l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Does supporting POSIX applications require ACLs?

From: Neal H. Walfield
Subject: Re: Does supporting POSIX applications require ACLs?
Date: Tue, 25 Oct 2005 23:01:54 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI) 
At Tue, 25 Oct 2005 14:01:17 -0400,
Jonathan S. Shapiro wrote:
> 
> On Tue, 2005-10-25 at 11:50 +0100, Neal H. Walfield wrote:
> > > > Yes. One of our aimes is to build a unix replacing OS. 
> > > I tried to point to this compatibility layer. Of course we use 
> > > capabilities in the core, but the POSIX layer has to support acl based 
> > > access control.
> > 
> > I'm not convinced that we have to support ACLs.  I think the question
> > needs to be asked: how many applications rely of ACLs?
> 
> The answer, in practice, is "zero", because the majority of UNIX systems
> do not implement ACLs. A very small number of applications rely on the
> access(2) system call. All of these are wrong, because the answers
> provided by access(2) do not match the behavior of open(2) in many
> versions of UNIX.

What I meant by requiring ACLs was actually the unix permission model.
This is a a less flexible form of the general ACL model, however, I
was sloppy.

> The real question is: what support do we need for UIDs? I suggest that
> the answer may well be "none". The only programs that use UIDs actively
> are the ones that call setuid, and these are exactly the sort of
> privileged apps we need to rebuild.

There are other places where UIDs can be a pain.  One example that
comes to mind is servers which use a Unix domain socket to communicate
with their clients.  Traditionally, the kernel did not use the
permissions on the node referring to unix domain sockets.  Instead, it
was the responsibility of the server to use SCM_CREDS to get the user
id of the opener and perform the authentication.  Modern kernels, such
as the Linux kernel, actually check the permissions, however,
applications still perform the check anyway.  Is this incorrect?  For
backwards compatibility, no.  I imagine most of the rest of the time
the answer is: yes.  Is it easy to work around in the code?  Yes, in
particular with Autoconf's help.  Convincing upstream to use a general
solution is a bit more difficult.  Consider my experience with this
exact issue with gamin[1].

Thanks,
Neal

[1] http://mail.gnome.org/archives/gamin-list/2005-June/msg00001.html
reply via email to
[Prev in Thread] Current Thread [Next in Thread]