Problems with capabilities
Problems with capabilities
Posted Jun 26, 2024 16:26 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)In reply to: Problems with capabilities by Wol
Parent article: A capability set for user namespaces
Because you have a complicated interplay between permissions for the principal, inherited permissions for the object, and object's own permissions. Then you have the interaction between the owner's permissions, groups, and deny entries (both inherited and explicit).
I don't believe it can be made simple.
Posted Jun 26, 2024 20:44 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (9 responses)
I will need to read NYKevin's paper, and maybe I am being simplistic, but I fail to see why it needs to be complex.
Personally I would "set_acl DEFAULT:LUR". Gives you permission to cd into the directory (Use), see what's in it (List), and Read any files in it. Absent any good reason, I think blocking people out (a) does more harm than good, and (b) if people *can* read it, they're actually *less* likely to want to.
Unfortunately there's plenty of good reasons for DEFAULT:$NONE, starting with GDPR and going downhill from there.
If you work in a department, you need department permissions. These should be additive, so you are in several groups. If you're working on a project, you need project permissions, so you're in other groups. I don't see why, in a properly designed setup, you would need to take permissions away? You need department permissions, you need project permissions, you can only be logged in to one project at a time, so you can't transfer stuff between projects unless their permissions intersect ...
And then for the assholes, you have $USER:$NONE. You've given them an explicit set of permissions, and that trumps everything else.
NYKevin's paper (from my first glance) goes into a lot of stuff about how certain objects need permission to access other stuff, but from what I could see it all seems to be additive.
Under my scheme, there's no need to "take away" rights. If you work on the basis that named people get the rights they are given under their named user and that's it, you have control at the individual level. You then work on the basis that normal people need rights based on their permanent job, and their temporary role, and they get assigned additive group permissions based on that. And lastly, if you are not given personal or group rights, you get the default.
There is no mechanism there for negative rights. And I can't see why you'd need it. For the odd occasion where assigning rights to either a person's job, or role, doesn't cut it you just assign the necessary rights to the person.
The paper goes on about how an *object* (a shared document, say) needs to access other objects to display properly, but my immediate reaction to that is SHOULD one document be allowed to access another? What happens if I share a document that is not itself sensitive, but contains links to sensitive data? Just because I can see the entire document, doesn't mean that I should be able to share it with someone else, and leak that sensitive data to someone who's not supposed to see it! I can understand why that might be important to Google, but it stinks to me of Facebook's habit of deliberately "failing open".
I've no doubt people can come up with contrived examples, but I have difficulty conceiving of a scenario where, if your necessary access rights are properly designed and allocated, you then need subtractive rights to be able to take permissions away from people. And as soon as you fail to come up with a reasonably-to-be-encountered scenario where you have to take rights away, ACLs become pretty simple. (And no, I haven't yet studied the paper.)
Cheers,
Posted Jun 26, 2024 20:47 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
1. The parent object allows reading, but not writing.
2. The object's ACL allows the owner to do writing, but not reading.
3. The parent's parent ACL denies writing to everyone.
How the heck should this all work?
Posted Jun 27, 2024 7:37 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
I know that's the typical state of most specs, but that's absurd.
First question - which acl takes priority - the owner's, or the parent's parent? That's not down to the programmer.
Cheers,
Posted Jun 27, 2024 20:46 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Jun 26, 2024 21:45 UTC (Wed)
by pizza (subscriber, #46)
[Link]
...It is necessarily complex because that is necessary to meet/implement the user requirements.
Posted Jun 26, 2024 21:57 UTC (Wed)
by pizza (subscriber, #46)
[Link] (4 responses)
"Everyone in this administrative group has permissions to read/write this project, except for members of this other group that potentially overlap multiple projects."
That "other" group is often defined by legal requirements, such as laws/regulations that mean foreign nationals can work on some subsets of a project but not others. Alternatively you could have contractual obligations that require folks that see some things from not seeing others, due to potential IP contamination scenarios.
It is much simpler to express this sort of thing with coarser projects with overlaid "Take away" than it is to define a bajillion combinatorial sub-groups. Unfortunately, that simpler expression leads to a more complex implementation.
Posted Jun 27, 2024 7:48 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (3 responses)
Umm... So simply put, I'm right it is unnecessarily complex, but in reality I'm just moving the complexity elsewhere ...
Personally, I'd move that complexity into the acl management system, create a group, let's say russian nationals (sorry Russia), and tell the acl system that members of that group cannot be in the security cleared group. Etc etc.
Not nice, but personally I feel that's where the complexity belongs - we shouldn't be subtracting rights at acl evaluation time - it doesn't make sense. We should be enforcing correct allocation of rights at the allocation stage - where we assign people to groups.
That way, you do get your bazillion groups, sorry, but at least it's a damn sight easier to have a human audit it and not screw up. I live in that world at work - with permissions galore, badly thought through, and generally a mess. We don't have slip-ups to the best of my knowledge, but then the data I work with isn't that confidential and it's pretty easy to get access on an "I can't do my job without it" basis.
Cheers,
Posted Jun 27, 2024 9:43 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (2 responses)
The neat thing about a system like Zanzibar is that it doesn't have to have an exact match between the configuration layer (where humans read and write rules) and the evaluation layer (where the machine interprets rules). I can have an ACL that's written as "all in FOO project allowed. No Russian nationals. Default deny", and Zanzibar is allowed to turn that into "Deny unless member of the computed group 'FOO project' subtract 'Russian nationals'".
Thus, the humans can work with nice human-friendly concepts - "HR creates a group for all Russian nationals", "HR creates a group for the FOO project team", "Legal marks all things where the USA State Department says 'no Russian nationals'", "Engineering Management marks FOO project resources with FOO project group" - and ACLs that directly reflect the complexity that humans create, while the machine can compile those ACLs into an easier to evaluate form - "create a virtual group that's FOO project team minus Russian nationals. Where the ACL says 'FOO Project allowed' and 'no Russian nationals', compile into a check against the virtual group".
Posted Jun 27, 2024 15:31 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
Snag is, when I read that, it's contradictory. If that is the EXplicit ACL, then it's fair to read it as "if the first two conditions conflict, the default resolution is deny". Which is how you're reading it.
But then your explanation says that's NOT what's going on. The FOO manager has said "all members of FOO can access the FOO project". The legal compliance team has said "Russians can't access security stuff". There's no clue whether security stuff is a subset, superset, or intersection of FOO project. And where does "Default deny" come from? Why not "Default allow"?
I get that Zanzibar is great at merging all this stuff, but that assumes that Zanzibar is going to make the correct assumptions when merging stuff. I think I'm moving a lot closer to thinking negative permissions may be necessary, that legal "Russians aren't allowed X even if they need it for their job" is a bit of killer ...
Role-based ACLs should never be negative - if you need that permission then you need it, but how to say that certain Person-based permissions should never be granted ... Ouch! I think separating role and personal permissions makes the problem much simpler, but it's still a tricky problem ... hmmm...
Cheers,
Posted Jun 27, 2024 17:59 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
Humans are happy to work with contradictory information, however, and the system needs to handle that somehow. A system that doesn't resolve contradictions that humans are generally happy to live with is a system where people build arcane and complex configurations that no-one really understands but that seems to mostly do the right thing.
In this context, "default deny" tells the ACL system that if no entries match and grant access, the requestor should be denied access; "default allow" would mean that if no entries match and deny access, the requestor should be allowed access. The idea behind allowing both choices is that there are some ACLs that are naturally expressed as "everyone has access, unless we have reason to stop them", and others that are naturally expressed as "need to know, otherwise you don't have access".
And even role-based ACLs need to interact nicely with negative entries, because we need to combine your role-based permissions with your personal permissions; a role may grant the "access to international travel agents" permission, because you may need to travel internationally in that role, but if you're in the "legally banned from leaving the country" group, your personal ban on travelling internationally overrides the role-based permission to travel.
This can get extremely interesting to manage, and one of the hardest requirements for a high-quality ACL system is it being able to explain its decisions usefully - at a minimum, it should be possible to give the system a person to test, and have it say "this ACL explicitly grants access", "this ACL explicitly denies access", "this ACL default grants access" or "this ACL default denies access". Better is a system where it can tell you what the results are of each entry in the ACL, and how it combines them - so that you know (e.g.) that you need FOO project membership to pass this ACL, and also that even if you got FOO project membership, you'd need to leave Russian Nationals to be allowed to pass the ACL.
Problems with capabilities
Wol
Problems with capabilities
Problems with capabilities
Wol
Problems with capabilities
Problems with capabilities
Problems with capabilities
Problems with capabilities
Wol
Problems with capabilities
Problems with capabilities
Wol
Problems with capabilities