bcpierce00 / unison

Unison file synchronizer
GNU General Public License v3.0

Allow syncing POSIX ACLs on Linux via xattrs #879

Closed tleedjarv closed 1 year ago

tleedjarv commented 1 year ago

There is no direct support for syncing POSIX ACLs on Linux via the acl preference. Since Linux stores POSIX ACLs as extended attributes on files and directories, an easy way to sync POSIX ACLs (between Linux systems only) is to enable xattr syncing support for these attributes (system.posix_acl_access and system.posix_acl_default).

A user can sync POSIX ACLs on Linux by enabling the xattrs preference and adding an xattrignorenot preference with value Path !system.posix_acl_*. To optionally prevent other xattrs from being synced, also add an xattrignore preference with value Path * (or Regex .*).
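To check what actually arrived after a sync with the preferences described above, the two ACL xattrs can be decoded and compared on Linux. This is an added example, not Unison's code; it assumes the value layout from the kernel's linux/posix_acl_xattr.h, the function names are hypothetical and the sample value is constructed. The value stores named users and groups as numeric ids, so the decoded entries also show which uid/gid a synced ACL refers to on each host.

```python
import os
import struct

# Layout from linux/posix_acl_xattr.h: a little-endian u32 version (2),
# then 8-byte entries of u16 tag, u16 perm, u32 id.
ACL_XATTRS = ("system.posix_acl_access", "system.posix_acl_default")
TAGS = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
        0x10: "mask", 0x20: "other"}


def decode_acl(blob):
    """Return getfacl-style entries ('user:1000:r--') from a raw xattr value."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated POSIX ACL xattr")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2:
        raise ValueError(f"unsupported ACL xattr version {version}")
    entries = []
    for tag, perm, ident in struct.iter_unpack("<HHI", blob[4:]):
        if tag not in TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x}")
        # Only named-user (0x02) and named-group (0x08) entries carry an id.
        who = str(ident) if tag in (0x02, 0x08) else ""
        bits = "".join(c if perm & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))
        entries.append(f"{TAGS[tag]}:{who}:{bits}")
    return entries


def read_acls(path):
    """Decode both ACL xattrs of a path (Linux only); absent ones are skipped."""
    out = {}
    for name in ACL_XATTRS:
        try:
            out[name] = decode_acl(os.getxattr(path, name, follow_symlinks=False))
        except OSError:
            continue              # no ACL of this kind, or xattrs unsupported
    return out


def acl_diff(path_a, path_b):
    """Entries present on only one side, per xattr; empty dict means identical."""
    a, b = read_acls(path_a), read_acls(path_b)
    return {n: sorted(set(a.get(n, [])) ^ set(b.get(n, [])))
            for n in ACL_XATTRS if a.get(n) != b.get(n)}


# Constructed sample value: owner rw-, uid 1000 r--, group r--, mask r--, other ---
SAMPLE = struct.pack("<I", 2) + b"".join(struct.pack("<HHI", *e) for e in [
    (0x01, 6, 0xFFFFFFFF), (0x02, 4, 1000), (0x04, 4, 0xFFFFFFFF),
    (0x10, 4, 0xFFFFFFFF), (0x20, 0, 0xFFFFFFFF)])
```

For replicas on different hosts, run `read_acls` on each side and compare the results; `acl_diff` covers the case where both roots are reachable from one machine.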

tleedjarv commented 1 year ago

So you want the long story.

> It seems like Linux implements the functionality of POSIX ACLs but does not implement the specified API.

I believe it does implement the API. The reason for going the xattr way is that I don't intend to ever make the 'acl' preference support POSIX draft ACLs. Instead of just saying "sorry, you can't sync those", I offer the xattr way as an alternative. (This is a Linux issue. Most other platforms offer something better than POSIX draft ACLs anyway.)

Mind you, this is actually the same thing that cp in GNU coreutils does (via gnulib), so I'd call it a pretty good alternative. https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=lib/qcopy-acl.c;h=0f4159b7fd954646d27946823e937264235bdfbb;hb=HEAD#l64 for those interested. Quoting from gnulib source:

> Rather than fiddling with acls one by one, we just copy the whole ACL xattrs

and then, if xattrs are not supported then this comment:

> no XATTR, so we proceed the old dusty way

So it's safe to say that this is what everyone using POSIX draft ACLs on Linux has been doing anyway, just not being aware of it.

This alternative is actually available for all (pseudo-)ACLs that are not implemented by the 'acl' preference, such as Samba server-side (attributes security.NTACL and user.SAMBA_PAI).

> Does rsync deal with this by basically implementing the missing API? Something else? Can it sync ACLs between POSIX systems and Linux? Should we be doing that instead?

I don't know what rsync does but a quick look at the source makes me believe that they use platform-specific APIs to get/set ACLs and transform those to/from their own internal serialization format. In my opinion this is a dead end for rsync. They can't support better ACLs with this code.

Very early on I made a decision not to have a semantic representation of ACLs within Unison with transformations to/from all platform-specific representations. That would be just too much work and possible maintenance and compatibility issues. With the current design it is still possible to improve cross-platform syncing in the future in a backwards-compatible way if it starts making sense.

I don't intend to ever add direct support for POSIX draft ACLs (although I driveby-added limited support on BSDs...). Other contributors are welcome to do it, of course, but then I'd recommend they better spend their effort migrating away from POSIX ACLs to something better.

Should Linux implement NFSv4 ACLs, then I will add that into the 'acl' preference.