Ways to overlay ACLs into existing OSes (was: Re: Filesystem with ACLs (fwd))

Robert Watson robert at cyrus.watson.org
Fri Oct 1 14:09:42 GMT 1999


This was my recent post to freebsd-security about the problems with
attempting to add ACLs to existing code in FreeBSD.  In my recent post to
Ilmar, I suggested userfs as another approach to the problem, to at least
get prototype code out there in the hopes of the general OS community (in
this case, FreeBSD) accepting the concept and agreeing to integrate it
more closely.

Extending VFS and then using layering seems like the most scalable
approach to adding security properties to operating systems--it allows
easy addition of FS services over existing file systems, and doesn't
require modification of the disk block algorithms to get started.

If we're interested in portability (hint: we are), the userfs approach
might end up being best.  The Arla kernel module, for example, is
available on a wide range of operating systems on a number of platforms
(including Irix?).  A single ACLfs implementation in userland could easily
be ported to other Arla-supported platforms, although I guess you'd have
to do the ACL syscalls via the Arla IOCTL approach unless you wanted to
expand the VFS on all the platforms.

I must admit, however, that I was impressed to find the ACL support in the
default Solaris file system :-).

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

---------- Forwarded message ----------
Date: Thu, 30 Sep 1999 15:21:47 -0400 (EDT)
From: Robert Watson <robert at cyrus.watson.org>
Reply-To: Robert Watson <robert+freebsd at cyrus.watson.org>
To: Lev Serebryakov <lev at imc.macro.ru>
Cc: freebsd-security at FreeBSD.ORG
Subject: Re: Filesystem with ACLs

On Wed, 29 Sep 1999, Lev Serebryakov wrote:

> Hi, All!
> 
>   Is there some FS with ACLs (NT or Novell Netware-like) for FreeBSD or
>   some project to add ACLs to FFS?

Over the past couple of years, a number of people have expressed interest
in an ACLfs, but the big sticking point has been the way to implement it.
The easiest way to implement would be via a file system layer--i.e.,
rather than modifying FFS itself, have a layer that you slap on top that
adds ACLs to an existing FFS file system.  However, the layering code is
at present broken in FreeBSD, so before a layer like that could be
developed, we'd have to wait for layering to be fixed :-).

The other alternatives considered include modifying FFS at a disk block
level to add space for ACLs, bind them to directories and/or files.  This
means modifying the FFS code, the file system checker, etc, and that would
be fairly painful, and probably less likely to be integrated into the base
OS because of the changes.

Another alternative is to follow the model of the Quota people--store ACL
information in a file in the root directory of the FS, and dump changes
out to that file as required.

None of these is ideal--the quota and layer mechanisms due to the lack of
underlying support, and also because of the consistency issue--ACLs are
important when it comes to maintaining consistent versions of meta-data on
disk for a file.  The modification of FFS introduces significant
complications also.

If I had to implement ACLfs today, I'd probably do it the quota approach,
even though I think that's an ugly solution, as it would be easiest to
implement.  Anyone who lives in FS-land have any news about when/whether
layering will work again someday? :-)  I saw a sequence of posts on
freebsd-fs a while back discussing fixes to the infrastructure for locking
and aliasing, but I'm really not up on that stuff.

As to the semantics of ACLs--Posix.1e defines a set of semantics and
utilities for managing ACLs.  My personal feeling is that they are overly
complex and not all that intuitive (they are the same, for reference, as
Solaris ACLs).  I prefer the Coda/AFS model of having ACLs on directories,
and having only limited permissions on files.  While this would be messy
for a lot of existing UNIX utilities/directories, and messes up hard
links, it provides a really simple and intuitive approach to ACL
management.  At first I found it constraining, but in the end it
encouraged me to manage my directory structure better :-).  And it was
certainly easier to manage 90 sets of directory permissions than over
4000 sets of file permissions.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
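The forwarded message contrasts Posix.1e per-file ACLs with the Coda/AFS model, where ACLs hang off directories and files keep only a few permission bits. The following is an added toy model of that directory-ACL scheme, written for this archive page and not code from Robert Watson, Coda, AFS or FreeBSD. The rights (r, w, l), the principals and the sample tree are all constructed; it illustrates two points the message makes: a file's effective access comes from its containing directory (with the file's own bits only able to subtract), and a hard link reachable through two directories gets two different answers depending on which path is used.

```python
from dataclasses import dataclass, field
from typing import Union

# Rights, AFS-flavoured (constructed subset): read, write, lookup/traverse.
R, W, L = "r", "w", "l"


@dataclass
class File:
    """A file carries only a few mode bits; they can restrict but never
    extend what the containing directory's ACL grants."""
    ino: int
    bits: frozenset = frozenset({R, W})


@dataclass
class Dir:
    """ACLs live on directories only: principal -> set of rights."""
    acl: dict
    entries: dict = field(default_factory=dict)


Node = Union[File, Dir]


def resolve(root: Dir, path: str, principal: str):
    """Walk path from root. Every directory traversed must grant L to the
    principal. Returns (containing_dir, leaf) or None if the walk fails."""
    node, parent = root, None
    for name in [c for c in path.split("/") if c]:
        if not isinstance(node, Dir) or L not in node.acl.get(principal, set()):
            return None
        if name not in node.entries:
            return None
        parent, node = node, node.entries[name]
    return parent, node


def check_access(root: Dir, path: str, principal: str, right: str) -> bool:
    """Directory-ACL access check (hypothetical model, see lead-in)."""
    hit = resolve(root, path, principal)
    if hit is None:
        return False
    parent, leaf = hit
    if isinstance(leaf, Dir):
        # Operations on a directory are governed by its own ACL.
        return right in leaf.acl.get(principal, set())
    # Operations on a file: the containing directory's ACL decides, and the
    # file's own bits may only subtract from that grant.
    granted = right in parent.acl.get(principal, set())
    return granted and right in leaf.bits


def policy_size(root: Dir):
    """Count ACL entries (one per directory/principal pair) versus file
    names, to show how many fewer objects carry policy under this model."""
    dir_entries = file_names = 0
    stack = [root]
    while stack:
        node = stack.pop()
        dir_entries += len(node.acl)
        for child in node.entries.values():
            if isinstance(child, Dir):
                stack.append(child)
            else:
                file_names += 1
    return dir_entries, file_names


def build_sample() -> Dir:
    """Constructed tree: /pub is readable by bob, /priv is alice-only, and
    one file is hard-linked into both (same File object, two names)."""
    shared = File(ino=7)
    root = Dir(acl={"alice": {R, W, L}, "bob": {R, L}})
    root.entries["pub"] = Dir(acl={"alice": {R, W, L}, "bob": {R, L}},
                              entries={"notes": shared,
                                       "readme": File(ino=8, bits=frozenset({R}))})
    root.entries["priv"] = Dir(acl={"alice": {R, W, L}},
                               entries={"notes": shared})
    return root


if __name__ == "__main__":
    tree = build_sample()
    # Same inode, two directories, two answers: the hard-link problem.
    print("bob reads /pub/notes: ", check_access(tree, "/pub/notes", "bob", R))
    print("bob reads /priv/notes:", check_access(tree, "/priv/notes", "bob", R))
    # File bits can only take rights away from what the directory grants.
    print("alice writes /pub/readme:", check_access(tree, "/pub/readme", "alice", W))
    print("ACL entries vs file names:", policy_size(tree))
```

The `policy_size` figure is what drives the "90 directories versus 4000 files" remark: policy is attached to the comparatively few directories, so an audit of who can reach what only has to read the directory ACLs. The hard-link case is the cost, since the same inode may be reachable with different rights by different names, and any reviewer of such a design needs to decide which directory's ACL is authoritative.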



To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
