Re: [nfsv4] Going forward on the security document
Rick Macklem <rick.macklem@gmail.com> Fri, 16 February 2024 21:44 UTC
Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 914DDC151984 for <nfsv4@ietfa.amsl.com>; Fri, 16 Feb 2024 13:44:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNqdFaaAkDZs for <nfsv4@ietfa.amsl.com>; Fri, 16 Feb 2024 13:44:55 -0800 (PST)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3625C151983 for <nfsv4@ietf.org>; Fri, 16 Feb 2024 13:44:55 -0800 (PST)
Received: by mail-pg1-x52b.google.com with SMTP id 41be03b00d2f7-5ce2aada130so2171619a12.1 for <nfsv4@ietf.org>; Fri, 16 Feb 2024 13:44:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708119895; x=1708724695; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=rnYmjIAWQp4079ESC+YDrXsqt3n/0Hd1zi0YqNS/WR4=; b=hTkwsVInkFOX13fBBpbcUplYOrJRT14m2AlJPB0KyjdmwjESFuFzYVErScbqBQb74m l6xyf4Q897JJb4a2oWXl5ch8WzInk0itzsB65j5FRarWhSyaBK9ls1/yUxj0KHA3oATc /Ptueb1t+qSAtRJ7vtQ3sT3dKN/cEUT0i7xbmLqlxGLyj+7KnTSSCbkFskxOJ6UkrRFF Jt4fPI2K7wdDY4PZW/BrsXjfoJeXWyA8L0esTqugiJdqkBcMwU7oGadq4wpD+VoJZMjL T9qIYItsBzGIaVqGXQKbN4KEKIrH3gDUor7RCDnL076jDOiOJg+wixxyCneWrnMMgzOU xJVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708119895; x=1708724695; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rnYmjIAWQp4079ESC+YDrXsqt3n/0Hd1zi0YqNS/WR4=; b=grv6Ct8I8AH1jvuWkukP1UZPRnfECCRtHCyjO/hAnLUBdiP6EDu0evbKHif4mEdY3P frU2LOARGGT8/herfITHGbaPXW4N+7npFJgDmhruTs7MPuDVOBRSLW7vygMwKqdDmMTD Vlms6g5oDrbcdGxvThNZSg2RpR2bOMOg9bI/IGud7X5jzroW8i8ChTo+GWJIzcbjRi6T XZB7q3hdxNhhqtg9btGM4rWT7pZ042YWPxHJlFXl1n+ga7sMs9dIDFPMLGzchkrWiuAj iVap3sWyTt2beY/N2qGVQrpdJwFP4Wplw9O/7Y3W3fpG/25IrdJ68fXTayeiTlrAtWrD pgxQ==
X-Forwarded-Encrypted: i=1; AJvYcCWmMqw9LOHMW6ao+SvxPBytG6sQvz7RPRvPe9ckGQBAAQHEgiTEKk6WCl/zUpeIU0CxKrTFa/6cfz/6sbuNvQ==
X-Gm-Message-State: AOJu0YwaHjDH0GMq9dlCeLuKZd91QDsBZZrTWe172qJLDXfX2m16xEnI Pr/V4AywBVsdleP/1hz5Z+TOE9Hv0MJ3DtIaM9lXaaWBMioTX/tcL2DI05JEjLaokzamJqy/94A GXSuBd0W52t3XOxHYbJaLmTywpA==
X-Google-Smtp-Source: AGHT+IFvVoiXdyILhd3ss3sLmCvzwuRZdzOTmWMibklNRJhCiU5MgtJS7K8I+RwOmy3a1pDyvTmQie5Pi0Eeqsi16sI=
X-Received: by 2002:a05:6a20:9f91:b0:19e:b614:48ad with SMTP id mm17-20020a056a209f9100b0019eb61448admr7273597pzb.5.1708119895136; Fri, 16 Feb 2024 13:44:55 -0800 (PST)
MIME-Version: 1.0
References: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com> <8f4dbdf6-b388-4e02-96aa-21682e46c32f@oracle.com> <CAM5tNy4ipOe+=Bu8aS7qx6LkKY5MmS6c65aeQjnBwASthdq=VA@mail.gmail.com> <CAEo7hJGRyPso7etKSJDMspR4oAHXZG7mVdhq-gEzaZU1AuezSg@mail.gmail.com>
In-Reply-To: <CAEo7hJGRyPso7etKSJDMspR4oAHXZG7mVdhq-gEzaZU1AuezSg@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 16 Feb 2024 13:44:38 -0800
Message-ID: <CAM5tNy7LwL8g8a=Xd0v4mMnX4_FxJ9FEBaBVr=O+7HsWJ5wWCg@mail.gmail.com>
To: beepee@gmail.com
Cc: Rob Thurlow <robert.thurlow@oracle.com>, nfsv4@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/GwOzM1pg4oi_hgNlt1teDkJ8YhI>
Subject: Re: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2024 21:44:59 -0000
On Fri, Feb 16, 2024 at 10:12 AM Brian Pawlowski <beepee@gmail.com> wrote: > > Does this help Rick? Good work. I looked months ago and couldn't find it. I think it might be useful for David as he proceeds with an ACL document. Thanks, rick > > https://www.illumos.org/opensolaris/ARChive/PSARC/2010/029/20100126_mark.shellenbaum > > On Thu, Feb 15, 2024 at 3:44 PM Rick Macklem <rick.macklem@gmail.com> wrote: >> >> On Thu, Feb 15, 2024 at 7:50 AM Rob Thurlow <robert.thurlow@oracle.com> wrote: >> > >> > On 2/14/24 9:07 AM, David Noveck wrote: >> > >> > > As a result, the next draft of the security document, >> > > draft-dnoveck-nfsv4-security-08, will limit the discussion of >> > > acl-related issues by treating acls as an EXPERIMENTAL feature to be >> > > described in a separate document. >> > >> > > We will be needing information about actual implementations of some of >> > > the ACL extensions discussed in existing documents and have to be >> > > prepared to simply drop material that was never implemented. >> FreeBSD implements what was believed to be a RFC5661 compatible >> implementation of NFSv4 ACLs, with the following limitation: >> - Only Allow and Deny ACEs are handled (there is some code for Alert >> and Alarm in ZFS, but they are not recognized by the generic code). >> - For ZFS, they are based on what was in OpenSolaris (FreeBSD now uses >> what is referred to as the OpenZFS code base, formerly called ZoL, but >> I do not think NFSv4 ACL semantics has changed from what OpenSolaris had. >> - There is also an implementation for UFS (which also supports POSIX draft >> ACLs). A UFS volume needs to choose one or the other, as I understand it. >> This document (which Rob might actually know where it can be found?) is >> referred to for the mode->NFSv4 ACL translation. >> >> * Calculate trivial ACL in a manner compatible with PSARC/2010/029. >> * Note that this results in an ACL different from (but semantically >> * equal to) the "canonical six" trivial ACL computed using algorithm >> * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. >> It would be really nice to find a copy of PSARC/2010/029? >> >> And this comment indicates how ZFS handles "delete". I have no idea who/what >> generated the "recommendation"? >> * The following chart is the recommended NFSv4 enforcement for >> * ability to delete an object. >> * >> * ------------------------------------------------------- >> * | Parent Dir | Target Object Permissions | >> * | permissions | | >> * ------------------------------------------------------- >> * | | ACL Allows | ACL Denies| Delete | >> * | | Delete | Delete | unspecified| >> * ------------------------------------------------------- >> * | ACL Allows | Permit | Permit | Permit | >> * | DELETE_CHILD | | >> * ------------------------------------------------------- >> * | ACL Denies | Permit | Deny | Deny | >> * | DELETE_CHILD | | | | >> * ------------------------------------------------------- >> * | ACL specifies | | | | >> * | only allow | Permit | Permit | Permit | >> * | write and | | | | >> * | execute | | | | >> * ------------------------------------------------------- >> * | ACL denies | | | | >> * | write and | Permit | Deny | Deny | >> * | execute | | | | >> * ------------------------------------------------------- >> * ^ >> * | >> * No search privilege, can't even look up file? >> >> Now, having said the above, I believe few (if anyone) uses the NFSv4 >> ACLs in FreeBSD. >> >> Since Linux does not support native NFSv4 ACLs (the translation algorithm >> to/from POSIX draft ACLs is too obscure for me), I do not see how this will >> ever be resolved? >> - An extention to NFSv4.2 for getting/setting POSIX draft ACLs might help, >> but since ZFS does not support POSIX draft ACLs, it wouldn't be much >> help for FreeBSD. >> >> Off topic,but nice to hear from you Rob, it has been a while, rick >> >> >> > >> > I will attempt to describe what Solaris does for ACLs for this. >> > It's going to take some time for me to get something useful. >> > The top-level summary is that our ZFS ACL implementation, which >> > our SMB implementation also uses, are strongly similar to what >> > the NFSv4 spec details, while older filesystems like UFS use >> > Posix-draft ACLs. >> > >> > Rob T >> > >> > _______________________________________________ >> > nfsv4 mailing list >> > nfsv4@ietf.org >> > https://www.ietf.org/mailman/listinfo/nfsv4 >> >> _______________________________________________ >> nfsv4 mailing list >> nfsv4@ietf.org >> https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Going forward on the security document David Noveck
- Re: [nfsv4] Going forward on the security document Jeff Layton
- Re: [nfsv4] Going forward on the security document Frank Filz
- Re: [nfsv4] Going forward on the security document Rob Thurlow
- Re: [nfsv4] Going forward on the security document Rick Macklem
- Re: [nfsv4] Going forward on the security document Brian Pawlowski
- Re: [nfsv4] Going forward on the security document Rick Macklem