Problem with default ACLs and mask
Robert Watson
rwatson at FreeBSD.org
Fri Oct 14 06:20:56 PDT 2005
On Fri, 14 Oct 2005, Heinrich Rebehn wrote:
>> The problem, so to speak, is that we actually implement what is
>> described in the POSIX.1e spec. When we did our initial
>> implementation, the various OS's varied a bit in the semantics they
>> implemented:
>>
>> - Solaris implemented umask override if the mask was specified in the
>> default ACL.
>
> does umask override or is umask overriden? :-) I suppose the former.
Sorry -- to be more specific, in the Solaris ACL model, the umask will be
ignored if a mask exists in the default ACL of the parent. In POSIX.1e,
the umask and parent mask are combined to generate a conservative result,
avoiding applications leaking data in the event they understand
permissions but not ACLs. Of course, many people find it desirable to be
able to override the umaks by directory, hence interest in the less
conservative model.
>> - IRIX implemented the spec.
And to clarify this: IRIX and FreeBSD both implemented POSIX.1eD17 as
written. We implemented it because it was the spec, and SGI implemented
it because the primary editor of that draft of the spec was running their
trusted systems team. :-)
> Thanks for this in-depth explanation. This sounds like we cannot expect
> a solution any time soon. I will think about another method of managing
> our lab users (or use adjust umask - better than nothing). I would
> really appreciate alternative models for NFS4.
I think a solution for 7.0 is quite likely, but a solution for 6.x is less
likely because I'm not sure I want to change something like the semantics
of ACLs and file system interfaces during a -STABLE branch. I'll have to
think about it a bit -- we may be able to offer it as a non-default option
that will be configured by default in 7.x, if it's OK to change the
internal kernel file system interfaces during the RELENG_6 life span.
Robert N M Watson
More information about the freebsd-fs
mailing list