Hello,
I think they intentionally removed the system.nfs4* in Fedora-42 because
commands like "cp -a" complained when copying files.
It complained because usually people copy from NFSv4 volume to a non-NFSv4
volume which is normal (expected) behaviour as we can't copy nfsv4 acls to non
nfsv4 volume.
What we can (and should) do is a check whether the ACLs detected are primitive
(i.e. no ACLs at all) and in this case, just skip the ACL copy.
If we do it, then most people will not receive any warning even when
system.nfs4* in /etc/xattr.conf and Fedora maintainers will re-add entries
there.
Does it make a sense?
Ondrej
-----Original Message-----
From: Bruno Haible <br...@clisp.org>
Sent: Monday, May 12, 2025 2:25 PM
To: bug-gnulib@gnu.org; Ondrej Valousek <ondrej.valousek...@renesas.com>; Lukáš
Zaoral <lzao...@redhat.com>; Paul Eggert <egg...@cs.ucla.edu>;
fedoraproj...@ferree-clark.org; Pádraig Brady <p...@draigbrady.com>
Subject: Re: qcopy-acl: Fix copying of ACLs on CentOS 7
Hi Pádraig,
> > 2024-07-15 Bruno Haible <br...@clisp.org>
> >
> > qcopy-acl: Fix copying of ACLs on CentOS 7 (regression 2023-01-12).
> > * lib/qcopy-acl.c: Include <string.h>, <linux/xattr.h>.
> > (XATTR_NAME_NFSV4_ACL, XATTR_NAME_POSIX_ACL_ACCESS,
> > XATTR_NAME_POSIX_ACL_DEFAULT): New macros, from file-has-acl.c.
> > (is_attr_permissions): Test for these names explicitly.
> > * m4/acl.m4 (gl_QCOPY_ACL): New macro.
> > * modules/qcopy-acl (Files): Add m4/acl.m4.
> > (configure.ac): Invoke gl_QCOPY_ACL.
> >
> > diff --git a/lib/qcopy-acl.c b/lib/qcopy-acl.c index
> > dfc39cead0..877f42588b 100644
> > --- a/lib/qcopy-acl.c
> > +++ b/lib/qcopy-acl.c
> > @@ -26,6 +26,20 @@
> > #if USE_XATTR
> >
> > # include <attr/libattr.h>
> > +# include <string.h>
> > +
> > +# if HAVE_LINUX_XATTR_H
> > +# include <linux/xattr.h>
> > +# endif
> > +# ifndef XATTR_NAME_NFSV4_ACL
> > +# define XATTR_NAME_NFSV4_ACL "system.nfs4_acl"
> > +# endif
> > +# ifndef XATTR_NAME_POSIX_ACL_ACCESS # define
> > +XATTR_NAME_POSIX_ACL_ACCESS "system.posix_acl_access"
> > +# endif
> > +# ifndef XATTR_NAME_POSIX_ACL_DEFAULT # define
> > +XATTR_NAME_POSIX_ACL_DEFAULT "system.posix_acl_default"
> > +# endif
> >
> > /* Returns 1 if NAME is the name of an extended attribute that is related
> > to permissions, i.e. ACLs. Returns 0 otherwise. */ @@ -33,7
> > +47,12 @@
> > static int
> > is_attr_permissions (const char *name, struct error_context *ctx)
> > {
> > - return attr_copy_action (name, ctx) == ATTR_ACTION_PERMISSIONS;
> > + /* We need to explicitly test for the known extended attribute names,
> > + because at least on CentOS 7, attr_copy_action does not do it.
> > + */ return strcmp (name, XATTR_NAME_POSIX_ACL_ACCESS) == 0
> > + || strcmp (name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0
> > + || strcmp (name, XATTR_NAME_NFSV4_ACL) == 0
> > + || attr_copy_action (name, ctx) ==
> > + ATTR_ACTION_PERMISSIONS;
> > }
> >
>
> I was wondering a little about the generality of this patch, and how
> it somwehat overrides /etc/xattr.conf which gives configurability over
> how these xattrs are treated.
>
> I checked one centos 7 system, and it didn't have a /etc/xattr.conf
> file which might explain the behavior noticed above.
>
> Then on centos 8 we have:
> system.nfs4_acl permissions
> system.nfs4acl permissions
> system.posix_acl_access permissions
> system.posix_acl_default permissions
>
> While on Fedora 42 we have:
> system.posix_acl_access permissions
> system.posix_acl_default permissions
And what do you suggest?
- Do you suggest that on CentOS 7, the lack of a /etc/xattr.conf file
should be considered like an intention to NOT copy any ACL xattrs,
and that therefore the aforementioned unit tests SHOULD fail?
- Do you suggest that on Fedora 42, the lack of the system.nfs4*acl in
/etc/xattr.conf should be considered like an intention to NOT copy
NFSv4 ACLs, and that therefore copying files with such ACLs SHOULD
produce errors since they are not supported?
> I'm not sure why nfs4 acls were only considered for a few Red Hat
> releases, but it might explain the (already resolved) issue with nfs4
> acls at
> https://jpn01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> illa.redhat.com%2F2363149&data=05%7C02%7Condrej.valousek.xm%40renesas.
> com%7Cf42b4ab003db4d78f99d08dd91500ef8%7C53d82571da1947e49cb4625a166a4
> a2a%7C0%7C0%7C638826495226693650%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hc
> GkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjo
> yfQ%3D%3D%7C0%7C%7C%7C&sdata=1qfnzyr7DeT0ugJC7%2FX22CfKhXjoUwf35l5frys
> Yf%2Fk%3D&reserved=0
The major part of Paul's patch there was to optimize the number of system calls
in the case of NFSv4 ACLs. So, even if this patch might not have been essential
on Fedora 42 (because NFSv4 ACLs are intentionally unsupported there), it is
useful for CentOS 8. Right?
Bruno
