Access Control Lists In Linux Filesystems? 116
oracleofbargth asks: "Is there any project for implementing ACLs in the various filesystems supported under linux (ext2, ext3, etc...) that has the potential to become an official part of the kernel, rather than just a patch to it? The Linux ACL Project looks good, but is ext2 specific. Trustees also looks promising, but a system implemented in the filesystem itself would be preferable. RSBAC also has ACL capabilities, but on the whole goes a bit overboard in terms of what I'm looking for. Ideally, I need something that will work with ext3 so that the ACL information will be journaled."
Re:ACLs are really not enough. (Score:1)
Oh, yeah? NAME ONE such situation!
--moribund meisterberger
Re:Are ACLs overrated? (Score:1)
ACLs are really not enough. (Score:4)
Most of the proprietary Unices (if you count different *nixen as separate OSes, double the OS count given above) have their own lame, incompatible implementations of ACLs. These are typically layered over the antique Unix rwxrwxrwx scheme.
"rwx" is insufficient. People often exhort others to "think unix" - and when you are talking about pipes & I/O redirection, or any of the other wonderful features of Unix, that's great. But if you "think unix" to the extent that you can't see how fundamentally LAME the unix access control mechanisms are, you are crippling yourself. To put it in perspective, consider the IBM MVS file protection system RACF - in RACF, you cannot grant a user write permission without also granting read permission. This is partially because of the underlying architecture of MVS, but that doesn't mean it's not lame and restrictive. However, most hardcore mainframers literally cannot conceive of a situation where they'd want write and not read.
Novell has the most advanced and useful system of file attributes I am aware of. For example, "create" and "write" are separate - this allows the creation of dead-drop boxes; folders where a user can create a file but cannot afterwards modify it. If you can't conceive a situation where you could put this to use, you are "thinking unix" to the point of wearing blinders. NOTE: the forgoing statement will cause this post to be labeled "flamebait" and modded into oblivion by self-righteous Berkleyites >:^} while simultaneously generating dozens of "oh yeah name one" followups.
There are many other aspects of the Novell system of file protection and user rights that are very advanced. Consult your local guru, but I'll mention "rename inhibit" as one useful ability. If Stef Murky, excuse me, Jeff Mirkey, ever gets his MANOS opsystem going under the GPL I personally will immediately convert to his Novell-clone filesystem. Even DEC VMS does not compare, and the VMS access control mechanisms beat Unix hands down.
I don't recommend Novell because it's not Open Source and because the complexity of X500 or NDS type "directory" systems adds instability and management overhead that is seldom warranted to achieve concrete goals. That being said, as the world becomes increasingly networked the previous statement becomes increasingly less accurate.
LDAP interfaces to SQL backends like MySQL and Postgres will eventually be the way to go (but not today, and ADS will never fit the problem space). The one warning I would sound is that when you keep file data and file attributes in separate places - as many systems do - you markedly decrease the robustness of your system. User data in the user directory, file attributes in the file header, is a better idea. Just like it's a better idea to put the comments in the source code than in a separate documentation file (don't get me started about that stupid practice).
Sorry my
--Charlie
SGI's XFS has ACLs (Score:4)
http://linux-xfs.sgi.com/projects/xfs/
Ooh, and pre-release 0.9 is out. So, get it, or something.
Re:ACLs *ARE NOT NECESSARY* (Score:1)
Regarding the access vs. content stuff: What about having multiple versions of the same document? E.g. a complete one for the developers, and an executive overview for the users, and an executive executive overview with possibly some extra confidential long term strategic annotations for the PHBs? Those belong together (hell, they might even be derived from the same LaTeX source), yet security is very different. And next thing you know is that security requirements change (I've had this happen several times: stuff that starts out as "developers only" gradually gets propagated upwards and outwards.)
--
Re:ACLs *ARE NOT NECESSARY* (Score:2)
--
NSA Linux (Score:1)
http://www.nsa.gov/selinux/ [nsa.gov]
(Note to the conspiracy theorists: it's covered under the GPL, and source is available.)
Re:ACL's are important (Score:1)
The neat thing is that this should drive the bestbits patch to be accepted into 2.4.
Re:Some questions remain(?) (Score:1)
Why couldn't Linux use the same paradigm for ACLs? All the native file systems would support the same ACL semantics and all the non-native ones would continue to be mapped to a single set of permissions. Or am I missing something?
___
Re:Why does everyone like ext3? (Score:1)
Can somebody please explain what this means?
___
Re:TrustedBSD?? (Score:1)
Me neither. But since you're talking about NT file server, the clients are windows boxes. In this case you can use Samba which supports just that. So at the local file system level you will not have this kind of flexibility. But when you export a share over samba you can specify just that.
How about allowing a group of folks the right to write to a file, but not delete it?
That's easy. Just give them write access to the file but not to the directory where the file lives. Well, the side effect of that is that they will not be able to create new files in that directory either.
Thing is, without the granularity of ACL's I can't leave NTFS behind when it comes to the more complex task of file sharing to a bunch of users on a LAN.
Ever heard of Solaris or Digital Unix or AIX? They all support ACLs too, you know.
Additionally, I've gotten quite used to the notion of leaving the OS permissions to Everyone on my files on the server, then restrict access via the share permissions. The server itself is physically locked in a room so I'm not normally concerned with local security. As cool as Samba is, it makes no provisions for implementing permissions of any sort.
What a pile of BS! Samba can do just that. Why don't you RTFM before you spit out nonsence!
___
Re:Some questions remain(?) (Score:1)
Well, this is not what happens now and I don't see it as a problem. NTFS is sufficiently different from a Linux native file system that this kind of ACL mapping would be next to impossible. But I don't see a problem with treating NTFS as a foreign file system and mapping everything on it to a single UID & GID. This is how it works now and even without introducing ACLs into VFS this is extremely unlikely to change because M$ is not releasing the specs for NTFS.
Once again, I would be perfectly happy with having ACLs only on Linux native file systems. The foreign file systems could (and in fact should) still be treated the same way they are now. I don't see the need of mapping NT ACLs into Linux ACLs, especially if removable media is involved.
___
Re:solarix (Score:1)
Solaris does *not* have journalling. Unless you want to spend $10K for Veritas
___
Re:solarix (Score:1)
Which one do want more?
___
Re:DANGER WILL ROBINSON! (Score:2)
That's not true. r controls whether you can read the directory (i.e. do ls in it). x controls whether you can cd into a directory or access any files in it. If both r and x are disabled, then you can neither ls a directory nor access any files in it. The Unix permission system has its problems but this is not one of them.
___
Re:ACLs *ARE NOT NECESSARY* (Score:1)
Re:ACLs *ARE NOT NECESSARY* (Score:1)
In the University example that you describe, it is unlikely that all of these classes will have people working in teams for every assignment. In many such courses, the students' work is entirely individual.
In those cases where it is not, you simply need to create a Unix group for each team. All of the files for that team's project are kept in a central project-related directory. There is no reason whatsoever for any user not in that group to have access of any kind to the files of that group's project, so a more complicated scheme is not necessary.
Moreover, the classes offered from semester to semester don't tend to change much, so for the most part the groups will stay the same too, so you're not likely to need to spend a lot of time maintaining that, nor are you likely to run out of groups, even in a much larger CS department.
In the "real world", your first case just isn't really a problem. I learned how to use Unix permissions from the sysadmin of my college, whose CS department has over a thousand users, who successfully employed this tecnique for years.
The second case, modify vs. append: To me the latter is just a special case of the former. I personally see no reason why one should be treated differently from the other. If you have a compelling reason why someone should be allowed to append data to a file, but not modify the data that's already in the file, I'd certainly like to hear it.
Your permission to stat a file is controlled by whether or not you have read access to the directory the file is in. What legitimate reason can you suggest for preventing a user from seeing SOME files in a directory they legitimately have access to, but not others? What practical purpose does this serve?
The last case just doesn't seem very convincing to me at all. There are few practical arguments for limiting, to use your example, times that people can play games on a given system.
If you don't want the games eating up server CPU cycles, don't put them on the server! Students have no "off-hours" to speak of; they tend to work all throughout the night when a project is due.
So in order to be fair to everyone, there shouldn't be time limits.
If you're concerned about IRC or tank battle using up your network bandwitdh, don't bother, because the students can easily consume much more bandwidth from the PC in their dorm room, and probably are already.
In a non-university environment, most of these just aren't issues. There will be a limit to the number of projects your company is working on via a given fileserver. People have their own workstations (or PCs) to play games on, so you don't need to worry about when they are doing that. If you're going to let them play games at all, they're certainly not going to prevent another user from getting their job done due to resource starvation.
I'm not saying there's no value to having some of these features. But I do fail to see a compelling NEED. Also, capabilities addresses some of the things you're looking for, further suggesting that ACLs are not necessary.
Re:ACLs *ARE NOT NECESSARY* (Score:1)
The two are interlinked.
If you have a programmer working on more than 15 projects at a time, HE'S REALLY OVERWORKED!
Re:DANGER WILL ROBINSON! (Score:1)
If you do not have access to a directory (i.e. the read and execute permissions for whatever user class you fall into -- probably "other" -- are TURNED off), YOU CAN NOT READ THE FILES IN IT. PERIOD.
Re:ACLs *ARE NOT NECESSARY* (Score:1)
Re:Therefore ... (Score:1)
Re:ACLs *ARE NOT NECESSARY* (Score:1)
This is the problem... people who insist that ACLs are necessary either don't completely understand Unix permissions, or refuse to spend time thinking about how to solve their problem with Unix permissions. I have been a Unix System administrator for 5 years, and a syadmin of other OSes for longer than that, in a variety of environments, including several with Windows integrated into the environtment, and I have NEVER encountered a problem I couldn't solve with Unix permissions (except for one application which was ported from DOS without any regard for access control -- but here the problem is the poor design of the application, NOT Unix permissions).
A few people raised some interesting points (like appending to log files) but Unix has already proven that there are other ways to solve those problems without ACLs (like using syslog for logging, which if set up properly allows anyone to add log entries, but only the superuser to remove them).
While ACLs might have some valid uses, those applications can generally all be implemented in other ways without ACLs, especially now that the Linux kernel has capabilities (which people keep overlooking). The problem is NOT that Unix permissions are inadequate, but that people refuse to THINK about the problem they are trying to solve. ACLs are most often a cop-out for lazy system administrators. As others have pointed out, they are clunky, error prone, and complicated to administer. They leave too many opportunities for sloppy administrators to create endless streams of access lists which, in the end, no one understands, and which no one can clean up, because in so trying they will break the application they are trying to fix.
Oh, and someone is bound to point out that Unix has security holes that can allow non-priviledged users to become root and (for example) remove log entries we were trying to protect in the previous example. That may be true, but virtually ALL operating systems have such problems, including those that have ACLs like Windows NT. All OSes in common usage have weaknesses that can be exploited. Informed system administrators CAN make efforts to plug up those holes, drastically reducing the risks. This is, after all, the point of having a system administrator. If your sysadmin sucks, get a new one. But you still don't need ACLs.
ACLs *ARE NOT NECESSARY* (Score:5)
Let's say you have a directory full of files, and you need some people to be able to write to these files (which implies they'll also need to be able to read the files, to verify their changes), and you have another group of people who needs to be able to read the files. Everyone else in the organization should have NO access. This is the most complicated case.
Can this be done with standard Unix permissons? At first glance, you might think that you can't, because the only permissions provided in Unix are User (owner), Group, and Other (world). You can't control the access for a second group, which is what you need, right?
However, the answer is YES! You can do this. Here's how:
Create one group each for the people who need to be able to read the files, and write the files. For simplicity of the example, let's call the groups "read" and "write" respectively.
Now, add every user who needs read access to those files to the "read" group, and add all users who need write access to BOTH groups.
Now, create a top level directory, like this (only ownerships, permissions, and the name are shown for brevity):
drwxr-x--- root read topdir
# mkdir topdir
# chgrp read topdir
# chmod 750 topdir
Both groups we created can cd into this directory (because we added the "write" group to the "read" group, remember?). Now, under that directory, create one or more directories where your data will be stored, like this:
drwxrwsr-x root write datadir
# cd topdir
# mkdir datadir
# chgrp write datadir
# chmod 2775 datadir
The '2' sets the SGID bit on the directory, which forces all files created in this directory to be created group-owned by the "write" group (it copies the group ownership of the directory to all new files in it). It will also make new files created in this directory group writable by default (again, copying the group permissions from the directory).
You might also want to prevent users from deleting files they don't own, by setting the sticky bit on the directory, which will make the '2' a '3' instead.
Now, users in the "write" group can create and write to files in this directory, and users in the "read" group will be able to read them, because they will be readable by other (world). However, everyone else will NOT be able to read them, because in order to do so, they would have needed to be in the "read" group in order to cd into topdir to get to datadir (which is why we also included the users in the "write" group in the "read" group)!
Thus, your problem is solved. Do this for every directory where the groups of people who need each type of access are different. This is BETTER than ACLs because a) it is either the same amount of administrative effort than managing ACL's on a per-directory basis (but you manage group membership instead), or LESS administrative effort than managing ACLs on a per-file basis; and b) it FORCES you to organize your data heirarchically by who has access to it.
Get over ACLs... they are a waste of time and programming effort.
You could argue that you might want some third group of people to have write access ONLY, but the practical value of this is very limited. If you feel that you need this you are probably being silly or WAY too paranoid, even for a system administrator. Limiting people from reading data that they can over-write is generally nonsensical.
I don't deny that there are certain very narrow applications for that sort of access limitation, but the likelihood that such an application would also present the need to have groups with each of those access requirements (read, read/write, and write-only) seems rather slim.
Note to slashdot maintainers: PLEASE make the damn text box for typing comments into bigger! The one currently provided on the web form makes typing long comments especially painful. And allowing the CODE HTML tag would be nice too.
Re:ACLs are really not enough. (Score:1)
"Please copy your FINAL weekly timesheets in the 'Payroll' directory."
"Save your final budget in the 02Budget directory for consolidation by 1:00 PM EST. No changes to your budget will be permitted after submission without explicit permission of the CFO."
Re:New filesystem (Score:1)
On the other hand, "VaporFS" has a beautiful succinctness.
Decisions, decisions.
--
Re:New filesystem (Score:1)
I could name it for you -- 'TrollFS'"
now hang on a second here.
my post was hardly a waste of time. it was an honest suggestion, based on my honest opionion, with a dash of humor thrown in. just because you don't agree with me doesn't mean that you have to go sling the t-word around here.
and if you actually bothered to check my user-info, you'd see that i'm not a troll at all. perhaps offensive, blunt, rude, callous and opinionated. but hardly a troll.
and grow up. if you act that way towards anyone who has an opinion contrary to your own, your little project will fork before you manage to write, much less release, a single line of code.
--
Re:Why does everyone like ext3? (Score:2)
really? i sure didn't notice:
phexro!Phaktory:~$ mount -tnfs
helix:/usr/local/share/audio/mp3 on
phexro!Phaktory:~$ ssh helix mount -treiserfs
phexro@helix's password:
/dev/hdc1 on
phexro!Phaktory:~$
or are you talking about something more subtle?
--
Re:New filesystem (Score:2)
nonsense. what do you call this?
"...i predict that your filesystem 'Won't ever see the light of day.'"
sounds like information to me.
and who says that humor is a waste of time? lauging is good for you.
besides which, you completely missed the point of my post; your project is vapor. you have no code (released, anyways, which is what counts), no name, nothing to show but a bunch of buzzwords thrown together in a slashdot post. you don't even have an empty sourceforge project.
now, you sound like you might have some good ideas. and as much as good ideas are necessary, good implementations are much more necessary. you'd be much better off helping integrate your ideas into an existing project. there are so many players in the next-linux-filesystem arena that even if you do manage to make a stable release, it will probably die due to one of the other projects.
--
Re:Some questions remain(?) (Score:1)
The problem is not reading or writing, but modifying the permissions. You are completly right that the normal access check is hidden in the kernel, but you need a standardized API to modify ACLs on all FSs.
Or maybe we mean different things by application. I would expect each ACL implementation to have it's own tools for maintaining the ACL.
Would you be happy if you had to use a special tool for every fstype? I think most people would like to set permissions from their favorite file manager (kfm/konqueror, mc, gmc ...)
Jo
Re:Thank you! (Score:2)
I also find it funny that everytime ACLs come up, someone posts "ACLs are bad because they are too complicated and the sysadmin can shoot himself in the foot". Which is fucking hilarious attitude towards Unix, where one of the central tenent is "The Sysadmin Can Blow His Leg Off, so be careful".
--
Re:ACLs *ARE NOT NECESSARY* (Score:1)
Because you don't want people modifying or deleting the contents of the file. They do need to add things to it though. Log files are the obvious example. Though the property can be useful for other things as well. Leaving an audit trail of messages or whatever...
Re:ACLs *ARE NOT NECESSARY* (Score:1)
In very high-security applications (government facilities, military, etc), there is no root.
There are administrators, who can control certain daemons and such, but they cannot read the top-secret data contained in other users' accounts.
Granted, many people using ACL's will not be using cables with shielded pressurized tubes around them, but it is still a very convenient and often necessary feature on multiuser systems.
ACL System independent of the Filesystems (Score:1)
I have implemented it into the Mandrake 7.2 Kernel without breaking anything and it works extremely well. So.. it is something you can consider looking into for your requirements since it is implemented into the kernel and pretty much filesystem independent as far I know of.
Re:AFS has very good support for ACLs (Score:1)
Not true at all... as afs is a Network file system,
AFS has very good support for ACLs (Score:4)
How about eDirectory? (Score:1)
http://www.novell.com/products/nds/details.html#f
possible solution (Score:1)
Re:Why does everyone like ext3? (Score:3)
ReiserFS and NFS. The various problems that have bit (a small number of) ReiserFS users in 2.4 are being cleared up. But one larger problem remains: ReiserFS, as shipped in 2.4, does not support NFS. That limitation gets in the way of quite a few people who would like to use ReiserFS, but who also need to be able to export their filesystems.
For the short term, those who are not afraid of kernel patches can have a look at this message from Neil Brown describing where to get the patches he has made available. They are still under development, but they provide "reasonable NFS service" in their current state.
The picture for the longer term is a bit less clear. Neil has a plan for proper support of NFS with ReiserFS, and for improving NFS service in general. It is, however, a large change, requiring tweaks to every filesystem which needs to support NFS. Filesystem changes tend to make kernel hackers nervous, especially in the middle of a stable kernel series. And, in fact, Alan Cox responded that he was not interested in such an extensive patch.
Those who are curious about the troubles with NFS should look at Neil's justification for the changes. It is a lengthy, detailed, and well-argued discussion of how the current NFS implementation fails to mesh well with the various Linux filesystems, and exactly what needs to be fixed to make things work better. It was persuasive enough that Alan agreed that the approach made sense - for the 2.5 kernel series.
Thus, the 2.4 kernel may never support exporting of ReiserFS filesystems over NFS. Those who need this capability will have to apply the patch themselves. That is, if the distributors do not apply the patch themselves before shipping the 2.4 kernel. SuSE, at least, applied such a patch when it shipped ReiserFS with 2.2, so it would not be surprising to see that happen again.
Re:Are ACLs overrated? (Score:2)
This was the primary objection that I saw on the kernel mailing list the last time it was discussed. While ACL's offer finer grain control of a system, they also make auditing much more difficult.
MOVE 'ZIG'.
Re:ACL's are important (Score:2)
At least use JSP. Then when Linux gets ACL or whatever you aren't locked in to the evil empire.
MOVE 'ZIG'.
Re:AFS has very good support for ACLs (Score:1)
solarix (Score:1)
Re:"watchdogs" (Score:2)
Yeah, BeOS has that - it lets them do some really neat stuff. Unfortunately I can't deal with BeOS on a day-to-day basis without going insane, so I'd love to see Linux or FreeBSD support this.
--
Re:solarix (Score:2)
Re:Why does everyone like ext3? (Score:2)
I think that's a little unfair. The comparison was between Tux2 and ext3, and if one is vapor then both are. They're at similar stages in development and their authors present similar pictures of their progress.
Please, please, please try to keep straight the differences between journaling and log-structured filesystems. There's enough confusion on this issue already, and FFS is not log-structured. AFAIK nothing being actively developed for Linux is log-structured.
I think you're right, though, about journaling vs. soft updates (of which I think Tux2's atomic update is a sub-category, though DP might disagree). Soft updates are more flexible than journaling, and - with a filesystem whose basic structures are designed to take advantage - perform better than journaling. I find it just slightly weird that there's so much focus on journaling when a superior alternative is known. I shouldn't bitch, though. For years certain people's ignorance, unwillingness to learn, and territoriality stood in the way of any progress in this area, and I for one am glad that the threat of competition has finally shaken their "hours-long fsck is OK for me" complacency. It would have been even nicer if they had responded by embracing the new entries instead of scrambling to maintain the incumbent's dominance by upgrading it just enough to stay competitive (does that remind anyone else of MS tactics?) but one can't make a purse out of a sow's ear.
Disclaimer: all views expressed are my own. If my employer took my views more seriously, their stock might not have tanked so badly.
Re:AFS has very good support for ACLs (Score:2)
Strong? Definitely. Central? Not so clear.
Re:TrustedBSD?? (Score:1)
Re:AFS has very good support for ACLs (Score:2)
"watchdogs" (Score:2)
Logging is trivial to implement.
ACLs are trivial to implement. The program looks at the user and can indicate (via return code) whether to permit access.
Compression and encryption are relatively easy to implement, if you also retain some state information betweens calls.
Even virtual files and directories can be implemented. This could be used to implement things like "ftp" and "http" mounts.
There's a lot of similarities with "user space" file systems, and that concept might be preferred now.
Re:Some questions remain(?) (Score:2)
The problem is that there's no obvious connection between NTFS ownerships and the user/group of the host Linux system. If you trust root to identify the mapping you leave the system open to attack by anyone with local root access. This would prevent Linux from being adopted in some environments.
A similar problem occurs with the network file systems. You want to avoid the biggest headache in NFS, the ability of someone with local root access to impersonate any other user. It's possible, but it requires the system distinguish between network and local user ids.
Re:Some questions remain(?) (Score:3)
If there's a single VACL layer, any application that supports one underlying FS will support all.
If there's multiple ACL layers, then you'll need separate tools for each type of filesystem. This means you have to know what FS you're residing on. This is a Bad Thing (TM).
Re:Some questions remain(?) (Score:3)
I think you're too quick to dismiss the idea of unified ACL tools, though. Could you imagine the chaos if the VFS didn't exist and you had to use "ls" on ext2, "dir" on dos/vfat/iso, "nls" on nfs, etc.? Can you imagine the pain of keeping track of which application works on each directory? Many people would prefer to see a minimal set of ACL semantics that work everywhere (if supported at all) than a more robust set that only works part of the time.
But the key point which I think you're missing is that you're thinking of ACLs as what lives on a Unix disk locally mounted. If you've mounted a NTFS partition, there is no "user/group" in the ACL, there's only a list of UUIDs. If you've mounted an AFS image, there's globally unique user-ids which may not correspond cleanly to your local users. (One thing everyone agrees on is that networked ACLs should not be vulnerable to the same trivial spoofing as NFS ownerships!)
Conceptually, all ACLs are doing the same thing so it should be possible to identify an abstraction. In practice, this hadn't been done at the time I last investigated the issue.
Re:Are ACLs overrated? (Score:3)
An example of where ACLs would be required would be a well-run law or medical office. Each person would have their own user id, and would be in a couple groups. (Doctors, lawyers, secretaries, nurses, paralegals, etc., plus departmental groups.)
But confidentially still means that many files should be accessible only to a few people, e.g., one lawyer, one paralegal and one legal secretary. If someone goes on vacation, their replacement needs to have access during the period they're covering the regular person, but no longer. If someone else needs to be brought in for consultation, they might need read-only access for a while.
Try doing that with Unix permissions. It's possible, but it is *extremely* difficult and runs into combinatorical explosion with more than a handful of people. (Basically you need to create a "group" with every possible subset of users. You then change the group permissions to implement these semantics.)
Re:ACLs *ARE NOT NECESSARY* (Score:3)
First, you run into combinatorical explosion in the real world. Try running through your example in a small CS department with 5 professors, 50 students, and each student enrolled in three classes. Everyone has to work in teams, but the teams are different in each class. So each student needs to see his own files, and *some* of the files in 6-12 other user accounts (with team sizes from 3-5 people). He can't see all because that would be "cheating."
Now maintain that over 5 years, as students enroll, graduate, etc.
The second problem is that ACLs often support much more than simple read/write/execute. There's "modify" vs. "append." That is so important that ext2 supports "append-only" as one of the extended attributes. There's "change attributes (chattr)" as a separate permission than "write." Some ACL systems even control your ability to "stat" a file, to determine its ownership, size, time of access, etc. Some of this can be handled by your scheme, but it makes it much more complex.
The final problem is that ACLs are far more powerful than most implementations would suggest. Besides being able to grant - or revoke - access to individuals for read/write/execute/modify/append/delete/chattr/st
Some questions remain(?) (Score:5)
The problem is that Linux supports a *lot* of different filesystems, and they often have different ACL semantics. (Think standard Unix ACLs, NT ACLs keyed by UUIDs, and network FS ACLs.) The way to implement any single set of semantics is obvious, but the way to implement a virtual ACL level so you can hide the details from applications is not.
Until this has been figured out -- or the cost of maintaining multiple ACL semantics outweighs the cost of not having ACL support -- all of the ACL patches will remain outside of the main kernel tree.
Are ACLs overrated? (Score:2)
In Solaris, the OS uses standard Unix permissions, with the possibility of optionally using ACLs (I don't know about other Unices). This gives admins the options of using ACLs for a few limited cases - anything more, and it's probably better to setup a special Unix group of something.
Perhaps my problem is that my exposure to ACLs has been primarily with NT and that can be *very* difficult to manage.
Re:ACLs *ARE NOT NECESSARY* (Score:1)
Posix permissions as a solution for access control are barely better no access control at all.
Filesystem ACLs provide much more granularity and greatly improve the security on any system that implements them. They are, however, only a partial solution to improving security on Linux; a true solution would include ACLs at all levels of the OS. Medusa [fornax.sk] is one such a solution.
Re:ACLs *ARE NOT NECESSARY* (Score:1)
But the users don't manage the composition of the groups. This requires a superuser.
Who creates the groups? Not the user. What, you're going to have one generic "read" group for everybody on the system who wants to provide read access to their file? Obviously not. You'll need multiple groups for multiple users. If I want Bob and Sue to be able to read file A, Jim and Jill to be able to read file B, and Sue and Jill to be able to read file C, I need three different groups. Oh, and those groups are only useful for that instance. Next week I may want file D to be read by Jill and Bob, so I'll need another group. AND, once file A is deleted, I don't need that first group any more. Who is managing all of these groups for me? Are you, as a sysadmin, going to create a group for each unique combination of users on your system? Good luck -- you've got an exponential group growth problem.
Posix file permissions are completely inadequate for situations like this, because they are largely dependant on a super-user to maintain groups. Any system which requires action on the part of the sysadmin on a regular basis will be inadequate.
Re:AFS has very good support for ACLs (Score:1)
I agree with everything else you said, but this is, of course, overstated. File permission bits are treated identically for everyone who has access to the directory, but they aren't ignored. All users with access to the directory use the owner permission bits for the files in it.
Re:New filesystem (Score:2)
I could name it for you -- "TrollFS"
- - - - -
Re:New filesystem (Score:2)
- - - - -
Re:New filesystem (Score:2)
(cross platform FS)
Good suggestion! Thanks!
- - - - -
New filesystem (Score:3)
It emulates unix-type bitmask permissions with ACLs, and optimizes for the common cases. This means that chown, chmod, chgrp, etc. will all work unmodified.
We should be ready to do an initial beta release in one to two months for Linux 2.2.18. After that, we'll have ports for Windows 2000, FreeBSD and maybe Linux 2.4 -- depending on how stable its VFS, VM, etc. interfaces look at the time. We also plan SOlaris and HPUX ports.
An additional feature is that file system metadata is endianness-independant, so you can use the same filesystem with big or little-endian hardware. And it will be possible to pull a drive out of a Linux machine running this FS, mount it under Windows 2000, copy data back and forth, set ACLs, etc, then put it back in the Linux machine and keep on using it. Which will be sweet. Of course, it'll also mean that people who dual-boot with Linux and Win2k can have a common filesystem.
We've tentatively named the filesystem "CXFS" -- but we realize that SGI also has a "CXFS." What do you think would be a good (short, meaningful, catchy) name for an efficient cross-platform journaled filesystem?
- - - - -
tricky (Score:1)
--
Re:XFS supports ACLs (Score:2)
XFS supports ACLs (Score:5)
Forget ACL's, you want Capabilities (Score:2)
What is a Capability, Anyway? [eros-os.org]
Where Capabilities Come From [eros-os.org]
Comparing ACLs and Capabilities [eros-os.org]
Re:Thank you! (sanity checked version) (Score:2)
I asked Alan Cox about this and he said that capabilities were pretty much unrecognized by the wider comunity, and thus there were no need for ACLs. But IMHO, capabilties aren't nearly as clean as ACLs (rwxs + capabilities can be confusing, ACLS put everything neatly in one permission system).
There's a large portion of (well, dickheads, really) who think any idea implemented in NT doesn't belong in Linux. This ignored the fact that the Trusted flavors of various closed source Unixes and VMS have had the same system for years. And that Microsoft, whilst not having the worlds best business practices, can occassionally make good OS deesign decisions
(and even sometimes be the best tool for the job, but that's OT).
I'm not sure what Linus would say, but I'd like to echo those sentiments exactly. There's no reason I, nor any service, ever need to run as root.
* Why does my mail server need a small program with permissions to install a rootkit in
* Why can't I delegate the task of adding and deleting users to a minion without worrying they will corrupt the filesystem?
* When I want full access to a file, managers to have read and execute access, employees to have read access, and nobody else to have any access at all, why can't I just DO IT?
Rwxs wasn't designed for security. ACLs even fit in better with the Unix philosophy of giving users and processes only the permissions they need to use the system and no more.
Sudo is a hack.
Re:ACL's are important - But your problem is solve (Score:2)
Use Halycon Software of Chilisoft to deploy your ASP app on Linux.
Re:Thank you! (Score:5)
I asked Alan Cox about this and he said thatcapabilities were pretty much unrecognized by the wider comunity. But IMHO, cpaabilties aren't nearly as clean as ACLs.
There's a large portion of (well, dickheads, really) who think any idea implemented in NT doesn't belong in Linux. This ignored the fac that the Trusted flavos of varios closed source Unixes and VMS have had the same system for years. And that Microsoft, while not having the worlds best business practices, can occassionally make goodOS deesign decisions, and even sometimes be the best tool for the job.
I'm not sure what Linux would say, but I'd like to echo those sentiments exactly. There's no reason I, not and service, ever neeed to run as root. Why does my mail server need a small program with permissions to install a rootkit in
Sudo is a hack.
acl status (Score:1)
Re:ACLs *ARE NOT NECESSARY* (Score:2)
The (many) times I've seen ACL's in action to implement overly complex access control schemes, it bacame chaos, and nobody knew anymore who was allowed to see what, and why the ACL's were the way they were. Maybe massive beaurocratic measurements could prevent chaos in such cases, but one had better rethink the way permissions are granted.
As for modify/append: There are a couple of very specific (system) tasks where append-only might be useful, especially for logfiles that intruders may not tamper with. But for general purpose use, I don't see the need. Append-only can just as well be implemented as a write-only directory (a la /tmp on Unix systems) where a user can "append" a record by creating a new file. Then cat them all in order of mtime, and you have about the same.
Time-dependant access etc is insane to administer, and again IMO the business model should rather be simplified.
Maybe ACL's are nice for control-freak type of system administrators that don't have much work to do, but for normal situations they're no good.
Access Control? Gak. (Score:1)
*sigh*... long night.
Re:solarix (Score:1)
Re:Why does everyone like ext3? (Score:2)
Check out the mailing list archives here [innominate.org]
For directories with over 20000 files, the results are 10 times faster with the indexed searching. The ratio gets better with more than that. So I guess ext2 won't have to wait long for btrees. If Tux2 happens sometime soon then it will really rock ! Great job Daniel !
Re:Why does everyone like ext3? (Score:3)
Except that you can download working ext3 code, and have been able to for more than a year. As of yet Tux2 is still design plans, without any public working implementation.
Re:Why does everyone like ext3? (Score:5)
Tux2 is still vaporware. I agree, it will be great when it comes out. However, it is currently vaporware.
ReiserFS and XFS are also really great,
So these have log structure (or btree) and journalling. However, ReiserFS is broken with NFS currently, and that is a BIG problem. XFS is still beta and not merged with the main kernel tree, which is also a BIG problem. Ever see the fallout when Alexander Viro (kernel VFS hacker) takes a newly merged filesystem to task ?? It is not pretty.
Ext3 has some advantages. It has been running stably for a long time now under development. It is journaled, and has a small code base. It also only exists for the 2.2 kernel series.
Phillips is also making a judgment call. He wants to build on ext2 with tux2. Ext2 is not log structured, which is why ReiserFS can beat it in well-structure benchmark tests run by Hans.
The future, IMHO, is a log structured file system with NO journaling and atomic updates. This creature already exists, and it is called FFS with Soft Updates, from the FreeBSD developers. Here is the breakdown.
Journalling is tricky, as it requires lots of intervention at other places in the kernel. You need to keep something synchronous - journalling just makes that something very small. Atomic updates avoid synchronous issues altogether. Instead, they structure the file system in groups of data and metadata. In each group, there is an atomic bit. When set, it means the group is intact. So, upon looking through the groups, you can immediately determine which ones are intact and which are incomplete. Recovery is REALLY fast after a power outage, in theory even faster than a journal recovery.
WRT log structuring and btrees, these allow small and large files to live together easily, and allow rapid searches in large directories. Both of these have substantial advantages.
And the future for linux file systems ?? I don't know, it is always interesting to see where things will head. The world is clamoring for easy crash recovery, and ext2's days are numbered. I think most people would be quite happy to simply add journaling to ext2. Or atomic updates. So I predict, after consulting the crystal ball, that tux2 develops a large following after release, and that Phillips then adds btree searches and log structuring, making it the first linux file system with all that.
That would then bring the state of the art file systems for linux up to par with those of FreeBSD. Of course, in linux at that time you can also use JFS, XFS, ReiserFS, or ext3 journaled file systems.
But journaling is worse than atomic updates, both for complexity and speed.
ACLs are a Bad Idea (tm) (Score:1)
IMHO the original Unix user-group-world read-write-execute is one of the great 80/20 points in computing history. The biggest downside of ACLs is their potential to reduce security due to inevitable human error introduced in dealing with the complexity.
Perhaps the canonical example is (old-fart alert) release X.0 (I forget X) of the late unlamented VAX/VMS, which ignored all the lessons of Linux except for (in early releases) the user-group-world model, except for they added an idiotic and useless "delete" access.
Anyhow, in X.0, VMS introduced ACLs; rather good and clean ones. Unfortunately, they screwed up the ACL on one of the core system name translation tables, and left it wide-open to subersion by anybody who wandered by and noticed.
I tend to think that this pattern is the rule rather than the exception... the cost of ACLs immensely exceeds the benefit, which isn't hard since it's often negative.
Cheers, Tim
Re:Why does everyone like ext3? (Score:1)
Look at TOPS-10 method (Score:1)
Re:ACL's are important (Score:1)
Re:Why does everyone like ext3? (Score:2)
Re:Thank you! (Score:2)
Re:Thank you! (sanity checked version) (Score:2)
Re:New filesystem (Score:1)
(cross platform FS)
Dimwitts (Score:1)
Re:ACL System independent of the Filesystems (Score:1)
TrustedBSD?? (Score:3)
For myself, I know that ACL's are the #1 reason why my primary file server at work is still an NT. Maybe I just don't fully grasp all the ways you can tweak *nix file permissions. I just don't see how you can assign one group ownership rights, one group read/write, and yet another group read only while not allowing "everyone" any kind of access. How about allowing a group of folks the right to write to a file, but not delete it?
I do prefer FreeBSD for specific server tasks. Web serving is certainly the top of that list. Thing is, without the granularity of ACL's I can't leave NTFS behind when it comes to the more complex task of file sharing to a bunch of users on a LAN.
Additionally, I've gotten quite used to the notion of leaving the OS permissions to Everyone on my files on the server, then restrict access via the share permissions. The server itself is physically locked in a room so I'm not normally concerned with local security. As cool as Samba is, it makes no provisions for implementing permissions of any sort. Heck, for 95% of my ACL needs, they could be implemented in Samba and never touch the FS.
Re:Are ACLs overrated? (Score:2)
ACLs are a good idea, but as one poster said above, it's writing a common layer to deal with the fact that all filesystems handle them in different ways, from not at all to user-specific permissions.
Re:Thank you! - No thank *you*! (Score:1)
I'm so glad that you posted this. As a decade-long NetWare guy I've never been able to understand why UNIX permissions seem so limited. For so long I've simply thought that my lack of understanding was keeping me from implementing UNIX permissions the way that I want to.
It's just so *easy* in NetWare to lay out filesystem (and NDS) access across multiple groups, users, etc. I mean is it too much to ask to be able to assign RO access to a directory to one group and RW to a different group? There's probably a way to do this, but it doesn't readily present itself to the novice.
Thank you! (Score:2)
Does anyone know what is keeping ACLs out of the kernel? Has Linus ever said where he stands on a standard ACL implementation for Linux?
Re:Some questions remain(?) (Score:2)
The Linux ACL Project implementation totally hides it from the application. Only the tools to maintain the ACL need know about how it's implemented. Or am I missing something?
Re:Some questions remain(?) (Score:2)
The difference is that with an ACL the kernel checks the ACL to see if that user/group has access to a file instead of just checking the basic modes.
Or maybe we mean different things by application. I would expect each ACL implementation to have it's own tools for maintaining the ACL. By application I'm talking about things like "lynx" or other user apps.
Re:ACLs *ARE NOT NECESSARY* (Score:2)
IMHO, access lists are only useful to allow you to fill in the little checkbox on government/military procurement forms "access lists? (y/n)" with a "y". No access lists? Gotta use NT, because it has access lists. Why do we need access lists? The spec says so. Why does
Every attempt that I've seen to actually *use* access lists for anything useful has quickly degenerated into an unusable swamp.
Most Unix admins and users can't deal with the idea of separate groups for separate projects. You want them to try to figure out access lists?
Now, admittedly, standard Unix permissions are really lame. Unfortunately, access lists aren't the answer. Adding "capabilities" to Unix (the real way to fix the permission problem) would require enough changes that the resulting system couldn't really be called "Unix" anymore.
--
Therefore ... (Score:2)
IMHO, access lists are only useful to allow you to fill in the little checkbox on government/military procurement forms "access lists? (y/n)" with a "y"
Only way you're gonna get Linux into government/military stuff is to have access lists. Full stop. Therefore, ACLs are very useful (vital, actually) as a patch to some standard filesystem, just so you can check the little box. As to merging them into the kernel, forget it. They really accomplish nothing, and just get in the way.
--
Re:DANGER WILL ROBINSON! (Score:2)
ALL YOUR BASE ARE BELONG TO US!
It's not because of NT. (Score:2)
See, and that's at the heart of the design issue. Many of the "limited" permissions you might construct with ACLs turn out to be equivalent to "root" permissions anyway; having ACLs gives you a false sense of security. Delegation of specific privileges generally only works reliably with very careful programmatic permission checking. That's why UNIX has setuid programs.
Re:Are ACLs overrated? (Score:2)
The problem with ACLs is that they provide such fine control that they lead to maintenance problems.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Yes, and ACLs are a good example of that.
ACLs aren't necessarily good (Score:3)
ACLs allow users to come up with quick workarounds to access control problems. It's easy for the administrator in the short run because people won't bother you about this or that. But you end up with an incomprehensible mess of access rights, and you end up with lots of questions of why something does or does not work.
The traditional UNIX system, instead, forces people to think ahead and define clearly what they are trying to accomplish. Then they define a group for that purpose. The end result is easier to understand and easier to analyze.
On balance, I'd rather not have ACLs. There is value in keeping things simple.
Why does everyone like ext3? (Score:3)