[nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02

Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> Fri, 09 August 2024 22:34 UTC

Return-Path: <pali-ietf-nfsv4@ietf.pali.im>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42352C180B71 for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pali.im
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP875dnsZ9vR for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:34:50 -0700 (PDT)
Received: from pali.im (mail.pali.im [IPv6:2a02:2b88:6:5cc6::2a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F82FC16943F for <nfsv4@ietf.org>; Fri, 9 Aug 2024 15:34:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pali.im; s=mail; t=1723242886; i=@pali.im; bh=Rxm+Od3XR6ITSDUjyKpERNNIRlAoNKW/ke1JTvDLsi4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=VLfx/EvZXBMuweemSjHH+Kr2EGkWZzo9RqP4bNaKv7U+XlPehQ4S3WVBMtB2k8xkP LJu8ZMk+ha7gg9WLhUu6UUVIB1/bEIEWtV1NBLeL04yRJw+aZ6mZ3Ork8lk4Axq4Fn rQhL5VZ2zCuvDuTHettu2lAlPwDoELBtnpP+/lUIzPy6I+K5Q8qZjhbOjID1YFZABc EkVpTrjIYdjqLhgGMQgw7WChDFPzzjaS6KJF/BkJyWcO/tgTHrWJF/vGeV5qLsgVJJ /V0vtyQKcjjmpD6yHppGHwISe6zK3K2FsEWukrlr96V7HmUFm/BU7PRsdQiYLqJVxY lUNUKzgHtdg/A==
Received: by pali.im (Postfix) id 2E3EDF26; Sat, 10 Aug 2024 00:34:46 +0200 (CEST)
Date: Sat, 10 Aug 2024 00:34:46 +0200
From: Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
To: David Noveck <davenoveck@gmail.com>
Message-ID: <20240809223446.4q6umzjpelv4kz3b@pali>
References: <20240806170525.trrqy27aqu7sayb5@pali> <CAM5tNy4pPcP7AErkqvu2URqX9nCT-8i3y_esVzpyyjaHC6Uuew@mail.gmail.com> <CADaq8jexUbGSNfrkSkrVn3axkDZu2HrMYeT1pF7TNGKXHaZ73w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADaq8jexUbGSNfrkSkrVn3axkDZu2HrMYeT1pF7TNGKXHaZ73w@mail.gmail.com>
User-Agent: NeoMutt/20180716
Message-ID-Hash: DW3D2ID4XTEBY2ZLI76MWNEJSQSPTLQW
X-Message-ID-Hash: DW3D2ID4XTEBY2ZLI76MWNEJSQSPTLQW
X-MailFrom: pali-ietf-nfsv4@ietf.pali.im
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/cXC3UIjcGyDQu3_a1OcX3YifaMg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Wednesday 07 August 2024 08:07:16 David Noveck wrote:
> On Tue, Aug 6, 2024, 6:21 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > On Tue, Aug 6, 2024 at 10:05 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
> > wrote:
> >> 2)
> >>
> >> Then there is a problem with "group" bits of "mode" attribute.
> >> In RFC 8881 section 6.2.4 is written:
> >>
> >> "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals
> >> identified in the owner_group attribute but who are not identified in
> >> the owner attribute."
> >>
> >> And in section 6.3.2.1 is written:
> >>
> >> "Some server implementations also add bits permitted to named users and
> >> groups to the group bits (MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP).
> >> Implementations are discouraged from doing this."
> >> "The same user confusion seen when fetching the mode also results if
> >> setting the mode does not effectively control permissions for the owner,
> >> group, and other users; this motivates some of the requirements that
> >> follow."
> >>
> >> POSIX ACL with at least one named user or named group requires that
> >> mode group bits refers to POSIX ACL mask, and not to the POSIX ACL
> >> group_obj (which represents owner_group).
> >>
> >> Those RFC 8881 parts of NFS mode attribute are basically not compatible
> >> with POSIX ACL. Your extension does not mention this problem and does
> >> not handle it.
> >>
> >> Existing NFS4 servers which follows the RFC 8881 meaning of mode group
> >> bits, would not be able to implement this your extension for POSIX ACL,
> >> because existing servers cannot change behavior of mode attribute due
> >> backward compatibility. I think that this is a big problem.
> >> Servers in multiprotocol environment mostly follows the RFC 8881 advice
> >> to never return something like "POSIX mask" in group bits.
> >>
> >> How to solve this problem. One option could be including all mode bits
> >> into your new "posix_access_acl" attribute and let NFS4 clients to use
> >> only "posix_access_acl" on chown operation, and never use existing
> >> "mode" attribute at all (if the extension is supported by server).
> >>
> >> Another option could be to introduce a new "posix_mode" attribute which
> >> would be strictly POSIX and old "mode" attribute can stay as before for
> >> backward compatibility. Again clients would not use "mode" attribute
> >> anymore.
> >>
> >
> A similar possibility is discussed in an appendix to acls-04.   The idea is
> a read-only mode_info attribute
> that clients could use if they want to display a mode that can be displayed
> to reflect a summary of the ACL permissions.

I think that it should be the client who compose summary of the ACL
permissions. Why? Because POSIX ACL clients compute this summary
differently than NFS4 servers who follows RFC 8881 recommendation (to
not add bits from named users and named group to mode group bits).

So if you have a POSIX ACL compatible system, then its NFS4 should
report different mode to applications, than the NFS4 compatible system
which does not support POSIX ACL.

For example if you have POSIX compatible system which connects to two
different NFS4 servers, where first is POSIX ACL, second is NFS4 ACL and
you set same access control on both of them for some files (just with
simple ALLOW cases, which is supported by both POSIX and NFS4 ACL
models) then every server will report different mode. Even it both
servers will provide same access. And this is strange.