Date:      Fri, 8 Aug 2003 09:52:35 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        current@freebsd.org
Subject:   Re: ACLS on UFS2 from FreeBSD 5.1-RELEASE install.
Message-ID:  <Pine.NEB.3.96L.1030808094632.77240D-100000@fledge.watson.org>
In-Reply-To: <3F335184.A84ECFDB@mindspring.com>


On Fri, 8 Aug 2003, Terry Lambert wrote:

> "Daniel C. Sobral" wrote:
> > You'll also notice I'm not questioning the _existence_ of ACL. My point
> > is that FreeBSD is Unix (no matter what the lawyers say), and people
> > don't usually think of ACL when they think of Unix. Ergo, enabling ACL
> > by default violates POLA.
> 
> Not if you never *set* an ACL on anything.  It's only when there are
> ACL's set on things that POLA may be violated. 
> 
> One presumes that an ACL has to be set on purpose... 

Well, I think it's more a question of risk with a new feature: it is true
that the intended semantics of the POSIX.1e ACLs is that they are 100%
compatible: if you don't have any default or extended ACLs, you should get
permissions equivalent to not using ACLs.  However, ACLs both rely on UFS2
EAs, which are a new feature, and include a substantial chunk of logic. 
This suggests that for users never using ACLs, there's a lower risk (in
terms of security and stability) by disabling them by default.

There's also a small potential performance cost associated with ACLs: you
have to access the EAs (generally cheap on UFS2) and do a bit more memory
allocation and evaluation.  When we ran our original ACL performance
benchmarks with UFS1, the difference was fairly measurable for
directory-intensive create operations (since the worst case involves
accessing two ACLs on a parent directory, and writing two on the child) --
almost all of that cost was the EA cost.  With UFS2, EA contents have much
more locality to the file, making use of the buffer cache more effectively,
etc.  All my performance measurements with MAC have seen the EA cost go
almost to zero with UFS2, but I haven't rerun the ACL performance tests
since the move to UFS2.

There are also some application compatibility concerns, which I think is
where the POLA element comes into play: if your users do start using ACLs,
they may get surprises, which may surprise you :-).

I think that having ACLs as an option is lower risk -- in a few minor
revisions, once we have more deployed experience, and have rerun the
performance tests, and more applications have been adapted (for example,
they get backed up by common backup tools) it should be reasonable to
enable them by default.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
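The compatibility claim above (a file with no default or extended ACL must
get exactly the decision the mode bits would give) can be checked with a
small user-space model of the POSIX.1e access algorithm. The block below is
an added example, not FreeBSD code and not part of the thread: it implements
the draft-17 style evaluation order (owner, then named user, then owning and
named groups filtered through ACL_MASK, then other), builds the implicit
"minimal" ACL from a mode, and compares the two checkers exhaustively. The
uids, gids, modes and ACL entries are constructed for the demonstration; the
struct and function names are the example's own, not the kernel's.

```c
/*
 * Added example (not FreeBSD source): a user-space model of the POSIX.1e
 * access-check algorithm, used to show that a "minimal" ACL (ACL_USER_OBJ,
 * ACL_GROUP_OBJ, ACL_OTHER and no ACL_MASK) yields exactly the classic
 * mode-bit decision, while an extended ACL adds named entries and a mask.
 * All uids, gids, modes and ACLs used with it are constructed for the demo.
 */
#include <stdbool.h>
#include <stddef.h>

#define PERM_R 4u
#define PERM_W 2u
#define PERM_X 1u

enum tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };

struct ace {            /* one ACL entry; id only matters for ACL_USER/ACL_GROUP */
    enum tag tag;
    unsigned id;
    unsigned perm;      /* PERM_R | PERM_W | PERM_X */
};

struct acl   { const struct ace *e; size_t n; };
struct inode { unsigned uid, gid, mode; };            /* mode: low 9 bits rwxrwxrwx */
struct cred  { unsigned uid; const unsigned *gids; size_t ngids; };

static bool in_groups(const struct cred *c, unsigned gid)
{
    for (size_t i = 0; i < c->ngids; i++)
        if (c->gids[i] == gid) return true;
    return false;
}

static const struct ace *lookup(const struct acl *a, enum tag t)
{
    for (size_t i = 0; i < a->n; i++)
        if (a->e[i].tag == t) return &a->e[i];
    return NULL;
}

/* Classic Unix mode-bit check: owner class, else group class, else other. */
bool mode_access(const struct inode *ip, const struct cred *c, unsigned want)
{
    unsigned bits;
    if (c->uid == ip->uid)          bits = (ip->mode >> 6) & 7;
    else if (in_groups(c, ip->gid)) bits = (ip->mode >> 3) & 7;
    else                            bits = ip->mode & 7;
    return (bits & want) == want;
}

/* POSIX.1e evaluation: first matching class decides; named users and all
 * group entries are filtered through ACL_MASK when a mask entry exists. */
bool acl_access(const struct acl *a, const struct inode *ip,
                const struct cred *c, unsigned want)
{
    const struct ace *mask = lookup(a, ACL_MASK);
    unsigned m = mask ? mask->perm : 7u;           /* no mask entry: nothing masked */
    const struct ace *uo  = lookup(a, ACL_USER_OBJ);
    const struct ace *oth = lookup(a, ACL_OTHER);
    if (uo == NULL || oth == NULL) return false;   /* malformed ACL: fail closed */

    if (c->uid == ip->uid)                         /* 1. file owner, never masked */
        return (uo->perm & want) == want;
    for (size_t i = 0; i < a->n; i++)              /* 2. named user */
        if (a->e[i].tag == ACL_USER && a->e[i].id == c->uid)
            return ((a->e[i].perm & m) & want) == want;
    bool matched = false;                          /* 3. owning group + named groups */
    for (size_t i = 0; i < a->n; i++) {
        const struct ace *e = &a->e[i];
        bool hit = (e->tag == ACL_GROUP_OBJ && in_groups(c, ip->gid)) ||
                   (e->tag == ACL_GROUP && in_groups(c, e->id));
        if (!hit) continue;
        matched = true;
        if (((e->perm & m) & want) == want) return true;
    }
    if (matched) return false;                     /* some group matched, none granted */
    return (oth->perm & want) == want;             /* 4. everyone else */
}

/* The minimal ACL a file without extended entries implicitly carries. */
void minimal_acl(const struct inode *ip, struct ace out[3])
{
    out[0] = (struct ace){ ACL_USER_OBJ,  0, (ip->mode >> 6) & 7 };
    out[1] = (struct ace){ ACL_GROUP_OBJ, 0, (ip->mode >> 3) & 7 };
    out[2] = (struct ace){ ACL_OTHER,     0,  ip->mode & 7 };
}

/* Compare both checkers for every permission request and every credential;
 * returns true when the minimal ACL never changes a mode-bit decision. */
bool minimal_acl_matches_mode(const struct inode *ip, const struct cred *creds, size_t ncreds)
{
    struct ace e[3];
    minimal_acl(ip, e);
    struct acl a = { e, 3 };
    for (size_t i = 0; i < ncreds; i++)
        for (unsigned want = 1; want <= 7; want++)
            if (acl_access(&a, ip, &creds[i], want) != mode_access(ip, &creds[i], want))
                return false;
    return true;
}
```

The point the model makes visible is the one behind the POLA worry: once an
extended ACL exists, ACL_MASK sits in the group mode bits and ACL_GROUP_OBJ is
filtered through it, so a chmod or an ls -l no longer tells the whole story
for group members or named users, while the owner and "other" classes behave
exactly as before.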
