Re: [nfsv4] Going forward on the security document
Brian Pawlowski <beepee@gmail.com> Fri, 16 February 2024 18:12 UTC
Return-Path: <beepee@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD41C14F5F7 for <nfsv4@ietfa.amsl.com>; Fri, 16 Feb 2024 10:12:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFjI0tqKwfEj for <nfsv4@ietfa.amsl.com>; Fri, 16 Feb 2024 10:12:23 -0800 (PST)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAB5DC14F5F5 for <nfsv4@ietf.org>; Fri, 16 Feb 2024 10:12:18 -0800 (PST)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-607a84acf6aso9209177b3.2 for <nfsv4@ietf.org>; Fri, 16 Feb 2024 10:12:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708107137; x=1708711937; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YqdaPVDYWWnx48mY/i5sC5vUcvGtQzstgtUqCZJPC0s=; b=MybEY64HaaAsFoPpNrxpI/uVXdFRdMmUQxWXlY+sFJDV0NjMlUj1pG92qY81Q8bNhT VTTjhgZ4xMh1Cu3fOGTuc0DEvyLTjLC2d+lZuwsH5idcLyk0gBGS99yYR8HDWCbCOLuL vTVeltZYjCl0i+fVjcUZTFja7suykb/lBSWzd6nBypO9KGAUyivcp+yH7KZpi9npBQWG +CjxA1frihlXULTFr6AQwxuag6Yej4rGEaOvr/sQpbZoNRtqhanDtu8ZgQuBbPO0G10V 70SImGlHvfRQqd3zgmlkGz942SrO0YKapaENyTxTYyhGiL8Sj6OVe4QZxDvANTyVNLWV 5hCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708107137; x=1708711937; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YqdaPVDYWWnx48mY/i5sC5vUcvGtQzstgtUqCZJPC0s=; b=QayrnI1pTJAkbstAEKnrll4NkyrSK6KUZBxxYxHqkJ8McTIMKCkJWbm/IZzmlaRKyX xbmdhJOpdjdDgw5lMuHUmqqRXwi2vPCpkaFoh/3vNcDbJKIFiXO6lXv26btJ94Pw4KWz mt3EslHnd9ewV8wvO0ZHXU/OBvbcRu9bWV/lzxkM9b+dBWZnqcF+8Ng5VgNJEFATQJGV TVsYryCRsMSi5femmRU4uywRolaE7ZP7bTVyAzBbQtIhowMfNcCvAEuB1ZW4BaSojGKQ 91hktDIMduMXQinhRBPjwhsvtDvvTmIfDy9Mto5Sj39L6tHd0jHiQ7VxW368KNlGA9D5 q0Cw==
X-Forwarded-Encrypted: i=1; AJvYcCX92xrtAEaq4oKlxv52aPgqZiCPEoB7mPf7wgrUu9T0Fk9aGVow+KDkiwTjuUXUhz0CIHFK0zAF9b+1up/+KA==
X-Gm-Message-State: AOJu0YznnCxk8OKYRxAvO4KZp6Ka/H4UPdvt6c/SVchGrMFAPM2q2xjj uNlMDRM/OvVC73mpHdMAKcUjHX8z8KdzwA40QpoOUywz78JUTs8dYBQ4Ko51KPQRgea7ZHOeWRJ Yg8GabgPTYNwoMRPjAPB+moFGX2s=
X-Google-Smtp-Source: AGHT+IFKKKXPDJ4mg4nLgeuvKvDBRBV4WpQI9gIghjoIZPYt4NLu6x1AoFhGCgY1XqzzPR6csGMQlaK9YzGxtxPQRi8=
X-Received: by 2002:a81:8309:0:b0:607:925a:3bfe with SMTP id t9-20020a818309000000b00607925a3bfemr5214674ywf.24.1708107137531; Fri, 16 Feb 2024 10:12:17 -0800 (PST)
MIME-Version: 1.0
References: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com> <8f4dbdf6-b388-4e02-96aa-21682e46c32f@oracle.com> <CAM5tNy4ipOe+=Bu8aS7qx6LkKY5MmS6c65aeQjnBwASthdq=VA@mail.gmail.com>
In-Reply-To: <CAM5tNy4ipOe+=Bu8aS7qx6LkKY5MmS6c65aeQjnBwASthdq=VA@mail.gmail.com>
Reply-To: beepee@gmail.com
From: Brian Pawlowski <beepee@gmail.com>
Date: Fri, 16 Feb 2024 10:12:05 -0800
Message-ID: <CAEo7hJGRyPso7etKSJDMspR4oAHXZG7mVdhq-gEzaZU1AuezSg@mail.gmail.com>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: Rob Thurlow <robert.thurlow@oracle.com>, nfsv4@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002bc553061183af51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/U-yLqp0MiCyFp7kgGfooLAyCQQQ>
Subject: Re: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2024 18:12:27 -0000
Does this help Rick? https://www.illumos.org/opensolaris/ARChive/PSARC/2010/029/20100126_mark.shellenbaum On Thu, Feb 15, 2024 at 3:44 PM Rick Macklem <rick.macklem@gmail.com> wrote: > On Thu, Feb 15, 2024 at 7:50 AM Rob Thurlow <robert.thurlow@oracle.com> > wrote: > > > > On 2/14/24 9:07 AM, David Noveck wrote: > > > > > As a result, the next draft of the security document, > > > draft-dnoveck-nfsv4-security-08, will limit the discussion of > > > acl-related issues by treating acls as an EXPERIMENTAL feature to be > > > described in a separate document. > > > > > We will be needing information about actual implementations of some of > > > the ACL extensions discussed in existing documents and have to be > > > prepared to simply drop material that was never implemented. > FreeBSD implements what was believed to be a RFC5661 compatible > implementation of NFSv4 ACLs, with the following limitation: > - Only Allow and Deny ACEs are handled (there is some code for Alert > and Alarm in ZFS, but they are not recognized by the generic code). > - For ZFS, they are based on what was in OpenSolaris (FreeBSD now uses > what is referred to as the OpenZFS code base, formerly called ZoL, but > I do not think NFSv4 ACL semantics has changed from what OpenSolaris had. > - There is also an implementation for UFS (which also supports POSIX draft > ACLs). A UFS volume needs to choose one or the other, as I understand it. > This document (which Rob might actually know where it can be found?) is > referred to for the mode->NFSv4 ACL translation. > > * Calculate trivial ACL in a manner compatible with PSARC/2010/029. > * Note that this results in an ACL different from (but semantically > * equal to) the "canonical six" trivial ACL computed using algorithm > * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. > It would be really nice to find a copy of PSARC/2010/029? > > And this comment indicates how ZFS handles "delete". I have no idea > who/what > generated the "recommendation"? > * The following chart is the recommended NFSv4 enforcement for > * ability to delete an object. > * > * ------------------------------------------------------- > * | Parent Dir | Target Object Permissions | > * | permissions | | > * ------------------------------------------------------- > * | | ACL Allows | ACL Denies| Delete | > * | | Delete | Delete | unspecified| > * ------------------------------------------------------- > * | ACL Allows | Permit | Permit | Permit | > * | DELETE_CHILD | | > * ------------------------------------------------------- > * | ACL Denies | Permit | Deny | Deny | > * | DELETE_CHILD | | | | > * ------------------------------------------------------- > * | ACL specifies | | | | > * | only allow | Permit | Permit | Permit | > * | write and | | | | > * | execute | | | | > * ------------------------------------------------------- > * | ACL denies | | | | > * | write and | Permit | Deny | Deny | > * | execute | | | | > * ------------------------------------------------------- > * ^ > * | > * No search privilege, can't even look up file? > > Now, having said the above, I believe few (if anyone) uses the NFSv4 > ACLs in FreeBSD. > > Since Linux does not support native NFSv4 ACLs (the translation algorithm > to/from POSIX draft ACLs is too obscure for me), I do not see how this will > ever be resolved? > - An extention to NFSv4.2 for getting/setting POSIX draft ACLs might help, > but since ZFS does not support POSIX draft ACLs, it wouldn't be much > help for FreeBSD. > > Off topic,but nice to hear from you Rob, it has been a while, rick > > > > > > I will attempt to describe what Solaris does for ACLs for this. > > It's going to take some time for me to get something useful. > > The top-level summary is that our ZFS ACL implementation, which > > our SMB implementation also uses, are strongly similar to what > > the NFSv4 spec details, while older filesystems like UFS use > > Posix-draft ACLs. > > > > Rob T > > > > _______________________________________________ > > nfsv4 mailing list > > nfsv4@ietf.org > > https://www.ietf.org/mailman/listinfo/nfsv4 > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] Going forward on the security document David Noveck
- Re: [nfsv4] Going forward on the security document Jeff Layton
- Re: [nfsv4] Going forward on the security document Frank Filz
- Re: [nfsv4] Going forward on the security document Rob Thurlow
- Re: [nfsv4] Going forward on the security document Rick Macklem
- Re: [nfsv4] Going forward on the security document Brian Pawlowski
- Re: [nfsv4] Going forward on the security document Rick Macklem