Re: Issue 202: POSIX_ACL_MASK special user


From: Mike Eisler (mike@eisler.com)
Date: 07/25/02-04:10:52 PM Z


Message-ID: <3D40695C.3080501@eisler.com>
Date: Thu, 25 Jul 2002 14:10:52 -0700
From: Mike Eisler <mike@eisler.com>
Subject: Re: Issue 202: POSIX_ACL_MASK special user


marius aamodt eriksen wrote:

> * Mike Eisler <mike@eisler.com> [020719 15:13]:
>
>> POSIX ACL standardization and acceptance by customers have both
>> been failures right?
>
>
> the only place i have seen it used is by andreas gruenbacher's ACL API
> for Linux, which is close to becoming an official part of the linux
> kernel (according to linus torvalds @ usenix this year), and hence
> POSIX ACLs will have a ton of users. these are reasons for our
> decision on basing our ACL implementation upon this. it has a clean
> and to-become-standard API in the kernel, and we wanted to comply so
> that users did not have to learn a different ACL functionality for
> their NFSv4 mounts; they can use the same ACLs on their local
> FS.


I looked at it, and it looks to me like the same old arcane POSIX
ACL interface. It's a nonstarter IMHO ... but if Andreas has customers
that tolerate it, they have my admiration.
The primary problem with POSIX ACLs is that there's no way to associate a
carefully crafted long list of access control entries (such a list is an ACL)
with a symbolic name. Whereas, with UNIX style groups, one can assign
a symbolic name to lists of user names. This is a lot easier to handle,
especially when this database is extended from a file in /etc to
the directory (NIS/NIS+/LDAP).

I used to believe that ACLs would obviate the 16 group limit in
AUTH_SYS but now believe that won't happen.

There needs to be an "ACL map" in NIS/NIS+/LDAP before
ACLs succeed in the UNIX space. Windows ACLs might
be similarly hampered, I don't know, but at least Windows ACLs
have one thing going for them that UNIX doesn't ... a standard ACL
manipulation protocol for file access protocol (CIFS).
Maybe NFSv4 will solve a problem for
UNIX users, but as long as they can use UNIX groups, I doubt they
will bother. UNIX/NFS users can overcome AUTH_SYS limits
via Kerberos V5 authentication (no groups on the wire, no problem).
No, I think NFSv4 ACLs will primarily serve Windows desktops, which
is still useful.

    -mre

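The "16 group limit in AUTH_SYS" and the "no groups on the wire" remark above refer to the `authsys_parms` credential of RFC 5531, whose `gids<16>` field cannot carry more than sixteen supplementary groups. The following Python is an added example written for this archive page, not code from either poster: it encodes and decodes that credential in XDR, shows the groups beyond the 16th being dropped on the wire, and contrasts a server that trusts the wire gids with one that resolves group membership locally from its own name service (what an RPCSEC_GSS/Kerberos server does). The `SERVER_GROUP_DB` table, the host name and the uid/gid values are constructed for the demonstration.

```python
import struct

# AUTH_SYS credential body as defined in RFC 5531 (originally RFC 1057):
#   struct authsys_parms {
#       unsigned int stamp;
#       string machinename<255>;
#       unsigned int uid;
#       unsigned int gid;
#       unsigned int gids<16>;   <-- the 16-group limit
#   };
MAX_AUTH_SYS_GIDS = 16


def encode_auth_sys(stamp, machinename, uid, gid, gids):
    """XDR-encode an authsys_parms body the way an NFS client must.

    Returns (encoded_bytes, dropped_gids). Supplementary groups beyond the
    16th cannot be expressed on the wire, so they are silently dropped.
    """
    gids = list(gids)
    kept, dropped = gids[:MAX_AUTH_SYS_GIDS], gids[MAX_AUTH_SYS_GIDS:]
    name = machinename.encode("ascii")
    padding = b"\x00" * ((-len(name)) % 4)  # XDR opaque/string data is padded to 4 bytes
    body = struct.pack(">I", stamp)
    body += struct.pack(">I", len(name)) + name + padding
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(kept)) + b"".join(struct.pack(">I", g) for g in kept)
    return body, dropped


def decode_auth_sys(body):
    """Parse an authsys_parms body as a server would; rejects over-long gid arrays."""
    off = 0
    stamp, name_len = struct.unpack_from(">II", body, off)
    off += 8
    name = body[off:off + name_len].decode("ascii")
    off += name_len + ((-name_len) % 4)
    uid, gid, n = struct.unpack_from(">III", body, off)
    off += 12
    if n > MAX_AUTH_SYS_GIDS:
        raise ValueError("gids<16> bound violated")
    gids = list(struct.unpack_from(">%dI" % n, body, off))
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}


def group_permits(cred, file_gid):
    """Group-bits check using only what arrived in the AUTH_SYS credential."""
    return cred["gid"] == file_gid or file_gid in cred["gids"]


# Constructed name-service view on the server: user "alice" belongs to 20 groups
# (gids 100..119). Under RPCSEC_GSS the server authenticates a principal and looks
# membership up here instead of trusting a client-supplied gid list.
SERVER_GROUP_DB = {"alice": list(range(100, 120))}


def permits_via_server_lookup(user, file_gid):
    return file_gid in SERVER_GROUP_DB.get(user, [])


def demo():
    """Compare both paths for a file group-owned by gid 118, alice's 19th group."""
    wire, dropped = encode_auth_sys(0, "client.example", 1000, 100, SERVER_GROUP_DB["alice"])
    cred = decode_auth_sys(wire)
    return {
        "wire_gids": len(cred["gids"]),                      # 16
        "dropped": dropped,                                  # [116, 117, 118, 119]
        "auth_sys_allows_gid_118": group_permits(cred, 118),          # False
        "server_lookup_allows_gid_118": permits_via_server_lookup("alice", 118),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the example makes is the one the mail does: the truncation happens silently at the client, so a user in more than sixteen groups is denied access through AUTH_SYS to files owned by the groups that fell off the end, while a server that derives membership from its own directory after Kerberos authentication is not subject to the limit at all.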


This archive was generated by hypermail 2.1.2 : 03/04/05-01:50:05 AM Z CST