Re: ACL handling for NFSv4
- Subject: Re: ACL handling for NFSv4
- From: Rick Macklem <email@hidden>
- Date: Thu, 27 Nov 2008 12:06:24 -0500 (EST)
On Thu, 20 Nov 2008, Terry Lambert wrote:
[good stuff snipped]
So if I have an ACE I am trying to set, since the storage format *happens* to
be GUID, then we translate the integer for the gid and uid of the current
credential into a GUID for the purposes of storage.
For the purposes of comparison on lookup, we then convert the current
credential into a GUID (in general, the uid, since that is the primary
identity in a credential), and compare the GUID to the GUID in the ACE. This
is handled in xnu in bsd/kern/kern_authorization.c:kauth_acl_evaluate().
Although there are support functions for translating in the other direction,
e.g. kauth_cred_guid2uid() and kauth_cred_guid2gid(), no one uses them, and I
would, in fact, like to keep things that way. The only exception to this is
that kauth_cred_guid2gid() is used by kauth_cred_ismember_guid() when attempting
to set a group owner on a file. This use is poorly supported by the rest of
the code and should be avoided.
Ok, thanks to the help you guys have provided, I've been able to code most
of it. I have run into one more glitch w.r.t. handling ace_applicable when
setting an ACL. If kauth_wellknown_guid() returns KAUTH_WKG_NOT, I have
an ace_applicable that I need to turn into:
email@hiddenn
and to do that, I need to know:
- is it a user or group?
Once I know that, I can use kauth_cred_guid2uid() or
kauth_cred_guid2gid(). (I know you say you'd rather they not be used, but
I don't see another way.)
From looking at kern_credential.c, all I can think of is doing
kauth_cred_guid2gid() first and assuming it is a group, if it succeeds.
(Which won't work if a given guid_t represents both a gid and uid.)
Any suggestions on how to handle this?
Thanks in advance for any help, rick
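As an added illustration of the GUID-keyed evaluation Terry describes (credential uid/gid translated to a GUID and compared against the GUID stored in the ACE) and of the reverse-mapping ambiguity Rick raises, here is a small self-contained model. It is example code written for this discussion, not XNU's kauth code and not Rick's NFSv4 code; the directory table, the GUID byte values, the rights bits and the ordered deny-before-allow evaluation are constructed assumptions, and the hypothetical guid_to_id() reports an ambiguous result instead of guessing when a GUID is registered as both a user and a group.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of GUID-keyed ACL handling (constructed for illustration,
 * not XNU code). ACEs store a guid_t; credentials hold numeric uid/gids that
 * are translated to GUIDs for comparison, the direction Terry describes. */

typedef struct { uint8_t g[16]; } guid_t;

enum { ACE_ALLOW = 1, ACE_DENY = 2 };
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4 };
enum { MAP_NONE = 0, MAP_USER = 1, MAP_GROUP = 2, MAP_AMBIGUOUS = 3 };

typedef struct { guid_t who; int kind; uint32_t rights; } ace_t;
typedef struct { guid_t guid; uint32_t id; bool is_group; } idrec_t;
typedef struct { uint32_t uid; uint32_t gids[4]; int ngids; } cred_t;

/* Stand-in for the directory service (constructed data). The 0xAA GUID is
 * deliberately registered as both uid 1000 and gid 1000, the case Rick asks about. */
static const idrec_t directory[] = {
    { {{0xAA,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x01}}, 1000, false },
    { {{0xAA,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x01}}, 1000, true  },
    { {{0xBB,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x02}}, 501,  false },
    { {{0xCC,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x20}}, 20,   true  },
};
#define NDIR (sizeof directory / sizeof directory[0])

static bool guid_eq(const guid_t *a, const guid_t *b) {
    return memcmp(a->g, b->g, sizeof a->g) == 0;
}

/* Forward mapping (uid/gid -> GUID): used both when an ACE is stored and
 * when a credential is checked against it. */
bool id_to_guid(uint32_t id, bool is_group, guid_t *out) {
    for (size_t i = 0; i < NDIR; i++) {
        if (directory[i].id == id && directory[i].is_group == is_group) {
            *out = directory[i].guid;
            return true;
        }
    }
    return false;
}

/* Reverse mapping (GUID -> uid/gid): only needed when exporting an ACE to a
 * representation that wants a numeric id or a name. Returns MAP_AMBIGUOUS
 * rather than silently assuming "group" when both records exist. */
int guid_to_id(const guid_t *g, uint32_t *id) {
    int found = MAP_NONE;
    for (size_t i = 0; i < NDIR; i++) {
        if (!guid_eq(&directory[i].guid, g)) continue;
        found |= directory[i].is_group ? MAP_GROUP : MAP_USER;
        *id = directory[i].id;
    }
    return found;
}

/* Does this credential match the ACE's applicable GUID? uid first, then groups. */
static bool cred_matches(const cred_t *c, const guid_t *who) {
    guid_t g;
    if (id_to_guid(c->uid, false, &g) && guid_eq(&g, who)) return true;
    for (int i = 0; i < c->ngids; i++)
        if (id_to_guid(c->gids[i], true, &g) && guid_eq(&g, who)) return true;
    return false;
}

/* Ordered evaluation: an ACE only affects rights not yet decided by an earlier
 * ACE; a matching deny on an undecided right rejects the request, allows
 * accumulate, and any right never decided is implicitly denied. */
bool acl_evaluate(const ace_t *acl, size_t n, const cred_t *c, uint32_t requested) {
    uint32_t undecided = requested;
    for (size_t i = 0; i < n && undecided; i++) {
        if (!cred_matches(c, &acl[i].who)) continue;
        if (acl[i].kind == ACE_DENY && (acl[i].rights & undecided)) return false;
        if (acl[i].kind == ACE_ALLOW) undecided &= ~acl[i].rights;
    }
    return undecided == 0;
}

/* Constructed scenario: deny write to gid 20, then allow rwx to uid 501. */
static const ace_t sample_acl[] = {
    { {{0xCC,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x20}}, ACE_DENY,  R_WRITE },
    { {{0xBB,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x02}}, ACE_ALLOW, R_READ | R_WRITE | R_EXEC },
};

bool demo_read_allowed(void)  { cred_t c = { 501, {20}, 1 }; return acl_evaluate(sample_acl, 2, &c, R_READ); }
bool demo_write_allowed(void) { cred_t c = { 501, {20}, 1 }; return acl_evaluate(sample_acl, 2, &c, R_WRITE); }
int  demo_ambiguous(void)     { uint32_t id; return guid_to_id(&directory[0].guid, &id); }
```

The model keeps the forward direction (id to GUID) as the only one the access check needs, which is why the earlier deny for gid 20 wins over the later allow for uid 501 on write while read is still granted. The reverse direction exists purely for export, and the ambiguous case is surfaced to the caller instead of being resolved by trying kauth_cred_guid2gid() first. For comparison, user-space code on macOS can ask libmembership's mbr_uuid_to_id() (declared in <membership.h>), which returns the id together with an ID_TYPE_UID or ID_TYPE_GID type indicator, so the user-or-group question is answered by the resolver rather than guessed.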
Darwin-kernel mailing list (email@hidden)