[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Future: Filesystem ACL and SCM



On Tuesday 20 March 2007 11:00:14 am Warren Togami wrote:
> NOTE: This info is not relevant to the near-term Fedora merge or any
> infrastructure supporting it.  We will continue to use the existing CVS
> + ACL system.
>
> Toshio was wondering about the possibility of using filesystem ACL's as
> part of a future ideal SCM's ACL enforcement.  It would work something
> like this:
> 1) PackageDB knows about all packages, owners, granted permissions,
> groups, etc.
> 2) PackageDB generates xattrs or FS ACL (themselves based on xattrs)
> within the SCM files/directories.
> 3) SCM has a custom ACL enforcement script that reads those xattrs,
> making it very fast and flexible.  ACL's could be enforced based on a
> list of users, groups, or a combination of users and groups.
Sounds very sane to me 

> I talked with a few filesystem experts within Red Hat.  They said...
> - ext3 has a limit of 4KB for xattr data.  If you use the standard
> encoding of 8 bytes per uid, that has a limit of roughly 100 entities
> that could be associated with a file.  Is this too limiting?  I dunno.
> Perhaps it need not be too limiting if more extensive use of
> group-based-ACL's are used.
I would like to encourage use of acls based on groups extensivly.  i.e KDE SIG 
security etc.  8KB would probably be a little better but 4KB will be fine.

> - XFS could possibly allow a maximum of 64KB xattr's per file, but that
> is very inefficient in filesystem storage.
> - xattr's are currently not supported by NFS.
i currently use linux ACL's over nfs very effectively 



-- 
Dennis Gilmore, RHCE


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]