l4-hurd

Re: Does supporting POSIX applications require ACLs?


From: Jonathan S. Shapiro
Subject: Re: Does supporting POSIX applications require ACLs?
Date: Tue, 25 Oct 2005 14:01:17 -0400

On Tue, 2005-10-25 at 11:50 +0100, Neal H. Walfield wrote:
> > > Yes. One of our aims is to build a unix replacing OS. 
> > I tried to point to this compatibility layer. Of course we use 
> > capabilities in the core, but the POSIX layer has to support acl based 
> > access control.
> 
> I'm not convinced that we have to support ACLs.  I think the question
> needs to be asked: how many applications rely on ACLs?

The answer, in practice, is "zero", because the majority of UNIX systems
do not implement ACLs. A very small number of applications rely on the
access(2) system call. All of these are wrong, because the answers
provided by access(2) do not match the behavior of open(2) in many
versions of UNIX.

The real question is: what support do we need for UIDs? I suggest that
the answer may well be "none". The only programs that use UIDs actively
are the ones that call setuid, and these are exactly the sort of
privileged apps we need to rebuild.

>   Many
> applications just open files and read and write some bytes.  For these
> applications, the fact that access is granted based on an ACL, a
> capability or something else is immaterial: if open succeeds and
> returns a file descriptor to the named file then all is well.

Yes. This statement is reinforced by many posix-ish "glue" libraries
that have been used to bring up UNIX applications (including, by the
way, emacs) on non-UNIX systems.

shap
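
The access(2)/open(2) disagreement mentioned in the message above, as an added example that is not part of the original post: two cases chosen here (the post does not name specific ones) where access(2) answers "yes" and the following open(2) still fails, so only the result of open(2) itself can be relied on. The /tmp paths and function names are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Probe with access(2), optionally let the file system change, then
 * call open(2). Returns 0 when the two agree, otherwise the errno
 * from open(2) after access(2) had already answered "yes". */
static int probe_vs_open(const char *path, int amode, int oflags,
                         void (*between)(const char *))
{
    int probe_ok = (access(path, amode) == 0);
    if (between) between(path);      /* window between check and use */
    int fd = open(path, oflags);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    return (probe_ok && err) ? err : 0;
}

static void remove_file(const char *path) { unlink(path); }

/* Case 1: a writable directory passes W_OK, yet it cannot be opened
 * for writing; open(2) fails with EISDIR. */
int mismatch_on_directory(void)
{
    char dir[] = "/tmp/acc_demo_XXXXXX";   /* constructed sample path */
    if (!mkdtemp(dir)) return -1;
    int r = probe_vs_open(dir, W_OK, O_WRONLY, NULL);
    rmdir(dir);
    return r;
}

/* Case 2: the file is removed after the probe; the earlier "yes" is
 * stale by the time open(2) runs, which fails with ENOENT. */
int mismatch_after_unlink(void)
{
    char file[] = "/tmp/acc_demo_XXXXXX";  /* constructed sample path */
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    return probe_vs_open(file, R_OK, O_RDONLY, remove_file);
}

int main(void)
{
    printf("directory: %d (EISDIR=%d)\n", mismatch_on_directory(), EISDIR);
    printf("unlinked:  %d (ENOENT=%d)\n", mismatch_after_unlink(), ENOENT);
    return 0;
}
```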




