
Re: choice of 'namespace' for ACL's

To: Linda Walsh <xfs@xxxxxxxxx>
Subject: Re: choice of 'namespace' for ACL's
From: Ben Myers <bpm@xxxxxxx>
Date: Fri, 19 Jul 2013 17:39:16 -0500
Cc: Linux-Xfs <linux-xfs@xxxxxxxxxxx>, acl-devel@xxxxxxxxxx
Delivered-to: linux-xfs@xxxxxxxxxxx
In-reply-to: <51E8FE5F.8030107@xxxxxxxxx>
References: <51E8FE5F.8030107@xxxxxxxxx>
User-agent: Mutt/1.5.20 (2009-06-14)

Hey Linda,

On Fri, Jul 19, 2013 at 01:52:47AM -0700, Linda Walsh wrote:
> I was looking at the attr and it left me a bit puzzled.
> 
> (1) Of minor consideration, was the statement about 'values can be up
> to 64KB'...  But there is no mention of how many names can be present
> or if there is a cumulative maximum on the names or on the data.  I thought
> I remembered there was, but all I found was limits on single datums.

IIRC there isn't an artificial cap on the number of entries, and the attribute
code is using similar structures as directories and block maps.  Normally data
are inline with the names, but with remote attributes the large ones will have
the data stored elsewhere.  So the answer is... many?

> (2) A more confusing issue was the bit describing XFS as having 2 disjoint
> attrib namespaces, but later the selectors for the namespaces are given as
> [none] = user, [R] = root, and [S] = Security -- making it sound like 3
> disjoint namespaces.  So, how many attrib namespaces are there, 2 or 3?

There are three:  user, root/trusted, and security.

> (3) Adding a bit more to pique my curiosity, I noticed that
> file ACL's were in the root-namespace, not the security attribute namespace.
> Wouldn't it make more sense if access control was considered a security
> attrib?

The security namespace is being used by selinux.  I'm not clear on all of the
history of how it came to be this way.  Maybe someone can pipe up and explain
that.

> Another point of confusion was on the attrib manpage where it says:
> CAVEATS
>        The list option present in the IRIX version of this command is not
>        supported.  getfattr provides a mechanism to retrieve all of the
>        attribute names.
> 
> (4) What does that mean?  i.e.:
> 
> when I use attr -l:
> 
> > attr -l openssh-6.1p1-hpn13v14.diff.gz
> Attribute "DOSATTRIB" has a 56 byte value for openssh-6.1p1-hpn13v14.diff.gz
> Attribute "SAMBA_PAI" has a 25 byte value for openssh-6.1p1-hpn13v14.diff.gz
> 
> or adding the -q switch with -l:
> 
> > attr -ql openssh-6.1p1-hpn13v14.diff.gz
> DOSATTRIB
> SAMBA_PAI

It sure seems like 'attr -l' is working for you.

> ---
> Does "not supported" mean that it is working by accident and may be
> removed   ... because....[_________???______]? 

It may be that the manpage is out of date?

> getfattr is suggested as a replacement, but
> (5) how can it be used to list the lengths?  and
> (6) how can it be used to list the Security or Root namespaces?
> 
> Sorry for all the Q's, but it seemed like there were some missing pieces...

Hmm.  Maybe try over on acl-devel@xxxxxxxxxx?

Regards,
        Ben
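
Added example, not part of the original message or of the attr/getfattr tools: listing attribute names with their value lengths across the user, root/trusted and security namespaces through the Linux xattr calls in Python's os module, which bears on questions (5) and (6). The helper names and the injectable listxattr/getxattr parameters are assumptions of this example.

```python
import os
import sys

# Linux xattr prefix -> XFS namespace as named in the thread
# (attr(1) selectors: none = user, [R] = root/trusted, [S] = security).
XFS_NAMESPACE = {"user": "user", "trusted": "root", "security": "security"}


def split_name(full_name):
    """Split 'user.DOSATTRIB' into ('user', 'DOSATTRIB')."""
    prefix, sep, name = full_name.partition(".")
    return (prefix, name) if sep else ("", full_name)


def list_attrs(path, listxattr=None, getxattr=None):
    """Return sorted (namespace, name, value_length) rows for path.

    listxattr/getxattr are injectable (an assumption of this example) so the
    logic can be exercised without an xattr-capable filesystem.
    """
    listxattr = listxattr or os.listxattr
    getxattr = getxattr or os.getxattr
    rows = []
    for full in listxattr(path, follow_symlinks=False):
        prefix, name = split_name(full)
        try:
            length = len(getxattr(path, full, follow_symlinks=False))
        except OSError:
            length = None  # name is listed, but the value is not readable
        rows.append((XFS_NAMESPACE.get(prefix, prefix), name, length))
    return sorted(rows, key=lambda r: (r[0], r[1]))


def format_rows(path, rows):
    """Render rows in the style of the `attr -l` output quoted above."""
    out = []
    for ns, name, length in rows:
        size = "an unreadable" if length is None else f"a {length} byte"
        out.append(f'[{ns}] Attribute "{name}" has {size} value for {path}')
    return out


if __name__ == "__main__":
    # The kernel only returns trusted.* names to a process with CAP_SYS_ADMIN.
    for target in sys.argv[1:]:
        print("\n".join(format_rows(target, list_attrs(target))))
```

Run it as root to see the root/trusted namespace; an unprivileged run shows only what that user is allowed to list.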
