linux-cifs.vger.kernel.org archive mirror
From: Stef Bon <stefbon@gmail.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: Question about parsing acl to get linux attributes.
Date: Sun, 1 Aug 2021 06:12:48 +0200	[thread overview]
Message-ID: <CANXojczOzWWebVJNDmS-b=cYSFOJ=0dSNSeNJ6T5+-FZfq_pNQ@mail.gmail.com> (raw)
In-Reply-To: <CAN05THS_KtutZxOOap7xPU3d+XfEJJTe7XT9sZ1tVZFMcLAYEA@mail.gmail.com>

On Sat, 31 Jul 2021 at 23:57, ronnie sahlberg <ronniesahlberg@gmail.com> wrote:
>
> Example:
> 1, S-1-2-ALICE       ALLOW   READ
> 2, S-1-2-BOB         ALLOW   READ/WRITE
> 3, S-1-2-EVERYBODY   ALLOW   READ/WRITE
> 4, S-1-2-BOB         DENY    WRITE
>
> In this case, even though there are two ACEs that would grant BOB
> WRITE access (the ACE for BOB and EVERYBODY), BOB is still denied
> write access due to the presence of a DENY ACE for WRITE.
>
> In this case the ACEs are evaluated in the following order
> 4, 1, 2, 3

Wow, this will take a lot of time to process when listing a directory.
After the readdir, a lookup is done for every entry to get more details,
and then this processing of the list has to be done.

Is it really required to do this more than once? You mention looking
first for the denies, and then the allow entries. But what happens if
there are no allow entries? Then it will be denied, I think. Is it
something like iptables: there is a default policy which counts when
no rule applies?
If this is the case you do not have to do it twice:
- if the policy is deny, you only have to look for allow rules
- and vice versa, if the policy is allow, you only have to look for deny rules

Stef

PS: it is sophisticated, but (I read somewhere) no system administrator
will use the fine-grained rules; they use defaults (which make them
predictable).

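The evaluation order Ronnie describes (deny ACEs considered before allow ACEs, so 4, 1, 2, 3 for the list above) is the NT DACL walk in canonical order, and it also answers the "default policy" question: an NT DACL has no configurable default, a right that no ACE grants is simply denied. The following is an added example, not code from the thread or from the cifs module, and it uses constructed SIDs, a two-bit access mask and a toy token instead of the real structures. It walks the quoted ACL both in the order it was written and in canonical order, to show why the order matters and that one pass is enough once denies come first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits; a constructed two-bit subset of the NT access mask. */
#define ACE_READ   0x1u
#define ACE_WRITE  0x2u

enum ace_type { ACE_ALLOW, ACE_DENY };

/* One ACE: trustee SID (string form for readability), type and rights. */
struct ace {
    const char   *sid;
    enum ace_type type;
    unsigned      mask;
};

/* The subject's token: its own SID plus group SIDs (Everyone included). */
struct token {
    const char *sids[4];
    size_t      nsids;
};

static bool token_has_sid(const struct token *t, const char *sid)
{
    for (size_t i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0)
            return true;
    return false;
}

/*
 * DACL walk in list order: a DENY ACE that covers any still-wanted right
 * fails immediately; ALLOW ACEs accumulate rights; once every requested
 * right has been collected the walk stops early. Reaching the end with
 * rights still outstanding means access is denied, i.e. the default is
 * deny, so a single pass in canonical order is all that is needed.
 */
static bool dacl_grants(const struct ace *acl, size_t n,
                        const struct token *t, unsigned requested)
{
    unsigned remaining = requested;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, acl[i].sid))
            continue;
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining)
                return false;
        } else {
            remaining &= ~acl[i].mask;
        }
    }
    return remaining == 0;
}

/* Canonical order: explicit DENY ACEs first, then ALLOW, otherwise stable. */
static void canonicalize(const struct ace *in, size_t n, struct ace *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) if (in[i].type == ACE_DENY)  out[k++] = in[i];
    for (size_t i = 0; i < n; i++) if (in[i].type == ACE_ALLOW) out[k++] = in[i];
}

/* The ACL from the mail, in the order it was listed (constructed data). */
static const struct ace sample_acl[] = {
    { "S-1-2-ALICE",     ACE_ALLOW, ACE_READ },
    { "S-1-2-BOB",       ACE_ALLOW, ACE_READ | ACE_WRITE },
    { "S-1-2-EVERYBODY", ACE_ALLOW, ACE_READ | ACE_WRITE },
    { "S-1-2-BOB",       ACE_DENY,  ACE_WRITE },
};
#define SAMPLE_N (sizeof sample_acl / sizeof sample_acl[0])

/* Constructed tokens: each subject carries its own SID and Everyone. */
static const struct token bob   = { { "S-1-2-BOB",   "S-1-2-EVERYBODY" }, 2 };
static const struct token alice = { { "S-1-2-ALICE", "S-1-2-EVERYBODY" }, 2 };

/* Walk the list as written (1, 2, 3, 4): ACE 2 grants WRITE before ACE 4 is seen. */
bool raw_order_grants(const struct token *t, unsigned requested)
{
    return dacl_grants(sample_acl, SAMPLE_N, t, requested);
}

/* Walk with DENY ACEs first (4, 1, 2, 3), the order from the mail. */
bool canonical_grants(const struct token *t, unsigned requested)
{
    struct ace sorted[SAMPLE_N];
    canonicalize(sample_acl, SAMPLE_N, sorted);
    return dacl_grants(sorted, SAMPLE_N, t, requested);
}

/* Empty DACL: no ACE grants anything, so every request is denied. */
bool empty_dacl_grants(const struct token *t, unsigned requested)
{
    return dacl_grants(NULL, 0, t, requested);
}

int main(void)
{
    printf("BOB WRITE, list order:      %s\n", raw_order_grants(&bob, ACE_WRITE) ? "granted" : "denied");
    printf("BOB WRITE, canonical order: %s\n", canonical_grants(&bob, ACE_WRITE) ? "granted" : "denied");
    printf("BOB READ,  canonical order: %s\n", canonical_grants(&bob, ACE_READ) ? "granted" : "denied");
    printf("ALICE WRITE via Everybody:  %s\n", canonical_grants(&alice, ACE_WRITE) ? "granted" : "denied");
    printf("BOB READ, empty DACL:       %s\n", empty_dacl_grants(&bob, ACE_READ) ? "granted" : "denied");
    return 0;
}
```

The list-order walk grants BOB write access because ACE 2 satisfies the request before the deny in ACE 4 is ever reached; the canonical walk denies it, as the mail says. The empty-DACL case shows the default-deny behaviour Stef asks about: there is no allow rule to find, so the answer is deny without a second pass.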

Thread overview:
2021-07-31 16:02 Question about parsing acl to get linux attributes Stef Bon
2021-07-31 21:57 ` ronnie sahlberg
2021-08-01  4:12   ` Stef Bon [this message]
2021-08-01  6:02     ` ronnie sahlberg
