Relative vs. absolute ACLs, and necessity for '-' when printing

[Robert Watson]

Two quickies:

1) The POSIX.2c setfacl spec refers to "absolute" and "relative" ACLs.  In
permission-land, the difference has to with the use of an operator ('-',
'+') rather than specification of a mode directly.  In ACLs, I would guess
it involves invidual entries in the ACL using operators rather than
absolutely specifying the rights, but I was unable to find this definition
in .1e or .2c  Could someone point me in the right direction?

2) The .2c getfacl specification states that a given right letter ("w",
for example) "may" be replaced by a "-" if the right is not present.  As
such, in my first implementation, I simply listed rights present when
using acl_to_text(), such that I got "...:rw", or "...:w" or the like.
This is compatible with the input format.  However, is "may" meant to be
taken as "MAY" in the IETF sense, or as a "should" of some sort? :-)
Changing it is easy, I just have to know to do it.

It strikes me that setfacl is a fairly unfortunate and over-burdened set
of functionality, and that it's also rather hard to implement given the
ACL editing library.  Earlier on the list, Andreas and I discussed an
acl_from_text_with_flags() type of call that accepted a flags field
indicating the types of conversions to perform, and some or another call
to merge a starting ACL with a modifying ("relative"?) ACL so as to better
support setfacl.  Given that my implementation of setfacl is fairly
incomplete, I don't have a sense of the best supporting calls to use here,
and any guidance would be appreciated.  :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message