Re: ACL handling for NFSv4
- Subject: Re: ACL handling for NFSv4
- From: Rick Macklem <email@hidden>
- Date: Wed, 3 Dec 2008 16:12:44 -0500 (EST)
On Mon, 1 Dec 2008, Terry Lambert wrote:
[good stuff snipped]
I agree with this, but you need to be very careful here.
A lot of client/server enforcement is predicated on the idea that the client
and server will be members of the same security association, and being
members of the same SA, you will get the same answer for both ends. In most
of these cases, the enforcement is intended to be done server-side, while
(potentially) being originated client-side or via inheritance.
For NFSv4, the enforcement is done on the server.
For GUID translations for unknown GUIDs, which are "unknown" because you have
disconnected your laptop from the corporate network and happened to be using
ACLs on it, or you have disconnected your laptop from one of maybe three SAs
it's normally a member of (e.g. you are in your home office talking to your
home office server (SA 1), your Internet connection is up (SA 2), but your VPN
connection into work is currently down (SA 3)), then DS will make up a
transient answer for you.
This will boil down to you being likely to get an answer to the first
question you ask in this situation, i.e. "please give me a transient GID for
this GUID" or "please give me a transient UID for this GUID", but not both.
The ACL support will only be enabled when a mount option is set and that
allows me to document the above in the man page for that option.
Would you mind if I cut/paste some of the above into the man page,
attributing it to you as the author?
Thanks again, rick
Darwin-kernel mailing list (email@hidden)