From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C47CDC004C9 for ; Tue, 7 May 2019 08:07:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 22A8620578 for ; Tue, 7 May 2019 08:07:35 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="key not found in DNS" (0-bit key) header.d=szeredi.hu header.i=@szeredi.hu header.b="JciVvm+L" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726592AbfEGIHe (ORCPT ); Tue, 7 May 2019 04:07:34 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:41179 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726453AbfEGIHd (ORCPT ); Tue, 7 May 2019 04:07:33 -0400 Received: by mail-io1-f67.google.com with SMTP id a17so5342434iot.8 for ; Tue, 07 May 2019 01:07:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PEZVy9C+Z3ICJpvsn26xeqhO1e763sY5Q6qDpaKXZYs=; b=JciVvm+L8utAHEyD6sXVzJvXBWDDmLzUDru6e2Z6O7UUhE2uYt6t01+U9KuovpPXFK SVoBnOMRpR/M0jYtVyra7OBS30QfLjlk+10q3bu8kYLImeYysyY5BCIcTiaH8mJwq+lF dWqGpCsk3fQOh11X0sH7ux9nl+jIhQyw49PY4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PEZVy9C+Z3ICJpvsn26xeqhO1e763sY5Q6qDpaKXZYs=; b=KtBfinHmLe33GZwOcqGcwqrNisJ82+bmCw5HtSdBV5yck01GZEvQAaRvF6odwx5Vxq ddolx27Qw8sjHv2+1J2DTh7PBPvnBF4FAMa6GEd/fsjihpcNZjZxVJUxkv6lzzy2e9c4 5rFWOtCXFmapI3MxBorWXvMYR12X2SKr9PMzKr2nPXG2BfElgYwFDGcyvf8dVTgXM+Pf 4qid4jA2r6J6WghW8a/Z6a8Rxv9esBT9fAO5rTswIndvlGwpv8qDbaqIw3TWHx6sWpla MuWhZqHDkh/ViF57dQPBrkDw9yAbgPaT2iKkIOk/P1dEd9BhbaizhJPMsYmxn1F7YBCf IQbw== X-Gm-Message-State: APjAAAVDXqscwTbnS4YdZ28pSK7NkQ3lg2TVEjsBG6ZvQ0p7T7n7QE/A /UE5Vv3+WedPjtCzLzXmATw93kJAQ/sMB7IXfU2sBw== X-Google-Smtp-Source: APXvYqwG7Qhlz0ih1MCulvyvogd0VnUgA/VyGWATqTE+j80uOQBpCOYbueOcG/IyjFlZNjhBSEPaLFPbgVREQTdhdl0= X-Received: by 2002:a6b:ee04:: with SMTP id i4mr1817315ioh.246.1557216453174; Tue, 07 May 2019 01:07:33 -0700 (PDT) MIME-Version: 1.0 References: <20161205162559.GB17517@fieldses.org> <266c571f-e4e2-7c61-5ee2-8ece0c2d06e9@web.de> <20161206185806.GC31197@fieldses.org> <87bm0l4nra.fsf@notabene.neil.brown.name> <20190503153531.GJ12608@fieldses.org> In-Reply-To: <20190503153531.GJ12608@fieldses.org> From: Miklos Szeredi Date: Tue, 7 May 2019 04:07:21 -0400 Message-ID: Subject: Re: [PATCH] overlayfs: ignore empty NFSv4 ACLs in ext4 upperdir To: "J. Bruce Fields" Cc: NeilBrown , Andreas Gruenbacher , =?UTF-8?Q?Andreas_Gr=C3=BCnbacher?= , Patrick Plagwitz , "linux-unionfs@vger.kernel.org" , Linux NFS list , Linux FS-devel Mailing List , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, May 3, 2019 at 11:35 AM J. Bruce Fields wrote: > > On Thu, May 02, 2019 at 12:02:33PM +1000, NeilBrown wrote: > > Silently not copying the ACLs is probably not a good idea as it might > > result in inappropriate permissions being given away. So if the > > sysadmin wants this (and some clearly do), they need a way to > > explicitly say "I accept the risk". > > So, I feel like silently copying ACLs up *also* carries a risk, if that > means switching from server-enforcement to client-enforcement of those > permissions. That's not correct: permissions are checked on the overlay layer, regardless of where the actual file resides. For filesystems using a server enforced permission model that means possibly different permissions for accesses through overlayfs than for accesses without overlayfs. Apparently this is missing from the documentation and definitely needs to be added. So I think it's perfectly fine to allow copying up ACLs, as long as the ACL is representable on the upper fs. If that cannot be ensured, then the only sane thing to do is to disable ACL checking across the overlay ("noacl" option). Thanks, Miklos