the POSIX.2e ones, and we might find the same is necessary.
>
> It would be interesting to know if systems other than Darwin have
> started exploring this route.  For example, Sun has always been quite
> interested in NFSv4 -- are they considering or have they made an ACL
> change that corresponds with the integration of NFSv4 support?
>
> My feeling is that NFSv4 might be the compelling argument to consider a
> migration, and that if we are going to migrate, the sooner we get
> started with the implementation work, the better.  Any thoughts here are
> welcome.
>
> Robert N M Watson
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-discuss" in the body of the message
>

-- 
David Collier-Brown,      | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com     |                      -- Mark Twain
(416) 263-5733 (x65733)   |
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list