nfsv4 acls and mode bits
play

NFSv4 ACLs and mode bits Traditionally clients have used either mode - PDF document

Nov 23, 2022 •297 likes •369 views

fields_combined.html 09/22/2006 10:41 AM NFSv4 ACLs and mode bits Traditionally clients have used either mode bits or Windows ACLs, rarely (if ever) both. This limits the kind of mode-bit/NFSv4 ACL interactions seen so far. NFSv4 (hopefully!)

  1. fields_combined.html 09/22/2006 10:41 AM NFSv4 ACLs and mode bits Traditionally clients have used either mode bits or Windows ACLs, rarely (if ever) both. This limits the kind of mode-bit/NFSv4 ACL interactions seen so far. NFSv4 (hopefully!) will change this. The goal is to move to a common permissions model based on Windows/NFSv4 ACLs. How do we migrate unix systems to NFSv4 ACLs? What sort of problems are we likely to encounter as we do so? Widespread integration of Windows ACLs into unix filesystems and interfaces may present new problems not as common in previous multi-protocol situations. Past experience with Windows ACL/mode bit sharing may not be enough. How do applications use modes? Do applications use modes? Yes! chmod calls on fieldses.org, a Debian (Sid) server/desktop/entertainment center..... 296077 faubackup-scatter 832 chmod 494 udevd 148 dpkg 98 sshd 38 pine 33 totem 17 xmame 17 vi 12 dpkg-preconfigure 11 unison 10 ld 6 gdm 6 xine 5 unison 3 dbus-daemon 3 postmaster 3 screen 3 syslogd 3 Xorg 2 firefox-bin 2 objcopy file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 1 of 6

  2. fields_combined.html 09/22/2006 10:41 AM 1 d 1 install 1 postmaster 1 vim What do they expect from mode bits? How do applications use mode bits? What does the standard say? All you need to know is: After a chmod, permissions must be bounded above by the given mode. This condition is very easily met: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 644 ALLOW OWNER@ rw- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- But POSIX allows preserving more, if you want: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 644 ALLOW OWNER@ rw- ALLOW u:andros r-- ALLOW u:bfields r-- ALLOW g:users r-- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- Should you do more? Inherited ACLs and open() file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 2 of 6

  3. fields_combined.html 09/22/2006 10:41 AM If you implement chmod by replacing the NFSv4 ACL, and you use the same algorithm on inheritance, then unix clients will never inherit ACLs. Inherited ACLs represent policy that should be overridden only when explicitly requested. Can we handle inheritance as a special case? Based on observed chmod use by applications, open("somefile", O_RDWR|O_CREAT, mode1) ... write some stuff, etc ... chmod("somefile", mode2) is extremely common. Without ACLs, final permissions are the same as they would have been if we created the file with mode2. With ACLs, they may be completely different. Should we do more? Masking Without masking: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 0 ALLOW EVERYONE@ --- chmod 644 ALLOW OWNER@ rw- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- With masking: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 0 file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 3 of 6

  4. fields_combined.html 09/22/2006 10:41 AM ALLOW EVERYONE@ --- chmod 644 ALLOW OWNER@ rw- ALLOW u:andros r-- ALLOW u:bfields r-- ALLOW g:users r-- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- How do you store the extra information? Masking Explicit mask in the ACL: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 0 DENY OWNER@ rwx ALLOW OWNER@ rwx DENY u:andros rwx ALLOW u:andros rwx DENY u:bfields rwx ALLOW u:bfields rwx DENY g:users rwx ALLOW g:users rwx DENY GROUP@ rwx ALLOW GROUP@ rwx DENY EVERYONE@ rwx ALLOW EVERYONE@ rwx chmod 644 ALLOW OWNER@ rw- ALLOW u:andros r-- ALLOW u:bfields r-- ALLOW g:users r-- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- Storing the mask separately on the server: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 4 of 6

  5. fields_combined.html 09/22/2006 10:41 AM ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 0 ALLOW EVERYONE@ --- chmod 644 ALLOW OWNER@ rw- ALLOW u:andros r-- ALLOW u:bfields r-- ALLOW g:users r-- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- Advantages: ACLs returned are as simple as in the case where there is no masking. We still handle the only case we care about: open(...,mode1) chmod(...,mode2) chmod(...,mode3) ... (We don't handle this case: open(...,mode1) chmod(...,mode2) get acl set acl chmod(...,mode3) But that's not a case we care about.) Disadvantage: Operation is opaque to client Mask attribute? Masking Client's view with and without mask attribute: ALLOW OWNER@ rwx ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 5 of 6

  6. fields_combined.html 09/22/2006 10:41 AM chmod 0 Client that requests acl only: Client that requests acl and mask: ACL: ACL: mask: ALLOW EVERYONE@ --- ALLOW OWNER@ rwx 000 ALLOW u:andros rwx ALLOW u:bfields rwx ALLOW g:users rwx ALLOW GROUP@ rwx ALLOW EVERYONE@ rwx chmod 644 ALLOW OWNER@ rw- ALLOW u:andros r-- ALLOW u:bfields r-- ALLOW g:users r-- ALLOW GROUP@ r-- ALLOW EVERYONE@ r-- Advantages: Operation of mask is no longer opaque to client Allows complete save and restore of permissions over NFSv4. Direct manipulation of mask may be useful in some cases. Disadvantages: None. It's optional. Feel free to pretend it doesn't exist. file:///Users/shepler/sun_home/2006nfsv4interim/fields_combined.html Page 6 of 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a list of Access Control Entries attached to a file or a directory ACEs grant or deny a principal an action on a file or a directory ACL basics

379 views • 34 slides
dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 |

dCache NFSv4.1 Tigran Mkrtchyan Zeuthen, 13.04.12 dCache NFSv4.1 | Tigran Mkrtchyan | 4/13/12 | Page 1 Outline NFSv41 basics NFSv4.1 concepts PNFS Id mapping Industry standard dCache implementation dCache NFSv4.1 |

1.14k views • 46 slides
NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck

NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck

NFSv4 Beyond v4.2 Part 2 of Road Map of the features in NFS v4.1, v4.2, and beyond Dave Noveck Netapp Vault Conference March 2017 Contents A tiny bit about the NFSv4 Working group and the IETF process NFSv4 beyond v4.2 as approved

750 views • 16 slides
MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1

NFSv4.1/pNFS Ready for Prime Time Deployment February 15, 2012 FAST 2012 San Jose NFSv4.1 pNFS product community Value of NFSv4.1 / pNFS Industry Standard Secure Performance and Scale Throughput Increased Storage Capacity

368 views • 24 slides
IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt

IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt

draft-eisler-nfsv4-impid-00.txt draft-adamson-nfsv4-spkm3-00.txt IETF-64 2005-11-08 Mike Eisler email2mre-ietf@yahoo.com draft-eisler-nfsv4-impid-00.txt Problem: NFSv4.0 has no method for allowing clients and servers to provide to each

487 views • 7 slides
GANESHA, a multi-usage with large cache NFSv4 server Philippe Deniel Thomas Leibovici

GANESHA, a multi-usage with large cache NFSv4 server Philippe Deniel Thomas Leibovici

GANESHA, a multi-usage with large cache NFSv4 server Philippe Deniel Thomas Leibovici Jacques-Charles Lafoucrire FAST07 / Work in Progress Session 1 GANESHA and NFSv4 NFSv4 is a complex and generic protocol. It can be used to

441 views • 5 slides
1 Transducers Inherently Discrete values devices that convert from one representation to

1 Transducers Inherently Discrete values devices that convert from one representation to

Interpretation of bits depends on context meaning of a group of bits depends on how they are interpreted 1 byte could be Bits, Bytes, 1 bit in use, 7 wasted bits (e.g., M/F in a database) 8 bits storing a number between 0 and 255

543 views • 3 slides
NFSv4 Strawman Spencer Shepler spencer.shepler@eng.sun.com draft-shepler-nfsv4-02.txt Spencer

NFSv4 Strawman Spencer Shepler spencer.shepler@eng.sun.com draft-shepler-nfsv4-02.txt Spencer

42nd IETF NFSv4 Strawman Slide 1 of 19 42nd IETF NFSv4 Strawman Spencer Shepler spencer.shepler@eng.sun.com draft-shepler-nfsv4-02.txt Spencer Shepler 42nd IETF NFSv4 Strawman Slide 2 of 19 Charter Goals for V4 Improved access and

481 views • 19 slides
Bits and Bytes Topics Topics Why bits? Representing information as bits

Bits and Bytes Topics Topics Why bits? Representing information as bits

Systems I Bits and Bytes Topics Topics Why bits? Representing information as bits Binary/Hexadecimal Byte representations numbers characters and strings Instructions Bit-level manipulations Boolean algebra

614 views • 33 slides
The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

32 PART I Networking Basics weather station. More realistic devices use duplex mode , where all systems can send or receive with equal facility. This is often further distinguished as half-duplex (the system can send and receive, but not at the

161 views • 13 slides
Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

15-213 The Class That Gives CMU Its Zip! Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l Binary/Hexadecimal l Byte representations numbers characters and strings Instructions n

690 views • 34 slides
On Channel Bindings draft-ietf-nfsv4-channel-bindings-02.txt Nicolas.Williams@sun.com (to be

On Channel Bindings draft-ietf-nfsv4-channel-bindings-02.txt Nicolas.Williams@sun.com (to be

On Channel Bindings draft-ietf-nfsv4-channel-bindings-02.txt Nicolas.Williams@sun.com (to be presented at 60 th IETF NFSv4 WG and KITTEN BoF meetings) Introduction Channel bindings allow session protection at one network layer to be

603 views • 24 slides
pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78 NFSv4 WG Meeting, July 28, 2010 Sorin Faibish sfaibish@emc.com David Black - EMC Mike Eisler - NetApp Jason Glasgow - Google Problem Statement

376 views • 6 slides
Disclosure Crashing Patient (Beyond A-B-C and ACLS) I have no financial relationships to

Disclosure Crashing Patient (Beyond A-B-C and ACLS) I have no financial relationships to

10 Things You Must Consider in the Disclosure Crashing Patient (Beyond A-B-C and ACLS) I have no financial relationships to disclose. Amal Mattu, MD, FAAEM, FACEP Professor and Vice-Chair Department of Emergency Medicine University of

549 views • 34 slides
NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4

NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4

42nd IETF NFSv4 Requirements Slide 1 of 11 42nd IETF NFSv4 Requirements Spencer Shepler spencer.shepler@eng.sun.com Spencer Shepler 42nd IETF NFSv4 Requirements Slide 2 of 11 WG Charter and Requirements First Milestone - deliver

327 views • 11 slides
Live demonstration of Project accounting Andr Scharmann, mbi GmbH Live demonst onstrat ration

Live demonstration of Project accounting Andr Scharmann, mbi GmbH Live demonst onstrat ration

Live demonstration of Project accounting Andr Scharmann, mbi GmbH Live demonst onstrat ration ion of Proj oject ect accou counti nting ng Workshop 06 Block II (13:30-14:15) Live demonstration of Project accounting SYMPOSIUM 2019

549 views • 34 slides
This webinar is brought to you by CLEONet www.cleonet.ca CLEONet is a web site of legal

This webinar is brought to you by CLEONet www.cleonet.ca CLEONet is a web site of legal

This webinar is brought to you by CLEONet www.cleonet.ca CLEONet is a web site of legal information for community workers and advocates who work with low-income and disadvantaged communities in Ontario. 2010, Community Law School

533 views • 26 slides
I/O Virtualization with Hardware Support Ubaid H. and Vasia P. Trade-offs and Motivation - In

I/O Virtualization with Hardware Support Ubaid H. and Vasia P. Trade-offs and Motivation - In

I/O Virtualization with Hardware Support Ubaid H. and Vasia P. Trade-offs and Motivation - In a fully virtual I/O, we have interposition - Full encapsulation (store, pause, resume), portability, flexibility, live migration - Slow

423 views • 24 slides
Welcome to the Learning & Working RRTC National Webinar! Please sign up for our E-Blasts by

Welcome to the Learning & Working RRTC National Webinar! Please sign up for our E-Blasts by

Welcome to the Learning & Working RRTC National Webinar! Please sign up for our E-Blasts by visiting our website: http://www.umassmed.edu/TransitionsRTC Acknowledgements The Learning & Working Transitions RRTC is a national effort that

220 views • 20 slides
Solving Existentially Quantified Horn Clauses Corneliu Popeea - joint work with Tewodros Beyene

Solving Existentially Quantified Horn Clauses Corneliu Popeea - joint work with Tewodros Beyene

Solving Existentially Quantified Horn Clauses Corneliu Popeea - joint work with Tewodros Beyene and Andrey Rybalchenko - Universal properties ... success story Temporal verification of universal properties of various kind of programs

572 views • 27 slides
REGULATORY UPDATE AND THE PRCS ROLE IN REFORM ASSOCIATION OF ALTERNATE POSTAL SYSTEMS THE

REGULATORY UPDATE AND THE PRCS ROLE IN REFORM ASSOCIATION OF ALTERNATE POSTAL SYSTEMS THE

The views expressed are those of the author alone, and do not necessarily reflect the views of the Postal Regulatory Commission REGULATORY UPDATE AND THE PRCS ROLE IN REFORM ASSOCIATION OF ALTERNATE POSTAL SYSTEMS THE VISION AND VOICE OF

658 views • 36 slides
Early Twentieth-Century Fiction e20fic19.blogs.rutgers.edu Prof. Andrew Goldstone

Early Twentieth-Century Fiction e20fic19.blogs.rutgers.edu Prof. Andrew Goldstone

Early Twentieth-Century Fiction e20fic19.blogs.rutgers.edu Prof. Andrew Goldstone (andrew.goldstone@rutgers.edu) Office hours: Murray 019, Thursdays 11:301:30 or by appointment November 25, 2019. Tagore (1). review: Hurston and the hurricane

514 views • 23 slides
Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko

Timed Runtime Monitoring for Multiparty Conversations Rumyana Neykova, Laura Bocchi, Nobuko Yoshida On the importance of time On the importance of time } Web services (timeouts): } Twitter Streaming API: Reconnect no more than twice

521 views • 50 slides

More recommend