Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Sam Falkner <Sam.Falkner@Sun.COM> Tue, 11 July 2006 12:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G0Hbc-0002qo-HH; Tue, 11 Jul 2006 08:44:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G0Hba-0002qe-Av for nfsv4@ietf.org; Tue, 11 Jul 2006 08:44:46 -0400
Received: from brmea-mail-2.sun.com ([192.18.98.43]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G0HbZ-0002OR-NA for nfsv4@ietf.org; Tue, 11 Jul 2006 08:44:46 -0400
Received: from fe-amer-05.sun.com ([192.18.108.179]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id k6BCijeb012120 for <nfsv4@ietf.org>; Tue, 11 Jul 2006 06:44:45 -0600 (MDT)
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-4.02 (built Sep 9 2005)) id <0J2800I01OQ7XB00@mail-amer.sun.com> (original mail from Sam.Falkner@Sun.COM) for nfsv4@ietf.org; Tue, 11 Jul 2006 06:44:45 -0600 (MDT)
Received: from [132.219.16.161] by mail-amer.sun.com (Sun Java System Messaging Server 6.2-4.02 (built Sep 9 2005)) with ESMTPSA id <0J2800ARHOQJVSW4@mail-amer.sun.com>; Tue, 11 Jul 2006 06:44:45 -0600 (MDT)
Date: Tue, 11 Jul 2006 08:44:42 -0400
From: Sam Falkner <Sam.Falkner@Sun.COM>
Subject: Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
In-reply-to: <200607111045.43779.agruen@suse.de>
To: Andreas Gruenbacher <agruen@suse.de>
Message-id: <7C3E0D57-F0ED-4702-B24B-CF3E366FAF5D@Sun.COM>
MIME-version: 1.0
X-Mailer: Apple Mail (2.752.2)
Content-type: text/plain; format="flowed"; delsp="yes"; charset="US-ASCII"
Content-transfer-encoding: 7bit
References: <200607032310.15252.agruen@suse.de> <200607110050.57449.agruen@suse.de> <BCB7A126-5749-406A-A730-48B64C41402B@Sun.COM> <200607111045.43779.agruen@suse.de>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 20f22c03b5c66958bff5ef54fcda6e48
Cc: Brian Pawlowski <beepy@netapp.com>, Spencer Shepler <Spencer.Shepler@Sun.COM>, nfs@lists.sourceforge.net, nfsv4@ietf.org, Lisa Week <Lisa.Week@Sun.COM>
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Errors-To: nfsv4-bounces@ietf.org
On Jul 11, 2006, at 4:45 AM, Andreas Gruenbacher wrote: > On Tuesday, 11. July 2006 08:17, Sam Falkner wrote: >> On Jul 10, 2006, at 5:50 PM, Andreas Gruenbacher wrote: >>> On Monday, 10. July 2006 15:29, Sam Falkner wrote: >>>> On Jul 9, 2006, at 10:22 AM, Andreas Gruenbacher wrote: >>>>> On Saturday, 8. July 2006 05:45, Sam Falkner wrote: >>>>>> On Jul 7, 2006, at 5:55 AM, Andreas Gruenbacher wrote: >>>>>>> On Monday, 3. July 2006 23:10, Andreas Gruenbacher wrote: >>>>> >>>>> Here are some facts to back my points: Let's assume that a file >>>>> inherits >>>>> the following ACL when being created (I am using ^(...) here >>>>> with the >>>>> meaning of "all bitflags except ..."): >>>>> >>>>> OWNER@:READ_DATA/WRITE_DATA::ALLOW >>>>> OWNER@:^(READ_DATA/WRITE_DATA)::DENY >>>>> GROUP@:READ_DATA::ALLOW >>>>> user@domain:READ_DATA/WRITE_DATA::ALLOW >>>>> GROUP@:^READ_DATA::DENY >>>>> user@domain:^(READ_DATA/WRITE_DATA)::DENY >>>>> EVERYONE@:READ_DATA::ALLOW >>>>> >>>>> This acl is "well structured" in the POSIX sense: OWNER@ will >>>>> only get >>>>> the owner permissions and none of the other permissions, >>>>> user@domain >>>>> and GROUP@ will only get the permissions intended for them, and >>>>> only >>>>> others (neither OWNER@ nor user@domain nor GROUP@) will get >>>>> EVERYONE@ >>>>> permissions; in other words, the acl is even correct for non- >>>>> monotonic >>>>> permissions. >>>>> >>>>> According to section 5.1 of draft-ietf-nfsv4-acls [1], the >>>>> resulting >>>>> file mode permission bits for this acl shall be rw-r--r--. >>>> >>>> Your proposal would give this mode: rw-rw-r--. I think we should >>>> consider this more carefully. >>>> >>>>> After a chmod or a file create, alternate file access control >>>>> mechanisms >>>>> must be disabled and only additional file access control >>>>> mechanisms may >>>>> remain active. According to POSIX, additional file access control >>>>> mechanisms require that no user may be granted more permissions >>>>> than the >>>>> respective file classes permit. In this case, user@domain >>>>> clearly is not >>>>> in the File Owner Class. (According to POSIX, user@domain must >>>>> be in the >>>>> File Group Class.) The user@domain user is granted WRITE_DATA >>>>> though, >>>>> which is *incorrect* from a POSIX point of view. >>>> >>>> No, it is not granted WRITE_DATA after a chmod(). After a chmod >>>> 644, >>>> there will be a "user@domain:WRITE_DATA::DENY" prepended. This is >>>> well defined in the current minorversion1. So it is not "incorrect >>>> from a POSIX point of view." >>> >>> Now that I look at the example again, I realize that I didn't >>> define the create mode. With create mode 640 or less permissive, >>> everything is fine. Let's assume create mode 664 though: then the >>> file >>> mode permission bits will still come out as rw-r--r--, but the >>> ACL will >>> grant WRITE_DATA to user@domain. That's the case I meant, and >>> this case is >>> not POSIX compliant. >> >> Wrong. The file mode permission bits will be rw-rw-r--. There is no >> problem with POSIX compliance. > > Ah. And why should that be according to draft-ietf-nfsv4-acls-00? > Because the > group file mode permission bits write through to GROUP@ entries, > and so the > rw- group permissions in the create mask elevate the permissions > given to the > owning group in the ACL? > > I hope that my reply from Tue, 11 Jul 2006 10:05:21 +0200 made it > clear that > writing through to the GROUP@ entries causes POSIX applications to > accidentally remove restrictions from an ACL, and so we really must > not do > that. The same argument applies to writing through to OWNER@ and > EVERYONE@ > entries, by the way. The "The final six ACEs are adjusted according > to the > incoming mode" section of the algorithm described in 5.3 is a > really bad > idea. > >>>>> Next, let's assume than an ACL contains the following pair of >>>>> user- >>>>> provided entries: >>>>> >>>>> GROUP@:WRITE_DATA::DENY >>>>> GROUP@:READ_DATA::ALLOW >>>>> >>>>> Clearly the user's intention is to deny WRITE_DATA access to >>>>> GROUP@. >>>> >>>> Yes, that *was* the user's intention, at the time the user set the >>>> ACL. >>> >>> Hm... not the best example because GROUP@ is the owning group, which >>> corresponds to the group file mode permission bits in traditional >>> POSIX. The problem is more difficult to see in this case, but I >>> argue >>> that the owhning group permissions and the group file mode >>> permission >>> bits are not the same with ACLs: the file group mode permission bits >>> restrict GROUP@ entries, and all user@domain and group@domain >>> entries >>> in the acl. For the sake of this example, substitute GROUP@ with >>> user@domain though, and you'll see the problem more clearly: a user >>> adds an explicit user@domain:WRITE_DATA::DENY entry to an acl which >>> is followed by a user@domain:READ_DATA::ALLOW entry. After a >>> chmod to >>> 664 for example, this user suddenly has write access. The >>> user clearly did not intend this to happen. >> >> No -- after the chmod, the DENY still stands, unaltered. > > Great Sam, you have trapped me with another special case that is > there only > because of those pesky mask DENY entries: "the mask bits are a > subset of the > mask bits of the current ACE" [1]. I trapped you, but not out of malice. The fact that you fell into the trap proves a point. You tried to give an example as a reasonable pair of ACEs that a user would set, and fell into the trap of having the design deal with your ACEs correctly. The design is to only manipulate DENY entries if the follow a very specific pattern, a pattern that an end-user is unlikely to set. In other words, the design avoids manipulating DENYs unless the DENYs are redundant. > My point still holds, just that the following ALLOW ACE must have > the denied > WRITE_DATA permission set as well: > > user@domain:WRITE_DATA::DENY > user@domain:READ_DATA/WRITE_DATA::ALLOW Yes, there, the chmod would change the DENY ACE. So if an end-user really did say WRITE_DATA:DENY, WRITE_DATA:ALLOW, albeit with other bits, then yes, the ACL can change as a result of the chmod. > Do you *still* disagree? I don't disagree that the DENY would be changed by a chmod(), but I do disagree that it's a major flaw. I would rather live with the flaw of having redundant user-supplied ACEs manipulated upon chmod than to add new file attributes that NFSv4.0 clients and servers won't know about. - Sam _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www1.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] NFSv4 ACL and POSIX interaction / mask Andreas Gruenbacher
- [nfsv4] Re: NFSv4 ACL and POSIX interaction / mas… Andreas Gruenbacher
- [nfsv4] Re: NFSv4 ACL and POSIX interaction / mas… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Lisa Week
- [nfsv4] Re: NFSv4 ACL and POSIX interaction / mask David Collier-Brown
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [NFS] [nfsv4] Re: NFSv4 ACL and POSIX interac… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [NFS] [nfsv4] Re: NFSv4 ACL and POSIX interac… Sam Falkner
- Re: [NFS] [nfsv4] Re: NFSv4 ACL and POSIX interac… J. Bruce Fields
- Re: [NFS] [nfsv4] Re: NFSv4 ACL and POSIX interac… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Lisa Week
- Re: [NFS] [nfsv4] Re: NFSv4 ACL and POSIX interac… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… J. Bruce Fields
- [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interaction… J. Bruce Fields
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- RE: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… wurzl_mario
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Andreas Gruenbacher
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… Andreas Gruenbacher
- Re: [nfsv4] Re: [NFS] NFSv4 ACL and POSIX interac… J. Bruce Fields
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Sam Falkner
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Lisa Week
- Re: [nfsv4] Re: NFSv4 ACL and POSIX interaction /… Andreas Gruenbacher