gabriel rosenkoetter on Mon, 3 Feb 2003 14:37:10 -0500



Re: [PLUG] Moving a lot of user accounts


On Mon, Feb 03, 2003 at 08:50:11AM -0500, sean finney wrote:
> system that needs quotas.  of course what would be _really_
> nice is if linux NFS supported it as well, so it could be used in a
> network environment as, say, a drop-in replacement for a solaris server
> (or for the solaris clients) in a certain un-named cs dept.

I think I said it when you were having your ACL troubles there: use
AFS. (Not something you want to switch over to in the middle of a
semester, though.)

> also, afaik netBSD et al. also don't have any native file systems with
> acls either, though, correct?  i sent an email to current-users
> this summer asking about that, and the general response was that
> they hadn't gotten around to it yet either.

FreeBSD 5.0 has them, and it's on the list for NetBSD 1.7 (or maybe
1.8; the big addition for 1.7 will be SMP for all ports where
multiple processors are possible).

I can't speak to the FreeBSD code, but my understanding is that it's
clean, standards-compliant, and works with AFS. Across NFS, I don't
know.

There are those within the NetBSD camp who seem to feel that the
old, BSD-style user and group permissions should be sufficient. That
led to a series of flamefests on current-users and tech-kern, but
the anti-ACL people were finally quieted by assurances of backwards-
compatibility and allowing them to avoid "bloating" their file
systems with the extra metadata if they so desired. Adding ACLs to
existing file systems either won't work or will only work through
the bad way to implement ACLs (keep them in a file at the root of
the mount, like quotas are under some file systems). The big win for
ACLs is that there are very real situations where NetBSD is used in
production and someone has reached the groups-per-user limit.
Bumping the limit is clearly not a real fix, since there can't not
be a limit without a huge rototill of authentication internals. (And
even with that rototill, you'd leave yourself a loaded gun aimed at
your foot in the way of a DoS.)

Based on that, we should expect them to be showing up in OpenBSD,
oh, about 2013. ;^>

-- 
gabriel rosenkoetter
gr@eclipsed.net
