UFS Access Control Lists Copyright

The UFS Access Control Lists implementation is copyright Robert Watson,
and is made available under a Berkeley-style license.

  About UFS Access Control Lists (ACLs)

Access control lists allow the association of fine-grained discretionary
access control information with files and directories, extending the
base UNIX permission model in a (mostly) compatible way.  This
implementation largely follows the POSIX.1e model, and relies on the
availability of extended attributes to store extended components of
the ACL, while maintaining the base permission information in the inode.

  Using UFS Access Control Lists (ACLs)

Support for UFS access control lists may be enabled by adding:

	options UFS_ACL

to your kernel configuration.  As ACLs rely on the availability of extended
attributes, your file systems must have support for extended attributes.
For UFS2, this is supported natively, so no further configuration is
necessary.  For UFS1, you must also enable the optional extended attributes
support documented in README.extattr.  A summary of the instructions
and ACL-specific information follows.

To enable support for ACLs on a file system, the 'acls' mount flag
must be set for the file system.  This may be set using the tunefs
'-a' flag:

	tunefs -a enable /dev/md0a

Or by using the mount-time flag:

	mount -o acls /dev/md0a /mnt

The flag may also be set in /etc/fstab.  Note that mounting a file
system previously configured for ACLs without ACL-support will result
in incorrect application of discretionary protections.  Likewise,
mounting an ACL-enabled file system without kernel support for ACLs
will result in incorrect application of discretionary protections.  If
the kernel is not configured for ACL support, a warning will be
printed by the kernel at mount-time.  For reliability purposes, it
is recommended that the superblock flag be used instead of the
mount-time flag, as this will avoid re-mount isses with the root file
system.  For reliability and performance reasons, the use of ACLs on
UFS1 is discouraged; UFS2 extended attributes provide a more reliable
storage mechanism for ACLs.

Currently, support for ACLs on UFS1 requires the use of UFS1 EAs, which may
be enabled by adding:

	options UFS_EXTATTR

to your kernel configuration file and rebuilding.  Because of filesystem
mount atomicity requirements, it is also recommended that:

	options UFS_EXTATTR_AUTOSTART

be added to the kernel so as to support the atomic enabling of the
required extended attributes with the filesystem mount operation.  To
enable ACLs, two extended attributes must be available in the
EXTATTR_NAMESPACE_SYSTEM namespace: "posix1e.acl_access", which holds
the access ACL, and "posix1e.acl_default" which holds the default ACL
for directories.  If you're using UFS1 Extended Attributes, the following
commands may be used to create the necessary EA backing files for
ACLs in the filesystem root of each filesystem.  In these examples,
the root filesystem is used; see README.extattr for more details.

  mkdir -p /.attribute/system
  cd /.attribute/system
  extattrctl initattr -p / 388 posix1e.acl_access
  extattrctl initattr -p / 388 posix1e.acl_default

On the next mount of the root filesystem, the attributes will be
automatically started, and ACLs will be enabled.

  UFS Extended Attributes Copyright

The UFS Extended Attributes implementation is copyright Robert Watson, and
is made available under a Berkeley-style license.

  About UFS Extended Attributes

Extended attributes allow the association of additional arbitrary
meta-data with files and directories.  Extended attributes are defined in
the form name=value, where name is an nul-terminated string in the style
of a filename, and value is a binary blob of zero or more bytes. The UFS
extended attribute service layers support for extended attributes onto a
backing file, in the style of the quota implementation, meaning that it
requires no underlying format changes in the filesystem.  This design
choice exchanges simplicity, usability and easy deployment for
performance.  When defined, extended attribute names exist in a series of
disjoint namespaces: currently, two namespaces are defined:
EXTATTR_NAMESPACE_SYSTEM and EXTATTR_NAMESPACE_USER.  The primary
distinction lies in the protection model: USER EAs are protected using the
normal inode protections, whereas SYSTEM EAs require privilege to access
or modify.

  Using UFS Extended Attributes

Support for UFS extended attributes is natively available in UFS2, and
requires no special configuration.  For reliability, administrative,
and performance reasons, if you plan to use extended attributes, it
is recommended that you use UFS2 in preference to UFS1.

Support for UFS extended attributes may be enabled for UFS1 by adding:

	options UFS_EXTATTR

to your kernel configuration file.  This allows UFS-based filesystems to
support extended attributes, but requires manual administration of EAs
using the extattrctl tool, including the starting of EA support for each
filesystem, and the enabling of individual attributes for the file
system.  The extattrctl utility may be used to initialize backing files
before first use, to start and stop EA service on a filesystem, and to
enable and disable named attributes.  The command lines for extattrctl
take the following forms:

  extattrctl start [path]
  extattrctl stop [path]
  extattrctl initattr [-f] [-p path] [attrsize] [attrfile]
  extattrctl enable [path] [attrnamespace] [attrname] [attrfile]
  extattrctl disable [path] [attrnamespace] [attrname]

In each case, [path] is used to indicate the mounted filesystem on which
to perform the operation.  [attrnamespace] refers to the namespace in
which the attribute is being manipulated, and may be "system" or "user".
The [attrname] is the attribute name to use for the operation. The
[attrfile] argument specifies the attribute backing file to use. When
using the "initattr" function to initialize a backing file, the maximum
size of attribute data must be defined in bytes using the [attrsize]
field.  Optionally, the [-p path] argument may be used to indicate to
extattrctl that it should pre-allocate space for EA data, rather than
creating a sparse backing file.  This prevents attribute operations from
failing in low disk-space conditions (which can be important when EAs are
used for security purposes), but pre-allocation will consume space
proportional to the product of the defined maximum attribute size and
number of attributes on the specified filesystem.

Manual configuration increases administrative overhead, but also
introduces the possibility of race conditions during filesystem mount, if
EAs are used to support other features, as starting the EAs manually is
not atomic with the mount operation.  To address this problem, an
additional kernel option may be defined to auto-start EAs on a UFS file
system based on special directories at mount-time:

	options UFS_EXTATTR_AUTOSTART

If this option is defined, UFS will search for a ".attribute"
sub-directory of the filesystem root during the mount operation.  If it
is found, EA support will be started for the filesystem.  UFS will then
search for "system" and "user" sub-directories of the ".attribute"
directory for any potential backing files, and enable an EA for each valid
backing file with the name of the backing file as the attribute name.
For example, by creating the following tree, the two EAs,
posix1e.acl_access and posix1e.acl_default will be enabled in the system
namespace of the root filesystem, reserving space for attribute data:

  mkdir -p /.attribute/system
  cd /.attribute/system
  extattrctl initattr -p / 388 posix1e.acl_access
  extattrctl initattr -p / 388 posix1e.acl_default

On the next mount of the root filesystem, the attributes will be
automatically started.