IETF Logo Mail Archive

Re: [nfsv4] Going forward on the security document

Rick Macklem <rick.macklem@gmail.com> Thu, 15 February 2024 23:44 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8BBAC14F6FE for <nfsv4@ietfa.amsl.com>; Thu, 15 Feb 2024 15:44:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGqw5z1guqC6 for <nfsv4@ietfa.amsl.com>; Thu, 15 Feb 2024 15:44:17 -0800 (PST)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BA46C14F60F for <nfsv4@ietf.org>; Thu, 15 Feb 2024 15:44:17 -0800 (PST)
Received: by mail-pg1-x529.google.com with SMTP id 41be03b00d2f7-5cddfe0cb64so1192360a12.0 for <nfsv4@ietf.org>; Thu, 15 Feb 2024 15:44:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708040656; x=1708645456; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=5L+lYsD+oIvk7DRTkFgmhqyTECgk3VyKV98T8wq0tVA=; b=BRr05V+mVA4QIgVGONgCVkcXF5Q1+qJWrSZvnPvMs2Kwj7v7PklDeUKpnpB+5q/mfe NJhQnujHUml7wCcJ26Uhl+mTLkrgtjQf1V5Qei2ryDq6iUyvMQTcxmrW9vycT8Wjjty7 0b1aPw6FQrQGDKBabDVF5zfwmcKizqCTMv5ZAxUoFr9gHM409YpYiRT3goqCGcH7BzLw gWlgGCrueaobC3UaEiMfRo91iT6ZvuAoyVkDkJDQfr3iqpuvh0LsUZbZGkwrMXuaicA2 dYH1xUKxGbJt/xpW9s8unkTudCIF76QxUnQHsHZ8WQNE2GT9JTiKw5lse8AxmuY9xSzh 2cFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708040656; x=1708645456; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5L+lYsD+oIvk7DRTkFgmhqyTECgk3VyKV98T8wq0tVA=; b=lya3mZ+K8V8leR4nA5d9+rDQnvO4NDIc6XdwZjLavkBsnIc/bV8XTPlGg7fsFOANiP ubhv86ueB6oF9gqMU33RikjpMz+OlDuiMiRo6uqbxJ4WW3Yig+Y14RYOX2N1GUwgimdU +iwrNF9t1w/zdpQyIK7Lw0YRPM11fsAAnF091SjRnTUv1ktEBn9KXtUyeUtH9wxuX2Fk HXCzkGQiX3LLvMgfq7XBzTewwIg3BADPkLbTyfwPb+f494HwKOvLGX2FugI2F+Ls5iYi sL7CagGjXBH4rkCvg1x8620pnnCEQ4mcdf+qqsiP6yDPaoWBPBNGfy4OHIxUkn9jXJsO 9HhQ==
X-Gm-Message-State: AOJu0YxOp2LYidcED/ZX7TPev0iGvcuSEwXD018DEgh2hQu2QA5yeCdH qdLQUF6U2wPIattdQ1auD4hDCPTAOsIK+8/V2J6M9WSKNe9FER96c6uWkhQ4r6VAITvsK4wCr31 nAm2cRnCbr8VzKu//EOl8k9xRI+3obB4BPA==
X-Google-Smtp-Source: AGHT+IEwOmmqEUQFUhctV0qzAQjsVMYndMtvK0W918onZuECXCteCgIGQq2EOqc5V8tnJ6Nl8ejLRUpRsWj8wmm5CCo=
X-Received: by 2002:a17:90a:f317:b0:290:2e08:74f1 with SMTP id ca23-20020a17090af31700b002902e0874f1mr3067022pjb.21.1708040656261; Thu, 15 Feb 2024 15:44:16 -0800 (PST)
MIME-Version: 1.0
References: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com> <8f4dbdf6-b388-4e02-96aa-21682e46c32f@oracle.com>
In-Reply-To: <8f4dbdf6-b388-4e02-96aa-21682e46c32f@oracle.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Thu, 15 Feb 2024 15:44:00 -0800
Message-ID: <CAM5tNy4ipOe+=Bu8aS7qx6LkKY5MmS6c65aeQjnBwASthdq=VA@mail.gmail.com>
To: Rob Thurlow <robert.thurlow@oracle.com>
Cc: nfsv4@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/_HXeAl70w96etY8ILqmt38V_JOI>
Subject: Re: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2024 23:44:17 -0000

On Thu, Feb 15, 2024 at 7:50 AM Rob Thurlow <robert.thurlow@oracle.com> wrote:
>
> On 2/14/24 9:07 AM, David Noveck wrote:
>
> > As a result, the next draft of the security document,
> > draft-dnoveck-nfsv4-security-08, will limit the discussion of
> > acl-related issues by treating acls as an EXPERIMENTAL feature to be
> > described in a separate document.
>
> > We will be needing information about actual implementations of some of
> > the ACL extensions discussed in existing documents and have to be
> > prepared to simply drop material that was never implemented.
FreeBSD implements what was believed to be a RFC5661 compatible
implementation of NFSv4 ACLs, with the following limitation:
- Only Allow and Deny ACEs are handled (there is some code for Alert
  and Alarm in ZFS, but they are not recognized by the generic code).
- For ZFS, they are based on what was in OpenSolaris (FreeBSD now uses
  what is referred to as the OpenZFS code base, formerly called ZoL, but
  I do not think NFSv4 ACL semantics has changed from what OpenSolaris had.
- There is also an implementation for UFS (which also supports POSIX draft
  ACLs). A UFS volume needs to choose one or the other, as I understand it.
This document (which Rob might actually know where it can be found?) is
referred to for the mode->NFSv4 ACL translation.

 * Calculate trivial ACL in a manner compatible with PSARC/2010/029.
 * Note that this results in an ACL different from (but semantically
 * equal to) the "canonical six" trivial ACL computed using algorithm
 * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2.
It would be really nice to find a copy of PSARC/2010/029?

And this comment indicates how ZFS handles "delete". I have no idea who/what
generated the "recommendation"?
 * The following chart is the recommended NFSv4 enforcement for
 * ability to delete an object.
 *
 *      -------------------------------------------------------
 *      |   Parent Dir  |           Target Object Permissions |
 *      |  permissions  |                                     |
 *      -------------------------------------------------------
 *      |               | ACL Allows | ACL Denies| Delete     |
 *      |               |  Delete    |  Delete   | unspecified|
 *      -------------------------------------------------------
 *      |  ACL Allows   | Permit     | Permit    | Permit     |
 *      |  DELETE_CHILD |                                     |
 *      -------------------------------------------------------
 *      |  ACL Denies   | Permit     | Deny      | Deny       |
 *      |  DELETE_CHILD |            |           |            |
 *      -------------------------------------------------------
 *      | ACL specifies |            |           |            |
 *      | only allow    | Permit     | Permit    | Permit     |
 *      | write and     |            |           |            |
 *      | execute       |            |           |            |
 *      -------------------------------------------------------
 *      | ACL denies    |            |           |            |
 *      | write and     | Permit     | Deny      | Deny       |
 *      | execute       |            |           |            |
 *      -------------------------------------------------------
 *         ^
 *         |
 *         No search privilege, can't even look up file?

Now, having said the above, I believe few (if anyone) uses the NFSv4
ACLs in FreeBSD.

Since Linux does not support native NFSv4 ACLs (the translation algorithm
to/from POSIX draft ACLs is too obscure for me), I do not see how this will
ever be resolved?
- An extention to NFSv4.2 for getting/setting POSIX draft ACLs might help,
  but since ZFS does not support POSIX draft ACLs, it wouldn't be much
  help for FreeBSD.

Off topic,but nice to hear from you Rob, it has been a while, rick


>
> I will attempt to describe what Solaris does for ACLs for this.
> It's going to take some time for me to get something useful.
> The top-level summary is that our ZFS ACL implementation, which
> our SMB implementation also uses, are strongly similar to what
> the NFSv4 spec details, while older filesystems like UFS use
> Posix-draft ACLs.
>
> Rob T
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email