Re: [PATCH] Basic support for checking NFSv4 ACLs in Linux

[Andreas Grünbacher]

Am Di., 15. Nov. 2022 um 10:17 Uhr schrieb Ondrej Valousek
<ondrej.valousek.xm@renesas.com>:
> I mean from RFC8881:
> " The server that supports both mode and ACL must take care to synchronize 
> the MODE4_*USR, MODE4_*GRP, and MODE4_*OTH bits with the ACEs that have 
> respective who fields of "OWNER@", "GROUP@", and "EVERYONE@". This way, the 
> client can see if semantically equivalent access permissions exist whether 
> the client asks for the owner, owner_group, and mode attributes or for just 
> the ACL."
>
> ... I take it these 3 ACEs should always represent mode bits.

The NFSv4 specification is /very/ bad at specifying the interaction
between the acl and mode attributes. For example, consider an ACL like
"A::EVERYONE@:rwaDx" for a directory. This would correspond to a mode
attribute of "------rwx" according to the above statement, but the ACL
really grants "rwx" access to everyone including the owner and the
owning group, which would equate to a mode attribute of "rwxrwxrwx".
(Remember that the lower three mode bits indicate the permissions of
"others", which excludes the owner and the owning group, so
"------rwx" is not the same as "rwxrwxrwx".)

Andreas