Access Control Lists In Linux Filesystems?

ACLs are really not enough. by Anonymous Coward · 2001-02-25 03:28 · Score: 4

I've worked with ten or twelve operating systems at the system administration level, and I've done so in academic, corporate, medical, and military-industrial settings.

Most of the proprietary Unices (if you count different *nixen as separate OSes, double the OS count given above) have their own lame, incompatible implementations of ACLs. These are typically layered over the antique Unix rwxrwxrwx scheme.

"rwx" is insufficient. People often exhort others to "think unix" - and when you are talking about pipes & I/O redirection, or any of the other wonderful features of Unix, that's great. But if you "think unix" to the extent that you can't see how fundamentally LAME the unix access control mechanisms are, you are crippling yourself. To put it in perspective, consider the IBM MVS file protection system RACF - in RACF, you cannot grant a user write permission without also granting read permission. This is partially because of the underlying architecture of MVS, but that doesn't mean it's not lame and restrictive. However, most hardcore mainframers literally cannot conceive of a situation where they'd want write and not read.

Novell has the most advanced and useful system of file attributes I am aware of. For example, "create" and "write" are separate - this allows the creation of dead-drop boxes; folders where a user can create a file but cannot afterwards modify it. If you can't conceive a situation where you could put this to use, you are "thinking unix" to the point of wearing blinders. NOTE: the forgoing statement will cause this post to be labeled "flamebait" and modded into oblivion by self-righteous Berkleyites >:^} while simultaneously generating dozens of "oh yeah name one" followups.

There are many other aspects of the Novell system of file protection and user rights that are very advanced. Consult your local guru, but I'll mention "rename inhibit" as one useful ability. If Stef Murky, excuse me, Jeff Mirkey, ever gets his MANOS opsystem going under the GPL I personally will immediately convert to his Novell-clone filesystem. Even DEC VMS does not compare, and the VMS access control mechanisms beat Unix hands down.

I don't recommend Novell because it's not Open Source and because the complexity of X500 or NDS type "directory" systems adds instability and management overhead that is seldom warranted to achieve concrete goals. That being said, as the world becomes increasingly networked the previous statement becomes increasingly less accurate.

LDAP interfaces to SQL backends like MySQL and Postgres will eventually be the way to go (but not today, and ADS will never fit the problem space). The one warning I would sound is that when you keep file data and file attributes in separate places - as many systems do - you markedly decrease the robustness of your system. User data in the user directory, file attributes in the file header, is a better idea. Just like it's a better idea to put the comments in the source code than in a separate documentation file (don't get me started about that stupid practice).

Sorry my .02 pence is so lenghty. I could rant some more, but I think I got the major point across - ACLs on a "rwxrwxrwx" system is like streamlining a 1954 Volkswagen Beetle.

--Charlie

SGI's XFS has ACLs by Yarn · 2001-02-25 01:22 · Score: 4

And it's journalling and quick. The only problem is that they're running on a fork of the kernel, so you have to either pray that large patches will take properly, or keep CVS'ing it.

http://linux-xfs.sgi.com/projects/xfs/

Ooh, and pre-release 0.9 is out. So, get it, or something.

--
-Yarn - Rio Karma: Excellent

Re:ACLs *ARE NOT NECESSARY* by mce · 2001-02-25 08:25 · Score: 2

Others have already mentioned that the above proposal suffers from combinatorial explosion. Hence, I will limit myself to these:

Organizing your data hierarchically by who has access to it is bad. Data should be organised based mainly on its (hopefully somewhat constant) logical structure, not by something as volatile as who is allowed to see it at any given moment in time.
NFS (at least up to version 3) does not support more than 1 primary + 15 other groups per user.

--

--
Linux user since early January 1992.

Re:DANGER WILL ROBINSON! by RelliK · 2001-02-25 11:11 · Score: 2

I'm not allowed to change into directory X, but since file.txt is world readable, I can go vi /home/X/file.txt and see what is there...)

That's not true. r controls whether you can read the directory (i.e. do ls in it). x controls whether you can cd into a directory or access any files in it. If both r and x are disabled, then you can neither ls a directory nor access any files in it. The Unix permission system has its problems but this is not one of them.
___

--
___
If you think big enough, you'll never have to do it.

ACLs *ARE NOT NECESSARY* by Captain_Carnage · 2001-02-25 06:30 · Score: 5

There are two basic access needs that people need to have to data: the ability to READ the data, and the ability to MODIFY the data. In ALL cases (at least, in all useful cases), these priviledges can be granted using standard Unix permissions.

Let's say you have a directory full of files, and you need some people to be able to write to these files (which implies they'll also need to be able to read the files, to verify their changes), and you have another group of people who needs to be able to read the files. Everyone else in the organization should have NO access. This is the most complicated case.

Can this be done with standard Unix permissons? At first glance, you might think that you can't, because the only permissions provided in Unix are User (owner), Group, and Other (world). You can't control the access for a second group, which is what you need, right?

However, the answer is YES! You can do this. Here's how:

Create one group each for the people who need to be able to read the files, and write the files. For simplicity of the example, let's call the groups "read" and "write" respectively.

Now, add every user who needs read access to those files to the "read" group, and add all users who need write access to BOTH groups.

Now, create a top level directory, like this (only ownerships, permissions, and the name are shown for brevity):

drwxr-x--- root read topdir

# mkdir topdir # chgrp read topdir # chmod 750 topdir

Both groups we created can cd into this directory (because we added the "write" group to the "read" group, remember?). Now, under that directory, create one or more directories where your data will be stored, like this:

drwxrwsr-x root write datadir

# cd topdir # mkdir datadir # chgrp write datadir # chmod 2775 datadir

The '2' sets the SGID bit on the directory, which forces all files created in this directory to be created group-owned by the "write" group (it copies the group ownership of the directory to all new files in it). It will also make new files created in this directory group writable by default (again, copying the group permissions from the directory).

You might also want to prevent users from deleting files they don't own, by setting the sticky bit on the directory, which will make the '2' a '3' instead.

Now, users in the "write" group can create and write to files in this directory, and users in the "read" group will be able to read them, because they will be readable by other (world). However, everyone else will NOT be able to read them, because in order to do so, they would have needed to be in the "read" group in order to cd into topdir to get to datadir (which is why we also included the users in the "write" group in the "read" group)!

Thus, your problem is solved. Do this for every directory where the groups of people who need each type of access are different. This is BETTER than ACLs because a) it is either the same amount of administrative effort than managing ACL's on a per-directory basis (but you manage group membership instead), or LESS administrative effort than managing ACLs on a per-file basis; and b) it FORCES you to organize your data heirarchically by who has access to it.

Get over ACLs... they are a waste of time and programming effort.

You could argue that you might want some third group of people to have write access ONLY, but the practical value of this is very limited. If you feel that you need this you are probably being silly or WAY too paranoid, even for a system administrator. Limiting people from reading data that they can over-write is generally nonsensical.

I don't deny that there are certain very narrow applications for that sort of access limitation, but the likelihood that such an application would also present the need to have groups with each of those access requirements (read, read/write, and write-only) seems rather slim.

Note to slashdot maintainers: PLEASE make the damn text box for typing comments into bigger! The one currently provided on the web form makes typing long comments especially painful. And allowing the CODE HTML tag would be nice too.

Re:ACLs *ARE NOT NECESSARY* by coyote-san · 2001-02-25 07:52 · Score: 3

There are three small problems with this scheme.

First, you run into combinatorical explosion in the real world. Try running through your example in a small CS department with 5 professors, 50 students, and each student enrolled in three classes. Everyone has to work in teams, but the teams are different in each class. So each student needs to see his own files, and *some* of the files in 6-12 other user accounts (with team sizes from 3-5 people). He can't see all because that would be "cheating."

Now maintain that over 5 years, as students enroll, graduate, etc.

The second problem is that ACLs often support much more than simple read/write/execute. There's "modify" vs. "append." That is so important that ext2 supports "append-only" as one of the extended attributes. There's "change attributes (chattr)" as a separate permission than "write." Some ACL systems even control your ability to "stat" a file, to determine its ownership, size, time of access, etc. Some of this can be handled by your scheme, but it makes it much more complex.

The final problem is that ACLs are far more powerful than most implementations would suggest. Besides being able to grant - or revoke - access to individuals for read/write/execute/modify/append/delete/chattr/sta t, I've seen ACL specs which allowed restriction based on time-of-day, day-of-week, and even access terminal (local vs. network). You can use 'cron' to automatically change some bits, but it's hard to set it up so that, e.g., the faculty can play games any time, the staff can play them after hours, and the students can play them on weekends.

--
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Re:ACLs *ARE NOT NECESSARY* by Baki · 2001-02-25 20:31 · Score: 2

Real world problems that suffer from mentioned combinatorial explosion, are too complex: The business model in such cases should be simplified. The sulution to complex access schemes is not to add a complex technical implementation, but to simplify the scheme.
The (many) times I've seen ACL's in action to implement overly complex access control schemes, it bacame chaos, and nobody knew anymore who was allowed to see what, and why the ACL's were the way they were. Maybe massive beaurocratic measurements could prevent chaos in such cases, but one had better rethink the way permissions are granted.
As for modify/append: There are a couple of very specific (system) tasks where append-only might be useful, especially for logfiles that intruders may not tamper with. But for general purpose use, I don't see the need. Append-only can just as well be implemented as a write-only directory (a la /tmp on Unix systems) where a user can "append" a record by creating a new file. Then cat them all in order of mtime, and you have about the same.
Time-dependant access etc is insane to administer, and again IMO the business model should rather be simplified.
Maybe ACL's are nice for control-freak type of system administrators that don't have much work to do, but for normal situations they're no good.
Re:ACLs *ARE NOT NECESSARY* by StormyMonday · 2001-02-25 23:28 · Score: 2

Get over ACLs... they are a waste of time and programming effort.

IMHO, access lists are only useful to allow you to fill in the little checkbox on government/military procurement forms "access lists? (y/n)" with a "y". No access lists? Gotta use NT, because it has access lists. Why do we need access lists? The spec says so. Why does ... we get lost in an infinite regression.

Every attempt that I've seen to actually *use* access lists for anything useful has quickly degenerated into an unusable swamp.

Most Unix admins and users can't deal with the idea of separate groups for separate projects. You want them to try to figure out access lists?

Now, admittedly, standard Unix permissions are really lame. Unfortunately, access lists aren't the answer. Adding "capabilities" to Unix (the real way to fix the permission problem) would require enough changes that the resulting system couldn't really be called "Unix" anymore.

--

--
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.

Re:Why does everyone like ext3? by Phexro · 2001-02-25 04:26 · Score: 2

"However, ReiserFS is broken with NFS currently..."

really? i sure didn't notice:

phexro!Phaktory:~$ mount -tnfs helix:/usr/local/share/audio/mp3 on /net/mp3 type nfs (rw,rsize=8192,wsize=8192,soft,addr=192.168.128.25 0) phexro!Phaktory:~$ ssh helix mount -treiserfs phexro@helix's password: /dev/hdc1 on /usr/local type reiserfs (rw) phexro!Phaktory:~$

or are you talking about something more subtle?
--

Re:New filesystem by Phexro · 2001-02-26 03:11 · Score: 2

"...there was no information in yours."

nonsense. what do you call this?

"...i predict that your filesystem 'Won't ever see the light of day.'"

sounds like information to me.

and who says that humor is a waste of time? lauging is good for you.

besides which, you completely missed the point of my post; your project is vapor. you have no code (released, anyways, which is what counts), no name, nothing to show but a bunch of buzzwords thrown together in a slashdot post. you don't even have an empty sourceforge project.

now, you sound like you might have some good ideas. and as much as good ideas are necessary, good implementations are much more necessary. you'd be much better off helping integrate your ideas into an existing project. there are so many players in the next-linux-filesystem arena that even if you do manage to make a stable release, it will probably die due to one of the other projects.

--

Re:Thank you! by IntlHarvester · 2001-02-25 02:58 · Score: 2

Agreed! UGO does not scale when you are talking about a centralized directory with tens of thousands of users in it. Especially the G and the O parts.

I also find it funny that everytime ACLs come up, someone posts "ACLs are bad because they are too complicated and the sysadmin can shoot himself in the foot". Which is fucking hilarious attitude towards Unix, where one of the central tenent is "The Sysadmin Can Blow His Leg Off, so be careful".
--

--
Business. Numbers. Money. People. Computer World.

AFS has very good support for ACLs by Doodhwala · 2001-02-25 01:18 · Score: 4

This is a networked file system, but OpenAFS has excellent support for ACLs. I am personally using it at Carnegie Mellon and its used at a host of other places like MIT. And its not a patch but simply a module you compile for the kernel. I got it running on my linux system in 15 minutes. Also has excellent support for security (see Kerberos).

Re:AFS has very good support for ACLs by Salamander · 2001-02-25 10:04 · Score: 2

Any robust networked FS needs strong central authentication.

Strong? Definitely. Central? Not so clear.

--
Slashdot - News for Herds. Stuff that Splatters.
Re:AFS has very good support for ACLs by coyote-san · 2001-02-25 01:55 · Score: 2

Any robust networked FS needs strong central authentication. The alternative is NFS where any idiot with local root access can impersonate anyone else.

--
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

Re:Why does everyone like ext3? by cpeterso · 2001-02-25 04:32 · Score: 3

http://www.lwn.net/2001/0222/kernel.php3

ReiserFS and NFS. The various problems that have bit (a small number of) ReiserFS users in 2.4 are being cleared up. But one larger problem remains: ReiserFS, as shipped in 2.4, does not support NFS. That limitation gets in the way of quite a few people who would like to use ReiserFS, but who also need to be able to export their filesystems.

For the short term, those who are not afraid of kernel patches can have a look at this message from Neil Brown describing where to get the patches he has made available. They are still under development, but they provide "reasonable NFS service" in their current state.

The picture for the longer term is a bit less clear. Neil has a plan for proper support of NFS with ReiserFS, and for improving NFS service in general. It is, however, a large change, requiring tweaks to every filesystem which needs to support NFS. Filesystem changes tend to make kernel hackers nervous, especially in the middle of a stable kernel series. And, in fact, Alan Cox responded that he was not interested in such an extensive patch.

Those who are curious about the troubles with NFS should look at Neil's justification for the changes. It is a lengthy, detailed, and well-argued discussion of how the current NFS implementation fails to mesh well with the various Linux filesystems, and exactly what needs to be fixed to make things work better. It was persuasive enough that Alan agreed that the approach made sense - for the 2.5 kernel series.

Thus, the 2.4 kernel may never support exporting of ReiserFS filesystems over NFS. Those who need this capability will have to apply the patch themselves. That is, if the distributors do not apply the patch themselves before shipping the 2.4 kernel. SuSE, at least, applied such a patch when it shipped ReiserFS with 2.2, so it would not be surprising to see that happen again.

--
cpeterso

Re:Are ACLs overrated? by the+eric+conspiracy · 2001-02-25 02:14 · Score: 2

Perhaps my problem is that my exposure to ACLs has been primarily with NT and that can be *very* difficult to manage.

This was the primary objection that I saw on the kernel mailing list the last time it was discussed. While ACL's offer finer grain control of a system, they also make auditing much more difficult.

MOVE 'ZIG'.

Re:ACL's are important by the+eric+conspiracy · 2001-02-25 05:10 · Score: 2

and building the intranet in ASP.

At least use JSP. Then when Linux gets ACL or whatever you aren't locked in to the evil empire.

MOVE 'ZIG'.

Re:"watchdogs" by Dr.+Sp0ng · 2001-02-26 03:29 · Score: 2

One concept I would love to see implemented is "watchdogs." This is the ability to specify a program which should be run whenever a file or directory is accessed, opened for reads, opened for writes, written to, etc. Basically anything at the VFS level. :-)

Yeah, BeOS has that - it lets them do some really neat stuff. Unfortunately I can't deal with BeOS on a day-to-day basis without going insane, so I'd love to see Linux or FreeBSD support this.
--

Re:solarix by x0 · 2001-02-25 11:58 · Score: 2

No, but it has had a logging option to mount since Solaris 7.

--
In the immortal words of Socrates, who said; 'I drank what?'

Re:Why does everyone like ext3? by Salamander · 2001-02-25 05:39 · Score: 2

Tux2 is still vaporware.

I think that's a little unfair. The comparison was between Tux2 and ext3, and if one is vapor then both are. They're at similar stages in development and their authors present similar pictures of their progress.

The future, IMHO, is a log structured file system with NO journaling and atomic updates. This creature already exists, and it is called FFS

Please, please, please try to keep straight the differences between journaling and log-structured filesystems. There's enough confusion on this issue already, and FFS is not log-structured. AFAIK nothing being actively developed for Linux is log-structured.

I think you're right, though, about journaling vs. soft updates (of which I think Tux2's atomic update is a sub-category, though DP might disagree). Soft updates are more flexible than journaling, and - with a filesystem whose basic structures are designed to take advantage - perform better than journaling. I find it just slightly weird that there's so much focus on journaling when a superior alternative is known. I shouldn't bitch, though. For years certain people's ignorance, unwillingness to learn, and territoriality stood in the way of any progress in this area, and I for one am glad that the threat of competition has finally shaken their "hours-long fsck is OK for me" complacency. It would have been even nicer if they had responded by embracing the new entries instead of scrambling to maintain the incumbent's dominance by upgrading it just enough to stay competitive (does that remind anyone else of MS tactics?) but one can't make a purse out of a sow's ear.

Disclaimer: all views expressed are my own. If my employer took my views more seriously, their stock might not have tanked so badly.

--
Slashdot - News for Herds. Stuff that Splatters.

"watchdogs" by coyote-san · 2001-02-25 03:11 · Score: 2

One concept I would love to see implemented is "watchdogs." This is the ability to specify a program which should be run whenever a file or directory is accessed, opened for reads, opened for writes, written to, etc. Basically anything at the VFS level. :-)

Logging is trivial to implement.

ACLs are trivial to implement. The program looks at the user and can indicate (via return code) whether to permit access.

Compression and encryption are relatively easy to implement, if you also retain some state information betweens calls.

Even virtual files and directories can be implemented. This could be used to implement things like "ftp" and "http" mounts.

There's a lot of similarities with "user space" file systems, and that concept might be preferred now.