Rich access control lists
Rich access control lists
Posted Oct 21, 2015 11:28 UTC (Wed) by jlayton (subscriber, #31672)In reply to: Rich access control lists by mbunkus
Parent article: Rich access control lists
For NFSv4, they'd be translated into what NFSv4 ACLs can do. We do have to follow the protocol, after all. FWIW, knfsd currently translates NFSv4 ACLs into POSIX acls and back, but that's necessarily lossy. This should allow for much better semantics (though there are still some open questions about how this will work when idmapping fails).
There is a draft proposal to add xattr support to NFSv4:
https://tools.ietf.org/html/draft-ietf-nfsv4-xattrs-01
...and I think there are some patches that add this support, though it's unlikely they'll be merged until it's a little farther along.
Posted Oct 21, 2015 12:02 UTC (Wed)
by mbunkus (subscriber, #87248)
[Link] (1 responses)
Posted Oct 21, 2015 17:23 UTC (Wed)
by bfields (subscriber, #19510)
[Link]
Note that draft only covers what on Linux are the "user.*" extended attributes: "This document restricts the allowed namespaces to user-managed metadata only, in order to prevent the development of non-interoperable implementations. It requires that the attribute key/value MUST not be interpreted by the NFS clients and servers."
So for example the special system.posix_acl_{access,default} xattrs used to manage posix acls still wouldn't be exposed over NFS.
Posted Oct 21, 2015 15:23 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (17 responses)
Isn't this a general problem with DENY-type access control lists? It's relatively easy to force a client to prove that it *should* have access with a cryptographic challenge authentication protocol. But when you have user- or group-specific DENY entries in the ACL, you're asking the client to prove that it *shouldn't* have access, which isn't in the client's interest.
In particular, dropping a group membership should never *increase* a program's permissions.
Posted Oct 21, 2015 16:47 UTC (Wed)
by jra (subscriber, #55261)
[Link] (16 responses)
Posted Oct 21, 2015 19:09 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (15 responses)
Even if the process can't remove groups itself, an administrator can, and it's counter-intuitive that removing a user from a group might increase that user's privileges.
Whitelists are better than blacklists. Attempting to enumerate all the bad accounts or groups is poor security practice.
Posted Oct 21, 2015 20:18 UTC (Wed)
by fandingo (guest, #67019)
[Link] (14 responses)
It's only counter-intuitive because that's what you're used to. If you learned on systems with NFSv4-style ACLs, this wouldn't be confusing. We just need to get used to the idea of negative permissions.
> Whitelists are better than blacklists. Attempting to enumerate all the bad accounts or groups is poor security practice.
Sure, I guess, but nobody is talking about using allow *or* deny lists exclusively. They're talking about being able to mix them to apply complex policies. I imagine one place where allow and deny will be routinely combined is with daemons. They get an allow for append-only write access, and explicit denies for read, delete, and general write accesses. That's a completely reasonable policy.
Posted Oct 21, 2015 22:42 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (13 responses)
No, it's counter-intuitive because of how groups work in the real world. Being a member of a group is a privilege, not a burden. Being accepted into a group has positive connotations; rejection is negative.
Obviously one can learn to use either system, but whether or not it's deemed intuitive shouldn't depend on which system you had prior experience with. It should be based on what someone with no prior experience with ACLs would expect.
> I imagine one place where allow and deny will be routinely combined is with daemons. They get an allow for append-only write access, and explicit denies for read, delete, and general write accesses. That's a completely reasonable policy.
The reasonable version is a "default deny" policy. Don't just deny access to the daemons, deny access to everyone by default (as POSIX ACLs and standard permissions would), and grant the daemons append-only access. If other users or groups should have read, delete, or general write access, grant it to them specifically, not as a default.
Posted Oct 21, 2015 22:56 UTC (Wed)
by fandingo (guest, #67019)
[Link] (3 responses)
What about prison inmates? What about people on no-fly lists? Groups have negative connotations and restrict behavior all the time.
Posted Oct 22, 2015 17:50 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (1 responses)
Personally, I tend to think of those from the opposite (positive) point of view. The group of members of society in good standing; the group of people granted the privilege of flying. (Which should be the same as the first group, but that's a whole other discussion...)
Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.
Posted Oct 22, 2015 18:26 UTC (Thu)
by fandingo (guest, #67019)
[Link]
What a coincidently self-serving stance, but it's still a tortured viewpoint that's incorrect. It simply doesn't comport with reality. The government does not maintain a list of people authorized to fly, so there's no group there. They do maintain list for no-fly and mistakenly-no-fly people. Same thing for inmates; there's no list of free civilians, but there are lists (per jurisdiction) of those incarcerated. To get a list of free people, you need to derive that from the difference between the census and those in prison. The implementation dictates POV.
> Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.
Meh, that's what administrative user-management tools are for. Let the software handle it.
Posted Oct 30, 2015 17:17 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
> What about prison inmates? What about people on no-fly lists? Groups have negative connotations and restrict behavior all the time.
You missed that sentence of the OP ... Prison inmates aren't ACCEPTED, they're PLACED. Likewise the no-fly. You can split groups into two types, the ones you JOIN, and the ones that other people PUT you in. Yes, the latter are normally places you'd rather not be.
But if you treat ACLs as the former type of group, then it makes everything a lot simpler.
Cheers,
Posted Oct 22, 2015 17:36 UTC (Thu)
by eternaleye (guest, #67051)
[Link] (2 responses)
I'll note that even on classic mode bits, a group can restrict access. See above on how "the other permission is not even consulted if user or group match" - because of that, u=rw,g=,o=r is an entirely valid permission that denies read only for a specific group.
Posted Oct 22, 2015 18:18 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link] (1 responses)
Right, and I don't consider that intuitive either. The effective permissions should be a bitwise-OR of the applicable fields, not simply the first match.
Posted Oct 24, 2015 17:20 UTC (Sat)
by jubal (subscriber, #67202)
[Link]
Posted Oct 22, 2015 18:55 UTC (Thu)
by idra (guest, #36289)
[Link] (4 responses)
This is not the reason why negative ACLs are bad, they are bad because they do not fail safe.
Pure Windows semantics are even worse, and *are* counterintuitive, because not only they provide DENY ACLs, they are also *ordered*. And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW. Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
Of course hilarity ensues if you intentionally ordered an ALLOW ACL before a DENY ACL with a CLI tool and then someone just add a completely unrelated instruction via the GUI. Your careful ACL breaks as the gUI reorders everything; but at least in that case it fails safe because you end up denying access to a larger set, not allowing more access.
> The reasonable version is a "default deny" policy. Don't just deny access to the daemons, deny access to everyone by default (as POSIX ACLs and standard permissions would), and grant the daemons append-only access. If other users or groups should have read, delete, or general write access, grant it to them specifically, not as a default.
In some rare cases it may be simpler to add exceptions (all users but Joe should be able to read this file), but usually the need of an exception is a sympthom of a much deeper broken system/process elsewhere.
Posted Oct 22, 2015 20:10 UTC (Thu)
by fandingo (guest, #67019)
[Link] (3 responses)
This is entirely incorrect and undermines your entire point. ACL resolution order is an explicit feature of Linux ACLs (and traditional POSIX mode bits). Let's say I'm using traditional ACLs, and a file has permissions r-----rw-. It's owned by me, and the group doesn't matter. This is a negative policy! I am not allowed to write to this file, but others are. If the user "ACL is accidently dropped" to, say, change ownership (ACLs are a combination of a user/group object and mode bits), I end up with more permissions than I'm supposed to. This is specifically mentioned in the article.
> And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW.
How do I put this nicely? I don't want design limitations because some people are too stupid to learn the tools. That's their problem. Don't mount with the Richacl option if you don't know what you're doing.
> Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
I don't see why this matters at all. It's an implementation issue that the software completely handles for you, and it sounds like a good decision.
> Pure Windows semantics are even worse, and *are* counterintuitive, because not only they provide DENY ACLs, they are also *ordered*. And many admins do not understand the complex relationship that arises when you DENY *after* an ALLOW. Reason why the GUI clients in Windows do actually re-order ACLs so that all DENY instructions always come first, and they hide the fact order matters for the NT Kernel.
I don't understand what you're getting at. Back in the early NT days, yes, there were tooling problems, but those have been long corrected. Maybe you can be more specific, but this has been fixed for ages. There are some low-level APIs that allow insertion of ACLs without resolving the overall policy, but they're counter-recommended and proper versions have been around for a long time. But, hey, nothing like a Linux forum criticizing Microsoft with severely outdated information.
> In some rare cases it may be simpler to add exceptions (all users but Joe should be able to read this file), but usually the need of an exception is a sympthom of a much deeper broken system/process elsewhere.
I agree with this statement. I haven't once advocated for broad use of denial policies. Instead, I'm arguing that the ACL implementation needs to allow this expressiveness because there are legitimate situations where it's needed.
Posted Oct 25, 2015 1:44 UTC (Sun)
by idra (guest, #36289)
[Link] (2 responses)
Sorry man but you are very confused. First of all with as Posix permissions and not Posix ACLs, that said the default is no access ---, you have been given read access by turning on the r bit. Perimissions cannot be accidentally dropped so that case does not apply to the basix posix permissions. In any case if that bit were dropped you'd lose read access, whic is consistent with what I said.
> How do I put this nicely? I don't want design limitations because some people are too stupid to learn the tools. That's their problem. Don't mount with the Richacl option if you don't know what you're doing.
Tools are as good as they are usable by *normal* people. A car only a F1 drvier can use is ... how can I put it nicely ... useless to everyone but the 20 odd F1 driver on the planet, which is to say uselss.
Now RichACLs are not *that* hard, but my experience tells me that ACL systems the include ordered deny policy are a double-edged sword, and the balance between complexity and usefulness is wrongly tilted. All this said I need RichACLs to be able to reach compatibility with Windows ACLs so I'll take them as they come.
> I don't understand what you're getting at.
Sadly obvious.
> Back in the early NT days, yes, there were tooling problems, but those have been long corrected. Maybe you can be more specific, but this has been fixed for ages. There are some low-level APIs that allow insertion of ACLs without resolving the overall policy, but they're counter-recommended and proper versions have been around for a long time. But, hey, nothing like a Linux forum criticizing Microsoft with severely outdated information.
Look, those issues were not bugs that got fixed and are there no more, they are fundamental usability issues that are due to the semantics chosen. They just got "handled" by adjustment done by the GUI tools. Now there is no criticizing here *at all* (that's all in your mind pal), but only making people unfamiliar with these semantics that the *same* problems will now be found in systems used by Linux admins. They can be solved the same way, by forcing the tools to reorder the ACIs and massahe the ACLs, but afaik the tools do not do that today.
Posted Oct 25, 2015 4:30 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
No, the default is 0777. You set umask to take bits away.
Posted Oct 25, 2015 9:06 UTC (Sun)
by paulj (subscriber, #341)
[Link]
Posted Oct 29, 2015 14:56 UTC (Thu)
by fest3er (guest, #60379)
[Link]
Posted Oct 21, 2015 17:49 UTC (Wed)
by drag (guest, #31333)
[Link] (25 responses)
In Windows-world their extended ACLs are used as of a matter of course. In Linux-land the the POSIX ACLs are almost never used. I expect that people that use them the most are Samba users. Next biggest is likely NFSv4 users...
I think this may be a big win for Linux in general.
Posted Oct 21, 2015 20:11 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (24 responses)
> In Linux-land the the POSIX ACLs are almost never used.
Posted Oct 21, 2015 20:25 UTC (Wed)
by fandingo (guest, #67019)
[Link] (23 responses)
The problem with Linux ACLs is that they don't allow novel permission schemes. It's still just RWX. The issue that Richacl is trying to solve is much broader than multiple RWX policies.
Here's the simplest general use-case for Richacls: every daemon that writes to a log file. W, whether through POSIX or Linux ACLs, is simply too crude for secure logging. That's a major reason why so much stuff needlessly goes through syslog just to end up on the local file system. So, yeah, I expect the append-only Richacl to be used a lot.
Posted Oct 21, 2015 21:01 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
Posted Oct 21, 2015 21:27 UTC (Wed)
by fandingo (guest, #67019)
[Link] (3 responses)
Posted Oct 21, 2015 22:35 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
I worked with Windows ACLs extensively. That's the reason why I hate complicated permission systems.
Posted Oct 21, 2015 22:57 UTC (Wed)
by fandingo (guest, #67019)
[Link]
Posted Oct 29, 2015 14:13 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
As others have said, it's just so complicated ...
And I know I've said it before, but Pr1mos just had read, write, use. For files or directories. So that makes six different permissions. And using them was simple - if your user was explicitly specified, that was what you got. If you weren't explicitly named, but your groups were, those permissions were added together. And if neither your user, nor a group you were in, was specified, you just got the default permissions. Very simple, very easy to understand.
Cheers,
Posted Oct 21, 2015 21:16 UTC (Wed)
by dlang (guest, #313)
[Link] (17 responses)
you are ignoring the fact that if things are written to go through syslog, even if they end up on the local filesystem in many/most cases, it's far nicer when you do want to do more than just write to the local disk.
having to poll local filesystems for changes to log files and then scrape them is a very poor thing to do.
Posted Oct 21, 2015 21:16 UTC (Wed)
by dlang (guest, #313)
[Link] (16 responses)
Posted Oct 21, 2015 21:24 UTC (Wed)
by fandingo (guest, #67019)
[Link] (15 responses)
Not everything is centralized either. Additionally, you'd use this exact same append-only policy on the files that syslog does write, making your point moot. I don't know about you, but I don't run my applications or centralized syslog systems on a file server.
Posted Oct 21, 2015 21:31 UTC (Wed)
by dlang (guest, #313)
[Link] (14 responses)
Posted Oct 21, 2015 22:02 UTC (Wed)
by fandingo (guest, #67019)
[Link] (13 responses)
Posted Oct 21, 2015 22:38 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (12 responses)
And there are much better ways to do it already, anyway.
Do you have less contrived examples? Preferably not involving a "mainframe shared among faculty and students" textbook scenario that is pretty much irrelevant right now.
Posted Oct 21, 2015 23:03 UTC (Wed)
by fandingo (guest, #67019)
[Link] (11 responses)
> A compromised application can just spam the log files with 2Mb zero-filled data pages. It will scramble other writers and make analysis difficult.
That's better than a 0B file that was maliciously truncated...
Posted Oct 21, 2015 23:19 UTC (Wed)
by dlang (guest, #313)
[Link] (3 responses)
Anything important like that sort of log data, I want off on a separate machine.
Posted Oct 22, 2015 0:04 UTC (Thu)
by fandingo (guest, #67019)
[Link] (2 responses)
I already addressed this in a previous comment.
>> Additionally, you'd use this exact same append-only policy on the files that syslog does write, making your point moot.
Wherever that data hits disk, it's advantageous to be able to restrict to `append_data`, even when that writing is happening on a separate system.
Posted Oct 22, 2015 0:09 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
advantageous, yes
but worth how much in the face of the added complications, bugs and performance hit?
Also, to make use of this, the applications are going to have to be modified in linux-only ways. Some apps won't care, but others try to be cross platform, so this sort of churn won't be welcome.
Posted Oct 22, 2015 0:56 UTC (Thu)
by fandingo (guest, #67019)
[Link]
It's worth 42. I don't know how to answer the obviously loaded, rhetorical question. You'll need to offer data about performance implications before I'll get into that topic; it's just FUD otherwise.
> Also, to make use of this, the applications are going to have to be modified in linux-only ways. Some apps won't care, but others try to be cross platform, so this sort of churn won't be welcome.
For the most part, this isn't something that applications will interact with at all. (I suppose beyond EACCESS when there is a violation, but they have to deal with that anyways.) It will be handled just like SELinux policy: The Linux distribution writes and maintains it.
There is specialized software that may need to interact with Richacl specifically, but I just don't see it being a major problem. The only places where it may cause a problem is when a project is sloppy with it's open(2) mode flags, which should be tightened regardless of Richacl. If a piece of software is diligent, writing a policy for that software package isn't any challenge.
Posted Oct 22, 2015 0:17 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (6 responses)
Append-only mode also does not guarantee atomicity, so I'm curious to see the actual systems that depend on it. I'm not aware of anything non-trivial.
Posted Oct 22, 2015 0:27 UTC (Thu)
by smckay (guest, #103253)
[Link] (1 responses)
Posted Oct 22, 2015 0:29 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Oct 22, 2015 1:13 UTC (Thu)
by fandingo (guest, #67019)
[Link] (3 responses)
> so I'm curious to see the actual systems that depend on it.
I'm not sure any piece of software itself could "depend" on it. From the software's perspective, it's just eliminating extraneous syscalls and mode flags. It's the software distribution's (or perhaps the adventurous sys admin's) job to write and distribute a policy. The policy separation and delegation to distributions is same as SELinux.
Posted Oct 22, 2015 1:30 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Of course, some people might also forbid any file activity on Sundays, so we need a special permission for that as well.
Posted Oct 22, 2015 1:50 UTC (Thu)
by fandingo (guest, #67019)
[Link] (1 responses)
Nonetheless, I doubt you'd have many people in such a scheme. But, let's dial it back from absurdity.
Posted Oct 22, 2015 22:58 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
At least with modebits I can understand what's happening immediately. With Windows ACLs you can't do that - you have to carefully evaluate the rules, keeping their order in mind. POSIX ACLs are ok-ish, they at least play nicely with the regular Unix permissions.
And your examples are so far extremely poor. If you need to constrain a daemon to use only O_APPEND - then write an LSM module for that. No need at all to rape file permissions. And if you are doing it over NFS then get a proper rsyslog, for FSM's sake.
So what are other examples, apart from the contrived O_APPEND?
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Wol
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
> No, it's counter-intuitive because of how groups work in the real world. Being a member of a group is a privilege, not a burden. Being accepted into a group has positive connotations; rejection is negative.
If an ACL is accidentally dropped in a Posix like system you lose access, with DENY ACLs if a DENY ACL is dropped then you gain access, which is a much worse failure mode.
Rich access control lists
If an ACL is accidentally dropped in a Posix like system you lose access, with DENY ACLs if a DENY ACL is dropped then you gain access, which is a much worse failure mode.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
So much that consumer versions of Windows actually ship with something that resembles Unix permissions.
Which is really telling. Do we actually _need_ extended ACLs used anywhere except for fileservers?
Rich access control lists
Rich access control lists
Do we _need_ novel permission schemes? They are pretty much useless for anything except fileservers. And fileservers are not that popular anymore.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Wol
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
If you want real WORM for auditing purposes then file permissions are not enough.
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists
Rich access control lists