On Fri, Feb 26, 2010 at 03:00:29PM -0500, Miles Nordin wrote:
> >>>>> "nw" == Nicolas Williams <nicolas.willi...@sun.com> writes:
>
>     nw> What could we do to make it easier to use ACLs?
>
> 1. how about AFS-style ones where the effective permission is the AND
>    of the ACL and the unix permission?  You might have to combine this

Yes, that sounds useful.  (Group modebits could be applied to all ACEs
that are neither owner@ nor everyone@ ACEs.)

>    with an inheritable-by-subdirectories umask setting so you could
>    create ACL-dominated lands of files that are all unix 777, but this
>    would stop clobbering difficult-to-recreate ACL's as well as
>    unintended information leaking.

If users have private primary groups then you can have them run with
umask 007 or 002 and use set-gid and/or inheritable ACLs to ensure that
users can share files in specific directories.  (This is one reason that
I recommend always giving users their own private primary groups.)

Alternatively we could have a new mode bit to indicate that the group
bits of umask are to be treated as zero, or maybe assign this behavior
to the set-gid bit on ZFS.

> 2. define a standard API for them, add ability to replicate them to
>    [...]

That'd be nice.

> Maybe we're beyond the point of no return for the first suggestion.

Why?  It can just be another value of the aclmode property.

Nico
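The masking suggested in this message, sketched as an added example (not code from the thread and not ZFS behaviour): the stored ACL is never rewritten, and chmod only changes what it effectively grants. The model is a simplification assumed for illustration: allow-only entries with plain rwx bits, the helper names, and the constructed entries user:alice and group:staff.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    who: str    # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    allow: int  # rwx bits this entry grants (4=r, 2=w, 1=x)


def mode_mask(who: str, mode: int) -> int:
    """Pick the mode-bit triad that caps an entry."""
    if who == "owner@":
        return (mode >> 6) & 0o7
    if who == "everyone@":
        return mode & 0o7
    # Assumed reading of the suggestion: every entry that is neither owner@
    # nor everyone@ (group@, named users, named groups) is capped by the
    # group bits.
    return (mode >> 3) & 0o7


def effective_acl(acl, mode):
    """Effective permission = stored ACE AND mode bits; acl is not modified."""
    return [Ace(a.who, a.allow & mode_mask(a.who, mode)) for a in acl]


def show(acl):
    """Render entries as who:rwx for comparison."""
    bits = (("r", 4), ("w", 2), ("x", 1))
    return ", ".join(
        a.who + ":" + "".join(c if a.allow & b else "-" for c, b in bits)
        for a in acl
    )


# Constructed sample ACL on a file in an "all unix 777" directory.
STORED = [
    Ace("owner@", 0o7),
    Ace("user:alice", 0o6),
    Ace("group:staff", 0o5),
    Ace("everyone@", 0o4),
]

if __name__ == "__main__":
    # Tightening the mode narrows access; loosening it again restores the
    # full ACL because the stored entries were never clobbered.
    for mode in (0o777, 0o750, 0o700, 0o777):
        print(f"chmod {mode:04o} -> {show(effective_acl(STORED, mode))}")
```

With mode 777 the ACL alone decides access; with 700 every non-owner entry is masked to nothing, which is the information-leak protection the quoted text asks for.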