Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

Rick Macklem <rmacklem@uoguelph.ca> Sun, 09 January 2022 00:31 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: "J. Bruce Fields" <bfields@fieldses.org>
CC: David Noveck <davenoveck@gmail.com>, NFSv4 <nfsv4@ietf.org>, "nfsv4-ads@ietf.org" <nfsv4-ads@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>
Date: Sun, 09 Jan 2022 00:31:09 +0000
Message-ID: <YQXPR0101MB0968A10469968400934EE7C9DD4F9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com> <YQXPR0101MB0968955CCDDFC660EE9180D1DD449@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jeitOwexgH2tq5azmCj9937SBw6e18+qrAYAFC==LhsRA@mail.gmail.com> <YQXPR0101MB09688A093AD2FDDFA0AF70B2DD4E9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <20220108222311.GA17868@fieldses.org>
In-Reply-To: <20220108222311.GA17868@fieldses.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Na6x-WtT9TBRJREGUvL6OdBhfyM>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

J. Bruce Fields wrote:
> Rick Macklem wrote:
[stuff snipped]
> >
> > On the PSARC/2010/029 document:
> > - The author of the FreeBSD NFSv4 ACL code no longer has a copy, either.
> >    However, he recalls the main item in it was an alternate algorithm for
> >    converting mode->ACL. The "canonical six" upset Windows, because it
> >    mixes allow/deny ACEs and apparently Windows likes all the Allow ACEs
> >    to precede all the Deny ACEs.
>
> It's the other way around.  Googling....:
>
>        https://docs.microsoft.com/en-us/windows/win32/secauthz/order-of-aces-in-a-dacl
>
> >    - This alternate algorithm creates a set of Allow ACEs followed by a set of
> >       Deny ACEs that are semantically equivalent to the "canonical six".
>
> So, we put Deny ACEs before Allow whenever possible.  Or, better yet,
> just leave them out.
>
> In theory Windows allows both but I'm told various tools complain if
> your ACLs are weird.
Oops, my mistake.
This algorithm only generates Allow ACEs for simple cases like
# chmod 664
but for
# chmod 646
it generates

owner@:write/append Allow
group@:write/append Deny
owner@:read/write/append + a bunch more Allow
group@:read + read acl Allow
everyone@:read/write/append + read acl Allow

So it puts the Deny before the Allow for any given "who".

rick

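The ordering Rick describes (only Allow ACEs for a mode like 664, but a per-"who" Deny placed ahead of the broader Allow for 646) follows from NFSv4's first-match evaluation: the first ACE matching the requester that covers a permission bit decides it, so a group member must be denied write before everyone@ is allowed it, and the owner, who may also be a group member, must be allowed write before that group Deny. The following is an added illustration of that rule written for this post, not code from the thread or from any NFS implementation; it models only read and write/append and leaves out the other bits the original output elides.

```python
# Simplified mode -> NFSv4 ACE ordering, as described in the thread.
# Classes are walked from the most specific (owner@) to the broadest
# (everyone@).  When a class lacks a right that a broader class grants,
# it needs an explicit Deny ahead of that broader Allow; any narrower
# class that does hold the right is allowed first, because its principals
# may also match the class being denied (the owner may be a group member).
WHO = ("owner@", "group@", "everyone@")
BITS = {"read": 4, "write/append": 2}   # only these two bits are modelled

def mode_to_aces(mode):
    """Return [(who, frozenset(permissions), 'Allow'|'Deny'), ...]."""
    classes = [(mode >> shift) & 7 for shift in (6, 3, 0)]
    rights = [frozenset(p for p, b in BITS.items() if c & b) for c in classes]
    aces = []
    for i, who in enumerate(WHO):
        broader = frozenset().union(*rights[i + 1:])
        denied = broader - rights[i]
        if not denied:
            continue                      # nothing broader grants more: no Deny
        for k in range(i):
            hoisted = rights[k] & denied  # protect narrower classes first
            if hoisted:
                aces.append((WHO[k], hoisted, "Allow"))
        aces.append((who, denied, "Deny"))
    for who, r in zip(WHO, rights):       # then the ordinary Allow ACEs
        if r:
            aces.append((who, r, "Allow"))
    return aces

def render(aces):
    """Format ACEs like the listing in the post, e.g. 'group@:write/append Deny'."""
    order = list(BITS)
    return ["%s:%s %s" % (who, "/".join(p for p in order if p in perms), kind)
            for who, perms, kind in aces]

def only_allows(mode):
    """True when the mode is a 'simple case' needing no Deny ACE at all."""
    return all(kind == "Allow" for _, _, kind in mode_to_aces(mode))

if __name__ == "__main__":
    for mode in (0o664, 0o646):
        print("chmod %o" % mode)
        for line in render(mode_to_aces(mode)):
            print("  " + line)
```

Running it prints five ACEs for 646 in the order shown in the post (owner@ write Allow, group@ write Deny, then the three Allows) and only Allow ACEs for 664.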