Uploaded byandy_leonard
PDF, PPTX6,200 views

When ACLs Attack

This document discusses access control lists (ACLs) and how they are implemented across different platforms and file systems. It provides a history of ACL implementations including POSIX ACLs, NTFS ACLs, and NFSv4 ACLs. It also discusses specifics of how ACLs are supported and some issues that can arise with ACLs on the author's NetApp and FreeBSD environments. Overall, the document aims to educate about ACL standards and interoperability challenges across platforms.

Embed presentation

Download as PDF, PPTX
When ACLs Attack: Cross-Platform File Permissions Andrew Leonard ISB IT Exchange July 13, 2012
In the beginning: "Traditional" Unix Permissions Write Execute Read Not permitted drwxr-x--- Other User Group
Playing Nice With Other (Unix) Users Some tactics: ● drwxrws---: Use setgid bit to force files and directories created within a directory to inherit its group id, rather than be assigned user's primary group id. (c. 1972?) ● umask 002: Don't limit group permissions, or read/execute permissions for others. (c. 1982?) ● drwxrwxrwt: Only the item's owner, directory's owner, or root can rm or mv contained files. (c. 1986) ● User private groups: Group containing single user, allows private files when setting umask 002. (Red Hat c. 2002) Take dates above with a giant grain of salt, they could be way off.
POSIX.1e ACLs ● Allow setting permissions for multiple users and groups per file. ● Set explicit defaults (beyond the setgid bit). user::rwx user:aleonard:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:aleonard:rwx default:group::r-x default:mask::rwx default:other::r-x
Meanwhile, in Redmond... NTFS ACLs: Standard Permissions Advanced Permissions ● Modify ● Full Control ● Read & Execute ● Traverse Folder/Execute ● Read File ● Write ● List Folder/Read Data ● List Folder Contents ● Read Attributes ● Read Extended Attributes ● Create Files/Write Data ● Create Folders/Append Data ● Write Attributes ● Write Extended Attributes ● Delete Subfolders & Files ● Delete ● Read Permissions ● Change Permissions ● Take Ownership
Enter NFSv4 ACLs A Standard, as of 2000: http://ietfreport.isoc.org/idref/draft-falkner-nfsv4-acls/ https://tools.ietf.org/html/rfc3010 https://tools.ietf.org/html/rfc3530 # file: . # owner: root # group: bifx group:bifx:rwxpDdaARWcCos:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:rwxp--a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow ● Each Access Control Entry (ACE) is made up of four parts: identifier, access rights, flags, type (allow, deny, audit, alarm). ● ACEs are traversed in order. ● Access rights are NTFS compatible.
NFSv4 Privileges and Abbreviations Privilege (abbreviation): Access Privileges (Linux, FreeBSD/Solaris) Flags (Linux, FreeBSD/Solaris) ● read_data, list_directory (r, r) ● file_inherit (f, f) ● write_data, add_file (w, w) ● dir_inherit (d, d) ● execute (x, x) ● inherit_only (i, i) ● append_data, add_subdirectory (a, p) ● no_propagate (n, n) ● delete_child (D, D) ● delete (d, d) ● read_attributes (t, a) ● write_attributes (T, A) ● read_xattr (n, R) ● write_xattr (N, W) ● read_acl (c, c) ● write_acl (C, C) ● write_owner (o, o) ● synchronize (y, s)
But: ACLs Aren't All Rainbows and Unicorns Assuming the trade-off of flexibility for additional complexity is acceptable: ● Does your file system support them? Do your clients? ● Tools to manipulate ACLs are inconsistent and sometimes inefficient. ● Does your backup software preserve ACLs? ● Do your everyday file system utilities handle them correctly? ● Does your vendor understand them? How buggy is their implementation? ● How do new-style ACLs interact with legacy permission schemes?
Specifics: Seattle BioMed NAS Environment ● NetApp ○ NFSv3/SMBv2 ○ Mix of "office" and "science" data. ○ Home directories, group shares. ● FreeBSD/ZFS ○ ZFS v28 ○ NFSv3, NFSv4/SMBv1 ○ Serves NFSv4 via newnfs ○ Uses Samba for SMB ○ Larger shares, mostly scientific data
Specifics: Our Client Environment Pretty standard stuff, in order of prevalence: ● Windows Desktops - SMBv1, SMBv2 ○ 7, XP ○ 2000, NT4, sigh. ● OS X - SMB, no NFS ● Linux - NFSv3, NFSv4 ○ CentOS ○ Ubuntu
Details: ACLs and NetApp ● NetApp has three different security modes you can choose from at a volume or qtree level. ○ "unix" mode: Unix-style permission bits. ○ "ntfs" mode: "For CIFS requests, Windows NT permissions determine user access. For NFS requests, the filer generates and stores a set of UNIX-style permission bits that are at least as restrictive as the Windows NT permissions. The filer grants NFS access only if the UNIX-style permission bits allow the user access." ○ They also have a third "mixed" mode, but nobody seems to use it: "A file's security style depends on whether the permission was last set from CIFS or NFS." ● (We're not using NFSv4 on NetApp today.) ○ http://www.netapp.com/us/communities/tech-ontap/nfsv4-0408.html
Details: ACLs and ZFS ZFS has native NFSv4 ACLs. Important issue: ● What happens to an NFSv4 ACL when you chmod(2) is important. If a file has an NFSv4 ACL, do you: ○ Edit only the file's mode ("passthrough")? ○ Remove any NFSv4 ACL ("discard")? ○ Do something in-between ("groupmask")? ○ Let the admin decide on a per-file system basis? On ZFS, this is controlled by the "aclmode" property. Sun removed this shortly before the Oracle acquisition, enforcing "discard" on all ZFS file systems; however, FreeBSD and Illumos have added "aclmode" back. http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
Usage notes: User mapping matters You can't share files across platforms if you can't map identities across platforms. We use Active Directory as our source of truth for users and groups; NetApp and FreeBSD systems access this information using LDAP.
Usage notes: General notes ● Simple permissions solve most of our use cases ○ User home directories are on NetApp, using unix- mode, 0700 permissions. ○ Ntfs-mode qtrees work well for most groups. ○ Many of our complex permission structures are SMB-only and therefore use ntfs-mode. ○ For those that need them, unix-mode qtrees are often enough. ● For everything else, there's NFSv4 ACLs on ZFS.
Usage notes: NetApp + ntfs-mode ● What you see with an ntfs qtree over NFS is often not what you get: $ ls -ld somedir drwxrwxrwx 40 root root 8192 Mar 16 10:45 somedir $ cd somedir -bash: cd: somedir: Permission denied ● Some apps try to be good citizens and check permissions before carrying out an action, and then fail. Others complain when they can't set permissions within an ntfs-mode qtree. ○ Setting cifs.ntfs_ignore_unix_security_ops (silently discard NFS permission operations) and nfs. ntacl_display_permissive_perms (displayed permissions are based on the maximum access granted to any user) to 'on'can help here.
Usage notes: NetApp + unix-mode For simple configurations, these cifs shares flags may get you what you need: Make created files belong to a group: -forcegroup <groupname> Set initial permissions of newly created files and directories: -umask <mask> -dir_umask <mask> -file_umask <mask>
Usage notes: ZFS on which operating system? We're using FreeBSD 8-STABLE, as we often need fixes before they wind up in a -RELEASE. The freebsd-fs@freebsd.org and freebsd- stable@freebsd.org mailing lists have been indispensable. On the Solaris side of ZFS, there's always Oracle Solaris 11. As far as Ilumos, Nexenta is always an option, and I hear there's neat stuff being built on OmniOS. There's also ZFS-on-Linux.
Usage Notes: ZFS file system properties We generally set permissions at the top of a share, and have them inherited down into the share, so we: zfs set aclinherit=passthrough-x Inherits all inheritable ACL entries without modification, but inherit execute permission only if the file creation mode specifies it. zfs set aclmode=passthrough When chmod(2) is called, "no changes are made to the ACL other than creating or updating the necessary ACL entries to represent the new mode of the file or directory."
Usage notes: Samba configuration - simple permissions We frequently use this idiom when configuring Samba shares, roughly equivalent to umask 007 and a setgid directory under NFS: # Bitwise AND file/directory permissions with these masks: create mask = 0660 directory mask = 2770 # File/directory permission bits that will always be set: force create mode = 0660 force directory mode = 2770 # Assign group: force group = "somelab" # Limit permission bits that can be modified from Windows client - # these are forced on: force security mode = 0660 force directory security mode = 2770
Usage notes: Samba configuration - complex ACLs Set ACLs using native tools on ZFS as needed. In smb.conf, remove force group, adjust mask and mode settings as appropriate... and let the NFSv4 ACLs at the file system level do the rest. (Remember: Samba is just another application accessing files - v4 ACLs, including inheritance, are still applied.)
Usage notes: Samba on FreeBSD/ZFS config to allow ACL manipulation from Windows We haven't heavily used this, but it seems to work. Build Samba WITH_ACL_SUPPORT=true from FreeBSD ports; add the following to smb.conf: Global config: unix extensions = no Within a share definition: nt acl support = yes inherit acls = no map acl inherit = yes vfs objects = zfsacl nfs4:mode = special nfs4:acedup = merge nfs4:chown = yes
Usage notes: Users increasingly want to manipulate their own ACLs In general, our users haven't wanted to understand or manage their own ACLs, so IT has done it for them. However, we now have one group of users - an internal service provider - that wants to actively manage their own ACLs on a wide scale. ● They use either nfs4_setfacl on Linux, or an IT-supplied script to adjust permissions. ● This is a fairly new development, so it's unclear what pitfalls await.
Closing: NFSv4 in 2012 Despite being 12 years old, NFSv4 isn't widely- or well-supported. Commercial vendors don't dedicate more resources to it because users aren't using it heavily; users don't use it heavily because vendors aren't dedicating resources to it. As a consequence, the best implementations and support today seem to be Open Source.

More Related Content

ODP
4. linux file systems
byMarian Marinov
 
PPTX
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
PDF
AOS Lab 10: File system -- Inodes and beyond
byZubair Nabi
 
PDF
Course 102: Lecture 5: File Handling Internals
byAhmed El-Arabawy
 
PPT
Introduction to UNIX
bySimonas Kareiva
 
PDF
De-Anonymizing Live CDs through Physical Memory Analysis
byAndrew Case
 
PDF
Linux fundamental - Chap 02 perm
byKenny (netman)
 
PDF
Lecture 5 Kernel Development
byMohammed Farrag
 
4. linux file systems
byMarian Marinov
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
byAndrew Case
 
AOS Lab 10: File system -- Inodes and beyond
byZubair Nabi
 
Course 102: Lecture 5: File Handling Internals
byAhmed El-Arabawy
 
Introduction to UNIX
bySimonas Kareiva
 
De-Anonymizing Live CDs through Physical Memory Analysis
byAndrew Case
 
Linux fundamental - Chap 02 perm
byKenny (netman)
 
Lecture 5 Kernel Development
byMohammed Farrag
 

What's hot

PDF
Linux Security
byMahdi Cherif
 
PDF
The basic concept of Linux FIleSystem
byHungWei Chiu
 
PDF
Linux Directory Structure
byKevin OBrien
 
PPT
Linux ppt
byRohit Kumar
 
PDF
Linux fundamental - Chap 10 fs
byKenny (netman)
 
PPT
Basic Unix
byRajesh Kumar
 
PDF
Linux practicals T.Y.B.ScIT
byvignesh0009
 
PPT
Device drivers tsp
byPradeep Kumar TS
 
PDF
Introduction to Unix-like systems (Part I-IV)
byhildenjohannes
 
ODP
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
byUtah Networxs Consultoria e Treinamento
 
DOCX
Linux admin interview questions
byKavya Sri
 
PDF
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
PPT
Linux: Basics OF Linux
byOmkar Walavalkar
 
PPTX
Linux standard file system
byTaaanu01
 
PPT
Unix file systems 2 in unix internal systems
bysenthilamul
 
PDF
AOS Lab 9: File system -- Of buffers, logs, and blocks
byZubair Nabi
 
PPT
Online Training in Unix Linux Shell Scripting in Hyderabad
byRavikumar Nandigam
 
PPT
Linuxppt
byTSUBHASHRI
 
PPTX
Redis
byRhythm Shahriar
 
PDF
Lecture2 process structure and programming
byMohammed Farrag
 
Linux Security
byMahdi Cherif
 
The basic concept of Linux FIleSystem
byHungWei Chiu
 
Linux Directory Structure
byKevin OBrien
 
Linux ppt
byRohit Kumar
 
Linux fundamental - Chap 10 fs
byKenny (netman)
 
Basic Unix
byRajesh Kumar
 
Linux practicals T.Y.B.ScIT
byvignesh0009
 
Device drivers tsp
byPradeep Kumar TS
 
Introduction to Unix-like systems (Part I-IV)
byhildenjohannes
 
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
byUtah Networxs Consultoria e Treinamento
 
Linux admin interview questions
byKavya Sri
 
Linux containers-namespaces(Dec 2014)
byRalf Dannert
 
Linux: Basics OF Linux
byOmkar Walavalkar
 
Linux standard file system
byTaaanu01
 
Unix file systems 2 in unix internal systems
bysenthilamul
 
AOS Lab 9: File system -- Of buffers, logs, and blocks
byZubair Nabi
 
Online Training in Unix Linux Shell Scripting in Hyderabad
byRavikumar Nandigam
 
Linuxppt
byTSUBHASHRI
 
Redis
byRhythm Shahriar
 
Lecture2 process structure and programming
byMohammed Farrag
 

Viewers also liked

PDF
NFS(Network File System)
byudamale
 
PPTX
Server hardening
byTeja Babu
 
PDF
How Many Linux Security Layers Are Enough?
byMichael Boelen
 
PDF
Auditing unix linux system use with tivoli access manager for operating syste...
byBanking at Ho Chi Minh city
 
PPT
CITI, NFSv4, and ASCI
bypeterhoneyman
 
PDF
sVirt: Hardening Linux Virtualization with Mandatory Access Control
byJames Morris
 
PPT
slides
bywebhostingguy
 
PDF
Fear (Halloween Event in Winnipeg) Sponsorship Deck
byJay Hall
 
NFS(Network File System)
byudamale
 
Server hardening
byTeja Babu
 
How Many Linux Security Layers Are Enough?
byMichael Boelen
 
Auditing unix linux system use with tivoli access manager for operating syste...
byBanking at Ho Chi Minh city
 
CITI, NFSv4, and ASCI
bypeterhoneyman
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
byJames Morris
 
slides
bywebhostingguy
 
Fear (Halloween Event in Winnipeg) Sponsorship Deck
byJay Hall
 

Similar to When ACLs Attack

PPT
Unix File System
bystudent(MCA)
 
PPT
OS_Ch11
bySupriya Shrivastava
 
PPT
OSCh11
byJoe Christensen
 
PPT
Ch11 OS
byC.U
 
PPT
Distributed File Systems
byawesomesos
 
PDF
ZFS Tutorial USENIX June 2009
byRichard Elling
 
PPTX
Module 5 File system.Details regarding how files are handeled by the operatin...
byvaishalibagewadikar1
 
PPT
Distributed System by Pratik Tambekar
byPratik Tambekar
 
PPT
file management_osnotes.ppt
byHelalMirzad
 
PPT
operating system File - System Interface
byDr. Chandrakant Divate
 
ODP
NTFS and Inode
byAmit Seal Ami
 
PPT
Unit 3 chapter 1-file management
byKalai Selvi
 
PPTX
Filesth file handling in language dile
bylomic31750
 
PDF
ITFT_File system interface in Operating System
bySneh Prabha
 
PPT
Integrity and Security in Filesystems
byConferencias FIST
 
PPT
Os6
bygopal10scs185
 
PPTX
Chapter 3
bylopjuan
 
PDF
Effective Access Controls with Directories, Services and Sharepoints
byBronson Tubb
 
PDF
Ch10 file system interface
byWelly Dian Astika
 
PPT
Os10
byissbp
 
Unix File System
bystudent(MCA)
 
OS_Ch11
bySupriya Shrivastava
 
OSCh11
byJoe Christensen
 
Ch11 OS
byC.U
 
Distributed File Systems
byawesomesos
 
ZFS Tutorial USENIX June 2009
byRichard Elling
 
Module 5 File system.Details regarding how files are handeled by the operatin...
byvaishalibagewadikar1
 
Distributed System by Pratik Tambekar
byPratik Tambekar
 
file management_osnotes.ppt
byHelalMirzad
 
operating system File - System Interface
byDr. Chandrakant Divate
 
NTFS and Inode
byAmit Seal Ami
 
Unit 3 chapter 1-file management
byKalai Selvi
 
Filesth file handling in language dile
bylomic31750
 
ITFT_File system interface in Operating System
bySneh Prabha
 
Integrity and Security in Filesystems
byConferencias FIST
 
Os6
bygopal10scs185
 
Chapter 3
bylopjuan
 
Effective Access Controls with Directories, Services and Sharepoints
byBronson Tubb
 
Ch10 file system interface
byWelly Dian Astika
 
Os10
byissbp
 

Recently uploaded

DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
software-security-intro in information security.ppt
byismaeelsahib032
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 

When ACLs Attack

  • 1.
    When ACLs Attack: Cross-PlatformFile Permissions Andrew Leonard ISB IT Exchange July 13, 2012
  • 2.
    In the beginning:"Traditional" Unix Permissions Write Execute Read Not permitted drwxr-x--- Other User Group
  • 3.
    Playing Nice WithOther (Unix) Users Some tactics: ● drwxrws---: Use setgid bit to force files and directories created within a directory to inherit its group id, rather than be assigned user's primary group id. (c. 1972?) ● umask 002: Don't limit group permissions, or read/execute permissions for others. (c. 1982?) ● drwxrwxrwt: Only the item's owner, directory's owner, or root can rm or mv contained files. (c. 1986) ● User private groups: Group containing single user, allows private files when setting umask 002. (Red Hat c. 2002) Take dates above with a giant grain of salt, they could be way off.
  • 4.
    POSIX.1e ACLs ● Allowsetting permissions for multiple users and groups per file. ● Set explicit defaults (beyond the setgid bit). user::rwx user:aleonard:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:aleonard:rwx default:group::r-x default:mask::rwx default:other::r-x
  • 5.
    Meanwhile, in Redmond... NTFSACLs: Standard Permissions Advanced Permissions ● Modify ● Full Control ● Read & Execute ● Traverse Folder/Execute ● Read File ● Write ● List Folder/Read Data ● List Folder Contents ● Read Attributes ● Read Extended Attributes ● Create Files/Write Data ● Create Folders/Append Data ● Write Attributes ● Write Extended Attributes ● Delete Subfolders & Files ● Delete ● Read Permissions ● Change Permissions ● Take Ownership
  • 6.
    Enter NFSv4 ACLs AStandard, as of 2000: http://ietfreport.isoc.org/idref/draft-falkner-nfsv4-acls/ https://tools.ietf.org/html/rfc3010 https://tools.ietf.org/html/rfc3530 # file: . # owner: root # group: bifx group:bifx:rwxpDdaARWcCos:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:rwxp--a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow ● Each Access Control Entry (ACE) is made up of four parts: identifier, access rights, flags, type (allow, deny, audit, alarm). ● ACEs are traversed in order. ● Access rights are NTFS compatible.
  • 7.
    NFSv4 Privileges andAbbreviations Privilege (abbreviation): Access Privileges (Linux, FreeBSD/Solaris) Flags (Linux, FreeBSD/Solaris) ● read_data, list_directory (r, r) ● file_inherit (f, f) ● write_data, add_file (w, w) ● dir_inherit (d, d) ● execute (x, x) ● inherit_only (i, i) ● append_data, add_subdirectory (a, p) ● no_propagate (n, n) ● delete_child (D, D) ● delete (d, d) ● read_attributes (t, a) ● write_attributes (T, A) ● read_xattr (n, R) ● write_xattr (N, W) ● read_acl (c, c) ● write_acl (C, C) ● write_owner (o, o) ● synchronize (y, s)
  • 8.
    But: ACLs Aren'tAll Rainbows and Unicorns Assuming the trade-off of flexibility for additional complexity is acceptable: ● Does your file system support them? Do your clients? ● Tools to manipulate ACLs are inconsistent and sometimes inefficient. ● Does your backup software preserve ACLs? ● Do your everyday file system utilities handle them correctly? ● Does your vendor understand them? How buggy is their implementation? ● How do new-style ACLs interact with legacy permission schemes?
  • 9.
    Specifics: Seattle BioMedNAS Environment ● NetApp ○ NFSv3/SMBv2 ○ Mix of "office" and "science" data. ○ Home directories, group shares. ● FreeBSD/ZFS ○ ZFS v28 ○ NFSv3, NFSv4/SMBv1 ○ Serves NFSv4 via newnfs ○ Uses Samba for SMB ○ Larger shares, mostly scientific data
  • 10.
    Specifics: Our ClientEnvironment Pretty standard stuff, in order of prevalence: ● Windows Desktops - SMBv1, SMBv2 ○ 7, XP ○ 2000, NT4, sigh. ● OS X - SMB, no NFS ● Linux - NFSv3, NFSv4 ○ CentOS ○ Ubuntu
  • 11.
    Details: ACLs andNetApp ● NetApp has three different security modes you can choose from at a volume or qtree level. ○ "unix" mode: Unix-style permission bits. ○ "ntfs" mode: "For CIFS requests, Windows NT permissions determine user access. For NFS requests, the filer generates and stores a set of UNIX-style permission bits that are at least as restrictive as the Windows NT permissions. The filer grants NFS access only if the UNIX-style permission bits allow the user access." ○ They also have a third "mixed" mode, but nobody seems to use it: "A file's security style depends on whether the permission was last set from CIFS or NFS." ● (We're not using NFSv4 on NetApp today.) ○ http://www.netapp.com/us/communities/tech-ontap/nfsv4-0408.html
  • 12.
    Details: ACLs andZFS ZFS has native NFSv4 ACLs. Important issue: ● What happens to an NFSv4 ACL when you chmod(2) is important. If a file has an NFSv4 ACL, do you: ○ Edit only the file's mode ("passthrough")? ○ Remove any NFSv4 ACL ("discard")? ○ Do something in-between ("groupmask")? ○ Let the admin decide on a per-file system basis? On ZFS, this is controlled by the "aclmode" property. Sun removed this shortly before the Oracle acquisition, enforcing "discard" on all ZFS file systems; however, FreeBSD and Illumos have added "aclmode" back. http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
  • 13.
    Usage notes: Usermapping matters You can't share files across platforms if you can't map identities across platforms. We use Active Directory as our source of truth for users and groups; NetApp and FreeBSD systems access this information using LDAP.
  • 14.
    Usage notes: Generalnotes ● Simple permissions solve most of our use cases ○ User home directories are on NetApp, using unix- mode, 0700 permissions. ○ Ntfs-mode qtrees work well for most groups. ○ Many of our complex permission structures are SMB-only and therefore use ntfs-mode. ○ For those that need them, unix-mode qtrees are often enough. ● For everything else, there's NFSv4 ACLs on ZFS.
  • 15.
    Usage notes: NetApp+ ntfs-mode ● What you see with an ntfs qtree over NFS is often not what you get: $ ls -ld somedir drwxrwxrwx 40 root root 8192 Mar 16 10:45 somedir $ cd somedir -bash: cd: somedir: Permission denied ● Some apps try to be good citizens and check permissions before carrying out an action, and then fail. Others complain when they can't set permissions within an ntfs-mode qtree. ○ Setting cifs.ntfs_ignore_unix_security_ops (silently discard NFS permission operations) and nfs. ntacl_display_permissive_perms (displayed permissions are based on the maximum access granted to any user) to 'on'can help here.
  • 16.
    Usage notes: NetApp+ unix-mode For simple configurations, these cifs shares flags may get you what you need: Make created files belong to a group: -forcegroup <groupname> Set initial permissions of newly created files and directories: -umask <mask> -dir_umask <mask> -file_umask <mask>
  • 17.
    Usage notes: ZFSon which operating system? We're using FreeBSD 8-STABLE, as we often need fixes before they wind up in a -RELEASE. The freebsd-fs@freebsd.org and freebsd- stable@freebsd.org mailing lists have been indispensable. On the Solaris side of ZFS, there's always Oracle Solaris 11. As far as Ilumos, Nexenta is always an option, and I hear there's neat stuff being built on OmniOS. There's also ZFS-on-Linux.
  • 18.
    Usage Notes: ZFSfile system properties We generally set permissions at the top of a share, and have them inherited down into the share, so we: zfs set aclinherit=passthrough-x Inherits all inheritable ACL entries without modification, but inherit execute permission only if the file creation mode specifies it. zfs set aclmode=passthrough When chmod(2) is called, "no changes are made to the ACL other than creating or updating the necessary ACL entries to represent the new mode of the file or directory."
  • 19.
    Usage notes: Sambaconfiguration - simple permissions We frequently use this idiom when configuring Samba shares, roughly equivalent to umask 007 and a setgid directory under NFS: # Bitwise AND file/directory permissions with these masks: create mask = 0660 directory mask = 2770 # File/directory permission bits that will always be set: force create mode = 0660 force directory mode = 2770 # Assign group: force group = "somelab" # Limit permission bits that can be modified from Windows client - # these are forced on: force security mode = 0660 force directory security mode = 2770
  • 20.
    Usage notes: Sambaconfiguration - complex ACLs Set ACLs using native tools on ZFS as needed. In smb.conf, remove force group, adjust mask and mode settings as appropriate... and let the NFSv4 ACLs at the file system level do the rest. (Remember: Samba is just another application accessing files - v4 ACLs, including inheritance, are still applied.)
  • 21.
    Usage notes: Sambaon FreeBSD/ZFS config to allow ACL manipulation from Windows We haven't heavily used this, but it seems to work. Build Samba WITH_ACL_SUPPORT=true from FreeBSD ports; add the following to smb.conf: Global config: unix extensions = no Within a share definition: nt acl support = yes inherit acls = no map acl inherit = yes vfs objects = zfsacl nfs4:mode = special nfs4:acedup = merge nfs4:chown = yes
  • 22.
    Usage notes: Usersincreasingly want to manipulate their own ACLs In general, our users haven't wanted to understand or manage their own ACLs, so IT has done it for them. However, we now have one group of users - an internal service provider - that wants to actively manage their own ACLs on a wide scale. ● They use either nfs4_setfacl on Linux, or an IT-supplied script to adjust permissions. ● This is a fairly new development, so it's unclear what pitfalls await.
  • 23.
    Closing: NFSv4 in2012 Despite being 12 years old, NFSv4 isn't widely- or well-supported. Commercial vendors don't dedicate more resources to it because users aren't using it heavily; users don't use it heavily because vendors aren't dedicating resources to it. As a consequence, the best implementations and support today seem to be Open Source.