When ACLs Attack:Cross-Platform FilePermissionsAndrew LeonardISB IT ExchangeJuly 13, 2012
In the beginning: "Traditional" UnixPermissions Write Execute Read Not permitted drwxr-x--- Other User Group
Playing Nice With Other (Unix) UsersSome tactics:● drwxrws---: Use setgid bit to force files and directories created within a directory to inherit its group id, rather than be assigned users primary group id. (c. 1972?)● umask 002: Dont limit group permissions, or read/execute permissions for others. (c. 1982?)● drwxrwxrwt: Only the items owner, directorys owner, or root can rm or mv contained files. (c. 1986)● User private groups: Group containing single user, allows private files when setting umask 002. (Red Hat c. 2002) Take dates above with a giant grain of salt, they could be way off.
POSIX.1e ACLs● Allow setting permissions for multiple users and groups per file.● Set explicit defaults (beyond the setgid bit).user::rwxuser:aleonard:rwxgroup::r-xmask::rwxother::r-xdefault:user::rwxdefault:user:aleonard:rwxdefault:group::r-xdefault:mask::rwxdefault:other::r-x
Meanwhile, in Redmond...NTFS ACLs: Standard Permissions Advanced Permissions ● Modify ● Full Control ● Read & Execute ● Traverse Folder/Execute ● Read File ● Write ● List Folder/Read Data ● List Folder Contents ● Read Attributes ● Read Extended Attributes ● Create Files/Write Data ● Create Folders/Append Data ● Write Attributes ● Write Extended Attributes ● Delete Subfolders & Files ● Delete ● Read Permissions ● Change Permissions ● Take Ownership
Enter NFSv4 ACLsA Standard, as of 2000:http://ietfreport.isoc.org/idref/draft-falkner-nfsv4-acls/https://tools.ietf.org/html/rfc3010https://tools.ietf.org/html/rfc3530# file: .# owner: root# group: bifx group:bifx:rwxpDdaARWcCos:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:rwxp--a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow ● Each Access Control Entry (ACE) is made up of four parts: identifier, access rights, flags, type (allow, deny, audit, alarm). ● ACEs are traversed in order. ● Access rights are NTFS compatible.
But: ACLs Arent All Rainbows andUnicornsAssuming the trade-off of flexibility for additional complexityis acceptable: ● Does your file system support them? Do your clients? ● Tools to manipulate ACLs are inconsistent and sometimes inefficient. ● Does your backup software preserve ACLs? ● Do your everyday file system utilities handle them correctly? ● Does your vendor understand them? How buggy is their implementation? ● How do new-style ACLs interact with legacy permission schemes?
Specifics: Seattle BioMed NASEnvironment● NetApp ○ NFSv3/SMBv2 ○ Mix of "office" and "science" data. ○ Home directories, group shares.● FreeBSD/ZFS ○ ZFS v28 ○ NFSv3, NFSv4/SMBv1 ○ Serves NFSv4 via newnfs ○ Uses Samba for SMB ○ Larger shares, mostly scientific data
Specifics: Our Client EnvironmentPretty standard stuff, in order of prevalence:● Windows Desktops - SMBv1, SMBv2 ○ 7, XP ○ 2000, NT4, sigh.● OS X - SMB, no NFS● Linux - NFSv3, NFSv4 ○ CentOS ○ Ubuntu
Details: ACLs and NetApp● NetApp has three different security modes you can choose from at a volume or qtree level. ○ "unix" mode: Unix-style permission bits. ○ "ntfs" mode: "For CIFS requests, Windows NT permissions determine user access. For NFS requests, the filer generates and stores a set of UNIX-style permission bits that are at least as restrictive as the Windows NT permissions. The filer grants NFS access only if the UNIX-style permission bits allow the user access." ○ They also have a third "mixed" mode, but nobody seems to use it: "A files security style depends on whether the permission was last set from CIFS or NFS."● (Were not using NFSv4 on NetApp today.) ○ http://www.netapp.com/us/communities/tech-ontap/nfsv4-0408.html
Details: ACLs and ZFSZFS has native NFSv4 ACLs. Important issue:● What happens to an NFSv4 ACL when you chmod(2) is important. If a file has an NFSv4 ACL, do you: ○ Edit only the files mode ("passthrough")? ○ Remove any NFSv4 ACL ("discard")? ○ Do something in-between ("groupmask")? ○ Let the admin decide on a per-file system basis?On ZFS, this is controlled by the "aclmode" property. Sun removed this shortlybefore the Oracle acquisition, enforcing "discard" on all ZFS file systems;however, FreeBSD and Illumos have added "aclmode" back.http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
Usage notes: User mapping mattersYou cant share files across platforms if youcant map identities across platforms.We use Active Directory as our source of truthfor users and groups; NetApp and FreeBSDsystems access this information using LDAP.
Usage notes: General notes● Simple permissions solve most of our use cases ○ User home directories are on NetApp, using unix- mode, 0700 permissions. ○ Ntfs-mode qtrees work well for most groups. ○ Many of our complex permission structures are SMB-only and therefore use ntfs-mode. ○ For those that need them, unix-mode qtrees are often enough.● For everything else, theres NFSv4 ACLs on ZFS.
Usage notes: NetApp + ntfs-mode● What you see with an ntfs qtree over NFS is often not what you get: $ ls -ld somedir drwxrwxrwx 40 root root 8192 Mar 16 10:45 somedir $ cd somedir -bash: cd: somedir: Permission denied● Some apps try to be good citizens and check permissions before carrying out an action, and then fail. Others complain when they cant set permissions within an ntfs-mode qtree. ○ Setting cifs.ntfs_ignore_unix_security_ops (silently discard NFS permission operations) and nfs. ntacl_display_permissive_perms (displayed permissions are based on the maximum access granted to any user) to oncan help here.
Usage notes: NetApp + unix-modeFor simple configurations, these cifs sharesflags may get you what you need:Make created files belong to a group:-forcegroup <groupname>Set initial permissions of newly created files and directories:-umask <mask>-dir_umask <mask>-file_umask <mask>
Usage notes: ZFS on whichoperating system?Were using FreeBSD 8-STABLE, as we oftenneed fixes before they wind up in a -RELEASE.The firstname.lastname@example.org and email@example.com mailing lists have beenindispensable. On the Solaris side of ZFS, theres always Oracle Solaris 11. As far as Ilumos, Nexenta is always an option, and I hear theres neat stuff being built on OmniOS. Theres also ZFS-on-Linux.
Usage Notes: ZFS file systempropertiesWe generally set permissions at the top of ashare, and have them inherited down into theshare, so we:zfs set aclinherit=passthrough-xInherits all inheritable ACL entries without modification, butinherit execute permission only if the file creation modespecifies it.zfs set aclmode=passthroughWhen chmod(2) is called, "no changes are made to theACL other than creating or updating the necessary ACLentries to represent the new mode of the file or directory."
Usage notes: Samba configuration -simple permissionsWe frequently use this idiom when configuring Sambashares, roughly equivalent to umask 007 and a setgiddirectory under NFS:# Bitwise AND file/directory permissions with these masks:create mask = 0660directory mask = 2770# File/directory permission bits that will always be set:force create mode = 0660force directory mode = 2770# Assign group:force group = "somelab"# Limit permission bits that can be modified from Windows client -# these are forced on:force security mode = 0660force directory security mode = 2770
Usage notes: Samba configuration -complex ACLsSet ACLs using native tools on ZFS as needed.In smb.conf, remove force group, adjustmask and mode settings as appropriate... andlet the NFSv4 ACLs at the file system level dothe rest.(Remember: Samba is just another applicationaccessing files - v4 ACLs, including inheritance,are still applied.)
Usage notes: Samba on FreeBSD/ZFS config toallow ACL manipulation from WindowsWe havent heavily used this, but it seems to work.Build Samba WITH_ACL_SUPPORT=true from FreeBSD ports; add thefollowing to smb.conf:Global config:unix extensions = noWithin a share definition:nt acl support = yesinherit acls = nomap acl inherit = yesvfs objects = zfsaclnfs4:mode = specialnfs4:acedup = mergenfs4:chown = yes
Usage notes: Users increasinglywant to manipulate their own ACLsIn general, our users havent wanted tounderstand or manage their own ACLs, so IThas done it for them. However, we now haveone group of users - an internal serviceprovider - that wants to actively manage theirown ACLs on a wide scale.● They use either nfs4_setfacl on Linux, or an IT-supplied script to adjust permissions.● This is a fairly new development, so its unclear what pitfalls await.
Closing: NFSv4 in 2012Despite being 12 years old, NFSv4 isnt widely-or well-supported. Commercial vendors dontdedicate more resources to it because usersarent using it heavily; users dont use it heavilybecause vendors arent dedicating resources toit.As a consequence, the best implementationsand support today seem to be Open Source.