Re: [Acl-devel] choice of 'namespace' for ACL's


From: Ben Myers
Subject: Re: [Acl-devel] choice of 'namespace' for ACL's
Date: Fri, 19 Jul 2013 17:39:16 -0500
User-agent: Mutt/1.5.20 (2009-06-14)

Hey Linda,

On Fri, Jul 19, 2013 at 01:52:47AM -0700, Linda Walsh wrote:
> I was looking at the attr and it left me a bit puzzled.
> 
> (1) Of minor consideration, was the statement about 'values can be up
> to 64KB'...  But there is no mention of how many names can be present
> or if there is a cumulative maximum on the names or on the data.  I thought
> I remembered there was, but all I found was limits on single datums.

IIRC there isn't an artificial cap on the number of entries, and the attribute
code is using similar structures as directories and block maps.  Normally data
are inline with the names, but with remote attributes the large ones will have
the data stored elsewhere..  So the answer is... many?

> (2) A more confusing issue was the bit describing XFS as having 2 disjoint
> attrib namespaces, but later the selectors for the namespaces are given as
> [none] = user, [R] = root, and [S] = Security -- making it sound like 3
> disjoint namespaces.  So, how many attrib namespaces are there, 2 or 3?

There are three:  user, root/trusted, and security.

> (3) Adding a bit more to pique my curiosity, I noticed that
> file ACL's were in the root-namespace, not the security attribute namespace.
> Wouldn't it make more sense if access control was considered a security
> attrib?

The security namespace is being used by selinux.  I'm not clear on all of the
history how it came to be this way..  Maybe someone can pipe up and explain
that.

> Another point of confusion was on the attrib manpage where it says:
> CAVEATS
>        The list option present in the IRIX version of this command is not
>        supported.  getfattr provides a mechanism to retrieve all of the
>        attribute names.
> 
> (4) What does that mean?  i.e.:
> 
> when I use attr -l:
> 
> > attr -l openssh-6.1p1-hpn13v14.diff.gz
> Attribute "DOSATTRIB" has a 56 byte value for openssh-6.1p1-hpn13v14.diff.gz
> Attribute "SAMBA_PAI" has a 25 byte value for openssh-6.1p1-hpn13v14.diff.gz
> 
> or adding the -q switch with -l:
> 
> > attr -ql openssh-6.1p1-hpn13v14.diff.gz
> DOSATTRIB
> SAMBA_PAI

It sure seems like 'attr -l' is working for you.

> ---
> Does "not supported" mean that it is working by accident and may be
> removed   ... because....[_________???______]? 

It may be that the manpage is out of date?

> getfattr is suggested as a replacement, but
> (5) how can it be used to list the lengths?  and
> (6) how can it be used to list the Security or Root namespaces?
> 
> Sorry for all the Q's, but it seemed like there were some missing pieces...

Hmm.  Maybe try over on address@hidden

Regards,
        Ben
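
Questions (5) and (6) in the quoted message ask how to see value lengths and the non-user namespaces. The following is an added example, not part of the original message or of the attr/acl code: it uses Python's Linux-only os.listxattr and os.getxattr, where each attribute name carries its namespace as a prefix such as "user." or "security.". The function names are hypothetical, and attributes in namespaces the caller is not privileged to see are simply not listed.

```python
import os
import sys
from collections import defaultdict


def split_namespace(name):
    """Split 'user.DOSATTRIB' into ('user', 'DOSATTRIB')."""
    namespace, sep, rest = name.partition(".")
    return (namespace, rest) if sep else ("", name)


def summarize(attrs):
    """Group {full_name: bytes or None} as {namespace: [(name, length)]}.

    A None value (and None length) means the name was listed but unreadable.
    """
    grouped = defaultdict(list)
    for full_name in sorted(attrs):
        namespace, name = split_namespace(full_name)
        value = attrs[full_name]
        grouped[namespace].append((name, None if value is None else len(value)))
    return dict(grouped)


def read_xattrs(path):
    """Read every attribute visible to the caller on path (Linux only)."""
    attrs = {}
    for full_name in os.listxattr(path, follow_symlinks=False):
        try:
            attrs[full_name] = os.getxattr(path, full_name, follow_symlinks=False)
        except OSError:
            attrs[full_name] = None  # listed, but the value is not readable by us
    return attrs


def report(path):
    """Return one 'namespace name size' line per attribute on path."""
    lines = []
    for namespace, entries in sorted(summarize(read_xattrs(path)).items()):
        for name, length in entries:
            size = "unreadable" if length is None else f"{length} bytes"
            lines.append(f"{namespace:<9}{name:<24}{size}")
    return lines


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(f"# {target}", *report(target), sep="\n")
```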


