Access Control Lists In Linux Filesystems?

oracleofbargth asks: "Is there any project for implementing ACLs in the various filesystems supported under linux (ext2, ext3, etc...) that has the potential to become an official part of the kernel, rather than just a patch to it? The Linux ACL Project looks good, but is ext2 specific. Trustees also looks promising, but a system implemented in the filesystem itself would be preferable. RSBAC also has ACL capabilities, but on the whole goes a bit overboard in terms of what I'm looking for. Ideally, I need something that will work with ext3 so that the ACL information will be journaled."

ACLs *ARE NOT NECESSARY*

[Captain_Carnage]

There are two basic access needs that people need to have to data: the ability to READ the data, and the ability to MODIFY the data. In ALL cases (at least, in all useful cases), these priviledges can be granted using standard Unix permissions.

Let's say you have a directory full of files, and you need some people to be able to write to these files (which implies they'll also need to be able to read the files, to verify their changes), and you have another group of people who needs to be able to read the files. Everyone else in the organization should have NO access. This is the most complicated case.

Can this be done with standard Unix permissons? At first glance, you might think that you can't, because the only permissions provided in Unix are User (owner), Group, and Other (world). You can't control the access for a second group, which is what you need, right?

However, the answer is YES! You can do this. Here's how:

Create one group each for the people who need to be able to read the files, and write the files. For simplicity of the example, let's call the groups "read" and "write" respectively.

Now, add every user who needs read access to those files to the "read" group, and add all users who need write access to BOTH groups.

Now, create a top level directory, like this (only ownerships, permissions, and the name are shown for brevity):

drwxr-x--- root read topdir

# mkdir topdir
# chgrp read topdir
# chmod 750 topdir

Both groups we created can cd into this directory (because we added the "write" group to the "read" group, remember?). Now, under that directory, create one or more directories where your data will be stored, like this:

drwxrwsr-x root write datadir

# cd topdir
# mkdir datadir
# chgrp write datadir
# chmod 2775 datadir

The '2' sets the SGID bit on the directory, which forces all files created in this directory to be created group-owned by the "write" group (it copies the group ownership of the directory to all new files in it). It will also make new files created in this directory group writable by default (again, copying the group permissions from the directory).

You might also want to prevent users from deleting files they don't own, by setting the sticky bit on the directory, which will make the '2' a '3' instead.

Now, users in the "write" group can create and write to files in this directory, and users in the "read" group will be able to read them, because they will be readable by other (world). However, everyone else will NOT be able to read them, because in order to do so, they would have needed to be in the "read" group in order to cd into topdir to get to datadir (which is why we also included the users in the "write" group in the "read" group)!

Thus, your problem is solved. Do this for every directory where the groups of people who need each type of access are different. This is BETTER than ACLs because a) it is either the same amount of administrative effort than managing ACL's on a per-directory basis (but you manage group membership instead), or LESS administrative effort than managing ACLs on a per-file basis; and b) it FORCES you to organize your data heirarchically by who has access to it.

Get over ACLs... they are a waste of time and programming effort.

You could argue that you might want some third group of people to have write access ONLY, but the practical value of this is very limited. If you feel that you need this you are probably being silly or WAY too paranoid, even for a system administrator. Limiting people from reading data that they can over-write is generally nonsensical.

I don't deny that there are certain very narrow applications for that sort of access limitation, but the likelihood that such an application would also present the need to have groups with each of those access requirements (read, read/write, and write-only) seems rather slim.

Note to slashdot maintainers: PLEASE make the damn text box for typing comments into bigger! The one currently provided on the web form makes typing long comments especially painful. And allowing the CODE HTML tag would be nice too.

Some questions remain(?)

[coyote-san]

I haven't been following the kernel discussion for some time, but I recall that there was some concern over how to handle ACLs.

The problem is that Linux supports a *lot* of different filesystems, and they often have different ACL semantics. (Think standard Unix ACLs, NT ACLs keyed by UUIDs, and network FS ACLs.) The way to implement any single set of semantics is obvious, but the way to implement a virtual ACL level so you can hide the details from applications is not.

Until this has been figured out -- or the cost of maintaining multiple ACL semantics outweighs the cost of not having ACL support -- all of the ACL patches will remain outside of the main kernel tree.

XFS supports ACLs

[be-fan]

I've been playing around with XFS for a few weeks, and I must say it kicks total ass. It's a good bit faster than ReiserFS and seems to have fewer problems with latencies. On the Bonnie benchmark (which are apparently biased according to some kernel developers) XFS get 3x the I/Os per second, and in real world cp and tar testing, it is noticably faster. That said, it seems to also have ACL support.

Re:Thank you!

[Nailer]

Does anyone know what is keeping ACLs out of the kernel? Has Linus ever said where he stands on a standard ACL implementation for Linux?

I asked Alan Cox about this and he said thatcapabilities were pretty much unrecognized by the wider comunity. But IMHO, cpaabilties aren't nearly as clean as ACLs.

There's a large portion of (well, dickheads, really) who think any idea implemented in NT doesn't belong in Linux. This ignored the fac that the Trusted flavos of varios closed source Unixes and VMS have had the same system for years. And that Microsoft, while not having the worlds best business practices, can occassionally make goodOS deesign decisions, and even sometimes be the best tool for the job.

I'm not sure what Linux would say, but I'd like to echo those sentiments exactly. There's no reason I, not and service, ever neeed to run as root. Why does my mail server need a small program with permissions to install a rootkit in /dev? Why can't I delegate the task of adding and deleting users to a minion without worrying they will corrupt the filesystem.

Sudo is a hack.

Re:Why does everyone like ext3?

[blakestah]

Tux2 has a much more interesting technology

Tux2 is still vaporware. I agree, it will be great when it comes out. However, it is currently vaporware.

ReiserFS and XFS are also really great,

So these have log structure (or btree) and journalling. However, ReiserFS is broken with NFS currently, and that is a BIG problem. XFS is still beta and not merged with the main kernel tree, which is also a BIG problem. Ever see the fallout when Alexander Viro (kernel VFS hacker) takes a newly merged filesystem to task ?? It is not pretty.

Ext3 has some advantages. It has been running stably for a long time now under development. It is journaled, and has a small code base. It also only exists for the 2.2 kernel series.

Phillips is also making a judgment call. He wants to build on ext2 with tux2. Ext2 is not log structured, which is why ReiserFS can beat it in well-structure benchmark tests run by Hans.

The future, IMHO, is a log structured file system with NO journaling and atomic updates. This creature already exists, and it is called FFS with Soft Updates, from the FreeBSD developers. Here is the breakdown.

Journalling is tricky, as it requires lots of intervention at other places in the kernel. You need to keep something synchronous - journalling just makes that something very small. Atomic updates avoid synchronous issues altogether. Instead, they structure the file system in groups of data and metadata. In each group, there is an atomic bit. When set, it means the group is intact. So, upon looking through the groups, you can immediately determine which ones are intact and which are incomplete. Recovery is REALLY fast after a power outage, in theory even faster than a journal recovery.

WRT log structuring and btrees, these allow small and large files to live together easily, and allow rapid searches in large directories. Both of these have substantial advantages.

And the future for linux file systems ?? I don't know, it is always interesting to see where things will head. The world is clamoring for easy crash recovery, and ext2's days are numbered. I think most people would be quite happy to simply add journaling to ext2. Or atomic updates. So I predict, after consulting the crystal ball, that tux2 develops a large following after release, and that Phillips then adds btree searches and log structuring, making it the first linux file system with all that.

That would then bring the state of the art file systems for linux up to par with those of FreeBSD. Of course, in linux at that time you can also use JFS, XFS, ReiserFS, or ext3 journaled file systems.

But journaling is worse than atomic updates, both for complexity and speed.