Access Control Lists In Linux Filesystems?

oracleofbargth asks: "Is there any project for implementing ACLs in the various filesystems supported under linux (ext2, ext3, etc...) that has the potential to become an official part of the kernel, rather than just a patch to it? The Linux ACL Project looks good, but is ext2 specific. Trustees also looks promising, but a system implemented in the filesystem itself would be preferable. RSBAC also has ACL capabilities, but on the whole goes a bit overboard in terms of what I'm looking for. Ideally, I need something that will work with ext3 so that the ACL information will be journaled."

ACLs are really not enough.

I've worked with ten or twelve operating systems at the system administration level, and I've done so in academic, corporate, medical, and military-industrial settings.

Most of the proprietary Unices (if you count different *nixen as separate OSes, double the OS count given above) have their own lame, incompatible implementations of ACLs. These are typically layered over the antique Unix rwxrwxrwx scheme.

"rwx" is insufficient. People often exhort others to "think unix" - and when you are talking about pipes & I/O redirection, or any of the other wonderful features of Unix, that's great. But if you "think unix" to the extent that you can't see how fundamentally LAME the unix access control mechanisms are, you are crippling yourself. To put it in perspective, consider the IBM MVS file protection system RACF - in RACF, you cannot grant a user write permission without also granting read permission. This is partially because of the underlying architecture of MVS, but that doesn't mean it's not lame and restrictive. However, most hardcore mainframers literally cannot conceive of a situation where they'd want write and not read.

Novell has the most advanced and useful system of file attributes I am aware of. For example, "create" and "write" are separate - this allows the creation of dead-drop boxes; folders where a user can create a file but cannot afterwards modify it. If you can't conceive a situation where you could put this to use, you are "thinking unix" to the point of wearing blinders. NOTE: the forgoing statement will cause this post to be labeled "flamebait" and modded into oblivion by self-righteous Berkleyites >:^} while simultaneously generating dozens of "oh yeah name one" followups.

There are many other aspects of the Novell system of file protection and user rights that are very advanced. Consult your local guru, but I'll mention "rename inhibit" as one useful ability. If Stef Murky, excuse me, Jeff Mirkey, ever gets his MANOS opsystem going under the GPL I personally will immediately convert to his Novell-clone filesystem. Even DEC VMS does not compare, and the VMS access control mechanisms beat Unix hands down.

I don't recommend Novell because it's not Open Source and because the complexity of X500 or NDS type "directory" systems adds instability and management overhead that is seldom warranted to achieve concrete goals. That being said, as the world becomes increasingly networked the previous statement becomes increasingly less accurate.

LDAP interfaces to SQL backends like MySQL and Postgres will eventually be the way to go (but not today, and ADS will never fit the problem space). The one warning I would sound is that when you keep file data and file attributes in separate places - as many systems do - you markedly decrease the robustness of your system. User data in the user directory, file attributes in the file header, is a better idea. Just like it's a better idea to put the comments in the source code than in a separate documentation file (don't get me started about that stupid practice).

Sorry my .02 pence is so lenghty. I could rant some more, but I think I got the major point across - ACLs on a "rwxrwxrwx" system is like streamlining a 1954 Volkswagen Beetle.

--Charlie

SGI's XFS has ACLs

[Yarn]

And it's journalling and quick. The only problem is that they're running on a fork of the kernel, so you have to either pray that large patches will take properly, or keep CVS'ing it.

http://linux-xfs.sgi.com/projects/xfs/

Ooh, and pre-release 0.9 is out. So, get it, or something.

ACLs *ARE NOT NECESSARY*

[Captain_Carnage]

There are two basic access needs that people need to have to data: the ability to READ the data, and the ability to MODIFY the data. In ALL cases (at least, in all useful cases), these priviledges can be granted using standard Unix permissions.

Let's say you have a directory full of files, and you need some people to be able to write to these files (which implies they'll also need to be able to read the files, to verify their changes), and you have another group of people who needs to be able to read the files. Everyone else in the organization should have NO access. This is the most complicated case.

Can this be done with standard Unix permissons? At first glance, you might think that you can't, because the only permissions provided in Unix are User (owner), Group, and Other (world). You can't control the access for a second group, which is what you need, right?

However, the answer is YES! You can do this. Here's how:

Create one group each for the people who need to be able to read the files, and write the files. For simplicity of the example, let's call the groups "read" and "write" respectively.

Now, add every user who needs read access to those files to the "read" group, and add all users who need write access to BOTH groups.

Now, create a top level directory, like this (only ownerships, permissions, and the name are shown for brevity):

drwxr-x--- root read topdir

# mkdir topdir
# chgrp read topdir
# chmod 750 topdir

Both groups we created can cd into this directory (because we added the "write" group to the "read" group, remember?). Now, under that directory, create one or more directories where your data will be stored, like this:

drwxrwsr-x root write datadir

# cd topdir
# mkdir datadir
# chgrp write datadir
# chmod 2775 datadir

The '2' sets the SGID bit on the directory, which forces all files created in this directory to be created group-owned by the "write" group (it copies the group ownership of the directory to all new files in it). It will also make new files created in this directory group writable by default (again, copying the group permissions from the directory).

You might also want to prevent users from deleting files they don't own, by setting the sticky bit on the directory, which will make the '2' a '3' instead.

Now, users in the "write" group can create and write to files in this directory, and users in the "read" group will be able to read them, because they will be readable by other (world). However, everyone else will NOT be able to read them, because in order to do so, they would have needed to be in the "read" group in order to cd into topdir to get to datadir (which is why we also included the users in the "write" group in the "read" group)!

Thus, your problem is solved. Do this for every directory where the groups of people who need each type of access are different. This is BETTER than ACLs because a) it is either the same amount of administrative effort than managing ACL's on a per-directory basis (but you manage group membership instead), or LESS administrative effort than managing ACLs on a per-file basis; and b) it FORCES you to organize your data heirarchically by who has access to it.

Get over ACLs... they are a waste of time and programming effort.

You could argue that you might want some third group of people to have write access ONLY, but the practical value of this is very limited. If you feel that you need this you are probably being silly or WAY too paranoid, even for a system administrator. Limiting people from reading data that they can over-write is generally nonsensical.

I don't deny that there are certain very narrow applications for that sort of access limitation, but the likelihood that such an application would also present the need to have groups with each of those access requirements (read, read/write, and write-only) seems rather slim.

Note to slashdot maintainers: PLEASE make the damn text box for typing comments into bigger! The one currently provided on the web form makes typing long comments especially painful. And allowing the CODE HTML tag would be nice too.

AFS has very good support for ACLs

[Doodhwala]

This is a networked file system, but OpenAFS has excellent support for ACLs. I am personally using it at Carnegie Mellon and its used at a host of other places like MIT. And its not a patch but simply a module you compile for the kernel. I got it running on my linux system in 15 minutes. Also has excellent support for security (see Kerberos).

Some questions remain(?)

[coyote-san]

I haven't been following the kernel discussion for some time, but I recall that there was some concern over how to handle ACLs.

The problem is that Linux supports a *lot* of different filesystems, and they often have different ACL semantics. (Think standard Unix ACLs, NT ACLs keyed by UUIDs, and network FS ACLs.) The way to implement any single set of semantics is obvious, but the way to implement a virtual ACL level so you can hide the details from applications is not.

Until this has been figured out -- or the cost of maintaining multiple ACL semantics outweighs the cost of not having ACL support -- all of the ACL patches will remain outside of the main kernel tree.

XFS supports ACLs

[be-fan]

I've been playing around with XFS for a few weeks, and I must say it kicks total ass. It's a good bit faster than ReiserFS and seems to have fewer problems with latencies. On the Bonnie benchmark (which are apparently biased according to some kernel developers) XFS get 3x the I/Os per second, and in real world cp and tar testing, it is noticably faster. That said, it seems to also have ACL support.

Re:Thank you!

[Nailer]

Does anyone know what is keeping ACLs out of the kernel? Has Linus ever said where he stands on a standard ACL implementation for Linux?

I asked Alan Cox about this and he said thatcapabilities were pretty much unrecognized by the wider comunity. But IMHO, cpaabilties aren't nearly as clean as ACLs.

There's a large portion of (well, dickheads, really) who think any idea implemented in NT doesn't belong in Linux. This ignored the fac that the Trusted flavos of varios closed source Unixes and VMS have had the same system for years. And that Microsoft, while not having the worlds best business practices, can occassionally make goodOS deesign decisions, and even sometimes be the best tool for the job.

I'm not sure what Linux would say, but I'd like to echo those sentiments exactly. There's no reason I, not and service, ever neeed to run as root. Why does my mail server need a small program with permissions to install a rootkit in /dev? Why can't I delegate the task of adding and deleting users to a minion without worrying they will corrupt the filesystem.

Sudo is a hack.

Re:Why does everyone like ext3?

[blakestah]

Tux2 has a much more interesting technology

Tux2 is still vaporware. I agree, it will be great when it comes out. However, it is currently vaporware.

ReiserFS and XFS are also really great,

So these have log structure (or btree) and journalling. However, ReiserFS is broken with NFS currently, and that is a BIG problem. XFS is still beta and not merged with the main kernel tree, which is also a BIG problem. Ever see the fallout when Alexander Viro (kernel VFS hacker) takes a newly merged filesystem to task ?? It is not pretty.

Ext3 has some advantages. It has been running stably for a long time now under development. It is journaled, and has a small code base. It also only exists for the 2.2 kernel series.

Phillips is also making a judgment call. He wants to build on ext2 with tux2. Ext2 is not log structured, which is why ReiserFS can beat it in well-structure benchmark tests run by Hans.

The future, IMHO, is a log structured file system with NO journaling and atomic updates. This creature already exists, and it is called FFS with Soft Updates, from the FreeBSD developers. Here is the breakdown.

Journalling is tricky, as it requires lots of intervention at other places in the kernel. You need to keep something synchronous - journalling just makes that something very small. Atomic updates avoid synchronous issues altogether. Instead, they structure the file system in groups of data and metadata. In each group, there is an atomic bit. When set, it means the group is intact. So, upon looking through the groups, you can immediately determine which ones are intact and which are incomplete. Recovery is REALLY fast after a power outage, in theory even faster than a journal recovery.

WRT log structuring and btrees, these allow small and large files to live together easily, and allow rapid searches in large directories. Both of these have substantial advantages.

And the future for linux file systems ?? I don't know, it is always interesting to see where things will head. The world is clamoring for easy crash recovery, and ext2's days are numbered. I think most people would be quite happy to simply add journaling to ext2. Or atomic updates. So I predict, after consulting the crystal ball, that tux2 develops a large following after release, and that Phillips then adds btree searches and log structuring, making it the first linux file system with all that.

That would then bring the state of the art file systems for linux up to par with those of FreeBSD. Of course, in linux at that time you can also use JFS, XFS, ReiserFS, or ext3 journaled file systems.

But journaling is worse than atomic updates, both for complexity and speed.