ACL sorting, qualifier uniqueness
Robert Watson
rwatson at FreeBSD.org
Sat Mar 10 23:46:48 GMT 2001
In my first implementation of ACLs on FreeBSD, I required that userland
processes submit only ACLs with strictly sorted entries. The intent in
doing so was to allow the kernel to iterate through the ACL once when
doing a syntax check, and determine that there were no duplicated
qualifiers for any of the tags. That is, there were no duplicate uid's or
gid's in the list; if sorted, it's only necessary to walk down the list
and (a) verify that they are sorted, and (b) that there are no adjacent
entries with the same qualifier/tag. In later revisions of the code, I
remove this requirement, and disabled the check for duplicated qualifiers,
as the verification code simply does a first match on users, and best
match on groups. I have two questions:
1) What sorting requirements, if any, are enforced in other
implementations? Also, what syntactic requirements, if any, are
enforced with regards to duplicated qualifiers for a tag?
2) Many calls specifically disclaim ordering as a property that will
be preserved over the call. To what extent is this the case on
other platforms?
If desirable, I can reinstate the ordering verification in kernel along
with the associated syntactic check for qualifiers, and similarly
introduce an acl_sort() invocation in acl_set_{fd,file}(). Just want to
get a feel for what other platforms do.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e
mailing list