To minimize unnecessary flamage, I'll describe it only after
I can assign a programmer to work on it, though it is not a very deep
or profound solution.
Hans
tytso@valinux.com wrote:
>
> Date: Sun, 06 Aug 2000 15:52:19 +0200
> From: Xuan Baldauf <xuan--reiserfs@baldauf.org>
>
> Tytso does not like the idea. And after some thinking about the issue, I can
> understand him. It is because
>
> (1) resolving from the bottom to the top might be more costly than
> static ACLs if no path component checking is needed anymore (path
> component checking is UNIX's Achilles Heel compared to NT) and (2)
> there is no definite parent for files with n_link>1
>
> The difference here is that NT always does path resolution from the
> root, whereas in Unix, we do path resolution of relative pathnames
> (i.e., those whose pathname don't start with a '/') relative to the
> current working directory.
>
> So doing full inheritable ACL's will force the Unix permissions checking
> model to be as SLOW as NT. (Consider how many relative pathnames are
> used when doing a kernel compile, for example.) And oh by the way, it's
> not just me who doesn't like this; most of the folks I chatted to at the
> OLS thought it was also an insane idea, including sct and alan, and a
> number of others. I very much doubt something like this would ever go
> into the VFS core. (If a filesystem wants to do this in their
> filesystem dependent code, and trash their Andrew benchmark scores, they
> can feel free to do so. :-)
>
> (1) can be circumvented by having a (persistent) ACL change cache in
> reiserfs. When accessing a file, the cache (usually empty) is checked
> against wether the entry in the cache applies to a particular
> file. If the cache entries do not apply to the file, the files ACL is
> checked. This way you can always have inheriting ACLs, make ACL
> changes of millions of files atomic. (Changes place an entry in the
> cache, and a background thread changes the resolved ACL entries in
> every file.)
>
> What are you storing in the cache? If you are storing the entry for
> each directory, you still have to do the full pathname resolution to
> find all of the parent directories. If you are storing cache entries
> index by inode number, then each time there is an ACL change, you have
> to flush the entire ACL cache. Also, this doesn't help you if you're
> doing something like a kernel compile, since you still have to do the
> full pathname resolution for every new file that you've never seen
> before. (Which in the case of the kernel compile, happens a lot.)
>
> - Ted
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/