Dear Tom,
> > (2) Although I subscribe to your first 3 points, I do not like the 4th point.
>
> I didn't either. After working on it some more, what I want to do now
> is keep the ACL representation the same as it is, but implicitly assume
> that the owner has all grant options whether the ACL says so or not.
Mmmm... So you still want to stick to "exceptional" rights that are
managed somewhere explicitly in the backend code. I would much prefer
something explicit in the acl, because it would make the path to roles
easier, and I'm a little bit interested in this path.
What I was "implicitly" suggesting through questions in my mail was an
approach where:
(0) all rights are always explicit, null means "no rights". So the algorithm to check accesses would be:
- if (it is a super-user) access granted; else interpret the ACL explicitly;
Otherwise you have everywhere:
- if (it is a super-user) access granted; elsif (it is the owner and we just need grant options) access granted; else interpret the acl explicitly;
As I've pointed out with some bug reports, the current middle section is quite buggy at the moment, and I think I've
found another not-yet-reported bug in this area.
As we're dealing with security, the simpler the better. Having implicit things just makes the code harder to
understand and check because there is always a special case, and looking at the acl from userland needs some
interpretation of things that are not there.
(1) "grant option" rights are given at creation time explicitly, maybe with your special user 0. They could then be
revoked by the owner.
(2) if they are revoked, they could be given back but only by the super user, with something like:
GRANT ALL ON ... TO calvin WITH GRANT OPTIONS FROM GRANTOR _SYSTEM;
It is a point that the super user should be able to create and
manage all rights, including explicit grantors.
So only the superuser is special in this approach, and owners are
only managed especially when creating an object, but not after.
This should make the actual code simpler and more explicit, so I feel that
it would be less likely to be buggy, and adding roles after that would be more
straightforward.
Well, all this is just my little opinion, and I'm not the one coding.
Have a nice day,
--
Fabien Coelho - coelho@cri.ensmp.fr
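A small model of the two access-check algorithms compared in the mail, as an added example (not PostgreSQL backend code, and not from the author of the thread): `check_implicit` carries the owner special case in code, `check_explicit` treats the ACL as the whole truth once the superuser is excluded, and `create_object` / `regrant_option` follow points (1) and (2). It assumes a superuser named `postgres` and uses the `_SYSTEM` grantor from the mail as a hypothetical pseudo-user.

```python
# Added toy model (not PostgreSQL backend code) of the two access-check
# strategies discussed in the mail: owner grant options implied by code,
# versus all rights explicit in the ACL, where an empty ACL means "no rights".
SUPERUSER = "postgres"        # assumed superuser name
SYSTEM_GRANTOR = "_SYSTEM"    # hypothetical grantor name from the mail

class Obj:
    def __init__(self, owner):
        self.owner = owner
        # acl: grantee -> {"privs": set, "grant": set, "grantor": str}
        self.acl = {}

def acl_allows(obj, user, priv, need_grant):
    # Interpret only what the ACL says; nothing is implied.
    item = obj.acl.get(user)
    if item is None:
        return False
    return priv in (item["grant"] if need_grant else item["privs"])

def check_implicit(obj, user, priv, need_grant=False):
    # Current style: the owner's grant options are a special case in code.
    if user == SUPERUSER or (user == obj.owner and need_grant):
        return True
    return acl_allows(obj, user, priv, need_grant)

def check_explicit(obj, user, priv, need_grant=False):
    # Proposed style: superuser aside, the ACL is the whole truth.
    return user == SUPERUSER or acl_allows(obj, user, priv, need_grant)

def create_object(owner, privs):
    # (1): at creation the owner gets all privs and grant options explicitly,
    # recorded with the system pseudo-user as grantor.
    obj = Obj(owner)
    obj.acl[owner] = {"privs": set(privs), "grant": set(privs),
                      "grantor": SYSTEM_GRANTOR}
    return obj

def revoke_grant_option(obj, grantee, priv):
    if grantee in obj.acl:
        obj.acl[grantee]["grant"].discard(priv)

def regrant_option(obj, actor, grantee, priv):
    # (2): only the superuser may hand a revoked grant option back
    # (GRANT ... WITH GRANT OPTION FROM GRANTOR _SYSTEM).
    if actor != SUPERUSER:
        raise PermissionError("only the superuser may grant FROM GRANTOR _SYSTEM")
    item = obj.acl.setdefault(grantee, {"privs": set(), "grant": set(),
                                        "grantor": SYSTEM_GRANTOR})
    item["privs"].add(priv)
    item["grant"].add(priv)
```

After the owner's grant option is revoked, the two checkers disagree: the implicit variant still answers yes from code, while the explicit variant answers from the ACL alone, which is the "things that are not there" problem the mail describes.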