Non-trivial ACLs only?

Edward Tomasz Napierała trasz at FreeBSD.org
Sun Jul 13 18:55:17 UTC 2014


On 0713T1215, Dr. Rolf Jansen wrote:
> Is there an easy (one-pass) way to retrieve only non-trivial ACLs from a file system item?
> 
> In the course of the speed optimization of my file system cloning tool https://code.google.com/p/clone/ for FreeBSD and Mac OS X, I found out that on FreeBSD-UFS2 (ACL enabled) the function acl_get_link_np() also returns the standard access rights as an ACL, and my tool did an unnecessarily extraordinary amount of work in fetching this from the original and storing it to the cloned file system items. For millions of files, the extra time spent sums up to hours.
> 
> On Mac OS X, acl_get_link_np() returns real ACLs only, can I have this somehow for FreeBSD too?

No, because it's a bug.  Unfortunately I don't expect Apple
to fix their implementation.

> For the time being I came up with the following quite involved solution:
> 
> // reading the ACLs
> int trivial;
> 
> if ((xmd->acl[0] = acl_get_link_np(src, ACL_TYPE_ACCESS)) &&
>     (acl_is_trivial_np(xmd->acl[0], &trivial) || trivial))
> {
>    acl_free(xmd->acl[0]);
>    xmd->acl[0] = NULL;
> }
> 
> if ((xmd->acl[1] = acl_get_link_np(src, ACL_TYPE_DEFAULT)) &&
>     (acl_is_trivial_np(xmd->acl[1], &trivial) || trivial))
> {
>    acl_free(xmd->acl[1]);
>    xmd->acl[1] = NULL;
> }

This one is wrong.  There is no such thing as a trivial default
ACL.  If you can actually retrieve an ACL_TYPE_DEFAULT ACL and
there are any entries in it, it's non-trivial.

> if ((xmd->acl[2] = acl_get_link_np(src, ACL_TYPE_NFS4)) &&
>     (acl_is_trivial_np(xmd->acl[2], &trivial) || trivial))
> {
>    acl_free(xmd->acl[2]);
>    xmd->acl[2] = NULL;
> }
> 
> This doesn't seem to work properly for directories, any ideas why?

I think it's the problem above.

> Isn't there a better way?

Actually, there is.  You try to obtain both POSIX and NFSv4
ACLs for every file, even though the filesystem can always
support either one, or the other.

Take a look at how e.g. the cp(1) utility does it.  The source
code is here:

http://svnweb.freebsd.org/base/head/bin/cp/utils.c?revision=245960&view=markup

Look for the preserve_fd_acls() function.

> Is it really necessary to assemble the standard access rights into an ACL? I did not expect this; Mac OS X doesn't do this, and in the present situation it spoils everything.

Well, yes, because the standard UNIX permissions are a part of ACL
by definition.

> Anyway, for the present purpose it would be great to have at least a function which simply informs whether a file system item got a non-trivial ACL or not, without actually needing to load that ACL into memory.

I don't think there would be any measurable speedup.  You still
need to use a syscall to do this, and the syscall would need to
access ACL metadata.  The only difference from what you're doing
right now is calling acl_is_trivial_np() and perhaps acl_free(),
which are both just library functions, and thus cheap.
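
An added example, not part of the thread and not code from cp(1): one way to apply the two points of the reply above, namely querying only the ACL flavour the filesystem supports and treating a default ACL as non-trivial as soon as it has an entry. All helper names are hypothetical; the part that calls the ACL API is guarded so it compiles only on FreeBSD, and keeping an ACL when acl_is_trivial_np() fails is an assumption that differs from the quoted code.

```c
/* Added example; helper names are hypothetical, not from the thread or cp(1). */
enum { WANT_NFS4 = 1, WANT_ACCESS = 2, WANT_DEFAULT = 4 };

/* nfs4/posix: pathconf results for _PC_ACL_NFS4 / _PC_ACL_EXTENDED (> 0 means
 * supported). A filesystem has one flavour or the other; default ACLs exist
 * only in the POSIX.1e flavour, and only on directories. */
int acl_types_to_query(long nfs4, long posix, int is_dir)
{
    if (nfs4 > 0)
        return WANT_NFS4;
    if (posix > 0)
        return WANT_ACCESS | (is_dir ? WANT_DEFAULT : 0);
    return 0;
}

#ifdef __FreeBSD__  /* the part below needs FreeBSD's ACL API */
#include <sys/types.h>
#include <sys/acl.h>
#include <unistd.h>

/* Return the ACL only if it is non-trivial, else NULL. A default ACL counts
 * as non-trivial once it holds one entry; others use acl_is_trivial_np(). */
static acl_t get_nontrivial(const char *path, acl_type_t type)
{
    acl_t acl = acl_get_link_np(path, type);
    acl_entry_t e;
    int trivial;
    if (acl == NULL)
        return NULL;
    if (type == ACL_TYPE_DEFAULT)
        trivial = (acl_get_entry(acl, ACL_FIRST_ENTRY, &e) != 1);
    else if (acl_is_trivial_np(acl, &trivial) != 0)
        trivial = 0;    /* assumption: on error keep the ACL, do not drop it */
    if (!trivial)
        return acl;
    acl_free(acl);
    return NULL;
}

/* out[0] = access, out[1] = default, out[2] = NFSv4, as in xmd->acl[]. */
void read_acls(const char *path, int is_dir, acl_t out[3])
{
    long nfs4 = lpathconf(path, _PC_ACL_NFS4);
    long posix = nfs4 > 0 ? 0 : lpathconf(path, _PC_ACL_EXTENDED);
    int want = acl_types_to_query(nfs4, posix, is_dir);

    out[0] = (want & WANT_ACCESS) ? get_nontrivial(path, ACL_TYPE_ACCESS) : NULL;
    out[1] = (want & WANT_DEFAULT) ? get_nontrivial(path, ACL_TYPE_DEFAULT) : NULL;
    out[2] = (want & WANT_NFS4) ? get_nontrivial(path, ACL_TYPE_NFS4) : NULL;
}
#endif
```

The caller frees each non-NULL entry of out[] with acl_free() once it has been applied to the clone.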
