SUMMARY:

	This proposal is to provide several enhancements for setting NFSv4 ACLs
	and changing the owner and group ownership of files.

	Permission aliases will be added to allow a "set" of permissions
	to be specified.  The sets to be provided are full_set, modify_set,
	read_set and write_set.

	Three special ACE types will be added to allow a user to specify a
	Windows SID in place of an ephemeral uid/gid.  

	Both chown(1) and chgrp(1) will be enhanced to allow setting the
	owner and or group of files by SID rather than ephemeral id.

PROBLEM:

	Users of the CIFS service often want to specify permissions on
	ZFS directories that map to the windows aliases.
	
	For completeness we should also allow a user to specify file owner
	ship via a SID and also allow ACEs to be specified by SID rather than
	uid/gid.

PROPOSED SOLUTION:

	acl_totext() and acl_fromtext() will be enhanced to understand
	permission aliases and the special usersid, groupsid or sid ACE types.
	The following special permissions aliases will be added 

	full_set = all permissions
	modify_set = all permissions except write_acl and write_owner
	read_set = read_data, read_attributes, read_xattr and read_acl
	write_set = write_data, append_data, write_attributes, write_xattr

	usage example:

	chmod A+user:joe:full_set:allow
	chmod A+user:tom:modify_set:fd:allow
	chmod A+user:frank:read_set/write_set:allow

	usersid/groupsid/sid ACE types.  These are aliases for user and group,
	but instead of an id a windows SID or  is specified instead.  The final 
	form "sid" is used when the user doesn't care whether its a user or
        group sid.

	In addition to raw SID format the user can also specify the windows
	user or group via name@domain syntax.
	
	usersid:S-1-5-4343545-34534-44354-23:rwxp:allow
	groupsid:S-1-5-438473-58347567-4848-55:rwx:allow
	sid:S-1-5-438473-58347567-4848-55:rwx:allow
	usersid:joe@domain:rwxp:allow
	sid:admins@domain:rwxp:allow

	The acl_fromtext() interface will use idmap to convert the SID or
	Wwindows name string into an id. 

	The acl_totext() interface will introduce a new flag bit ACL_SID_FMT
	that will be used to instruct acl_totext() to use the usersid,
	or groupsid format when constructing textual ACLs when the "id" 
	field is an ephemeral id and the flag parameter requests "sid" format.
	The raw format will only be used when the ephemeral ID can't be mapped
	to a name such as joe@domain.

	acl_totext(aclp, ACL_SID_FMT);

	Both chown(1) and chgrp(1) will have a -s option added to allow 
	changing the owner/group by SID string.

	For example:

	chown -s S-1-5-4343545-34534-44354-23:S-1-5-438473-58347567-4848-55 file
	chown -s tom@domain:admin@domain
	chgrp -s S-1-5-438473-58347567-4848-55 file
	chgrp -s admin@domain

	All of the normal options to chown(1)/chgrp(1) will still apply, the
	-s argument simply tells the utility to treat the owner/group argument
	as a SID rather than a user or groupname.

MANPAGE DIFFS

chmod(1)

580a581
>      usersid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
581a583,584
>        Permissions for a specific user, but user is specified by SID
> 
585a589
>      groupsid:<sid string>:<perms>[:inheritance flags]:<allow|deny>
586a591
>        Permissions for a specific group, but user is specified by SID
590a596,597
> 
> 
703,704d709
< 
< 
746a752,754
>      Several special permission sets or aliases are also supported.  
>      The following permission sets are used the same way that verbose
>      permissions are specified.
747a756
>      full_set             all permissions.
748a758,766
>      modify_set                   all permissions except write_acl and write_owner.
> 
>      read_set             read_data, read_acl, read_attributes, and
>                           read_xattr
> 
>      write_set                    write_data, append_data, write_attributes, and
>                           write_xattr
> 
> 

acl_totext(3sec)
54a57,62
>      ACL_SID_FMT      For NFSv4 ACLs, the ACL entries for user or
>                       group entries will use the usersid or groupsid
>                       format when the "id" field in the ACL entry
>                       is an ephemeral uid or gid.  The raw sid format
>                       will only be used when the "id" can't be resolved
>                       to a windows name.
104a113,115
>      usersid    This ACL entry with a SID or Windows name specifies
>                 the access granted to a Windows user.
>                 This type of entry is for a CIFS server created file.
108a120,122
>      groupsid     This ACL entry with a SID or Windows name specifies
>                   the access granted to a Windows group.   This type of
>                 entry is for a CIFS server created file.
109a124,125
>      sid        This ACL entry with a SID or Windows name when the entry
>                 could be either a group or a user.
110a127
>


chown(1)

13a14
>      /usr/bin/chown -s [-fhR] ownersid[:groupsid] file...
16a18
>      /usr/bin/chown -s -R [-f] [-H | -L | -P] ownersid[:groupsid] file...
20a23
>      /usr/xpg4/bin/chown -s [-fhR] ownersid[:groupsid] file...
23a27
>      /usr/xpg4/bin/chown -s -R [-f] [-H | -L | -P] ownersid[:groupsid] file...
105a110,112
>      -s    The owner and or group arguments are Windows SID strings.
>          This option requires a file system that supports storing SIDS,
>          such as ZFS.

chgrp(1)
12a13
>      chgrp -s [-fhR] groupsid file...
15a17
>      chgrp -s -R [f] [-H | -L | -P] groupsid file...
88a91,92
>      -s    The specified group is a Windows SID.  This option requires
>          a file system that supports storing SIDs, such as ZFS..