Storage of ACLs in file systems: platform overview (draft v1)

Robert Watson robert at cyrus.watson.org
Fri Oct 15 14:22:35 GMT 1999 

So based on the emails that have gone around, and my initial readings of
various documents (could be incorrect), it looks like various OS's do ACL
storage in a number of ways.  I've described them here as I understand
them, with some commentary, but please send me suggestions!  This should
be considered draftish only.

Solaris: "Shadow Inodes"
	It looks like normal inodes can be linked to an additional inode
	that references a file describing the ACL.  The document I read
	referenced modifying the ACL in kernel via an attribute mechanism,
	so it was unclear to me whether ACLs are a hack using a second
	inode/file, or whether it is just that this file is used for
	their attribute mechanism, of which the ACL is just one part.  If
	there is an attribute mechanism, I assumed it is a named
	attribute?  Would love clarification here.

	For efficiency, these blocks are ref-counted to prevent multiple-
	storage.

	If this is a general attribute system, then this is scalable
	other types of security labels (MAC, etc).  If not, it isn't.

	It does not look like inode and ACL consistency are guaranteed.

IRIX: Attributes
	XFS supports extended attributes on file system objects, so
	ACLs are stored there.  It wasn't clear to me from the white-
	paper on XFS that I found how rights to modify attributes are
	handled--the document suggested storing icons in attributes,
	which suggests direct user modification?  If it's only the
	owner, that's fine of course, but...

	Because this is a general-purpose attribute system, it is
	scalable to the handling of other types of security attributes,
	including MAC labels.  Clearly the user-modification issue is
	relevant in this case however.

	Because I don't know much about attributes, I don't know about
	the efficiency concerns--because it sounds like it's user
	modifiable, it may be the case that one ACL is stored per
	file system object without checks for redundant storage.
	(clarification here would be great)

	Since XFS is journaled, inode and ACL consistency are
	guaranteed.

Linux: ACL Blocks
	An additional pointer appears in all file system object inodes,
	which may point to single file blocks containing ACLs.  This
	makes each ACL use one fs block, but redundancy is detected to
	improve efficiency, and a block isn't allocated for no ACL
	being used.

	Because this is sort of a hackish approach, it does not appear
	to be scalable to other security-relevant labels (such as MAC
	labels).  In theory you could add a type to the top of the
	block, but then you can't have more than one :-).  You could
	also add type/block data within the raw block, but then the
	space limitation is a problem.

	Consistency between inodes and their ACLs are not guaranteed.

*BSD: None
	No support currently available for security labels on objects.
	The suggested means include file system layers, per-fs in-fs
	storage repositories (a file in the root of the partition, in
	the style of quotas), the loose block mechanism, and a couple
	of others.  None provide much efficiency, and none guarantee
	consistency.


On all these, I'd love corrections/clarifications, or even additional
operating systems.  The major concerns in my mind are flexibility of the
labeling system (can we add new types of ACLs, security labels, etc),
efficiency of storage on disk and use in kernel (everyone sounded like
they had fairly efficient in-kernel mechanisms, but I should add that to
these), and the ability to maintain transaction-like consistency between
fs objects and the security labels on the objects--preferably also to the
rest of the meta-data layout.

This I think is important because it is easy for users of current systems
to cause denial of service attacks (power outgage, kernel crash, high
load, etc) meaning they might be able to induce a failure causing the
commital of only some of the security or meta-data on OS's that don't
support journaling.  When the system comes back up, if they are lucky or
smart, protections on objects could be weaker than they started out, or
just incorrect resulting in failures in the system that might be to the
advantage of the cracker.  For example, the disappearence of a MAC label
from an object might be bad--so might the removal of an ACL on a file (or
the use of an incorrect ACL).  Correct handling is a hard service to
provide, and presumably is best done through underlying FS support, as in
the case of IRIX.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message

More information about the posix1e mailing list