rwx in ACLs (was Re: extattr in-kernel interface)
Kris Kennaway
kris at FreeBSD.org
Wed Apr 19 08:46:59 GMT 2000
On Tue, 18 Apr 2000 jont at us.ibm.com wrote:
> > Do you still plan to use rwx model for ACLs?
>
> _I_ hope he plans to do something akin to the WinNT model[1]:
> read, write, append, delete, execute, take-owner, change-perm.

It depends how far we want to go, but there's an argument for having an
ACL for each of the file-access syscalls. In addition to the above list,
there are:

* rename

If I can write to a file but not delete it, I can truncate it to zero
length but the file itself is still there. But I can still possibly hide
the file amongst others by renaming it with the rename() syscall and
creating another in its place. The rename could be prohibited by a write
ACL on the parent directory, though, but conceivably not in all cases
(e.g. a directory which contains files created dynamically by a daemon).

* chflags

This is probably going to be mostly redundant with ACLs, but there seem to
be a still-useful flag or two (opaque/nodump/archived/etc). File flags are
something which needs to be thought about for the new world order.

* stat

It might break things unexpectedly if users cannot stat files, however.

A further (and more likely to break :-) possibility is if we made it so
users could not even see the existence of a file if they don't pass a
"visible" ACL element. I don't know how feasible this is, though.

There might be other applicable syscalls I've missed.

Kris
----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe at alum.mit.edu>
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
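
The rename case from the message under plain POSIX mode bits, as an added example that is not part of the original message: a file with no write bit is renamed and replaced, because only the parent directory's write permission is consulted. The scratch directory and the file names daemon.log and .hidden are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct result {
    int hidden;      /* read-only file was renamed and a new file took its name */
    int same_inode;  /* the renamed entry is still the original file */
    int dir_blocks;  /* rename failed with EACCES once the directory lost write */
};

/* Create path with the given text, then drop it to the requested mode. */
static int put(const char *path, const char *text, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n < 0 ? -1 : chmod(path, mode);
}

struct result demo(void) {
    struct result r = {0, 0, 0};
    char dir[] = "/tmp/acl-rename-XXXXXX";  /* constructed scratch directory */
    char a[64], b[64];                        /* hypothetical file names */
    struct stat before, after;

    if (!mkdtemp(dir)) return r;
    snprintf(a, sizeof a, "%s/daemon.log", dir);
    snprintf(b, sizeof b, "%s/.hidden", dir);
    if (put(a, "original\n", 0444) == 0 && stat(a, &before) == 0) {
        /* The file has no write bit, yet the directory's write bit allows both calls. */
        if (rename(a, b) == 0 && put(a, "replacement\n", 0444) == 0) r.hidden = 1;
        if (stat(b, &after) == 0 && after.st_ino == before.st_ino) r.same_inode = 1;
        chmod(dir, 0555);  /* remove write on the parent directory */
        if (rename(b, a) != 0 && errno == EACCES) r.dir_blocks = 1;
        chmod(dir, 0700);
    }
    unlink(a); unlink(b); rmdir(dir);
    return r;
}

int main(void) {
    struct result r = demo();
    printf("hidden=%d same_inode=%d dir_blocks=%d\n", r.hidden, r.same_inode, r.dir_blocks);
    return 0;
}
```

Run it as an unprivileged user: root bypasses the directory permission check, so dir_blocks stays 0 there.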