LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Letters page

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

On ACLs

[Posted November 6, 2002 by corbet]

From:  Neil Brown <neilb@cse.unsw.edu.au>
To:  letters@lwn.net
Subject:  On ACLs
Date:  Wed, 6 Nov 2002 23:00:35 +1100




You commented that you would like more letters so I thought I would
spend a few minutes writing something - something on the topic of ACLs
which as you noted caused a lot of discussion and differing opinions
on linux-kernel.

For myself I think that it is sad that ACL support had to go into
Linux.  Not sad that it *did*, but sad that it *had to*.
Linus is ever the pragmatist, and including support for ACL's
is certainly the pragmatic thing to do.  But I think that the
environment that makes it a pragmatic decision is sad.

You see, I would rather go in the opposite direction, and remove what
ACL's we do have from being supported by the kernel:  they aren't
needed, and are often 'wrong', except in the simplest cases.

They aren't needed because I have access to much more flexible ACL's
completely outside of the kernel.  Apache, for example, provides very
flexible access control via the .htaccess file and various 'require'
directives and authentication mechanisms.  These mechanisms allow
people to create their own groups and give access based on patterns
in filenames, both features that are very useful and unlikely to be
supported by any ACL mechanism that is embedded in the kernel.

You might think that apache's access control only allows control of
read access, but write access is also very much a possibility.  By
defining a few generally applicable 'PUT' handlers (e.g. one which
will append, one which will check-in to RCS first, etc) a sysadmin
can make it fairly straight forward for users to give controlled write
access to files as they choose.

And this leads to the second issue, that current ACLs (and by that I
mean UNIX rwx for each of ugo) are wrong except in the simplest cases.

Giving anyone else unfettered write access to your files is probably a
bad idea.  We have a long history of how much of a bad idea a world
writable /tmp is, and group-writable directories aren't really much better.
The issues with others-writable files aren't so bad, but still, in
most cases you would really like some sort of control.  Possibly
allowing others to append, providing their username appears first
would be ok.  Possibly checking the file into a revision control
system before making a change would be ok.  But un-checked write
access just isn't sensible.

Obviously some files would benefit from much more subtle access
control rules.  Your example of /etc/password as mentioned in the
article on reiser4 is a good one.  Some people possibly should have
write access to some parts of their own record.  Some people might be
denied read access to some fields of other people's records.  Hans
Reiser, it would seem, would like to embed all that knowledge in the
filesystem.  I would rather lift it all up and embed it in some
user-space service.  Quite possibly that service could present a
filesystem-like interface (as I'm sure it would in plan-9) and that
interface could be 'mounted' into the filesystem name-space.  But
embedding knowledge of such access controls in the kernel is, to me,
wrong.


So what is my grand vision (which will never eventuate due to the
weight of current-practice)?

- File systems do not store any ownership/access control information.
- File systems are mounted either readonly, or writable.  / and /usr
  are readonly.  /home (which will only contain my home) is writable.
- Each process has a separate 'mount table' and associated view of the
  name space (this is coming to Linux if it isn't here already).
  My processes see my home directory, your processes see yours.
- Access to other people's personal filesystems have to be through
  some sort of gateway, such as apache/http.  Such gateways would be
  able to impose arbitrary access controls as appropriate.
  There may well be a very light weight gateway that provides everyone
  with read-only access to a certain part of other peoples home
  directories (e.g. /home/public) to make sharing easier.
- These gateways would use cryptographically secure identities (much
  like ssh does, and possibly using something like ssh-agent to
  supply them) so they could easily and securely be either remote or
  local.

Thus we lift the whole ACL issue out of the kernel and place it
clearly in user-space.  As there doesn't seem to be clear agreement
about what ACLs should really look like anyway (witness the Posix
draft that nobody seems to like), I think the flexibility of being in
user-space is a good thing.

Doing away with access bits does mean that we loose the 'x' bit.  But
having non-executable files in directories in your PATH is a bit
pointless anyway, and the kernel already knows what files are
executable based on 'magic numbers'.
The 'x' bit of directories doesn't add anything useful over the 'r'
bit.

It would also mean loosing the possibility of removing write access
from files that you own.  This (the 'user-write' bit) is probably the
only permission bit that might be worth leaving, but I would want to
think about it some more before I was certain that (in the ideal
world) we should even keep that.


I think filesystems should be left to store files and names of files
  (and symlinks/devices I guess)
I think inter-person access control should be left to user-space
  daemons which are in a position to be more flexible than any ACL scheme
  that a kernel/fs developer is likely to come up with.
I think the filesystem interface is likely to be a good interface for
  accessing such daemons, but that is quite different from embedding
  the daemons functionality in a filesystem.

As a sort of summary, it seems a pity to have to include a
questionable feature due to outside pressure.
It is true that having ACL support in the kernel doesn't preclude me
from coming up with a system that doesn't need it.  However as
Linus said recently on another matter (LKCD I think it was), a problem
with including something that is 'good' but might not be 'best' is
that it reduced the incentive to create the 'best' thing.  I feel that
logic could apply to ACLs.

NeilBrown
(Log in to post comments)

On ACLs

Posted Nov 7, 2002 13:31 UTC (Thu) by tres (guest, #352) [Link]

The main problem would be the duplication of code. Right now if there is a problem with something getting permission to do something that it shouldn't you can bet that the problem exists within the kernel or the standard libraries. Moving that to user space would mean a serious number of places that the same bug would have to be fixed and never really knowing if you got them all.

Just my $0.02,
Tres

On ACLs

Posted Nov 8, 2002 16:02 UTC (Fri) by mrshiny (subscriber, #4266) [Link]

I disagree with the notion that ACLs don't belong in the filesystem. A filesystem is more than just a byte stream and a name; a filesystem should manage your files. Just as a name is an important piece of meta-data about a file, so too are the ACLs of that file. I'm personally a fan of the BeOS approach to the filesystem, which is to define a standard set of metadata that can be appended to files, so that you can store more than just one thing about a file in the filesystem.

Consider an MP3 file. It is a song. It has a filename. What information goes in the filename? The artist? The title? How about the track number? The album of origin? etc. If you want to search for all songs written by a specific songwriter, you can not do it without using a huge naming convention. All of this information can be encoded in the MP3 file itself, using proprietary formats. However, then you need a special search tool to search for MP3s, and another search tool to search for email or some other type of document.

In BeOS, the additional metadata about files can be stored in the filesystem itself. This makes the filesystem somewhat more like a database, and it conceptually blurs the distinction between a file and a directory (though not too much... I've read about other systems that have no distinction at all). This changes some concepts, but makes the system more general. You can now use the filesystem's search tool to search for all documents written by Joe, regardless of what format the document is. Furthermore, the information is backed up when you back up the filesystem.

ACLs are just another example of metadata about a file that should live with the file.

On ACLs

Posted Nov 8, 2002 23:09 UTC (Fri) by Peter (guest, #1127) [Link]

I'm personally a fan of the BeOS approach to the filesystem, which is to define a standard set of metadata that can be appended to files

You call this "the BeOS approach" - is that because you don't like Windows NT, or because you don't like OS/2, or because you don't like MacOS? Or all of the above?

Nothing new under the sun, etc. (I think OS/400 had something like this as well, but I'm not sure.)

You'll be happy to learn, by the way, that as of kernel 2.5.45 or 2.5.46, Linux now supports extended attributes too - at least in certain filesystems.

On ACLs

Posted Nov 8, 2002 23:51 UTC (Fri) by abredon (guest, #2038) [Link]

If the ACL is stored as metadata, what happens when a user account that is listed in 300+ ACLs is deleted? You wind up with obsolete data that is never going to be deleted, and when a new user is added with the old user's user ID, that new user gets the permissions of the old user.

If you only store group access in ACLs, the situation is somewhat better, but there is still a strong possibility of messing up, and you still have to administer rights on a massive number of items.

There is no true 'right' way to handle it. The Unix ugo permissions is a relatively simple method that works well over 99% of the time. The Novell method of 'inherited' rights allows one to administer fewer objects, at the cost of inspecting the rights of the entire access tree to an object on every access.

On ACLs

Posted Nov 10, 2002 22:20 UTC (Sun) by ranger (guest, #6415) [Link]

The Novell method of 'inherited' rights allows one to administer fewer objects, at the cost of inspecting the rights of the entire access tree to an object on every access.

AFAIK, ACLs (both on XFS and ext2/3) support 'inherited' ACLs, see the '--default' option. In fact, these can also be manipulated from Windows (NT/2000/XP) machines when using samba with ACL support.

Of course, Posix ACLs don't support having multiple user accounts be able to change the permissions on files or directories (like the Windows 'Full Control' permission), which is why they currently aren't as useful as they could be.

We have situations where we would like 2 users to be able to manage ACLs, but we can't currently do that.

ACLs cannot be userspace

Posted Nov 10, 2002 22:33 UTC (Sun) by ranger (guest, #6415) [Link]

ACLs cannot be user space, for the simple reason that they would not be consistent.

Fine, you may be able to have fine-grained ACLs with apache, but then what happens when you decide to share the same filesystem (to your web developers?) via samba or NFS?

Unless there is support in samba and your NFS server, your ACLs will no longer apply, and this could be a security risk.

And when you allow a user to log in locally?

ACLs are great, and but I think there is a crucial feature missing, allowing more than one normal user account the permission to change permissions.

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds