From:	 Andreas Gruenbacher <ag@bestbits.at>
To:	 acl-devel@bestbits.at
Subject: [Acl-Devel] Version 0.7.16 released
Date:	 Sat, 1 Sep 2001 21:00:58 +0200 (CEST)

Hello,

I have updated the kernel patches for the current stable kernel version,
2.4.9. In addition to that, all the other packages contain a number of
minor changes. No critical bugs have been fixed, so there is NO NEED TO
UPDATE immediately.


Upcoming changes
----------------

We and the XFS filesystem developers will hopefully manage to agree on the
system call interface for extended attributes to be used in the next
couple of days/weeks. This is a necessary step for increasing the chances
that the patches will be integrated in the standard kernel. This will
bring additional functionality, but incur incompatible changes at the
system call and probably also at the filesystem level. Therefore, one of
the next versions will again break compatibility. There will of course be
upgrade paths.

I have been informed that the tar clone called `star' by Joerg Schilling
<schilling@fokus.gmd.de> already includes support for extended headers.
Extended headers are standardized under POSIX. We will work on adding ACL
and extended attribute support to star, so we will probably have a proper
backup solution soon !!!


NFS (versions 2 and 3):
-----------------------

As has been said before, ACLs will not be supported over the NFSv2 network
file system (see the Web site for an explanation). In the previous kernel
patches it was possible in a very few cases (that all involved ACL entries
that deny access to files for specific users) that these users still
obtain read access to such files. Several conditions had to be met in
order for that to happen. Nevertheless, the mechanism has been tightened
even more, so in the current version, permission escalation is no longer
possible.

The last kernel versions (including 2.2.19 and 2.4.9) include partial
support for the NFSv3 protocol. The kernel NFSv3 daemon (server side)
implements the access remote procedure call, which is required for ACLs to
work properly over NFS. Unfortunately the Linux NFSv3 client code does not
yet utilize this call, so permissions defined in ACLs still will not be
available for Linux clients. This problem is known to the NFS developers.
Since fixing this bug will require a number of substantial changes in the
NFS code, some of which are related to kernel restructuring work planned
in the 2.5 development cycle, no fixes will be available in the near
future.

In the extremely unlikely case that you use Linux as a file server, and
all your clients are fully NFSv3 compliant (e.g., Solaris boxes), you can
disable the ACL permission masking, and thus enable access to ACL
permissions over NFSv3. In order to do that, you will need to build the
kernel NFS daemon as a module, and add the module parameter
`nfs_permission_mode=0' (or compile nfsd into your kernel and add this
parameter to the kernel parameters of your boot manager). See the file
fs/nfsd/nfsctl.c for an explanation of the nfs_permission_mode parameter.

Note that retrieving or setting ACLs on an NFS-mounted filesystem are
separate problems. These operations are currently not supported.


Change log:
-----------

0.7.16
------
Kernel patches:
 * Permissions sent over NFS tightened up even more to avoid
   privilege escalation in presence of ACL entries denying permissions.
 * NFSv3 now includes a new module parameter `nfs_permission_mode' for
   configuring whether the file mode permission bits are modified.

ACL utilities: 
 * Minor cleanups/fixes in the make files.
 * The test cases in test/src have been updated to match the
   corrected ACL entry syntax (see the 0.7.15 changes).

EA utilities: 
 * Minor cleanups/fixes in the make files.

Fileutils patch:
 * Autoconf and automake-generated files have been regenerated with
   autoconf-2.52 and automake-1.5. This only affects the xdelta version,
   and should not result in any functional changes.


Regards,
Andreas.
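
The NFS section above says a client that checks only the file mode bits could give read access to a user whom an ACL entry denies. The sketch below is an added illustration, not code from the kernel patches or from fs/nfsd/nfsctl.c: the struct, the function names and the masking rule (intersect the group and other bits with every named entry) are assumptions chosen to show the idea, and the ACL is constructed sample data.

```c
#include <stdio.h>

enum { P_R = 4, P_W = 2, P_X = 1 };   /* one octal digit of a file mode */

/* Simplified ACL (hypothetical layout, not the patch's data structures). */
struct acl {
    unsigned owner, group, other;  /* ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER */
    unsigned mask;                 /* ACL_MASK; 7 when there are no named entries */
    unsigned named[8];             /* named user and named group entries */
    int n_named;
};

/* Mode bits as stat() shows them: with named entries the group digit is the mask. */
unsigned naive_mode(const struct acl *a)
{
    unsigned grp = a->n_named ? a->mask : a->group;
    return (a->owner << 6) | (grp << 3) | a->other;
}

/* Assumed conservative rule: a non-owner must never get more from the mode
 * bits than any ACL entry that might apply to them would grant. */
unsigned masked_mode(const struct acl *a)
{
    unsigned grp = a->group & a->mask, oth = a->other;
    for (int i = 0; i < a->n_named; i++) {
        unsigned eff = a->named[i] & a->mask;  /* effective rights of the entry */
        grp &= eff;
        oth &= eff;
    }
    return (a->owner << 6) | (grp << 3) | oth;
}

/* What an ACL-unaware client decides for a user who is neither owner nor in the group. */
int other_class_allows(unsigned mode, unsigned want)
{
    return (mode & 7 & want) == want;
}

/* Constructed sample: rw- owner, r-- group, r-- other, and user:joe:--- */
struct acl sample_acl(void)
{
    struct acl a = { 6, 4, 4, 4, { 0 }, 1 };
    return a;
}

int main(void)
{
    struct acl a = sample_acl();
    printf("unmasked %04o: joe reads? %d\n", naive_mode(&a),
           other_class_allows(naive_mode(&a), P_R));
    printf("masked   %04o: joe reads? %d\n", masked_mode(&a),
           other_class_allows(masked_mode(&a), P_R));
    return 0;
}
```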