enterprise-ubuntu team mailing list archive

Re: Questions: Rights management on shares - Windows vs. Linux

 

On 14.05.2013 20:48, Bolesław Tokarski wrote:
> Hello,
> 
>> good that you took the challenge, because I hoped that there are
>> Linux solutions which can compete with Microsoft's rights management.
>>
>> I am not a Linux expert, but to compare what file/folder rights are
>> possible on Linux and Windows I found for Linux:
>>         - read, write and execute rights to a specific user, group and
>> for all other
>>         - with NFSv3 ACLs additional users can be configured to get
>> "rwx"-rights, set with "setfacl" (which are listed as "+" if you do
>> "ls -l")
>>         - NFSv4 can maybe have more possibilities, but as you also
>> wrote, it is not used, because of incompatibility and complexity of
>> available solutions
> 
> You might have misunderstood me. I know of a couple of pieces of broken
> NFSv4 server code in NAS devices. If you have a need for NFSv4, just make sure
> you either have an up-to-date Linux OS on the NFSv4 server or a
> well-implemented NAS device.
> 
>> on Windows NTFS we have the following 13 rights
>> (http://technet.microsoft.com/en-us/library/cc787794%28v=ws.10%29.aspx)
>>         - Traverse Folder/Execute File, List Folder/Read Data, Read
>> Attributes, Read Extended Attributes, Create Files/Write Data, Create
>> Folders/Append Data, Write Attributes, Write Extended Attributes,
>> Delete Subfolders and Files, Delete, Read Permissions, Change
>> Permissions, Take Ownership, Synchronize
> 
> It's not about the amount of ACLs. How often did you need to use those
> special attributes like "Traverse Folder" or "Read Permissions"? If you
> are interested in all-cool ACL entries, have a look at Novell's
> filesystem and its network transport mechanism. It has 18 (!) rights.
> Note these were created already for NetWare 4, released in 1993. I'd say
> Windows is still behind that, so it seems they are behind like... 20
> years. See:
> http://www.novell.com/documentation/oes/stor_filesys/?page=/documentation/oes/stor_filesys/data/bs3fkbm.html
> 
> Actually Novell did this right back then and even their NDS (now called
> eDirectory) released in 1993 was long before Microsoft decided to get
> there with their Active Directory, that only started shipping with
> Windows 2000 server. I believe Microsoft's win in this market was only
> due to its workstation monopoly.
> 
>> and most of them can be accomplished with rights on Linux also, but
>> for us functionalities like
>>         - rights inheritance on different levels
> 
> You have inheritance on POSIX ACLs. See the --default option to setfacl.

POSIX ACLs don't match with CIFS ACLs, so it's not really an option to
use them in a mixed environment. NFSv4 ACLs should work better, and
there is a project to "merge" best of both worlds, richacl:

http://www.bestbits.at/richacl/

..but it's been a couple of years since I looked at it and it still
has not made it into the kernel, boo..

>>         - authentication on access (NFSv3 only checks IP/hostname, but
>> e.g. no kerberos token)
> 
> Well, this basically crosses out NFSv3.

You can use RPCSEC_GSS with v3 just fine. v4 generally works too, but
there have been bugs in the past (10.04) which basically made it
unsuitable for using $HOME on it (with krb5). AIUI those should be fixed
by now..


-- 
t
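
The POSIX ACL inheritance mentioned in the thread (the --default option to setfacl) can be modelled as below. This is an added example, not part of the original mail: it follows the object-creation rules described in Linux acl(5), and the user and group names in the sample ACL are constructed.

```python
# Added example: model of how a directory's default POSIX ACL is inherited
# by new objects on Linux (rules from acl(5), "Object creation and default ACLs").
# Entry tags mirror getfacl output; "alice" and "audit" are constructed names.

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c != "-")

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def inherit(default_acl, mode, is_dir):
    """Return (access_acl, default_acl) of an object created with `mode`
    inside a directory whose default ACL is `default_acl`.
    The umask plays no part once a default ACL exists."""
    access = {tag: bits(p) for tag, p in default_acl.items()}
    access["user::"] &= (mode >> 6) & 7
    access["other::"] &= mode & 7
    # The group bits of `mode` limit the mask entry if there is one,
    # otherwise the owning-group entry.
    grp = "mask::" if "mask::" in access else "group::"
    access[grp] &= (mode >> 3) & 7
    access = {tag: text(v) for tag, v in access.items()}
    # Only subdirectories carry the default ACL further down the tree.
    return access, (dict(default_acl) if is_dir else None)

def effective(acl, tag):
    """Named users, named groups and the owning group are capped by the mask."""
    n = bits(acl[tag])
    if tag not in ("user::", "other::") and "mask::" in acl:
        n &= bits(acl["mask::"])
    return text(n)

# Constructed default ACL, as "setfacl --default -m u:alice:rwx,g:audit:r-x" might leave it.
DEFAULT_ACL = {"user::": "rwx", "user:alice:": "rwx", "group::": "r-x",
               "group:audit:": "r-x", "mask::": "rwx", "other::": "---"}

if __name__ == "__main__":
    file_acl, _ = inherit(DEFAULT_ACL, 0o640, is_dir=False)
    dir_acl, dir_default = inherit(DEFAULT_ACL, 0o755, is_dir=True)
    for name, acl in (("file 0640", file_acl), ("dir 0755", dir_acl)):
        print(name, {t: effective(acl, t) for t in acl if t != "mask::"})
```

The inherited entry for alice is still rwx on the new file, but the mode passed at creation narrows the mask, so her effective access is read-only. Inheritance is applied once at creation time; changing the parent's default ACL later does not touch existing objects.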

