Rich access control lists
The mode ("permissions") bits attached to every file and directory on a Linux system describe how that object may be accessed by its owner, by members of the file's group, and by the world as a whole. Each class of user has three bits regulating write, read, and execute access. For many uses, that is all the control a system administrator needs, but there are times where finer-grained access control is useful. That is where ACLs come in; they allow the specification of access-control policies that don't fit into the nine mode bits. There are different types of ACLs, reflecting their evolution over time.
POSIX ACLs
POSIX ACLs are clearly designed to fit in with traditional Unix-style permissions. They start by implementing the mode bits as a set of implicit ACL entries (ACEs), so a file with permissions like:
$ ls -l foo
-rw-rw-r-- 1 linus penguins 804 Oct 18 09:40 foo
Has a set of implicit ACEs that looks like:
$ getfacl foo
user::rw-
group::rw-
other::r--
The user and group ACEs that contain empty name fields ("::") apply to the owner and group of the file itself. The administrator can add other user or group ACEs to give additional permissions to named users and groups. The actual access control is implemented in a way similar to how the mode bits are handled. If one of the user entries matches, the associated permissions are applied. Otherwise, if one of the group entries matches, that entry is used; failing that, the other permissions are applied.
There is one little twist: the traditional mode bits still apply as well. When ACLs are in use, the mode bits define the maximum permissions that may be allowed. In other words, ACLs cannot grant permissions that would not be allowed by the mode bits. The reason for this behavior is to avoid unpleasant surprises for applications (and users) that do not understand ACLs. So a file with mode 0640 (rw-r-----) would not allow group-write access, even if it had an ACE like:
group::rw-
If a particular process matches a named ACE (by either user or group name), that process is in the group class and is regulated by the group mode bits on the file. The owning group itself can be given fewer permissions than the mode bits would otherwise allow. See this article for a detailed description of how it all works.
NFSv4 ACLs
When the NFS community took on the task of defining an ACL mechanism for the NFS protocol, they chose not to start with POSIX ACLs; instead, they started with something that looks a lot more like Windows ACLs. The result is a rather more expressive and flexible ACL mechanism. With one obscure exception, all POSIX ACLs can be mapped onto NFSv4 ACLs, but the reverse is not true.
NFSv4 ACLs do away with the hardwired evaluation order used by POSIX ACLs. Instead, ACEs are evaluated in the order they are defined. Thus, for example, a group ACE can override an owner ACE if the group ACE appears first in the list. NFSv4 ACEs can explicitly deny access to a class of users. Permissions bits are also additive in NFSv4 ACLs. As an example of this, consider a file with these ACLs:
group1:READ_DATA:ALLOW
group2:WRITE_DATA:ALLOW
These ACEs allow read access to members of group1 and write access to members of group2. If a process that is a member of both groups attempts to open this file for read-write access, the operation will succeed. When POSIX ACLs are in use, instead, the requested permissions must all be allowed by a single ACE.
NFSv4 ACLs have a lot more permissions that can be granted and denied. Along with "read data," "write data," and "execute," there are independent permissions bits allowing append-only access, deleting the file (regardless of permissions in the containing directory), deleting any file contained within a directory, reading a file's metadata, writing the metadata (changing the timestamps, essentially), taking ownership of the file, and reading and writing a file's ACLs.
There is a set of bits controlling how ACLs are inherited from their containing directories. ACEs on directories can be marked as being inheritable by files within those directory; there is also a bit to mark an ACE that should only propagate a single level down the hierarchy. When a file is created within the directory, it will be given the ACLs that are marked as being inheritable in its parent directory. This behavior conflicts with POSIX, which requires that any "supplemental security mechanisms" be disabled for new files.
ACLs can have an "automatic inheritance" flag set. When an ACL change is made to a directory, that change will be propagated to any files or directories underneath that have automatic inheritance enabled — unless the "protected" flag is also set. Setting the "protected" flag happens whenever the ACL or mode of the file have been set explicitly; that keeps inheritance from overriding permissions that have been intentionally set to something else. The interesting twist here is that there is no way in Linux for user space to create a file without explicitly setting its mode, so the "protected" bit will always be set on new files and automatic inheritance simply won't work. NFS does have a way to create files without specifying the permissions to use, though, so automatic inheritance will work in that case.
NFSv4 ACLs also differ in how permissions are applied to the world as a whole. The "other" class is called "EVERYONE@", and it means truly everyone. In normal POSIX semantics, if a process is in the "user" or "group" class, the "other" permissions will not even be consulted; that allows, for example, a specific group to be blocked from a file that is otherwise world accessible. If a file is made available to everyone in an NFSv4 ACL, though, it is truly available to everyone unless a specific "deny" ACE earlier in the list says otherwise.
RichACLs
The RichACLs work tries to square NFSv4 ACLs with normal POSIX expectations. To do so, it applies the mode bits in the same way that POSIX ACLs do — the mode specifies the maximum access that is allowed. Since there are far more access types in NFSv4 ACLs than there are mode bits, a certain amount of mapping must be done. So, for example, if the mode denies write access, that will be translated to a denial of related capabilities like "create file," "append data," "delete child," and more.
The actual relationship between the ACEs and the mode is handled via a set of three masks, corresponding to owner, group, and other access. If a file's mode is set to deny group-write access, for example, the corresponding bits will be cleared from the group mask in the ACL. Thereafter, no ACE will be able to grant write access to a group member. The original ACEs are preserved when the mode is changed, though; that means that any additional access rights will be returned if the mode is made more permissive again. The masks can be manipulated directly, giving more fine-grained control over the maximum access allowed to each class; tweaking the masks can cause the file's mode to be adjusted to match.
There are some interesting complications in the relationship between the ACEs, the masks, and the actual file mode. Consider an example (from this document) where a file has this ACL:
OWNER@:READ_DATA::ALLOW
EVERYONE@:READ_DATA/WRITE_DATA::ALLOW
This ACL gives both read and write access to the owner. If, however, the file's mode is set to 0640, the mask for EVERYONE@ will be cleared, denying owner-write access even though there is nothing in the permissions that requires that. Fixing this issue requires a special pass through the ACL to grant the EVERYONE@ flags to other classes where the mode allows it.
A similar problem comes up when an EVERYONE@ ACE grants access that is denied by the owner or group mode bits. Handling this case requires inserting explicit DENY ACEs for OWNER@ (or GROUP@) ahead of the EVERYONE@ ACE.
The RichACLs patch set implements all of this and more. See this page and the richacl.7 man page for more details. As of this writing, though, there is still an open question: how to handle RichACL support in Linux filesystems.
At the implementation level that question is easily answered; RichACLs are stored as extended attributes, just like POSIX ACLs or SELinux labels. The problem is one of backward compatibility: what happens when a filesystem containing RichACLs is mounted by a kernel that does not implement them? Older kernels will not corrupt the filesystem (or the ACLs) in this case, but neither will they honor the ACLs. That can result in access being granted that would have been denied by an ACL; it also means that ACL inheritance will not be applied to new files.
To prevent such problems, Andreas requested that a feature flag be added to the ext4 filesystem; that flag would prevent the filesystem from being mounted by kernels that do not implement RichACLs. There was some discussion about whether this made sense; ext4 maintainer Ted Ts'o felt that the feature flags were there to mark metadata changes that the e2fsck utility needed to know about to avoid corrupting the filesystem. RichACLs do not apply, since filesystems don't pay attention to the contents of extended attributes.
Over the course of the conversation, though, a consensus seemed to form around the idea that the use of RichACLs is a fundamental filesystem feature. So it appears that once they are enabled for an ext4 filesystem (either at creation time, or via tune2fs), that filesystem will be marked as being incompatible with kernels that don't implement RichACLs. Something similar will likely be done for XFS.
If things go as planned, this work will be mainlined during the 4.4 merge
window. At that point, NFS servers should be able to implement the full
semantics of NFSv4 ACLs; the feature should also be of use to people
running Samba servers. This patch set, the culmination of several years'
work, should provide a useful capability to server administrators who need
fully supported access control lists on Linux.
| Index entries for this article | |
|---|---|
| Kernel | Access control lists |
| Kernel | RichACLs |
Posted Oct 20, 2015 22:06 UTC (Tue)
by barryascott (subscriber, #80640)
[Link]
DoD 5200.28-STD "Orange Book", DoD Trusted Computer System
http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt
Posted Oct 21, 2015 1:41 UTC (Wed)
by JeffBai (guest, #103577)
[Link] (15 responses)
Doesn't sound like some nice `protection'.
Posted Oct 21, 2015 4:00 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (14 responses)
Posted Oct 21, 2015 7:57 UTC (Wed)
by mjthayer (guest, #39183)
[Link] (13 responses)
Posted Oct 21, 2015 12:44 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (12 responses)
Can an old kernel at least mount the filesystem read-only?
Posted Oct 21, 2015 15:01 UTC (Wed)
by felixfix (subscriber, #242)
[Link] (9 responses)
Posted Oct 21, 2015 15:16 UTC (Wed)
by niner (subscriber, #26151)
[Link] (8 responses)
If you're not improving security by denying read only mount and you're not preventing any erroneous modifications, then why prohibit it?
Posted Oct 21, 2015 16:23 UTC (Wed)
by felixfix (subscriber, #242)
[Link] (7 responses)
Posted Oct 21, 2015 16:34 UTC (Wed)
by niner (subscriber, #26151)
[Link] (5 responses)
If you as an attacker want to circumvent file permissions and the way you do it is by booting a different kernel, no feature bit in the world can stop you. To boot the other kernel you either have physical access to the media, or at least root access to the machine. So the feature bit is completely worthless as protection.
File permissions are a security device in a running system. Once the system is not running anymore be it because the drives are removed or the system is rebooted, the security is gone. That's why we have disk encryption. Disk encryption won't help you if the attacker breaks into the running system. File permissions may. But disk encryption helps you where file permissions won't: with offline attacks.
Posted Oct 21, 2015 16:55 UTC (Wed)
by bfields (subscriber, #19510)
[Link] (2 responses)
If you're mounting an ACL-protected filesystem on a multi-user system that isn't capable of enforcing them then there's a reasonable chance you're just making a mistake.
I assume there's some way to clear the flag if you still really want to do it.
Posted Oct 21, 2015 23:06 UTC (Wed)
by neilbrown (subscriber, #359)
[Link] (1 responses)
You are showing your age! It has been for many years that trying to mount an already-mounted block device simply creates a bind-mount.
Posted Oct 22, 2015 1:52 UTC (Thu)
by bfields (subscriber, #19510)
[Link]
Already??
Sigh; I was paying attention to this, honest! Thanks for the correction.
Posted Oct 21, 2015 23:03 UTC (Wed)
by smoogen (subscriber, #97)
[Link] (1 responses)
Posted Oct 22, 2015 0:15 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
XKCD explains that succinctly: https://xkcd.com/1200/
Posted Oct 21, 2015 16:35 UTC (Wed)
by mjthayer (guest, #39183)
[Link]
Posted Oct 28, 2015 10:24 UTC (Wed)
by Seegras (guest, #20463)
[Link] (1 responses)
You don't mind something ignoring the ACLs, but you don't want it to delete them. ACL-insensitive-but-ACL-preserving ;)
Posted Oct 28, 2015 23:55 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link]
Posted Oct 21, 2015 7:57 UTC (Wed)
by mbunkus (subscriber, #87248)
[Link] (48 responses)
POSIX ACLs already have default ACLs on directories which are applied to all new entries created within such a directory. Doesn't this fall under the same term of "supplemental security mechanisms"? And what does "supplemental" mean in the first place? Is a directory's sticky bit deemed to be a base security mechanism or would that not qualify and be "summplemental" as well?
Near the end you mention Samba which I've been meaning to ask about, too. At the moment Samba stores NT(FS)-specific ACLs in extended attributes (Make sure your backup software saves those, too!). Are the RichACL a strict superset of NT(FS) ACLs so that Samba could switch to using them instead of extended attributes for kernels and file systems that support RichACLs? And how would RichACLs interact with NFSv4 or later – would they be transmitted or would they be stripped down to what NFSv4 ACLs can do?
And while we're on the topic of extended attributes: does anyone know of work going into making NFS support extended attributes?
I'm looking at this specificially as an admin of various networks in which Linux and Windows clients access the same file servers via NFS and CIFS. I'd appreciate any insight into what's on the horizon wrt. ACLs, extended attributes, NFS etc.
Posted Oct 21, 2015 11:28 UTC (Wed)
by jlayton (subscriber, #31672)
[Link] (46 responses)
For NFSv4, they'd be translated into what NFSv4 ACLs can do. We do have to follow the protocol, after all. FWIW, knfsd currently translates NFSv4 ACLs into POSIX acls and back, but that's necessarily lossy. This should allow for much better semantics (though there are still some open questions about how this will work when idmapping fails).
There is a draft proposal to add xattr support to NFSv4:
https://tools.ietf.org/html/draft-ietf-nfsv4-xattrs-01
...and I think there are some patches that add this support, though it's unlikely they'll be merged until it's a little farther along.
Posted Oct 21, 2015 12:02 UTC (Wed)
by mbunkus (subscriber, #87248)
[Link] (1 responses)
Posted Oct 21, 2015 17:23 UTC (Wed)
by bfields (subscriber, #19510)
[Link]
Note that draft only covers what on Linux are the "user.*" extended attributes: "This document restricts the allowed namespaces to user-managed metadata only, in order to prevent the development of non-interoperable implementations. It requires that the attribute key/value MUST not be interpreted by the NFS clients and servers."
So for example the special system.posix_acl_{access,default} xattrs used to manage posix acls still wouldn't be exposed over NFS.
Posted Oct 21, 2015 15:23 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (17 responses)
Isn't this a general problem with DENY-type access control lists? It's relatively easy to force a client to prove that it *should* have access with a cryptographic challenge authentication protocol. But when you have user- or group-specific DENY entries in the ACL, you're asking the client to prove that it *shouldn't* have access, which isn't in the client's interest.
In particular, dropping a group membership should never *increase* a program's permissions.
Posted Oct 21, 2015 16:47 UTC (Wed)
by jra (subscriber, #55261)
[Link] (16 responses)
Posted Oct 21, 2015 19:09 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (15 responses)
Even if the process can't remove groups itself, an administrator can, and it's counter-intuitive that removing a user from a group might increase that user's privileges.
Whitelists are better than blacklists. Attempting to enumerate all the bad accounts or groups is poor security practice.
Posted Oct 21, 2015 20:18 UTC (Wed)
by fandingo (guest, #67019)
[Link] (14 responses)
It's only counter-intuitive because that's what you're used to. If you learned on systems with NFSv4-style ACLs, this wouldn't be confusing. We just need to get used to the idea of negative permissions.
> Whitelists are better than blacklists. Attempting to enumerate all the bad accounts or groups is poor security practice.
Sure, I guess, but nobody is talking about using allow *or* deny lists exclusively. They're talking about being able to mix them to apply complex policies. I imagine one place where allow and deny will be routinely combined is with daemons. They get an allow for append-only write access, and explicit denies for read, delete, and general write accesses. That's a completely reasonable policy.
Posted Oct 21, 2015 22:42 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (13 responses)
No, it's counter-intuitive because of how groups work in the real world. Being a member of a group is a privilege, not a burden. Being accepted into a group has positive connotations; rejection is negative.
Obviously one can learn to use either system, but whether or not it's deemed intuitive shouldn't depend on which system you had prior experience with. It should be based on what someone with no prior experience with ACLs would expect.
> I imagine one place where allow and deny will be routinely combined is with daemons. They get an allow for append-only write access, and explicit denies for read, delete, and general write accesses. That's a completely reasonable policy.
The reasonable version is a "default deny" policy. Don't just deny access to the daemons, deny access to everyone by default (as POSIX ACLs and standard permissions would), and grant the daemons append-only access. If other users or groups should have read, delete, or general write access, grant it to them specifically, not as a default.
Posted Oct 21, 2015 22:56 UTC (Wed)
by fandingo (guest, #67019)
[Link] (3 responses)
What about prison inmates? What about people on no-fly lists? Groups have negative connotations and restrict behavior all the time.
Posted Oct 22, 2015 17:50 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (1 responses)
Personally, I tend to think of those from the opposite (positive) point of view. The group of members of society in good standing; the group of people granted the privilege of flying. (Which should be the same as the first group, but that's a whole other discussion...)
Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.
Posted Oct 22, 2015 18:26 UTC (Thu)
by fandingo (guest, #67019)
[Link]
What a coincidently self-serving stance, but it's still a tortured viewpoint that's incorrect. It simply doesn't comport with reality. The government does not maintain a list of people authorized to fly, so there's no group there. They do maintain list for no-fly and mistakenly-no-fly people. Same thing for inmates; there's no list of free civilians, but there are lists (per jurisdiction) of those incarcerated. To get a list of free people, you need to derive that from the difference between the census and those in prison. The implementation dictates POV.
> Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.
Meh, that's what administrative user-management tools are for. Let the software handle it.
Posted Oct 30, 2015 17:17 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
> What about prison inmates? What about people on no-fly lists? Groups have negative connotations and restrict behavior all the time.
You missed that sentence of the OP ... Prison inmates aren't ACCEPTED, they're PLACED. Likewise the no-fly. You can split groups into two types, the ones you JOIN, and the ones that other people PUT you in. Yes, the latter are normally places you'd rather not be.
But if you treat ACLs as the former type of group, then it makes everything a lot simpler.
Cheers,
Posted Oct 22, 2015 17:36 UTC (Thu)
by eternaleye (guest, #67051)
[Link] (2 responses)
I'll note that even on classic mode bits, a group can restrict access. See above on how "the other permission is not even consulted if user or group match" - because of that, u=rw,g=,o=r is an entirely valid permission that denies read only for a specific group.
Posted Oct 22, 2015 18:18 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (1 responses)
Right, and I don't consider that intuitive either. The effective permissions should be a bitwise-OR of the applicable fields, not simply the first match.
Posted Oct 24, 2015 17:20 UTC (Sat)
by jubal (subscriber, #67202)
[Link]
Posted Oct 22, 2015 18:55 UTC (Thu)
by idra (guest, #36289)
[Link] (4 responses)
This is not the reason why negative ACLs are bad, they are bad because they do not fail safe.
Pure Windows semantics are even worse, and *are* counterintuitive, because not only they provide DENY ACLs, they are also *ordered*. And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW. Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
Of course hilarity ensues if you intentionally ordered an ALLOW ACL before a DENY ACL with a CLI tool and then someone just add a completely unrelated instruction via the GUI. Your careful ACL breaks as the gUI reorders everything; but at least in that case it fails safe because you end up denying access to a larger set, not allowing more access.
> The reasonable version is a "default deny" policy. Don't just deny access to the daemons, deny access to everyone by default (as POSIX ACLs and standard permissions would), and grant the daemons append-only access. If other users or groups should have read, delete, or general write access, grant it to them specifically, not as a default.
In some rare cases it may be simpler to add exceptions (all users but Joe should be able to read this file), but usually the need of an exception is a sympthom of a much deeper broken system/process elsewhere.
Posted Oct 22, 2015 20:10 UTC (Thu)
by fandingo (guest, #67019)
[Link] (3 responses)
This is entirely incorrect and undermines your entire point. ACL resolution order is an explicit feature of Linux ACLs (and traditional POSIX mode bits). Let's say I'm using traditional ACLs, and a file has permissions r-----rw-. It's owned by me, and the group doesn't matter. This is a negative policy! I am not allowed to write to this file, but others are. If the user "ACL is accidently dropped" to, say, change ownership (ACLs are a combination of a user/group object and mode bits), I end up with more permissions than I'm supposed to. This is specifically mentioned in the article.
> And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW.
How do I put this nicely? I don't want design limitations because some people are too stupid to learn the tools. That's their problem. Don't mount with the Richacl option if you don't know what you're doing.
> Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
I don't see why this matters at all. It's an implementation issue that the software completely handles for you, and it sounds like a good decision.
> Pure Windows semantics are even worse, and *are* counterintuitive, because not only they provide DENY ACLs, they are also *ordered*. And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW. Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
I don't understand what you're getting at. Back in the early NT days, yes, there were tooling problems, but those have been long corrected. Maybe you can be more specific, but this has been fixed for ages. There are some low-level APIs that allow insertion of ACLs without resolving the overall policy, but they're counter-recommended and proper versions have been around for a long time. But, hey, nothing like a Linux forum criticizing Microsoft with severely outdated information.
> In some rare cases it may be simpler to add exceptions (all users but Joe should be able to read this file), but usually the need of an exception is a sympthom of a much deeper broken system/process elsewhere.
I agree with this statement. I haven't once advocated for broad use of denial policies. Instead, I'm arguing that the ACL implementation needs to allow this expressiveness because there are legitimate situations where it's needed.
Posted Oct 25, 2015 1:44 UTC (Sun)
by idra (guest, #36289)
[Link] (2 responses)
Sorry man but you are very confused. First of all with as Posix permissions and not Posix ACLs, that said the default is no access ---, you have been given read access by turning on the r bit. Perimissions cannot be accidentally dropped so that case does not apply to the basix posix permissions. In any case if that bit were dropped you'd lose read access, whic is consistent with what I said.
> How do I put this nicely? I don't want design limitations because some people are too stupid to learn the tools. That's their problem. Don't mount with the Richacl option if you don't know what you're doing.
Tools are as good as they are usable by *normal* people. A car only a F1 drvier can use is ... how can I put it nicely ... useless to everyone but the 20 odd F1 driver on the planet, which is to say uselss.
Now RichACLs are not *that* hard, but my experience tells me that ACL systems the include ordered deny policy are a double-edged sword, and the balance between complexity and usefulness is wrongly tilted. All this said I need RichACLs to be able to reach compatibility with Windows ACLs so I'll take them as they come.
> I don't understand what you're getting at.
Sadly obvious.
> Back in the early NT days, yes, there were tooling problems, but those have been long corrected. Maybe you can be more specific, but this has been fixed for ages. There are some low-level APIs that allow insertion of ACLs without resolving the overall policy, but they're counter-recommended and proper versions have been around for a long time. But, hey, nothing like a Linux forum criticizing Microsoft with severely outdated information.
Look, those issues were not bugs that got fixed and are there no more, they are fundamental usability issues that are due to the semantics chosen. They just got "handled" by adjustment done by the GUI tools. Now there is no criticizing here *at all* (that's all in your mind pal), but only making people unfamiliar with these semantics that the *same* problems will now be found in systems used by Linux admins. They can be solved the same way, by forcing the tools to reorder the ACIs and massahe the ACLs, but afaik the tools do not do that today.
Posted Oct 25, 2015 4:30 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
No, the default is 0777. You set umask to take bits away.
Posted Oct 25, 2015 9:06 UTC (Sun)
by paulj (subscriber, #341)
[Link]
Posted Oct 29, 2015 14:56 UTC (Thu)
by fest3er (guest, #60379)
[Link]
Posted Oct 21, 2015 17:49 UTC (Wed)
by drag (guest, #31333)
[Link] (25 responses)
In Windows-world their extended ACLs are used as of a matter of course. In Linux-land the the POSIX ACLs are almost never used. I expect that people that use them the most are Samba users. Next biggest is likely NFSv4 users...
I think this may be a big win for Linux in general.
Posted Oct 21, 2015 20:11 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (24 responses)
> In Linux-land the the POSIX ACLs are almost never used.
Posted Oct 21, 2015 20:25 UTC (Wed)
by fandingo (guest, #67019)
[Link] (23 responses)
The problem with Linux ACLs is that they don't allow novel permission schemes. It's still just RWX. The issue that Richacl is trying to solve is much broader than multiple RWX policies.
Here's the simplest general use-case for Richacls: every daemon that writes to a log file. W, whether through POSIX or Linux ACLs, is simply too crude for secure logging. That's a major reason why so much stuff needlessly goes through syslog just to end up on the local file system. So, yeah, I expect the append-only Richacl to be used a lot.
Posted Oct 21, 2015 21:01 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Posted Oct 21, 2015 21:27 UTC (Wed)
by fandingo (guest, #67019)
[Link] (3 responses)
Posted Oct 21, 2015 22:35 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
I worked with Windows ACLs extensively. That's the reason why I hate complicated permission systems.
Posted Oct 21, 2015 22:57 UTC (Wed)
by fandingo (guest, #67019)
[Link]
Posted Oct 29, 2015 14:13 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
As others have said, it's just so complicated ...
And I know I've said it before, but Pr1mos just had read, write, use. For files or directories. So that makes six different permissions. And using them was simple - if your user was explicitly specified, that was what you got. If you weren't explicitly named, but your groups were, those permissions were added together. And if neither your user, nor a group you were in, was specified, you just got the default permissions. Very simple, very easy to understand.
Cheers,
Posted Oct 21, 2015 21:16 UTC (Wed)
by dlang (guest, #313)
[Link] (17 responses)
you are ignoring the fact that if things are written to go through syslog, even if they end up on the local filesystem in many/most cases, it's far nicer when you do want to do more than just write to the local disk.
having to poll local filesystems for changes to log files and then scrape them is a very poor thing to do.
Posted Oct 21, 2015 21:16 UTC (Wed)
by dlang (guest, #313)
[Link] (16 responses)
Posted Oct 21, 2015 21:24 UTC (Wed)
by fandingo (guest, #67019)
[Link] (15 responses)
Not everything is centralized either. Additionally, you'd use this exact same append-only policy on the files that syslog does write, making your point moot. I don't know about you, but I don't run my applications or centralized syslog systems on a file server.
Posted Oct 21, 2015 21:31 UTC (Wed)
by dlang (guest, #313)
[Link] (14 responses)
Posted Oct 21, 2015 22:02 UTC (Wed)
by fandingo (guest, #67019)
[Link] (13 responses)
Posted Oct 21, 2015 22:38 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (12 responses)
And there are much better ways to do it already, anyway.
Do you have less contrived examples? Preferably not involving a "mainframe shared among faculty and students" textbook scenario that is pretty much irrelevant right now.
Posted Oct 21, 2015 23:03 UTC (Wed)
by fandingo (guest, #67019)
[Link] (11 responses)
> A compromised application can just spam the log files with 2Mb zero-filled data pages. It will scramble other writers and make analysis difficult.
That's better than a 0B file that was maliciously truncated...
Posted Oct 21, 2015 23:19 UTC (Wed)
by dlang (guest, #313)
[Link] (3 responses)
Anything important like that sort of log data, I want off on a separate machine.
Posted Oct 22, 2015 0:04 UTC (Thu)
by fandingo (guest, #67019)
[Link] (2 responses)
I already addressed this in a previous comment.
>> Additionally, you'd use this exact same append-only policy on the files that syslog does write, making your point moot.
Wherever that data hits disk, it's advantageous to be able to restrict to `append_data`, even when that writing is happening on a separate system.
Posted Oct 22, 2015 0:09 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
advantageous, yes
but worth how much in the face of the added complications, bugs and performance hit?
Also, to make use of this, the applications are going to have to be modified in linux-only ways. Some apps won't care, but others try to be cross platform, so this sort of churn won't be welcome.
Posted Oct 22, 2015 0:56 UTC (Thu)
by fandingo (guest, #67019)
[Link]
It's worth 42. I don't know how to answer the obviously loaded, rhetorical question. You'll need to offer data about performance implications before I'll get into that topic; it's just FUD otherwise.
> Also, to make use of this, the applications are going to have to be modified in linux-only ways. Some apps won't care, but others try to be cross platform, so this sort of churn won't be welcome.
For the most part, this isn't something that applications will interact with at all. (I suppose beyond EACCESS when there is a violation, but they have to deal with that anyways.) It will be handled just like SELinux policy: The Linux distribution writes and maintains it.
There is specialized software that may need to interact with Richacl specifically, but I just don't see it being a major problem. The only places where it may cause a problem is when a project is sloppy with it's open(2) mode flags, which should be tightened regardless of Richacl. If a piece of software is diligent, writing a policy for that software package isn't any challenge.
Posted Oct 22, 2015 0:17 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (6 responses)
Append-only mode also does not guarantee atomicity, so I'm curious to see the actual systems that depend on it. I'm not aware of anything non-trivial.
Posted Oct 22, 2015 0:27 UTC (Thu)
by smckay (guest, #103253)
[Link] (1 responses)
Posted Oct 22, 2015 0:29 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Oct 22, 2015 1:13 UTC (Thu)
by fandingo (guest, #67019)
[Link] (3 responses)
> so I'm curious to see the actual systems that depend on it.
I'm not sure any piece of software itself could "depend" on it. From the software's perspective, it's just eliminating extraneous syscalls and mode flags. It's the software distribution's (or perhaps the adventurous sys admin's) job to write and distribute a policy. The policy separation and delegation to distributions is same as SELinux.
Posted Oct 22, 2015 1:30 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Of course, some people might also forbid any file activity on Sundays, so we need a special permission for that as well.
Posted Oct 22, 2015 1:50 UTC (Thu)
by fandingo (guest, #67019)
[Link] (1 responses)
Nonetheless, I doubt you'd have many people in such a scheme. But, let's dial it back from absurdity.
Posted Oct 22, 2015 22:58 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
At least with modebits I can understand what's happening immediately. With Windows ACLs you can't do that - you have to carefully evaluate the rules, keeping their order in mind. POSIX ACLs are ok-ish, they at least play nicely with the regular Unix permissions.
And your examples are so far extremely poor. If you need to constrain a daemon to use only O_APPEND - then write an LSM module for that. No need at all to rape file permissions. And if you are doing it over NFS then get a proper rsyslog, for FSM's sake.
So what are other examples, apart from the contrived O_APPEND?
Posted Oct 21, 2015 14:58 UTC (Wed)
by agruen (subscriber, #6613)
[Link]
The second mechanism, Automatic Inheritance, extends the first: ACEs which are inherited from the parent are marked as such; when the parent permissions are modified, the inherited permissions change as well. This is implemented by walking the directory tree and updating all ACLs, in user-space.
Automatic Inheritance works well enough as long as the inherited permissions are not modified. POSIX syscalls that create files or directories have a mode parameter which defines the maximum permissions that may be granted, and appling that mode to the inherited ACL counts as a modification, however. The effect is that Automatic Inheritance is immediately stopped at create time.
Both CIFS and NFSv4 have "create without a create mode" operations though; they can emulate those by doing normal creates and re-enabling Automatic Inheritance. That's the best we can do at the moment.
Posted Oct 21, 2015 8:49 UTC (Wed)
by ldo (guest, #40946)
[Link] (2 responses)
I was reading about MULTICS a little while back, and discovered that its protection system didn’t suffer from the problem that POSIX-based systems have with multiple users trying to manage files in a common “group” directory—that every file can only have one owner, it cannot belong collectively to the group.
It looks like RichACLs finally solve that problem.
Posted Oct 21, 2015 17:15 UTC (Wed)
by bfields (subscriber, #19510)
[Link] (1 responses)
Posted Nov 1, 2015 2:25 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Oct 21, 2015 15:40 UTC (Wed)
by fandingo (guest, #67019)
[Link] (7 responses)
Posted Oct 21, 2015 22:10 UTC (Wed)
by daniels (subscriber, #16193)
[Link] (6 responses)
Posted Oct 21, 2015 23:06 UTC (Wed)
by fandingo (guest, #67019)
[Link] (5 responses)
There's absolutely no reason why this needs to be done in POSIX bits, though. If the file/file-system is Richacl enabled, translate the chmod(2) (or the variety of other POSIX ACL syscalls) to Richacl -- solely operating on the Richacl xattrs. The POSIX bits, then, are just a virtual representation of Richacl xattrs.
I'd argue that we'd be far better off switching to native Richacl solely. Continue to support traditional POSIX ACL syscalls, but they all get translated to Richacl for both policy evaluation and storage. (I'm only advocating for this strategy due to the agreement of making Richacl a compatibility-breaking filesystem feature.) Richacl offers a superset of features from POSIX and Linux ACLs; it makes more sense to stop duplicating information, and at least for kernel internals, entirely switch to the most expressive system.
Posted Oct 22, 2015 0:19 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
But forcing your insanity on others? No way.
Posted Oct 22, 2015 0:59 UTC (Thu)
by fandingo (guest, #67019)
[Link] (2 responses)
Posted Oct 22, 2015 1:09 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
So no, it's definitely not something I'd want to ever see close to my systems.
Posted Oct 23, 2015 19:59 UTC (Fri)
by nevyn (guest, #33129)
[Link]
Posted Oct 22, 2015 2:05 UTC (Thu)
by bfields (subscriber, #19510)
[Link]
Note that POSIX ACLs are quite a bit more complicated than mode bits, I wouldn't lump them together.
You can think of Andreas's patches as already implementing mode bits on top of Richacls, if you'd like. I'm not sure exactly what your complaint is there.
Going further and implementing full POSIX ACLs on top of Richacls would also be possible, but quite complicated, and I think Andreas's choice not to do that is reasonable.
Posted Oct 21, 2015 20:19 UTC (Wed)
by AndreiG (guest, #90359)
[Link] (1 responses)
Posted Oct 21, 2015 20:50 UTC (Wed)
by BlueLightning (subscriber, #38978)
[Link]
Posted Oct 25, 2015 22:48 UTC (Sun)
by skissane (subscriber, #38675)
[Link] (3 responses)
Posted Aug 15, 2019 17:59 UTC (Thu)
by pgoetz (subscriber, #4931)
[Link] (2 responses)
There is one extremely minor inaccuracy in this mapping: if a
ACL_USER_OBJ: ---
will prevent a user that is a member of groups g1 and g2 from opening
The NFSv4 ACL permission-checking algorithm has the property that it
Posted Aug 15, 2019 18:36 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Aug 20, 2019 16:43 UTC (Tue)
by bfields (subscriber, #19510)
[Link]
Eh, this is a pretty minor nit.
If you want to complain about some flavor or ACLs being too complicated, I think there are better places to start.
Here, honestly, I think we should probably just fix the Linux ACL implementation, and I doubt anyone would notice the change.
I've been meaning to write a patch and just haven't gotten around to it. It's not something people run across in practice so a little hard to prioritize.
Posted Aug 15, 2019 18:02 UTC (Thu)
by pgoetz (subscriber, #4931)
[Link]
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
So, no, it absolutely was not meant in that way.
Rich access control lists
Rich access control lists
> -EBUSY on attempts to mount the same block device twice.
You do get -EBUSY if you mount a block device on a directory where the same block device is mounted, but I think that is just to stop repeated "mount -a" from flooding the mount table.
Rich access control lists
You are showing your age!
It has been for many years that trying to mount an already-mounted block device simply creates a bind-mount. You do get -EBUSY if you mount a block device on a directory where the same block device is mounted, but I think that is just to stop repeated "mount -a" from flooding the mount table.
Rich access control lists
Rich access control lists
So pretty much every system out there?
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Wol
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
> No, it's counter-intuitive because of how groups work in the real world. Being a member of a group is a privilege, not a burden. Being accepted into a group has positive connotations; rejection is negative.
If an ACL is accidentally dropped in a Posix like system you lose access, with DENY ACLs if a DENY ACL is dropped then you gain access, which is a much worse failure mode.
Rich access control lists
If an ACL is accidentally dropped in a Posix like system you lose access, with DENY ACLs if a DENY ACL is dropped then you gain access, which is a much worse failure mode.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
So much that consumer versions of Windows actually ship with something that resembles Unix permissions.
Which is really telling. Do we actually _need_ extended ACLs used anywhere except for fileservers?
Rich access control lists
Rich access control lists
Do we _need_ novel permission schemes? They are pretty much useless for anything except fileservers. And fileservers are not that popular anymore.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Wol
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
If you want real WORM for auditing purposes then file permissions are not enough.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
History Repeats
Well, we've had posix ACLs since 2002, I think. Rich ACLs are more about SMB, NFSv4, and Windows compatibility.
(And without posix ACLs you can share files using groups.)
History Repeats
History Repeats
Wol
Perhaps I'm missing something, but why are we keeping the POSIX 3-bit modes at all (when Richacl is enabled)? Why are we preserving that outmoded 3-bit POSIX, and allowing it to impact Richacls? As I understand it, anyone using Richacls should set POSIX perms to 777 in every case without exception. I can't come up with a situation where somebody would use Richacls, but implement the POSIX+Richacls policy by using POSIX ACLs whose effect is to "break" Richacls.
If this is going to be a FS mount option, which it is, and use FS metadata to tie that FS to 4.4+ Richacl kernels, which it does, I really don't see any purpose in preserving anything from POSIX ACLs.
Users who stick with POSIX ACLs won't be affected either way. Users who migrate to Richacls will end up fighting against useless POSIX ACLs; they do nothing but interfere with what you're trying to do in the Richacl.
I'm really excited that permissions are finally getting more expressive on Linux. I worry that continuing to integrate with POSIX ACLs is going to undercut all this work.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
I vomited a little. Personally, I'm not against some FS-specific ACL perversions. Just wash your hands after using it.
Rich access control lists
Rich access control lists
And a translation layer. And significant additional overhead (xattrs are SLOW compared to the fastpath).
Rich access control lists
Rich access control lists
There's absolutely no reason why this needs to be done in POSIX bits, though. If the file/file-system is Richacl enabled, translate the chmod(2) (or the variety of other POSIX ACL syscalls) to Richacl -- solely operating on the Richacl xattrs. The POSIX bits, then, are just a virtual representation of Richacl xattrs.
Rich access control lists
Rich access control lists
Rich access control lists
And what is that "one obscure exception"? My curiosity has been piqued.
Rich access control lists
requester that is a member of more than one group listed in the ACL
requests multiple bits simultaneously, the POSIX algorithm requires
all of the bits to be granted simultaneously by one of the group
ACEs. Thus a POSIX ACL such as
ACL_GROUP_OBJ: ---
g1: r--
g2: -w-
ACL_MASK: rw-
ACL_OTHER: ---
a file for both read and write, even though read and write would be
individually permitted.
permits a group of bits whenever it would permit each bit individu-
ally, so it is impossible to mimic this behaviour with an NFSv4 ACL.
Rich access control lists
Rich access control lists
Rich access control lists