draft-ietf-nfsv4-acl-mapping-02.txt   draft-ietf-nfsv4-acl-mapping-03.txt 
Network Working Group Marius Aamodt Eriksen Network Working Group Marius Aamodt Eriksen
Internet Draft J. Bruce Fields Internet Draft J. Bruce Fields
Document: draft-ietf-nfsv4-acl-mapping-02.txt October 2004 Document: draft-ietf-nfsv4-acl-mapping-03.txt February 2005
Mapping Between NFSv4 and Posix Draft ACLs Mapping Between NFSv4 and Posix Draft ACLs
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be dis- or will be disclosed, and any of which I become aware will be dis-
closed, in accordance with RFC 3668. closed, in accordance with RFC 3668.
skipping to change at page 2, line 5 skipping to change at page 2, line 5
"Copyright (C) The Internet Society (2002-2004). All Rights "Copyright (C) The Internet Society (2002-2004). All Rights
Reserved." Reserved."
Abstract Abstract
NFS version 4 [rfc3530] (NFSv4) specifies a flavor of Access Control NFS version 4 [rfc3530] (NFSv4) specifies a flavor of Access Control
Lists (ACLs) resembling Windows NT ACLs. A number of operating sys- Lists (ACLs) resembling Windows NT ACLs. A number of operating sys-
tems use a different flavor of ACL based on a withdrawn POSIX draft. tems use a different flavor of ACL based on a withdrawn POSIX draft.
NFSv4 clients and servers on such operating systems may wish to map NFSv4 clients and servers on such operating systems may wish to map
Mapping NFSv4 ACLs October 2004 Mapping NFSv4 ACLs February 2005
between NFSv4 ACLs and their native ACLs. To this end, we describe a between NFSv4 ACLs and their native ACLs. To this end, we describe a
mapping from POSIX draft ACLs to a subset of NFSv4 ACLs. mapping from POSIX draft ACLs to a subset of NFSv4 ACLs.
Mapping NFSv4 ACLs October 2004 Mapping NFSv4 ACLs February 2005
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. NFSv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. NFSv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. POSIX ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. POSIX ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Mapping Posix ACLs to NFSv4 ACLs . . . . . . . . . . . . . . 6 4. Mapping POSIX ACLs to NFSv4 ACLs . . . . . . . . . . . . . . 6
5. Using the Mapping in NFSv4 Implementations . . . . . . . . . 8 5. Using the Mapping in NFSv4 Implementations . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . 11
7. Bibliography . . . . . . . . . . . . . . . . . . . . . . . 11 7. Bibliography . . . . . . . . . . . . . . . . . . . . . . . 12
8. Author's Address . . . . . . . . . . . . . . . . . . . . . 12 8. Author's Address . . . . . . . . . . . . . . . . . . . . . 13
9. Copyright . . . . . . . . . . . . . . . . . . . . . . . . 12 9. Copyright . . . . . . . . . . . . . . . . . . . . . . . . 13
Mapping NFSv4 ACLs October 2004 Mapping NFSv4 ACLs February 2005
1. Introduction 1. Introduction
Access Control Lists (ACLs) are used to specify fine-grained access Access Control Lists (ACLs) are used to specify fine-grained access
rights to file system objects. An ACL consists of a number of Access rights to file system objects. An ACL is a list of Access Control
Control Entries (ACEs), each specifying some level of access for an Entries (ACEs), each specifying an entity (such as a user) and some
entity. The entity may be a user, a group, or a special entity (such level of access for that entity.
as "everyone"). The level of access is described using an access
mask, which is a bitmask with each bit corresponding to a type of
access (such as "read" or "append").
In the following sections we describe two ACL models: NFSv4 ACLs, and In the following sections we describe two ACL models: NFSv4 ACLs, and
ACLs based on a withdrawn POSIX draft, which we will refer to as ACLs based on a withdrawn POSIX draft. We will refer to the latter
"POSIX ACLs". Since NFSv4 ACLs are much finer-grained than POSIX as "POSIX ACLs". Since NFSv4 ACLs are more fine-grained than POSIX
ACLs, it is not possible in general to map an arbitrary NFSv4 ACL to ACLs, it is not possible in general to map an arbitrary NFSv4 ACL to
a POSIX ACL with the same semantics. It does, however, turn out to a POSIX ACL with the same semantics. However, it is possible to map
be possible to map any POSIX ACL to a NFSv4 ACL that has nearly iden- any POSIX ACL to a NFSv4 ACL with nearly identical semantics. We
tical semantics. We will describe such a mapping, and discuss how it will describe such a mapping, and discuss its use in NFSv4 clients
might be used in NFSv4 client and server implementations. and servers.
2. NFSv4 ACLs 2. NFSv4 ACLs
An NFSv4 ACL is an ordered sequence of ACEs, each having an entity, a An NFSv4 ACL is an ordered sequence of ACEs, each having an entity, a
type, and an access mask. The entity may be the name of a user or type, some flags, and an access mask.
group, or may also be one of a small set of special entities. Among
the special entities are "OWNER" (the current owner of the file),
"GROUP" (the group associated with the file), and "EVERYONE".
The access mask includes bits for access types that are more fine- The entity may be the name of a user or group, or may be one of a
grained than the traditional "read", "write", and "execute" permis- small set of special entities. Among the special entities are
sions used in UNIX mode bits. "OWNER@" (the current owner of the file), "GROUP@" (the group associ-
ated with the file), and "EVERYONE@".
The type may be ALLOW or DENY. (AUDIT or ALARM are also allowed, but The type may be ALLOW or DENY. (AUDIT or ALARM are also allowed, but
they are not relevant to our discussion). they are not relevant to our discussion).
The NFSv4 ACL permission-checking algorithm is straightforward. The access mask has 14 separate bits, including bits to control read,
Given an ACL and a requestor asking for a set of permissions speci- write, execute, append, ACL modification, file owner modification,
fied by an access mask: etc.; consult [rfc3530] for the full list.
1) Walk through the list of ACEs from the ACL in order.
2) Ignore any ACE for with an entity not matching requestor.
Mapping NFSv4 ACLs October 2004
3) Process all ACEs until all the bits in the requested access mask Of the flags, four are relevant here. The ACE4_IDENTIFIER_GROUP flag
have been ALLOWed by an ALLOW ace with that bit set. Once a par- is used to indicate that the entity name is the name of a group. The
ticular bit has been ALLOWed by an ACE, it is no longer considered other three concern inheritance: ACE4_DIRECTORY_INHERIT_ACE indicates
in further processing. that the ACE should be added to new subdirectories of the directory;
ACE4_FILE_INHERIT_ACE does the same for new files; and
ACE4_INHERIT_ONLY indicates that the ACE should be ignored when
determining access to the directory itself.
4) If a bit in the requested access mask is DENYed (while that bit is The NFSv4 ACL permission-checking algorithm is straightforward.
still under consideration), the request is denied. Assume a a requester asks for access, as specified by a single bit in
5) If all bits have been ALLOWed, the access is granted. Otherwise Mapping NFSv4 ACLs February 2005
behavior is undefined.
There are also a number of flags that can be applied to an NFSv4 ACE. the access bitmask. We allow the access if the first ACE in the ACL
Three flags that we will need to use in the following discussion that matches the requester and that has that bit set is an ALLOW ACE,
apply to ACEs in a directory ACL. They are: ACE4_DIREC- and we deny the access if the first such ACE is a DENY ACE. If no
TORY_INHERIT_ACE, which indicates that the ACE should be added to new matching ACE has the bit in question set, behaviour is undefined. If
subdirectories of the directory; ACE4_FILE_INHERIT_ACE, which does an access mask consisting of more than one bit is requested, it suc-
the same for new files; and ACE4_INHERIT_ONLY, which indicates that ceeds if and only if each bit in the mask is allowed.
the ACE should be ignored when determining access to the directory
itself.
We refer the reader to [rfc3530] for further details. We refer the reader to [rfc3530] for further details.
3. POSIX ACLs 3. POSIX ACLs
A number of operating systems, including Linux and FreeBSD, implement A number of operating systems implement ACLs based on the withdrawn
ACLs based on the withdrawn POSIX 1003.1e/1003.2c Draft Standard 17 POSIX 1003.1e/1003.2c Draft Standard 17 [posixacl]. We will refer to
[posixacl]. We will refer to such ACLs as "POSIX ACLs". such ACLs as "POSIX ACLs".
POSIX ACLs use access masks with only the traditional "read", POSIX ACLs use access masks with only the traditional "read",
"write", and "execute" bits. Each ACE in a POSIX ACL is one of five "write", and "execute" bits. Each ACE in a POSIX ACL is one of five
types: ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, types: ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK,
and ACL_OTHER. Each ACL_USER ACE has a uid associated with it, and and ACL_OTHER. Each ACL_USER ACE has a uid associated with it, and
each ACL_GROUP ACE has a gid associated with it. Every POSIX ACL each ACL_GROUP ACE has a gid associated with it. Every POSIX ACL
must have exactly one ACL_USER_OBJ, ACL_GROUP, and ACL_OTHER ACE, and must have exactly one ACL_USER_OBJ, ACL_GROUP, and ACL_OTHER ACE, and
at most one ACL_MASK ace. The ACL_MASK ace is required if the ACL at most one ACL_MASK ACE. The ACL_MASK ACE is required if the ACL
has any ACL_USER or ACL_GROUP aces. There may not be two ACL_USER has any ACL_USER or ACL_GROUP ACEs. There may not be two ACL_USER
aces with the same uid, and there may not be two ACL_GROUP aces with ACEs with the same uid, and there may not be two ACL_GROUP ACEs with
the same gid. the same gid.
Given a POSIX ACL and a requestor asking for access, permission is Given a POSIX ACL and a requester asking for access, permission is
determined as follows: determined as follows:
1) If the requestor is the file owner, then allow or deny access 1) If the requester is the file owner, then allow or deny access
depending on whether the ACL_USER_OBJ ACE allows or denies it. depending on whether the ACL_USER_OBJ ACE allows or denies it.
Mapping NFSv4 ACLs October 2004
Otherwise, Otherwise,
2) if the requestor's uid matches the uid of one of the ACL_USER 2) if the requester's uid matches the uid of one of the ACL_USER
ACE's, then allow or deny access depending on whether the ACEs, then allow or deny access depending on whether the
ACL_USER_OBJ ACE allows or denies it. Otherwise, ACL_USER_OBJ ACE allows or denies it. Otherwise,
3) Consider the set of all ACL_GROUP ACE's whose gid the requestor is 3) Consider the set of all ACL_GROUP ACEs whose gid the requester is
a member of. Add to that set the ACL_GROUP_OBJ ACE, if the a member of. Add to that set the ACL_GROUP_OBJ ACE, if the
requestor is also a member of that group. Allow access if one of requester is also a member of the file's group. Allow access if
the ACE's in the resulting set allows access. If the set of any ACE in the resulting set allows access. If the set of match-
matching ACEs is nonempty, and none allow access, then deny ing ACEs is nonempty, and none allow access, then deny access.
access. Otherwise, if none of these ACEs match, Otherwise, if the set of matching ACEs is empty,
Mapping NFSv4 ACLs February 2005
4) if the requester's access mask is allowed by the ACL_OTHER ACE, 4) if the requester's access mask is allowed by the ACL_OTHER ACE,
then grant access. Otherwise, deny access. then grant access. Otherwise, deny access.
Steps (2) and (3) have an additional criteria; in addition to check- The above description omits one detail: in steps (2) and (3), the
ing whether the requested access mask is allowed by the access mask requested bits must be granted both by the matching ACE and by the
in the ACE, the requested bits also have to be in the access mask of ACL_MASK ACE. The ACL_MASK ACE thus limits the maximum permissions
the special ACE with the ACL_MASK entity. This allows file owners to which may be granted by any ACL_USER or ACL_GROUP ACE, or by the
specify a maximum level of access allowed by any other user or group ACL_GROUP_OBJ ACE.
that has any access to the file system object.
In addition to a regular POSIX ACL, a directory in the file system Each file may have a single POSIX ACL associated with it, used to
may also have associated with it a default ACL. This default ACL determine access to that file. Directories, however, may have two
does not affect permissions to the directory itself. Instead, it ACLs: one, the "access ACL", used to determine access to the direc-
governs the ACL a file system object will be assigned initially when tory, and one, the "default ACL", used only as the ACL to be inher-
it is created as a child of the particular directory. ited by newly created objects in the directory.
4. Mapping Posix ACLs to NFSv4 ACLs 4. Mapping POSIX ACLs to NFSv4 ACLs
Given the differences between POSIX and NFSv4 ACLs, any conversion We now describe an algorithm which maps any POSIX ACL to an NFSv4 ACL
between the two is difficult. However, POSIX ACLs are a subset of with the same semantics.
NFSv4 ACLs, and any POSIX ACL can be emulated with an NFSv4 ACL using
the following mapping.
First, the uid's and gid's on the ACL_USER and ACL_GROUP ACEs must be First, translate the uid's and gid's on the ACL_USER and ACL_GROUP
translated into NFSv4 names--a system-dependent process, which, on ACEs into NFSv4 names. This is an implementation-dependent process.
UNIX for example, may be done by lookups to /etc/passwd. Also, the It might be done, for example, by consulting a directory service or a
special ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER ACEs must be password file. Also, the special ACL_USER_OBJ, ACL_GROUP_OBJ, and
translated to NFSv4 ACEs with the special entities "OWNER", "GROUP", ACL_OTHER ACEs must be translated to NFSv4 ACEs with the special
and "EVERYONE", respectively. entities "OWNER@", "GROUP@", and "EVERYONE@", respectively.
The ACE access mask is translated as follows. The read bit of the Next, map each POSIX ACE (excepting any mask ACE) in the given POSIX
POSIX access mask is translated to the logical OR of the ACL to an NFSv4 ALLOW ACE with an entity determined as above, and
with a bitmask determined from the permission bits on the POSIX ACE
as follows:
Mapping NFSv4 ACLs October 2004 1) If the read bit is set in the POSIX ACE, then set ACE4_READ_DATA.
ACE4_READ_DATA and ACE4_READ_NAMED_ATTRS NFSv4 access mask fields. 2) If the write bit is set in the POSIX ACE, then set ACE4_WRITE_DATA
The write bit of the POSIX access mask is translated to the logical and ACE4_APPEND_DATA. If the object carrying the ACL is a direc-
OR of the ACE4_WRITE_DATA, ACE4_WRITE_NAMED_ATTRS and tory, set ACE4_DELETE_CHILD as well.
ACE4_APPEND_DATA NFSv4 access mask fields. The execute bit of the
POSIX access mask is translated into the ACE4_EXECUTE and
ACE4_READ_DATA NFSv4 acess mask fields. Note that NFSv4 defines
ACE4_READ_DATA, ACE4_WRITE_DATA, and ACE4_APPEND_DATA to be equal to
ACE4_LIST_DIRECTORY, ACE4_ADD_FILE, and ACE4_ADD_SUBDIRECTORY,
respectively, so this translation makes sense for directories as
well. However, on directories the ACE4_DELETE_CHILD field must be
included in the translation of the POSIX write bit.
In addition to the above, the OWNER entity must always be given 3) If the execute bit is set in the POSIX ACE, then set ACE4_EXECUTE.
ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES, and all entities must be
given ACE4_READ_ACL, ACE4_READ_ATTRIBUTES, and ACE4_SYNCHRONIZE. The
ACE4_DELETE bit should be neither allowed nor denied by any ACE.
The ACE flag field also has a simple translation. If the file system 4) Set ACE4_READ_ACL, ACE4_READ_ATTRIBUTES, and ACE4_SYNCHRONIZE
object is a directory, and the POSIX ACE belongs to a default ACL, unconditionally.
the ACE4_INHERIT_ONLY_ACE, ACE4_DIRECTORY_INHERIT, and
ACE4_FILE_INHERIT flags are set in the NFSv4 ACE. If the entity in
the POSIX ACE refers to a group, the "ACE4_IDENTIFIER_GROUP" flag is
set in the NFSv4 ACE.
The POSIX ACL_USER_OBJ ACE is also always given the permission bits 5) If the ACE is for the special "OWNER@" entity, set ACE4_WRITE_ACL
"ACE4_READ_ACL" and "ACE4_WRITE_ACL." and ACE4_WRITE_ATTRIBUTES.
Completing the mapping reduces to being able to emulate an ACL_MASK Mapping NFSv4 ACLs February 2005
and compensate for some differences in the permission-checking algo-
rithms of the two ACL implementations.
The difference in permission-checking algorithms is handled as fol- 6) Clear all other bits in the NFSv4 bitmask.
lows:
Every user ACE in the POSIX ACL maps into 2 NFSv4 ACEs; one ALLOW ACE In addition, we set the GROUP flag in each ACE which corresponds to a
which is translated as specified by the above scheme, then a comple- named group (but not in the GROUP@ ACE, or any of the other special
menting DENY ACE which is also translated as specified by the above entity ACEs). At this point, we've replaced the POSIX ACL by an
scheme, with the exception that the access mask is inverted. Note NFSv4 ACL with the same number of ACEs (ignoring any mask ACE). To
that the ACL_USER_OBJ ACE is placed first in this list. emulate the POSIX ACL permission-checking algorithm, we need to mod-
ify the ACL further, as follows:
Every group ACE in the POSIX ACL produces a similar pair, but instead 1) Order the ACL so that the OWNER@ ACE is the first ACE of the ACL,
of being in sequence, all of the ALLOW ACEs are all in sequence, fol- followed by any user ACEs, followed by the GROUP@ ACE, followed by
lowed by all the DENY ACEs. The ACL_GROUP_OBJ ACE is placed first in any group ACEs, and ending finally with the EVERYONE@ ACE.
both lists.
Lastly, the POSIX ACL_OTHER ACE is translated into a pair of ACEs as 2) The POSIX algorithm stops as soon as the requester matches an
in the user ACE case. ACL_USER_OBJ, ACL_OTHER, or ACL_USER ACE. To emulate this
behaviour, add a single DENY ACE after each ALLOW ACE for OWNER@,
EVERYONE@, or any named user. The DENY ACE should have the same
entity and flags as the corresponding ALLOW ACE. The bitmask on
the DENY ACE should be the bitwise NOT of the bitmask on the ALLOW
ACE, except that the ACE4_WRITE_OWNER and ACE4_DELETE bits should
be cleared, and the ACE4_DELETE_CHILD bit should be cleared on
non-directories. (Also, in the xdr-encoded ACL that is transmit-
ted, all bits not defined in the protocol should be cleared.)
Mapping NFSv4 ACLs October 2004 3) Unlike the other ACEs in step 2, all of the ACL_GROUP_OBJ and
ACL_GROUP ACEs are consulted by the POSIX algorithm before deter-
mining permissions. However, if the requester matches any one of
them, then it must deny any permissions they do not allow. To
emulate this behaviour, instead of adding a single DENY after each
corresponding GROUP@ or named group ACE, we insert a list of DENY
ACEs at the end of the list of GROUP@ and named group ACEs. Each
DENY ACE is determined from its corresponding ALLOW ACE exactly as
in step 2, and should occur in the inserted list in the same posi-
tion as the corresponding ALLOW ACE occurs in the list of ALLOW
ACEs.
With this done, the NFSv4 permission-checking algorithm applied to 4) Finally, we enforce the POSIX mask ACE by prepending each ALLOW
the resulting NFSv4 ACL will produce the same result as the POSIX ACE for a named user, GROUP@, or named group, with a single DENY
permission-checking algorithm did on the original POSIX ACL. ACE whose entity and flags are the same as those for the corre-
sponding ALLOW ACE, but whose bitmask is the inverse of the bit-
mask determined from the mask ACE, with the inverse calculated as
described in step 2.
To handle the special POSIX entity ACL_MASK, we slightly modify the As an example, take a POSIX ACL with two named users (u1 and u2) and
above translation: two named groups (g1 and g2), in addition to the required
ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER, and ACL_MASK ACEs.
With the exception of the "OWNER" and "EVERYONE" ACEs, another ACE is Such an ACL will map to an NFSv4 ACL of the form
prepended to the ACE. The prepended ACE is a DENY ACE with the same
entity as the following ALLOW ACE, but with a permission mask set to
the complement of the POSIX ACL_MASK.
This method allows us to preserve the real permission bits of each Mapping NFSv4 ACLs February 2005
ACE should the ACL_MASK be changed.
ALLOW OWNER@
DENY OWNER@
DENY u1 (mask)
ALLOW u1
DENY u1
DENY u2 (mask)
ALLOW u2
DENY u2
DENY GROUP@ (mask)
ALLOW GROUP@
DENY g1 (mask)
ALLOW g1
DENY g2 (mask)
ALLOW g2
DENY GROUP@
DENY g1
DENY g2
ALLOW EVERYONE@
DENY EVERYONE@
where the ACEs marked with (mask) are those whose bitmask are deter-
mined from the ACL_MASK ACE as described in step 4 above.
In general, a POSIX ACL with m named users and n named groups will
map to an NFSv4 ACL with (3*(m + n) + 7) ACLs, unless m and n are
both zero, in which case the result will have either 6 or 7 ACLs,
depending on whether the original ACL had an ACL_MASK ACE.
On directories with default ACLs, we translate the default ACL as
above, but set the ACE4_INHERIT_ONLY_ACE, ACE4_DIRECTORY_INHERIT_ACE,
and ACE4_FILE_INHERIT_ACE flags on every ACE in the resulting ACL.
On directories with both default and access ACLs, we translate the
two ACLs and then concatenate them. The order of the concatenation
is unimportant.
There is one extremely minor inaccuracy in this mapping: if a
requester that is a member of more than one group listed in the ACL
requests multiple bits simultaneously, the POSIX algorithm requires
all of the bits to be granted simultaneously by one of the group
ACEs. Thus a POSIX ACL such as
ACL_USER_OBJ: ---
ACL_GROUP_OBJ: ---
g1: r--
g2: -w-
ACL_MASK: rw-
ACL_OTHER: ---
Mapping NFSv4 ACLs February 2005
will prevent a user that is a member of groups g1 and g2 from opening
a file for both read and write, even though read and write would be
individually permitted.
The NFSv4 ACL permission-checking algorithm has the property that it
permits a group of bits whenever it would permit each bit individu-
ally, so it is impossible to mimic this behaviour with an NFSv4 ACL.
5. Using the Mapping in NFSv4 Implementations 5. Using the Mapping in NFSv4 Implementations
Note that the algorithm described in the previous section not only Examination of the algorithm described in the previous section shows
provides a way to map any POSIX ACL to be mapped to an NFSv4 ACL with that no information is lost; the original POSIX ACL can be recon-
similar semantics, but also provides the reverse mapping in the case structed from the mapped NFSv4 ACL. Thus we also have a way to map
where the NFSv4 ACL is precisely in the format of an ACL produced by NFSv4 ACLs to POSIX ACLs in the case where the NFSv4 ACL is precisely
the algorithm above. in the format of an ACL produced by the algorithm above.
The algorithm can therefore be used to implement a subset of the The algorithm can therefore be used to implement a subset of the
NFSv4 ACL model. This may be useful to NFSv4 clients and servers NFSv4 ACL model. This may be useful to NFSv4 clients and servers
with preexisting system interfaces that support POSIX ACLs and that with preexisting system interfaces that support POSIX ACLs and that
cannot be modified to support NFSv4 ACLs. cannot be modified to support NFSv4 ACLs.
A server, for example, that wishes to export via NFSv4 a filesystem A server, for example, that wishes to export via NFSv4 a filesystem
that supports only POSIX ACLs, may use this mapping to answer client that supports only POSIX ACLs, may use this mapping to answer client
requests for existing ACLs by translating POSIX ACLs on its filesys- requests for existing ACLs by translating POSIX ACLs on its filesys-
tem to NFSv4 ACLs to send to the client. However, when a client tem to NFSv4 ACLs to send to the client. However, when a client
attempts to set an ACL, the server faces a problem. If the given ACL attempts to set an ACL, the server faces a problem. If the given ACL
happens to be in precisely the format of an ACL produced by this map- is not in precisely the format of an ACL produced by this mapping,
ping (as would happen if, for example, the client was performing the then the server may be required to return an error to avoid inaccu-
same translation), then the server can map it to a POSIX ACL to store rately representing the client's intention. The correct error to
on the filesystem. But for any other NFSv4 ACL, the server should return in this case is NFS4ERR_ATTRNOTSUPP.
return an error to avoid any chance of inaccurately representing the
client's intention.
The language of [rfc3530] allows a server some flexibility in han- In the case where a client sets an ACL that leaves certain bits nei-
dling ACLs that it cannot enforce completely accurately, as long as ther allowed nor denied, the server may choose to allow or deny those
it adheres to "the guiding principle... that the server must not bits as necessary to make mapping possible. In some situations it
accept ACLs that appear to make [a file] more secure than it really may also be possible for a server to map the ACL if it adds a DENY
is." ACE or denies a few additional bits. The language of [rfc3530]
allows a server some flexibility in handling ACLs that it cannot
enforce completely accurately, as long as it adheres to "the guiding
principle... that the server must not accept ACLs that appear to make
[a file] more secure than it really is."
Mapping NFSv4 ACLs October 2004 Given the choice, as long as the "guiding principle" is not violated,
servers should opt to be forgiving. The complexity of the
POSIX<->NFSv4 mapping makes difficult the task of generating ACLs
It may therefore be possible for a server to accept a wider range of Mapping NFSv4 ACLs February 2005
NFSv4 ACLs, as long as it can ensure that in every case the resulting
POSIX ACL denies at least all access that the original NFSv4 ACL
denied. The results of such a mapping may, however, be somewhat
unexpected, and it is preferable simply to refuse all NFSv4 ACLs that
do not map accurately, and provide clients with software to help gen-
erate POSIX-mappable NFSv4 ACLs if necessary.
Similarly, a client that uses NFSv4 ACLS to implement user interfaces that will satisfy a server using the mapping. By making the mapping
that only deal in POSIX ACLs may handle user requests to set ACLs more forgiving, the server can simplify that task, improving interop-
easily enough, but should return errors when the user requests ACLs erability.
that, on consulting the server, turn out to not be mappable to POSIX
ACLs.
Mapping NFSv4 ACLs October 2004 Servers that implement the full NFSv4 protocol should also handle
carefully ACLs that leave bits neither allowed nor denied. It is
better to fall back on some reasonable default rather than to always
allow or always deny. A client that, for example, sets
ACE4_WRITE_DATA but leaves unspecified ACE4_APPEND_DATA probably does
so because its system interfaces are incapable of independently rep-
resenting ACE4_APPEND_DATA, not because it intends to deny
ACE4_APPEND_DATA. By leaving the bit unspecified, the client leaves
the server the opportunity to provide the reasonable default of set-
ting it to match ACE4_WRITE_DATA.
Similar issues exist when a client uses NFSv4 ACLs to implement user
interfaces that only deal in POSIX ACLs. When the client translates
ACLs received from the server to POSIX ACLs, some flexibility may
help interopability, but the client must take care not to represent
any ACLs as stricter than they really are. Clients that provide
access to the full set of NFSv4 ACLs may also wish to provide users
with utilities to generate and interpret POSIX-mapped NFSv4 ACLs, to
aid users working with servers using the POSIX mapping.
Mapping NFSv4 ACLs February 2005
6. Security Considerations 6. Security Considerations
Any automatic mapping from one ACL model to another must provide Any automatic mapping from one ACL model to another must provide
guarantees that the mapping preserves semantics, or risk misleading guarantees as to how the mapping affects the meaning of ACLs, or risk
users about the permissions set on filesystem objects. For this rea- misleading users about the permissions set on filesystem objects.
son, we recommend performing such mapping only when it can be done For this reason, caution is recommended when implementing this map-
accurately, and returning errors in all other cases. ping. It is better to return errors than to break any such guaran-
tees.
Mapping NFSv4 ACLs October 2004 Note also that this ACL mapping requires mapping between NFSv4 user-
names and local id's. When the mapping of id's depends on remote
services, the method used for the mapping must be at least as secure
as the method used to set or get ACLs.
Mapping NFSv4 ACLs February 2005
7. Bibliography 7. Bibliography
[rfc3530] [rfc3530]
Shepler, S. et. al., "NFS version 4 Protocol", April 2003. Shepler, S. et. al., "NFS version 4 Protocol", April 2003.
http://www.ietf.org/rfc/rfc3530.txt http://www.ietf.org/rfc/rfc3530.txt
[posixacl] [posixacl]
IEEE, "IEEE Draft P1003.1e", October 1997 (last draft). IEEE, "IEEE Draft P1003.1e", October 1997 (last draft).
http://wt.xpilot.org/publications/posix.1e/download.html http://wt.xpilot.org/publications/posix.1e/download.html
Mapping NFSv4 ACLs October 2004 Mapping NFSv4 ACLs February 2005
8. Author's Address 8. Author's Address
Address comments related to this memorandum to: Address comments related to this memorandum to:
marius@umich.edu bfields@umich.edu marius@umich.edu bfields@umich.edu
Marius Aamodt Eriksen Marius Aamodt Eriksen
J. Bruce Fields J. Bruce Fields
University of Michigan / CITI University of Michigan / CITI
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/