freebsd-nq/sys/ufs/ufs
Robert Watson b114e127e6
In my first reading of POSIX.1e, I misinterpreted handling of the
ACL_USER_OBJ and ACL_GROUP_OBJ fields, believing that modification of the
access ACL could be used by privileged processes to change file/directory
ownership.  In fact, this is incorrect; ACL_*_OBJ (+ ACL_MASK and
ACL_OTHER) should have undefined ae_id fields; this commit attempts
to correct that misunderstanding.

o Modify arguments to vaccess_acl_posix1e() to accept the uid and gid
  associated with the vnode, as those can no longer be extracted from
  the ACL passed as an argument.  Perform all comparisons against
  the passed arguments.  This actually has the effect of simplifying
  a number of components of this call, as well as reducing the indent
  level, but now separates handling of ACL_GROUP_OBJ from ACL_GROUP.

o Modify acl_posix1e_check() to return EINVAL if the ae_id field of
  any of the ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} entries is a value
  other than ACL_UNDEFINED_ID.  As a temporary work-around to allow
  clean upgrades, set the ae_id field to ACL_UNDEFINED_ID before
  each check so that this cannot cause a failure in the short term
  (this work-around will be removed when the userland libraries and
  utilities are updated to take this change into account).

o Modify ufs_sync_acl_from_inode() so that it forces
  ACL_{USER_OBJ,GROUP_OBJ,MASK,OTHER} ae_id fields to ACL_UNDEFINED_ID
  when synchronizing the ACL from the inode.

o Modify ufs_sync_inode_from_acl to not propagate uid and gid
  information to the inode from the ACL during ACL update.  Also
  modify the masking of permission bits that may be set from
  ALLPERMS to (S_IRWXU|S_IRWXG|S_IRWXO), as ACLs currently do not
  carry non-ACCESSPERMS (S_ISUID, S_ISGID, S_ISTXT).

o Modify ufs_getacl() so that when it emulates an access ACL from
  the inode, it initializes the ae_id fields to ACL_UNDEFINED_ID.

o Clean up ufs_setacl() substantially since it is no longer possible
  to perform chown/chgrp operations using vop_setacl(), so all the
  access control for that can be eliminated.

o Modify ufs_access() so that it passes owner uid and gid information
  into vaccess_acl_posix1e().

Pointed out by:	jedger
Obtained from:	TrustedBSD Project
2001-04-17 04:33:34 +00:00
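The check the commit describes, as an added example that is not FreeBSD's code: a small user-space C model of acl_posix1e_check() and vaccess_acl_posix1e() as they behave after this change. The entry tags, struct layouts, permission bits and the names acl_check(), acl_access(), sample_access() and sample_check_with_owner_id() are this example's own simplified stand-ins and are assumptions, not the kernel's <sys/acl.h> definitions; the owner 1000:1000, the uids/gids and the ACL contents are constructed sample data.

```c
/* Added example, not FreeBSD code: a user-space model of the POSIX.1e access
 * check as the commit above describes it.  Tags, structs and function names
 * are simplified stand-ins (assumptions), not the kernel's <sys/acl.h> ones. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#define ACL_UNDEFINED_ID ((uid_t)-1)
#define ACL_MAX_ENTRIES  32
enum { ACL_EXECUTE = 1, ACL_WRITE = 2, ACL_READ = 4, ACL_PERM_BITS = 7 };
enum ae_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };

struct ae   { enum ae_tag tag; uid_t id; int perm; };
struct acl  { int cnt; struct ae e[ACL_MAX_ENTRIES]; };
struct cred { uid_t uid; gid_t gid; };  /* effective ids only; no supplementary groups */

/* Structural validity, cf. acl_posix1e_check(): exactly one USER_OBJ, GROUP_OBJ
 * and OTHER, at most one MASK (mandatory once named USER/GROUP entries exist),
 * and only named entries carry an id.  Returns 0 or EINVAL. */
int acl_check(const struct acl *a)
{
    int n[6] = { 0 };                      /* entries seen, indexed by tag */
    if (a->cnt < 3 || a->cnt > ACL_MAX_ENTRIES) return EINVAL;
    for (int i = 0; i < a->cnt; i++) {
        const struct ae *e = &a->e[i];
        int named = (e->tag == ACL_USER || e->tag == ACL_GROUP);
        if ((unsigned)e->tag > ACL_OTHER || (e->perm & ~ACL_PERM_BITS)) return EINVAL;
        /* The commit's rule: USER_OBJ/GROUP_OBJ/MASK/OTHER must carry ACL_UNDEFINED_ID. */
        if (named != (e->id != ACL_UNDEFINED_ID)) return EINVAL;
        n[e->tag]++;
    }
    if (n[ACL_USER_OBJ] != 1 || n[ACL_GROUP_OBJ] != 1 || n[ACL_OTHER] != 1 ||
        n[ACL_MASK] > 1 || ((n[ACL_USER] || n[ACL_GROUP]) && !n[ACL_MASK]))
        return EINVAL;
    return 0;
}

/* May `c` perform `req` (OR of ACL_* bits) on an object owned by owner_uid:
 * owner_gid?  The owner is a caller argument (the inode, in the kernel) and is
 * never read from the ACL.  Returns 0, EACCES or EINVAL; no root override. */
int acl_access(const struct acl *a, uid_t owner_uid, gid_t owner_gid,
               const struct cred *c, int req)
{
    int err = acl_check(a), mask = ACL_PERM_BITS, matched = 0;
    if (err) return err;
    for (int i = 0; i < a->cnt; i++)
        if (a->e[i].tag == ACL_MASK) mask = a->e[i].perm;
    for (int i = 0; i < a->cnt; i++)       /* 1. owner: ACL_USER_OBJ, unmasked */
        if (c->uid == owner_uid && a->e[i].tag == ACL_USER_OBJ)
            return (a->e[i].perm & req) == req ? 0 : EACCES;
    for (int i = 0; i < a->cnt; i++)       /* 2. named user: ACL_USER, masked */
        if (a->e[i].tag == ACL_USER && a->e[i].id == c->uid)
            return (a->e[i].perm & mask & req) == req ? 0 : EACCES;
    for (int i = 0; i < a->cnt; i++) {     /* 3. groups: any granting match wins */
        const struct ae *e = &a->e[i];
        if ((e->tag == ACL_GROUP_OBJ && c->gid == owner_gid) ||
            (e->tag == ACL_GROUP && c->gid == (gid_t)e->id)) {
            matched = 1;
            if ((e->perm & mask & req) == req) return 0;
        }
    }
    if (matched) return EACCES;
    for (int i = 0; i < a->cnt; i++)       /* 4. everyone else: ACL_OTHER, unmasked */
        if (a->e[i].tag == ACL_OTHER)
            return (a->e[i].perm & req) == req ? 0 : EACCES;
    return EINVAL;                         /* unreachable once acl_check() passed */
}

/* Constructed sample ACL: owner rwx, user 1001 rw, owning group r, group 2000
 * rwx, mask r (cuts named-user and group entries down to read), other none. */
static const struct acl sample = { 6, {
    { ACL_USER_OBJ,  ACL_UNDEFINED_ID, ACL_PERM_BITS },
    { ACL_USER,      1001,             ACL_READ | ACL_WRITE },
    { ACL_GROUP_OBJ, ACL_UNDEFINED_ID, ACL_READ },
    { ACL_GROUP,     2000,             ACL_PERM_BITS },
    { ACL_MASK,      ACL_UNDEFINED_ID, ACL_READ },
    { ACL_OTHER,     ACL_UNDEFINED_ID, 0 } } };

/* `req` for uid:gid against the sample ACL on an object owned by 1000:1000. */
int sample_access(uid_t uid, gid_t gid, int req)
{
    struct cred c = { uid, gid };
    return acl_access(&sample, 1000, 1000, &c, req);
}

/* Store `id` in the USER_OBJ entry (e[0]): acl_check() accepts the ACL only
 * for ACL_UNDEFINED_ID, so setting an ACL can never double as a chown. */
int sample_check_with_owner_id(uid_t id)
{
    struct acl a = sample;
    a.e[0].id = id;
    return acl_check(&a);
}

int main(void)
{
    printf("uid 1001 write: %d (EACCES=%d)\n", sample_access(1001, 5000, ACL_WRITE), EACCES);
    printf("USER_OBJ id 0: %d (EINVAL=%d)\n", sample_check_with_owner_id(0), EINVAL);
    return 0;
}
```

Two things the commit insists on are visible here. acl_check() refuses an ACL whose ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_MASK or ACL_OTHER entry carries a real id, so a caller allowed to set an ACL cannot turn that into a chown or chgrp. acl_access() learns the owner only from its owner_uid/owner_gid arguments (the inode fields, in the kernel) and compares every entry against those, with ACL_GROUP_OBJ handled as one more group entry rather than taken from the ACL. Supplementary group membership, the superuser override and the inode mode-bit synchronization are left out to keep the model short.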
acl.h Introduce support for POSIX.1e ACLs on UFS-based file systems. This 2001-03-26 17:53:19 +00:00
dinode.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
dir.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
extattr.h o Rename "namespace" argument to "attrnamespace" as namespace is a C++ 2001-03-19 05:44:15 +00:00
inode.h Fixes to track snapshot copy-on-write checking in the specinfo 2001-03-07 07:09:55 +00:00
quota.h Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
README.acls o Indent sub-section headings to be consistent with README.extattr. 2001-04-03 18:05:03 +00:00
README.extattr o Introduce a README file describing briefly how to use extended 2001-04-03 17:31:36 +00:00
ufs_acl.c In my first reading of POSIX.1e, I misinterpreted handling of the 2001-04-17 04:33:34 +00:00
ufs_bmap.c This patch corrects the first round of panics and hangs reported 2000-07-24 05:28:33 +00:00
ufs_extattr.c o Change the default from using IO_SYNC on EA set and delete operations 2001-04-03 04:09:53 +00:00
ufs_extern.h o Implement "options FFS_EXTATTR_AUTOSTART", which depends on 2001-03-14 05:32:31 +00:00
ufs_ihash.c Change and clean the mutex lock interface. 2001-02-09 06:11:45 +00:00
ufs_inode.c Add kernel support for running fsck on active filesystems. 2001-03-21 04:09:01 +00:00
ufs_lookup.c Extend the sanity checks in ufs_lookup to ensure that each directory 2001-02-04 01:52:11 +00:00
ufs_quota.c Change and clean the mutex lock interface. 2001-02-09 06:11:45 +00:00
ufs_readwrite.c Grab the process lock while calling psignal and before calling psignal. 2001-03-07 03:37:06 +00:00
ufs_vfsops.c Add a missing <sys/systm.h> 2000-10-30 20:37:19 +00:00
ufs_vnops.c In my first reading of POSIX.1e, I misinterpreted handling of the 2001-04-17 04:33:34 +00:00
ufsmount.h Introduce extended attribute support for FFS, allowing arbitrary 2000-04-15 03:34:27 +00:00

$FreeBSD$

  UFS Extended Attributes Copyright

The UFS Extended Attributes implementation is copyright Robert Watson, and
is made available under a Berkeley-style license.

  About UFS Extended Attributes

Extended attributes allow the association of additional arbitrary
meta-data with files and directories.  Extended attributes are defined in
the form name=value, where name is a nul-terminated string in the style
of a filename, and value is a binary blob of zero or more bytes.  The UFS
extended attribute service layers support for extended attributes onto a
backing file, in the style of the quota implementation, meaning that it
requires no underlying format changes in the file system.  This design
favours simplicity, usability and easy deployment over performance.
Extended attribute names exist in a series of disjoint namespaces;
currently two are defined: EXTATTR_NAMESPACE_SYSTEM and
EXTATTR_NAMESPACE_USER.  The primary distinction lies in the protection
model: USER EAs are protected using the normal inode protections, whereas
SYSTEM EAs require privilege to access or modify.

  Using UFS Extended Attributes

Support for UFS extended attributes may be enabled by adding:

	options UFS_EXTATTR

to your kernel configuration file.  This allows UFS-based file systems to
support extended attributes, but requires manual administration of EAs
using the extattrctl tool, including the starting of EA support for each
file system, and the enabling of individual attributes for the file
system.  The extattrctl utility may be used to initialize backing files
before first use, to start and stop EA service on a file system, and to
enable and disable named attributes.  The command lines for extattrctl
take the following forms:

  extattrctl start [path]
  extattrctl stop [path]
  extattrctl initattr [-f] [-p path] [attrsize] [attrfile]
  extattrctl enable [path] [attrnamespace] [attrname] [attrfile]
  extattrctl disable [path] [attrnamespace] [attrname]

In each case, [path] is used to indicate the mounted file system on which
to perform the operation.  [attrnamespace] refers to the namespace in
which the attribute is being manipulated, and may be "system" or "user".  
The [attrname] is the attribute name to use for the operation. The
[attrfile] argument specifies the attribute backing file to use. When
using the "initattr" function to initialize a backing file, the maximum
size of attribute data must be defined in bytes using the [attrsize]
field.  Optionally, the [-p path] argument may be used to indicate to
extattrctl that it should pre-allocate space for EA data, rather than
creating a sparse backing file.  This prevents attribute operations from
failing in low disk-space conditions (which can be important when EAs are
used for security purposes), but pre-allocation will consume space
proportional to the product of the defined maximum attribute size and
number of attributes on the specified file system.

Manual configuration increases administrative overhead, and it also opens
a race window at file system mount time if EAs are used to support other
features: starting EA service by hand is not atomic with the mount
operation, so the file system is accessible before its attributes are.
To address this problem, an additional kernel option may be defined to
auto-start EAs on a UFS file system based on special directories at
mount-time:

	options UFS_EXTATTR_AUTOSTART

If this option is defined, UFS will search for a ".attribute"
sub-directory of the file system root during the mount operation.  If it
is found, EA support will be started for the file system.  UFS will then
search for "system" and "user" sub-directories of the ".attribute"
directory for any potential backing files, and enable an EA for each valid
backing file with the name of the backing file as the attribute name.  
For example, by creating the following tree, the two EAs,
posix1e.acl_access and posix1e.acl_default will be enabled in the system
namespace of the root file system, reserving space for attribute data:

  mkdir /.attribute /.attribute/system
  cd /.attribute/system
  extattrctl initattr -p / 388 posix1e.acl_access
  extattrctl initattr -p / 388 posix1e.acl_default

On the next mount of the root file system, the attributes will be
automatically started.