Brian Cameron wrote:
> Mark & Others:
>
>> I think you may have misunderstood what people were suggesting. They
>> weren't suggesting changing the mode of the file, but using chmod(1M) to
>> add/modify ZFS ACLs on the device file.
>>
>> chmod A+user:gdm:rwx:allow <file>
>>
>> See chmod(1M) or the zfs admin guide for ZFS ACL examples.
>
> Thanks for your help. Now GDM is using the following code to set ACL's
> (spacing slightly modified for readability):
>
> {
>   int acl_flavor;
>   acl_flavor = pathconf("/dev/audio", _PC_ACL_ENABLED);
>
>   if (acl_flavor & _ACL_ACLENT_ENABLED) {
>     system ("/usr/bin/setfacl -m user:gdm:rwx,mask:rwx /dev/audio");
>     system ("/usr/bin/setfacl -m user:gdm:rwx,mask:rwx /dev/audioctl");
>   } else if (acl_flavor & _ACL_ACE_ENABLED) {
>     system ("/usr/bin/chmod A+user:gdm:rwx:allow /dev/audio");
>     system ("/usr/bin/chmod A+user:gdm:rwx:allow /dev/audioctl");
>   }
> }
>
> That works much better, and now GDM text-to-speech works much better on
> ZFS filesystems.
>
> However, now I am wondering if it might be better to call acl(2) functions
> rather than spawning off new processes via system(). Does setfacl(2), for
> example, work with both flavors, or would I need to call different functions
> based on the acl_flavor? I am not very familiar with working with
> acl's, so any help explaining how to modify the above code to use acl
> functions rather than calling system would be helpful.
>
> Thanks,
>
You could call acl(2) directly, but you would have to construct a complete ACL to set. It would be easier to use acl_get() and acl_set() which understand the various ACL flavors and will call the syscall with correct ACL flavor arguments.

Unfortunately, what you are wanting to do is retrieve the ACL, prepend an entry and then call acl_set(). There is a private interface in libsec called acl_addentries() that can do such a thing, but that interface could change and I'm not sure I would recommend using it since gdm isn't in ON. Also, acl_entries needs the added ACE entries to be in raw ace_t format and not the textual representation you are setting with chmod(1). We definitely need some better ACL interfaces for this sort of thing.

You should probably make sure that you just don't keep continually adding the same entry over and over again to the ACL. With NFSv4 ACLs you can insert the same entry multiple times and if you keep doing it long enough you will eventually get an error back when you reach the ACE limit on the file.

There is code in libdevinfo called setdevaccess() that will strip off all ACEs on a device file via acl_strip(3sec). The setdevaccess() interface is called by di_devperm_login(). Does gdm use that interface?

-Mark
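
The retrieve, prepend and set pattern from the reply above, with the duplicate-entry and ACE-limit checks it asks for, as an added example that is not code from GDM, libsec or either poster. It models the ACL as a plain in-memory array: ex_ace_t, the EX_* constants, uid 50 and the limit of 4 are hypothetical stand-ins, and a real caller would load and store the entries through acl_get() and acl_set().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for one ACE; the layout is an assumption, not ace_t. */
typedef struct {
    uint32_t who;          /* uid the entry applies to */
    uint32_t access_mask;  /* EX_READ | EX_WRITE | EX_EXEC */
    uint16_t type;         /* EX_ALLOW or EX_DENY */
} ex_ace_t;

enum { EX_READ = 0x1, EX_WRITE = 0x2, EX_EXEC = 0x4 };  /* constructed values */
enum { EX_ALLOW = 0, EX_DENY = 1 };
enum ex_result { EX_ADDED, EX_ALREADY_PRESENT, EX_ACL_FULL };

/*
 * Prepend new_ace unless an identical entry is already in effect.
 * Entries are evaluated in order, so an identical entry only counts if no
 * earlier deny entry overlaps its access mask.
 */
enum ex_result
ex_acl_prepend_once(ex_ace_t *acl, size_t *count, size_t cap,
    const ex_ace_t *new_ace)
{
    for (size_t i = 0; i < *count; i++) {
        const ex_ace_t *e = &acl[i];
        if (e->who == new_ace->who && e->type == new_ace->type &&
            e->access_mask == new_ace->access_mask)
            return EX_ALREADY_PRESENT;
        if (e->type == EX_DENY && (e->access_mask & new_ace->access_mask))
            break;  /* a later duplicate would be shadowed; add a new one */
    }
    if (*count >= cap)
        return EX_ACL_FULL;  /* report the limit instead of overflowing */
    memmove(&acl[1], &acl[0], *count * sizeof (acl[0]));
    acl[0] = *new_ace;
    (*count)++;
    return EX_ADDED;
}

/* Constructed run: request the same allow entry twice; returns entry count. */
size_t ex_demo(void)
{
    ex_ace_t acl[4] = { { 0, EX_READ | EX_WRITE, EX_ALLOW } };
    size_t count = 1;
    const ex_ace_t gdm = { 50, EX_READ | EX_WRITE | EX_EXEC, EX_ALLOW };
    ex_acl_prepend_once(acl, &count, 4, &gdm);
    ex_acl_prepend_once(acl, &count, 4, &gdm);  /* no second copy is added */
    return count;
}
```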