SlideShare a Scribd company logo
1 of 23
Download to read offline
When ACLs Attack:
Cross-Platform File
Permissions

Andrew Leonard
ISB IT Exchange
July 13, 2012
In the beginning: "Traditional" Unix
Permissions

              Write
                       Execute
          Read
                              Not permitted

             drwxr-x---

                                 Other
           User
                      Group
Playing Nice With Other (Unix) Users
Some tactics:
● drwxrws---: Use setgid bit to force files and
  directories created within a directory to inherit its group
  id, rather than be assigned user's primary group id. (c.
  1972?)
● umask 002: Don't limit group permissions, or
  read/execute permissions for others. (c. 1982?)
● drwxrwxrwt: Only the item's owner, directory's owner,
  or root can rm or mv contained files. (c. 1986)
● User private groups: Group containing single user,
  allows private files when setting umask 002. (Red Hat
  c. 2002)
                            Take dates above with a giant grain of salt, they could be way off.
POSIX.1e ACLs
● Allow setting permissions for multiple users and groups
     per file.
●    Set explicit defaults (beyond the setgid bit).
user::rwx
user:aleonard:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:aleonard:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Meanwhile, in Redmond...
NTFS ACLs:
  Standard Permissions        Advanced Permissions

   ●   Modify                  ●   Full Control
   ●   Read & Execute          ●   Traverse Folder/Execute
   ●   Read                        File
   ●   Write                   ●   List Folder/Read Data
   ●   List Folder Contents    ●   Read Attributes
                               ●   Read Extended Attributes
                               ●   Create Files/Write Data
                               ●   Create Folders/Append Data
                               ●   Write Attributes
                               ●   Write Extended Attributes
                               ●   Delete Subfolders & Files
                               ●   Delete
                               ●   Read Permissions
                               ●   Change Permissions
                               ●   Take Ownership
Enter NFSv4 ACLs
A Standard, as of 2000:
http://ietfreport.isoc.org/idref/draft-falkner-nfsv4-acls/
https://tools.ietf.org/html/rfc3010
https://tools.ietf.org/html/rfc3530

# file: .
# owner: root
# group: bifx
        group:bifx:rwxpDdaARWcCos:fd----:allow
             owner@:rwxp--aARWcCos:------:allow
             group@:rwxp--a-R-c--s:------:allow
          everyone@:r-x---a-R-c--s:------:allow


 ●    Each Access Control Entry (ACE) is made up of four parts: identifier,
      access rights, flags, type (allow, deny, audit, alarm).
 ●    ACEs are traversed in order.
 ●    Access rights are NTFS compatible.
NFSv4 Privileges and Abbreviations
Privilege (abbreviation):

      Access Privileges (Linux, FreeBSD/Solaris)              Flags (Linux, FreeBSD/Solaris)

        ●   read_data, list_directory              (r,   r)    ●    file_inherit    (f,   f)
        ●   write_data, add_file                   (w,   w)    ●    dir_inherit     (d,   d)
        ●   execute                                (x,   x)    ●    inherit_only    (i,   i)
        ●   append_data, add_subdirectory          (a,   p)    ●    no_propagate    (n,   n)
        ●   delete_child                           (D,   D)
        ●   delete                                 (d,   d)
        ●   read_attributes                        (t,   a)
        ●   write_attributes                       (T,   A)
        ●   read_xattr                             (n,   R)
        ●   write_xattr                            (N,   W)
        ●   read_acl                               (c,   c)
        ●   write_acl                              (C,   C)
        ●   write_owner                            (o,   o)
        ●   synchronize                            (y,   s)
But: ACLs Aren't All Rainbows and
Unicorns
Assuming the trade-off of flexibility for additional complexity
is acceptable:
 ● Does your file system support them? Do your clients?
 ● Tools to manipulate ACLs are inconsistent and
    sometimes inefficient.
 ● Does your backup software preserve ACLs?
 ● Do your everyday file system utilities handle them
    correctly?
 ● Does your vendor understand them? How buggy is
    their implementation?
 ● How do new-style ACLs interact with legacy permission
    schemes?
Specifics: Seattle BioMed NAS
Environment
● NetApp
  ○ NFSv3/SMBv2
  ○ Mix of "office" and "science" data.
  ○ Home directories, group shares.
● FreeBSD/ZFS
  ○   ZFS v28
  ○   NFSv3, NFSv4/SMBv1
  ○   Serves NFSv4 via newnfs
  ○   Uses Samba for SMB
  ○   Larger shares, mostly scientific data
Specifics: Our Client Environment
Pretty standard stuff, in order of prevalence:
● Windows Desktops - SMBv1, SMBv2
   ○ 7, XP
   ○ 2000, NT4, sigh.
● OS X - SMB, no NFS
● Linux - NFSv3, NFSv4
   ○ CentOS
   ○ Ubuntu
Details: ACLs and NetApp
● NetApp has three different security modes
  you can choose from at a volume or qtree
  level.
  ○ "unix" mode: Unix-style permission bits.
  ○ "ntfs" mode: "For CIFS requests, Windows NT permissions
      determine user access. For NFS requests, the filer generates and
      stores a set of UNIX-style permission bits that are at least as
      restrictive as the Windows NT permissions. The filer grants NFS
      access only if the UNIX-style permission bits allow the user access."
  ○ They also have a third "mixed" mode, but nobody
    seems to use it: "A file's security style depends on whether the
      permission was last set from CIFS or NFS."
● (We're not using NFSv4 on NetApp today.)
  ○   http://www.netapp.com/us/communities/tech-ontap/nfsv4-0408.html
Details: ACLs and ZFS
ZFS has native NFSv4 ACLs. Important issue:
● What happens to an NFSv4 ACL when you chmod(2) is
     important. If a file has an NFSv4 ACL, do you:
      ○ Edit only the file's mode ("passthrough")?
      ○ Remove any NFSv4 ACL ("discard")?
      ○ Do something in-between ("groupmask")?
      ○ Let the admin decide on a per-file system basis?

On ZFS, this is controlled by the "aclmode" property. Sun removed this shortly
before the Oracle acquisition, enforcing "discard" on all ZFS file systems;
however, FreeBSD and Illumos have added "aclmode" back.

http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
Usage notes: User mapping matters
You can't share files across platforms if you
can't map identities across platforms.

We use Active Directory as our source of truth
for users and groups; NetApp and FreeBSD
systems access this information using LDAP.
Usage notes: General notes
● Simple permissions solve most of our use
  cases
  ○ User home directories are on NetApp, using unix-
    mode, 0700 permissions.
  ○ Ntfs-mode qtrees work well for most groups.
  ○ Many of our complex permission structures are
    SMB-only and therefore use ntfs-mode.
  ○ For those that need them, unix-mode qtrees are
    often enough.
● For everything else, there's NFSv4 ACLs on
  ZFS.
Usage notes: NetApp + ntfs-mode
● What you see with an ntfs qtree over NFS is often not
  what you get:
      $ ls -ld somedir
      drwxrwxrwx 40 root root 8192 Mar 16 10:45 somedir
      $ cd somedir
      -bash: cd: somedir: Permission denied

● Some apps try to be good citizens and check
   permissions before carrying out an action, and then fail.
   Others complain when they can't set permissions within
   an ntfs-mode qtree.
   ○ Setting cifs.ntfs_ignore_unix_security_ops (silently
      discard NFS permission operations) and nfs.
      ntacl_display_permissive_perms (displayed permissions are
      based on the maximum access granted to any user) to 'on'can help
      here.
Usage notes: NetApp + unix-mode
For simple configurations, these cifs shares
flags may get you what you need:

Make created files belong to a group:
-forcegroup <groupname>

Set initial permissions of newly created files and directories:
-umask <mask>
-dir_umask <mask>
-file_umask <mask>
Usage notes: ZFS on which
operating system?
We're using FreeBSD 8-STABLE, as we often
need fixes before they wind up in a -RELEASE.

The freebsd-fs@freebsd.org and freebsd-
stable@freebsd.org mailing lists have been
indispensable.

                  On the Solaris side of ZFS, there's always Oracle Solaris 11.
                                As far as Ilumos, Nexenta is always an option,
                          and I hear there's neat stuff being built on OmniOS.
                                                    There's also ZFS-on-Linux.
Usage Notes: ZFS file system
properties
We generally set permissions at the top of a
share, and have them inherited down into the
share, so we:
zfs set aclinherit=passthrough-x
Inherits all inheritable ACL entries without modification, but
inherit execute permission only if the file creation mode
specifies it.

zfs set aclmode=passthrough
When chmod(2) is called, "no changes are made to the
ACL other than creating or updating the necessary ACL
entries to represent the new mode of the file or directory."
Usage notes: Samba configuration -
simple permissions
We frequently use this idiom when configuring Samba
shares, roughly equivalent to umask 007 and a setgid
directory under NFS:
# Bitwise AND file/directory permissions with these masks:
create mask = 0660
directory mask = 2770
# File/directory permission bits that will always be set:
force create mode = 0660
force directory mode = 2770
# Assign group:
force group = "somelab"
# Limit permission bits that can be modified from Windows client -
# these are forced on:
force security mode = 0660
force directory security mode = 2770
Usage notes: Samba configuration -
complex ACLs
Set ACLs using native tools on ZFS as needed.

In smb.conf, remove force group, adjust
mask and mode settings as appropriate... and
let the NFSv4 ACLs at the file system level do
the rest.

(Remember: Samba is just another application
accessing files - v4 ACLs, including inheritance,
are still applied.)
Usage notes: Samba on FreeBSD/ZFS config to
allow ACL manipulation from Windows

We haven't heavily used this, but it seems to work.
Build Samba WITH_ACL_SUPPORT=true from FreeBSD ports; add the
following to smb.conf:

Global config:
unix extensions = no


Within a share definition:
nt acl support = yes
inherit acls = no
map acl inherit = yes
vfs objects = zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
Usage notes: Users increasingly
want to manipulate their own ACLs
In general, our users haven't wanted to
understand or manage their own ACLs, so IT
has done it for them. However, we now have
one group of users - an internal service
provider - that wants to actively manage their
own ACLs on a wide scale.
● They use either nfs4_setfacl on Linux, or
   an IT-supplied script to adjust permissions.
● This is a fairly new development, so it's
   unclear what pitfalls await.
Closing: NFSv4 in 2012
Despite being 12 years old, NFSv4 isn't widely-
or well-supported. Commercial vendors don't
dedicate more resources to it because users
aren't using it heavily; users don't use it heavily
because vendors aren't dedicating resources to
it.

As a consequence, the best implementations
and support today seem to be Open Source.

More Related Content

What's hot

Linux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITLinux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITvignesh0009
 
Unix file systems 2 in unix internal systems
Unix file systems 2 in unix internal systems Unix file systems 2 in unix internal systems
Unix file systems 2 in unix internal systems senthilamul
 
Lecture2 process structure and programming
Lecture2   process structure and programmingLecture2   process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
Linux fundamental - Chap 10 fs
Linux fundamental - Chap 10 fsLinux fundamental - Chap 10 fs
Linux fundamental - Chap 10 fsKenny (netman)
 
The basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemThe basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemHungWei Chiu
 
Introduction to Unix-like systems (Part I-IV)
Introduction to Unix-like systems (Part I-IV)Introduction to Unix-like systems (Part I-IV)
Introduction to Unix-like systems (Part I-IV)hildenjohannes
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory StructureKevin OBrien
 
Online Training in Unix Linux Shell Scripting in Hyderabad
Online Training in Unix Linux Shell Scripting in HyderabadOnline Training in Unix Linux Shell Scripting in Hyderabad
Online Training in Unix Linux Shell Scripting in HyderabadRavikumar Nandigam
 
AOS Lab 9: File system -- Of buffers, logs, and blocks
AOS Lab 9: File system -- Of buffers, logs, and blocksAOS Lab 9: File system -- Of buffers, logs, and blocks
AOS Lab 9: File system -- Of buffers, logs, and blocksZubair Nabi
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questionsKavya Sri
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 

What's hot (20)

Linux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITLinux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScIT
 
Basic Unix
Basic UnixBasic Unix
Basic Unix
 
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH  HEARTBEAT + DRBD + OCFS2HIGH AVAILABLE CLUSTER IN WEB SERVER WITH  HEARTBEAT + DRBD + OCFS2
HIGH AVAILABLE CLUSTER IN WEB SERVER WITH HEARTBEAT + DRBD + OCFS2
 
Unix file systems 2 in unix internal systems
Unix file systems 2 in unix internal systems Unix file systems 2 in unix internal systems
Unix file systems 2 in unix internal systems
 
Device drivers tsp
Device drivers tspDevice drivers tsp
Device drivers tsp
 
Lecture2 process structure and programming
Lecture2   process structure and programmingLecture2   process structure and programming
Lecture2 process structure and programming
 
Linux fundamental - Chap 10 fs
Linux fundamental - Chap 10 fsLinux fundamental - Chap 10 fs
Linux fundamental - Chap 10 fs
 
The basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemThe basic concept of Linux FIleSystem
The basic concept of Linux FIleSystem
 
Introduction to Unix-like systems (Part I-IV)
Introduction to Unix-like systems (Part I-IV)Introduction to Unix-like systems (Part I-IV)
Introduction to Unix-like systems (Part I-IV)
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
Linux ppt
Linux pptLinux ppt
Linux ppt
 
Online Training in Unix Linux Shell Scripting in Hyderabad
Online Training in Unix Linux Shell Scripting in HyderabadOnline Training in Unix Linux Shell Scripting in Hyderabad
Online Training in Unix Linux Shell Scripting in Hyderabad
 
Linuxppt
LinuxpptLinuxppt
Linuxppt
 
AOS Lab 9: File system -- Of buffers, logs, and blocks
AOS Lab 9: File system -- Of buffers, logs, and blocksAOS Lab 9: File system -- Of buffers, logs, and blocks
AOS Lab 9: File system -- Of buffers, logs, and blocks
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF Linux
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
 
Redis
RedisRedis
Redis
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file system
 

Viewers also liked

Auditing unix linux system use with tivoli access manager for operating syste...
Auditing unix linux system use with tivoli access manager for operating syste...Auditing unix linux system use with tivoli access manager for operating syste...
Auditing unix linux system use with tivoli access manager for operating syste...Banking at Ho Chi Minh city
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlJames Morris
 
CITI, NFSv4, and ASCI
CITI, NFSv4, and ASCICITI, NFSv4, and ASCI
CITI, NFSv4, and ASCIpeterhoneyman
 
Fear (Halloween Event in Winnipeg) Sponsorship Deck
Fear (Halloween Event in Winnipeg) Sponsorship DeckFear (Halloween Event in Winnipeg) Sponsorship Deck
Fear (Halloween Event in Winnipeg) Sponsorship DeckJay Hall
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)udamale
 

Viewers also liked (8)

Auditing unix linux system use with tivoli access manager for operating syste...
Auditing unix linux system use with tivoli access manager for operating syste...Auditing unix linux system use with tivoli access manager for operating syste...
Auditing unix linux system use with tivoli access manager for operating syste...
 
sVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access ControlsVirt: Hardening Linux Virtualization with Mandatory Access Control
sVirt: Hardening Linux Virtualization with Mandatory Access Control
 
CITI, NFSv4, and ASCI
CITI, NFSv4, and ASCICITI, NFSv4, and ASCI
CITI, NFSv4, and ASCI
 
Fear (Halloween Event in Winnipeg) Sponsorship Deck
Fear (Halloween Event in Winnipeg) Sponsorship DeckFear (Halloween Event in Winnipeg) Sponsorship Deck
Fear (Halloween Event in Winnipeg) Sponsorship Deck
 
Server hardening
Server hardeningServer hardening
Server hardening
 
slides
slidesslides
slides
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)
 

Similar to When ACLs Attack

Similar to When ACLs Attack (20)

Linux administration training
Linux administration trainingLinux administration training
Linux administration training
 
FreeBSD Portscamp, Kuala Lumpur 2016
FreeBSD Portscamp, Kuala Lumpur 2016FreeBSD Portscamp, Kuala Lumpur 2016
FreeBSD Portscamp, Kuala Lumpur 2016
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systems
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Linux redhat final
Linux redhat finalLinux redhat final
Linux redhat final
 
Linux
Linux Linux
Linux
 
17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards17 Linux Basics #burningkeyboards
17 Linux Basics #burningkeyboards
 
Lamp ppt
Lamp pptLamp ppt
Lamp ppt
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
 
Lamp ppt
Lamp pptLamp ppt
Lamp ppt
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
Inspection and maintenance tools (Linux / OpenStack)
Inspection and maintenance tools (Linux / OpenStack)Inspection and maintenance tools (Linux / OpenStack)
Inspection and maintenance tools (Linux / OpenStack)
 
Linux
LinuxLinux
Linux
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Linux Presentation
Linux PresentationLinux Presentation
Linux Presentation
 
101 2.1 design hard disk layout v2
101 2.1 design hard disk layout v2101 2.1 design hard disk layout v2
101 2.1 design hard disk layout v2
 
Linux Internals - Part I
Linux Internals - Part ILinux Internals - Part I
Linux Internals - Part I
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linux
 

Recently uploaded

Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeCzechDreamin
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxJennifer Lim
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimaginedpanagenda
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 

Recently uploaded (20)

Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 

When ACLs Attack

  • 1. When ACLs Attack: Cross-Platform File Permissions Andrew Leonard ISB IT Exchange July 13, 2012
  • 2. In the beginning: "Traditional" Unix Permissions Write Execute Read Not permitted drwxr-x--- Other User Group
  • 3. Playing Nice With Other (Unix) Users Some tactics: ● drwxrws---: Use setgid bit to force files and directories created within a directory to inherit its group id, rather than be assigned user's primary group id. (c. 1972?) ● umask 002: Don't limit group permissions, or read/execute permissions for others. (c. 1982?) ● drwxrwxrwt: Only the item's owner, directory's owner, or root can rm or mv contained files. (c. 1986) ● User private groups: Group containing single user, allows private files when setting umask 002. (Red Hat c. 2002) Take dates above with a giant grain of salt, they could be way off.
  • 4. POSIX.1e ACLs ● Allow setting permissions for multiple users and groups per file. ● Set explicit defaults (beyond the setgid bit). user::rwx user:aleonard:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:aleonard:rwx default:group::r-x default:mask::rwx default:other::r-x
  • 5. Meanwhile, in Redmond... NTFS ACLs: Standard Permissions Advanced Permissions ● Modify ● Full Control ● Read & Execute ● Traverse Folder/Execute ● Read File ● Write ● List Folder/Read Data ● List Folder Contents ● Read Attributes ● Read Extended Attributes ● Create Files/Write Data ● Create Folders/Append Data ● Write Attributes ● Write Extended Attributes ● Delete Subfolders & Files ● Delete ● Read Permissions ● Change Permissions ● Take Ownership
  • 6. Enter NFSv4 ACLs A Standard, as of 2000: http://ietfreport.isoc.org/idref/draft-falkner-nfsv4-acls/ https://tools.ietf.org/html/rfc3010 https://tools.ietf.org/html/rfc3530 # file: . # owner: root # group: bifx group:bifx:rwxpDdaARWcCos:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:rwxp--a-R-c--s:------:allow everyone@:r-x---a-R-c--s:------:allow ● Each Access Control Entry (ACE) is made up of four parts: identifier, access rights, flags, type (allow, deny, audit, alarm). ● ACEs are traversed in order. ● Access rights are NTFS compatible.
  • 7. NFSv4 Privileges and Abbreviations Privilege (abbreviation): Access Privileges (Linux, FreeBSD/Solaris) Flags (Linux, FreeBSD/Solaris) ● read_data, list_directory (r, r) ● file_inherit (f, f) ● write_data, add_file (w, w) ● dir_inherit (d, d) ● execute (x, x) ● inherit_only (i, i) ● append_data, add_subdirectory (a, p) ● no_propagate (n, n) ● delete_child (D, D) ● delete (d, d) ● read_attributes (t, a) ● write_attributes (T, A) ● read_xattr (n, R) ● write_xattr (N, W) ● read_acl (c, c) ● write_acl (C, C) ● write_owner (o, o) ● synchronize (y, s)
  • 8. But: ACLs Aren't All Rainbows and Unicorns Assuming the trade-off of flexibility for additional complexity is acceptable: ● Does your file system support them? Do your clients? ● Tools to manipulate ACLs are inconsistent and sometimes inefficient. ● Does your backup software preserve ACLs? ● Do your everyday file system utilities handle them correctly? ● Does your vendor understand them? How buggy is their implementation? ● How do new-style ACLs interact with legacy permission schemes?
  • 9. Specifics: Seattle BioMed NAS Environment ● NetApp ○ NFSv3/SMBv2 ○ Mix of "office" and "science" data. ○ Home directories, group shares. ● FreeBSD/ZFS ○ ZFS v28 ○ NFSv3, NFSv4/SMBv1 ○ Serves NFSv4 via newnfs ○ Uses Samba for SMB ○ Larger shares, mostly scientific data
  • 10. Specifics: Our Client Environment Pretty standard stuff, in order of prevalence: ● Windows Desktops - SMBv1, SMBv2 ○ 7, XP ○ 2000, NT4, sigh. ● OS X - SMB, no NFS ● Linux - NFSv3, NFSv4 ○ CentOS ○ Ubuntu
  • 11. Details: ACLs and NetApp ● NetApp has three different security modes you can choose from at a volume or qtree level. ○ "unix" mode: Unix-style permission bits. ○ "ntfs" mode: "For CIFS requests, Windows NT permissions determine user access. For NFS requests, the filer generates and stores a set of UNIX-style permission bits that are at least as restrictive as the Windows NT permissions. The filer grants NFS access only if the UNIX-style permission bits allow the user access." ○ They also have a third "mixed" mode, but nobody seems to use it: "A file's security style depends on whether the permission was last set from CIFS or NFS." ● (We're not using NFSv4 on NetApp today.) ○ http://www.netapp.com/us/communities/tech-ontap/nfsv4-0408.html
  • 12. Details: ACLs and ZFS ZFS has native NFSv4 ACLs. Important issue: ● What happens to an NFSv4 ACL when you chmod(2) is important. If a file has an NFSv4 ACL, do you: ○ Edit only the file's mode ("passthrough")? ○ Remove any NFSv4 ACL ("discard")? ○ Do something in-between ("groupmask")? ○ Let the admin decide on a per-file system basis? On ZFS, this is controlled by the "aclmode" property. Sun removed this shortly before the Oracle acquisition, enforcing "discard" on all ZFS file systems; however, FreeBSD and Illumos have added "aclmode" back. http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
  • 13. Usage notes: User mapping matters You can't share files across platforms if you can't map identities across platforms. We use Active Directory as our source of truth for users and groups; NetApp and FreeBSD systems access this information using LDAP.
  • 14. Usage notes: General notes ● Simple permissions solve most of our use cases ○ User home directories are on NetApp, using unix- mode, 0700 permissions. ○ Ntfs-mode qtrees work well for most groups. ○ Many of our complex permission structures are SMB-only and therefore use ntfs-mode. ○ For those that need them, unix-mode qtrees are often enough. ● For everything else, there's NFSv4 ACLs on ZFS.
  • 15. Usage notes: NetApp + ntfs-mode ● What you see with an ntfs qtree over NFS is often not what you get: $ ls -ld somedir drwxrwxrwx 40 root root 8192 Mar 16 10:45 somedir $ cd somedir -bash: cd: somedir: Permission denied ● Some apps try to be good citizens and check permissions before carrying out an action, and then fail. Others complain when they can't set permissions within an ntfs-mode qtree. ○ Setting cifs.ntfs_ignore_unix_security_ops (silently discard NFS permission operations) and nfs. ntacl_display_permissive_perms (displayed permissions are based on the maximum access granted to any user) to 'on'can help here.
  • 16. Usage notes: NetApp + unix-mode For simple configurations, these cifs shares flags may get you what you need: Make created files belong to a group: -forcegroup <groupname> Set initial permissions of newly created files and directories: -umask <mask> -dir_umask <mask> -file_umask <mask>
  • 17. Usage notes: ZFS on which operating system? We're using FreeBSD 8-STABLE, as we often need fixes before they wind up in a -RELEASE. The freebsd-fs@freebsd.org and freebsd- stable@freebsd.org mailing lists have been indispensable. On the Solaris side of ZFS, there's always Oracle Solaris 11. As far as Ilumos, Nexenta is always an option, and I hear there's neat stuff being built on OmniOS. There's also ZFS-on-Linux.
  • 18. Usage Notes: ZFS file system properties We generally set permissions at the top of a share, and have them inherited down into the share, so we: zfs set aclinherit=passthrough-x Inherits all inheritable ACL entries without modification, but inherit execute permission only if the file creation mode specifies it. zfs set aclmode=passthrough When chmod(2) is called, "no changes are made to the ACL other than creating or updating the necessary ACL entries to represent the new mode of the file or directory."
  • 19. Usage notes: Samba configuration - simple permissions We frequently use this idiom when configuring Samba shares, roughly equivalent to umask 007 and a setgid directory under NFS: # Bitwise AND file/directory permissions with these masks: create mask = 0660 directory mask = 2770 # File/directory permission bits that will always be set: force create mode = 0660 force directory mode = 2770 # Assign group: force group = "somelab" # Limit permission bits that can be modified from Windows client - # these are forced on: force security mode = 0660 force directory security mode = 2770
  • 20. Usage notes: Samba configuration - complex ACLs Set ACLs using native tools on ZFS as needed. In smb.conf, remove force group, adjust mask and mode settings as appropriate... and let the NFSv4 ACLs at the file system level do the rest. (Remember: Samba is just another application accessing files - v4 ACLs, including inheritance, are still applied.)
  • 21. Usage notes: Samba on FreeBSD/ZFS config to allow ACL manipulation from Windows We haven't heavily used this, but it seems to work. Build Samba WITH_ACL_SUPPORT=true from FreeBSD ports; add the following to smb.conf: Global config: unix extensions = no Within a share definition: nt acl support = yes inherit acls = no map acl inherit = yes vfs objects = zfsacl nfs4:mode = special nfs4:acedup = merge nfs4:chown = yes
  • 22. Usage notes: Users increasingly want to manipulate their own ACLs In general, our users haven't wanted to understand or manage their own ACLs, so IT has done it for them. However, we now have one group of users - an internal service provider - that wants to actively manage their own ACLs on a wide scale. ● They use either nfs4_setfacl on Linux, or an IT-supplied script to adjust permissions. ● This is a fairly new development, so it's unclear what pitfalls await.
  • 23. Closing: NFSv4 in 2012 Despite being 12 years old, NFSv4 isn't widely- or well-supported. Commercial vendors don't dedicate more resources to it because users aren't using it heavily; users don't use it heavily because vendors aren't dedicating resources to it. As a consequence, the best implementations and support today seem to be Open Source.