draft-ietf-nfsv4-acl-mapping-03.txt   draft-ietf-nfsv4-acl-mapping-04.txt 
Network Working Group Marius Aamodt Eriksen
Internet Draft J. Bruce Fields Network Working Group M. Eriksen
Document: draft-ietf-nfsv4-acl-mapping-03.txt February 2005 Internet-Draft J. Fields
Expires: November 16, 2006 CITI
May 15, 2006
Mapping Between NFSv4 and Posix Draft ACLs Mapping Between NFSv4 and Posix Draft ACLs
draft-ietf-nfsv4-acl-mapping-04
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, each author represents that any
patent or other IPR claims of which I am aware have been disclosed, applicable patent or other IPR claims of which he or she is aware
or will be disclosed, and any of which I become aware will be dis- have been or will be disclosed, and any of which he or she becomes
closed, in accordance with RFC 3668. aware will be disclosed, in accordance with Section 6 of BCP 79.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference mate- time. It is inappropriate to use Internet-Drafts as reference
rial or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
"Copyright (C) The Internet Society (2002-2004). All Rights This Internet-Draft will expire on November 16, 2006.
Reserved."
Abstract
NFS version 4 [rfc3530] (NFSv4) specifies a flavor of Access Control
Lists (ACLs) resembling Windows NT ACLs. A number of operating sys-
tems use a different flavor of ACL based on a withdrawn POSIX draft.
NFSv4 clients and servers on such operating systems may wish to map
Mapping NFSv4 ACLs February 2005
between NFSv4 ACLs and their native ACLs. To this end, we describe a
mapping from POSIX draft ACLs to a subset of NFSv4 ACLs.
Mapping NFSv4 ACLs February 2005 Copyright Notice
Table of Contents Copyright (C) The Internet Society (2006).
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 Abstract
2. NFSv4 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. POSIX ACLs . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Mapping POSIX ACLs to NFSv4 ACLs . . . . . . . . . . . . . . 6
5. Using the Mapping in NFSv4 Implementations . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . 11
7. Bibliography . . . . . . . . . . . . . . . . . . . . . . . 12
8. Author's Address . . . . . . . . . . . . . . . . . . . . . 13
9. Copyright . . . . . . . . . . . . . . . . . . . . . . . . 13
Mapping NFSv4 ACLs February 2005 A number of filesystems and applications support ACLs based on a
withdrawn POSIX draft [2]. Those ACLs differ significantly from NFS
version 4 (NFSv4) ACLs [1]. We describe how to translate between the
two types of ACLs.
1. Introduction 1. Introduction
Access Control Lists (ACLs) are used to specify fine-grained access Access Control Lists (ACLs) are used to specify fine-grained access
rights to file system objects. An ACL is a list of Access Control rights to file system objects. An ACL is a list of Access Control
Entries (ACEs), each specifying an entity (such as a user) and some Entries (ACEs), each specifying an entity (such as a user) and some
level of access for that entity. level of access for that entity.
In the following sections we describe two ACL models: NFSv4 ACLs, and In the following sections we describe two ACL models: NFSv4 ACLs, and
ACLs based on a withdrawn POSIX draft. We will refer to the latter ACLs based on a withdrawn POSIX draft. We will refer to the latter
as "POSIX ACLs". Since NFSv4 ACLs are more fine-grained than POSIX as "POSIX ACLs". Since NFSv4 ACLs are more fine-grained than POSIX
ACLs, it is not possible in general to map an arbitrary NFSv4 ACL to ACLs, it is not possible in general to map an arbitrary NFSv4 ACL to
a POSIX ACL with the same semantics. However, it is possible to map a POSIX ACL with the same semantics. However, it is possible to map
any POSIX ACL to a NFSv4 ACL with nearly identical semantics. We any POSIX ACL to a NFSv4 ACL with nearly identical semantics, and it
will describe such a mapping, and discuss its use in NFSv4 clients is possible to map any NFSv4 ACL to a POSIX ACL in a way that
and servers. preserves certain guarantees. We will explain how to do this, and
give guidelines for clients and servers performing such translation.
2. NFSv4 ACLs 2. NFSv4 ACLs
An NFSv4 ACL is an ordered sequence of ACEs, each having an entity, a An NFSv4 ACL is an ordered sequence of ACEs, each having an entity, a
type, some flags, and an access mask. type, some flags, and an access mask.
The entity may be the name of a user or group, or may be one of a The entity may be the name of a user or group, or may be one of a
small set of special entities. Among the special entities are small set of special entities. Among the special entities are
"OWNER@" (the current owner of the file), "GROUP@" (the group associ- "OWNER@" (the current owner of the file), "GROUP@" (the group
ated with the file), and "EVERYONE@". associated with the file), and "EVERYONE@".
The type may be ALLOW or DENY. (AUDIT or ALARM are also allowed, but The type may be ALLOW or DENY. (AUDIT or ALARM are also allowed, but
they are not relevant to our discussion). they are not relevant to our discussion).
The access mask has 14 separate bits, including bits to control read, The access mask has 14 separate bits, including bits to control read,
write, execute, append, ACL modification, file owner modification, write, execute, append, ACL modification, file owner modification,
etc.; consult [rfc3530] for the full list. etc.; consult [1] for the full list.
Of the flags, four are relevant here. The ACE4_IDENTIFIER_GROUP flag Of the flags, four are relevant here. The ACE4_IDENTIFIER_GROUP flag
is used to indicate that the entity name is the name of a group. The is used to indicate that the entity name is the name of a group. The
other three concern inheritance: ACE4_DIRECTORY_INHERIT_ACE indicates other three concern inheritance: ACE4_DIRECTORY_INHERIT_ACE indicates
that the ACE should be added to new subdirectories of the directory; that the ACE should be added to new subdirectories of the directory;
ACE4_FILE_INHERIT_ACE does the same for new files; and ACE4_FILE_INHERIT_ACE does the same for new files; and
ACE4_INHERIT_ONLY indicates that the ACE should be ignored when ACE4_INHERIT_ONLY indicates that the ACE should be ignored when
determining access to the directory itself. determining access to the directory itself.
The NFSv4 ACL permission-checking algorithm is straightforward. The NFSv4 ACL permission-checking algorithm is straightforward.
Assume a a requester asks for access, as specified by a single bit in Assume a a requester asks for access, as specified by a single bit in
Mapping NFSv4 ACLs February 2005
the access bitmask. We allow the access if the first ACE in the ACL the access bitmask. We allow the access if the first ACE in the ACL
that matches the requester and that has that bit set is an ALLOW ACE, that matches the requester and that has that bit set is an ALLOW ACE,
and we deny the access if the first such ACE is a DENY ACE. If no and we deny the access if the first such ACE is a DENY ACE. If no
matching ACE has the bit in question set, behaviour is undefined. If matching ACE has the bit in question set, behaviour is undefined. If
an access mask consisting of more than one bit is requested, it suc- an access mask consisting of more than one bit is requested, it
ceeds if and only if each bit in the mask is allowed. succeeds if and only if each bit in the mask is allowed.
We refer the reader to [rfc3530] for further details. We refer the reader to [1] for further details.
3. POSIX ACLs 3. POSIX ACLs
A number of operating systems implement ACLs based on the withdrawn A number of operating systems implement ACLs based on the withdrawn
POSIX 1003.1e/1003.2c Draft Standard 17 [posixacl]. We will refer to POSIX 1003.1e/1003.2c Draft Standard 17 [2]. We will refer to such
such ACLs as "POSIX ACLs". ACLs as "POSIX ACLs".
POSIX ACLs use access masks with only the traditional "read", POSIX ACLs use access masks with only the traditional "read",
"write", and "execute" bits. Each ACE in a POSIX ACL is one of five "write", and "execute" bits. Each ACE in a POSIX ACL is one of five
types: ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, types: ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK,
and ACL_OTHER. Each ACL_USER ACE has a uid associated with it, and and ACL_OTHER. Each ACL_USER ACE has a uid associated with it, and
each ACL_GROUP ACE has a gid associated with it. Every POSIX ACL each ACL_GROUP ACE has a gid associated with it. Every POSIX ACL
must have exactly one ACL_USER_OBJ, ACL_GROUP, and ACL_OTHER ACE, and must have exactly one ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER ACE,
at most one ACL_MASK ACE. The ACL_MASK ACE is required if the ACL and at most one ACL_MASK ACE. The ACL_MASK ACE is required if the
has any ACL_USER or ACL_GROUP ACEs. There may not be two ACL_USER ACL has any ACL_USER or ACL_GROUP ACEs. There may not be two
ACEs with the same uid, and there may not be two ACL_GROUP ACEs with ACL_USER ACEs with the same uid, and there may not be two ACL_GROUP
the same gid. ACEs with the same gid.
Given a POSIX ACL and a requester asking for access, permission is Given a POSIX ACL and a requester asking for access, permission is
determined as follows: determined as follows:
1) If the requester is the file owner, then allow or deny access 1. If the requester is the file owner, then allow or deny access
depending on whether the ACL_USER_OBJ ACE allows or denies it. depending on whether the ACL_USER_OBJ ACE allows or denies it.
Otherwise, Otherwise,
2) if the requester's uid matches the uid of one of the ACL_USER 2. if the requester's uid matches the uid of one of the ACL_USER
ACEs, then allow or deny access depending on whether the ACEs, then allow or deny access depending on whether the
ACL_USER_OBJ ACE allows or denies it. Otherwise, ACL_USER_OBJ ACE allows or denies it. Otherwise,
3) Consider the set of all ACL_GROUP ACEs whose gid the requester is 3. Consider the set of all ACL_GROUP ACEs whose gid the requester is
a member of. Add to that set the ACL_GROUP_OBJ ACE, if the a member of. Add to that set the ACL_GROUP_OBJ ACE, if the
requester is also a member of the file's group. Allow access if requester is also a member of the file's group. Allow access if
any ACE in the resulting set allows access. If the set of match- any ACE in the resulting set allows access. If the set of
ing ACEs is nonempty, and none allow access, then deny access. matching ACEs is nonempty, and none allow access, then deny
Otherwise, if the set of matching ACEs is empty, access. Otherwise, if the set of matching ACEs is empty,
Mapping NFSv4 ACLs February 2005
4) if the requester's access mask is allowed by the ACL_OTHER ACE, 4. if the requester's access mask is allowed by the ACL_OTHER ACE,
then grant access. Otherwise, deny access. then grant access. Otherwise, deny access.
The above description omits one detail: in steps (2) and (3), the The above description omits one detail: in steps (2) and (3), the
requested bits must be granted both by the matching ACE and by the requested bits must be granted both by the matching ACE and by the
ACL_MASK ACE. The ACL_MASK ACE thus limits the maximum permissions ACL_MASK ACE. The ACL_MASK ACE thus limits the maximum permissions
which may be granted by any ACL_USER or ACL_GROUP ACE, or by the which may be granted by any ACL_USER or ACL_GROUP ACE, or by the
ACL_GROUP_OBJ ACE. ACL_GROUP_OBJ ACE.
Each file may have a single POSIX ACL associated with it, used to Each file may have a single POSIX ACL associated with it, used to
determine access to that file. Directories, however, may have two determine access to that file. Directories, however, may have two
ACLs: one, the "access ACL", used to determine access to the direc- ACLs: one, the "access ACL", used to determine access to the
tory, and one, the "default ACL", used only as the ACL to be inher- directory, and one, the "default ACL", used only as the ACL to be
ited by newly created objects in the directory. inherited by newly created objects in the directory.
4. Mapping POSIX ACLs to NFSv4 ACLs 4. Ordering of NFSv4 and POSIX ACLs
POSIX ACLs are unordered--the order in which the POSIX access-
checking algorithm considers the entries is determined entirely by
the type of the entries, so the entries don't need to be kept in any
particular order.
By contrast, the meaning of an NFSv4 ACL can be dramatically changed
by modifying the order that the entries are listed in.
In the following, we will say that an NFSv4 ACL is in the "canonical
order" if its entries are ordered in the order that the POSIX
algorithm would consider them. That is, with all OWNER@ entries
first, followed by user entries, followed by GROUP@ entries, followed
by group entries, with all EVERYONE@ entries at the end.
5. A Minor Eccentrity of POSIX ACLs
We will see below that it is possible to find an NFSv4 ACL with
precisely the same effect as any given POSIX ACL, with one extremely
minor exception: if a requester that is a member of more than one
group listed in the ACL requests multiple bits simultaneously, the
POSIX algorithm requires all of the bits to be granted simultaneously
by one of the group ACEs. Thus a POSIX ACL such as
ACL_USER_OBJ: ---
ACL_GROUP_OBJ: ---
g1: r--
g2: -w-
ACL_MASK: rw-
ACL_OTHER: ---
will prevent a user that is a member of groups g1 and g2 from opening
a file for both read and write, even though read and write would be
individually permitted.
The NFSv4 ACL permission-checking algorithm has the property that it
permits a group of bits whenever it would permit each bit
individually, so it is impossible to mimic this behaviour with an
NFSv4 ACL.
6. Mapping POSIX ACLs to NFSv4 ACLs
6.1. Requirements
In the next section we give an example of a mapping of POSIX ACLs
into NFSv4 ACLs. We permit a server or client to use a different
mapping, provided the mapping meets the following requirements:
It must map the POSIX ACL to an NFSv4 ACL with identical access
semantics, ignoring the minor exception described in the previous
section.
It must map the read mode bit to ACE4_READ_DATA, the write bit to
ACE4_WRITE_DATA and ACE4_APPEND_DATA (and ACE4_DELETE_CHILD for
directories), and the EXECUTE bit to ACE4_EXECUTE. It should also
allow ACE4_READ_ACL, ACE4_READ_ATTRIBUTES, and ACE4_SYNCHRONIZE
unconditionally, and allow ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES
to the owner. The handling of other NFSv4 mode bits may depend on
the implementation, but it is preferable to leave them unused.
It should avoid using DENY ACEs. If DENY ACEs are required, it
should attempt to place them at the beginning. (This is not always
possible.)
For simplicity's sake, the translator may choose to handle the mask
by first applying it to the USER, GROUP, and GROUP_OBJ ACEs, and then
mapping the resulting ACL. However, that will result in an ACL from
which it is impossible to determine the original value of the mask or
of the masked USER, GROUP, and GROUP_OBJ bitmasks. If the resulting
ACL is later translated back to a POSIX ACL, the translator will
assume that the value of the mask is the union of the bitmasks
permitted to any USER, GROUP, or GROUP_OBJ. If that would be
incorrect, the original translation should not modify the bitmasks of
the USER, GROUP, and GROUP_OBJ bitmasks, and should instead use
additional DENY ACEs as necessary to give the effect of the mask. It
should also arrange for the first GROUP@ ACE to be a DENY ACE whose
bitmask is determined by the mask, allowing that ACE to be used to
determine the original mask value.
6.2. Example POSIX->NFSv4 Mapping
We now describe an algorithm which maps any POSIX ACL to an NFSv4 ACL We now describe an algorithm which maps any POSIX ACL to an NFSv4 ACL
with the same semantics. with the same semantics, meeting the above requirements.
First, translate the uid's and gid's on the ACL_USER and ACL_GROUP First, translate the uid's and gid's on the ACL_USER and ACL_GROUP
ACEs into NFSv4 names. This is an implementation-dependent process. ACEs into NFSv4 names, using directory services, etc., as
It might be done, for example, by consulting a directory service or a appropriate, and translate ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER
password file. Also, the special ACL_USER_OBJ, ACL_GROUP_OBJ, and to the special NFSv4 names "OWNER@", "GROUP@", and "EVERYONE@",
ACL_OTHER ACEs must be translated to NFSv4 ACEs with the special respectively.
entities "OWNER@", "GROUP@", and "EVERYONE@", respectively.
Next, map each POSIX ACE (excepting any mask ACE) in the given POSIX Next, map each POSIX ACE (excepting any mask ACE) in the given POSIX
ACL to an NFSv4 ALLOW ACE with an entity determined as above, and ACL to an NFSv4 ALLOW ACE with an entity determined as above, and
with a bitmask determined from the permission bits on the POSIX ACE with a bitmask determined from the permission bits on the POSIX ACE
as follows: as follows:
1) If the read bit is set in the POSIX ACE, then set ACE4_READ_DATA. 1. If the read bit is set in the POSIX ACE, then set ACE4_READ_DATA.
2) If the write bit is set in the POSIX ACE, then set ACE4_WRITE_DATA 2. If the write bit is set in the POSIX ACE, then set
and ACE4_APPEND_DATA. If the object carrying the ACL is a direc- ACE4_WRITE_DATA and ACE4_APPEND_DATA. If the object carrying the
tory, set ACE4_DELETE_CHILD as well. ACL is a directory, set ACE4_DELETE_CHILD as well.
3) If the execute bit is set in the POSIX ACE, then set ACE4_EXECUTE. 3. If the execute bit is set in the POSIX ACE, then set
ACE4_EXECUTE.
4) Set ACE4_READ_ACL, ACE4_READ_ATTRIBUTES, and ACE4_SYNCHRONIZE 4. Set ACE4_READ_ACL, ACE4_READ_ATTRIBUTES, and ACE4_SYNCHRONIZE
unconditionally. unconditionally.
5) If the ACE is for the special "OWNER@" entity, set ACE4_WRITE_ACL 5. If the ACE is for the special "OWNER@" entity, set ACE4_WRITE_ACL
and ACE4_WRITE_ATTRIBUTES. and ACE4_WRITE_ATTRIBUTES.
Mapping NFSv4 ACLs February 2005 6. Clear all other bits in the NFSv4 bitmask.
6) Clear all other bits in the NFSv4 bitmask.
In addition, we set the GROUP flag in each ACE which corresponds to a In addition, we set the GROUP flag in each ACE which corresponds to a
named group (but not in the GROUP@ ACE, or any of the other special named group (but not in the GROUP@ ACE, or any of the other special
entity ACEs). At this point, we've replaced the POSIX ACL by an entity ACEs).
NFSv4 ACL with the same number of ACEs (ignoring any mask ACE). To
emulate the POSIX ACL permission-checking algorithm, we need to mod-
ify the ACL further, as follows:
1) Order the ACL so that the OWNER@ ACE is the first ACE of the ACL,
followed by any user ACEs, followed by the GROUP@ ACE, followed by
any group ACEs, and ending finally with the EVERYONE@ ACE.
2) The POSIX algorithm stops as soon as the requester matches an At this point, we've replaced the POSIX ACL by an NFSv4 ACL with the
ACL_USER_OBJ, ACL_OTHER, or ACL_USER ACE. To emulate this same number of ACEs (ignoring any mask ACE), all of them ALLOW ACEs.
behaviour, add a single DENY ACE after each ALLOW ACE for OWNER@,
EVERYONE@, or any named user. The DENY ACE should have the same
entity and flags as the corresponding ALLOW ACE. The bitmask on
the DENY ACE should be the bitwise NOT of the bitmask on the ALLOW
ACE, except that the ACE4_WRITE_OWNER and ACE4_DELETE bits should
be cleared, and the ACE4_DELETE_CHILD bit should be cleared on
non-directories. (Also, in the xdr-encoded ACL that is transmit-
ted, all bits not defined in the protocol should be cleared.)
3) Unlike the other ACEs in step 2, all of the ACL_GROUP_OBJ and Order this NFSv4 ACL in the canonical order: OWNER@, users, GROUP@,
ACL_GROUP ACEs are consulted by the POSIX algorithm before deter- groups, then EVERYONE@.
mining permissions. However, if the requester matches any one of
them, then it must deny any permissions they do not allow. To
emulate this behaviour, instead of adding a single DENY after each
corresponding GROUP@ or named group ACE, we insert a list of DENY
ACEs at the end of the list of GROUP@ and named group ACEs. Each
DENY ACE is determined from its corresponding ALLOW ACE exactly as
in step 2, and should occur in the inserted list in the same posi-
tion as the corresponding ALLOW ACE occurs in the list of ALLOW
ACEs.
4) Finally, we enforce the POSIX mask ACE by prepending each ALLOW If the bitmasks in the resulting ACEs are non-increasing (so no ACE
ACE for a named user, GROUP@, or named group, with a single DENY allows a bit not allowed by a previous ACE), then we can skip the
ACE whose entity and flags are the same as those for the corre- next step.
sponding ALLOW ACE, but whose bitmask is the inverse of the bit-
mask determined from the mask ACE, with the inverse calculated as
described in step 2.
As an example, take a POSIX ACL with two named users (u1 and u2) and Otherwise, we need to insert additional DENY ACE's to emulate the
two named groups (g1 and g2), in addition to the required first-match semantics of the POSIX ACL permission-checking algorithm:
ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER, and ACL_MASK ACEs.
Such an ACL will map to an NFSv4 ACL of the form 1. If an ACL_USER_OBJ, ACL_OTHER, or ACL_USER ACE fails to grant
some permissions that are granted later in the ACL, then that ACE
must be prepended by a single DENY ACE. The DENY ACE should have
the same entity and flags as the corresponding ALLOW ACE, but the
bitmask on the DENY ACE should be the bitwise NOT of the bitmask
on the ALLOW ACE, except that the ACE4_WRITE_OWNER, ACE4_DELETE,
ACE4_READ_NAMED_ATTRIBUTES, ACE4_WRITE_NAMED_ATTRIBUTES bits
should be cleared, and the ACE4_DELETE_CHILD bit should be
cleared on non-directories. (Also, in the xdr-encoded ACL that
is transmitted, all bits not defined in the protocol should be
cleared.)
Mapping NFSv4 ACLs February 2005 2. All of the ACL_GROUP_OBJ and ACL_GROUP ACEs are consulted by the
POSIX algorithm before determining permissions. To emulate this
behaviour, instead of adding a single DENY before corresponding
GROUP@ or named group ACEs, we insert a list of DENY ACEs after
the list of GROUP@ and named group ACEs. Each DENY ACE is
determined from its corresponding ALLOW ACE exactly as in the
previous step. As before, these DENY aces should only be added
when they are necessitated by an ACE that is less permissive than
the final EVERYONE@ ace.
ALLOW OWNER@ Finally, we enforce the POSIX mask ACE by prepending each ALLOW ACE
DENY OWNER@ for a named user, GROUP@, or named group, with a single DENY ACE
DENY u1 (mask) whose entity and flags are the same as those for the corresponding
ALLOW u1 ALLOW ACE, but whose bitmask is the inverse of the bitmask determined
DENY u1 from the mask ACE, with the inverse calculated as described above.
DENY u2 (mask) In the case of named users, these DENY aces may be coalesced with any
ALLOW u2 existing prepended DENY aces. The DENY aces are omitted entirely if
DENY u2 they would have no affect, or if the mask ACE has the same bitmask as
DENY GROUP@ (mask) the maximum of the affected ACEs. (With the one exception that if
ALLOW GROUP@ the POSIX ACL posesses exactly 4 ACEs, then a mask-derived DENY ace
DENY g1 (mask) should be inserted before the GROUP@ ace, even if it would not
ALLOW g1 otherwise be.)
DENY g2 (mask)
ALLOW g2
DENY GROUP@
DENY g1
DENY g2
ALLOW EVERYONE@
DENY EVERYONE@
where the ACEs marked with (mask) are those whose bitmask are deter- Regardless of what scheme is used to represent the mask, the receiver
mined from the ACL_MASK ACE as described in step 4 above. will use the first GROUP@ DENY ace to determine the value of the mask
(if it is different from the union of the bitmasks on the affected
ACEs), and use the relevant ALLOWs to determine the pre-mask values
of user and group ACEs.
In general, a POSIX ACL with m named users and n named groups will The implementation may also choose to just mask out the bitmasks on
map to an NFSv4 ACL with (3*(m + n) + 7) ACLs, unless m and n are the relevant ALLOW ACEs. This will produce a simpler ACL (in
both zero, in which case the result will have either 6 or 7 ACLs, particular, an ACL that usually requires no DENY ACE's), at the
depending on whether the original ACL had an ACL_MASK ACE. expense of losing some ACL information after a chmod.
On directories with default ACLs, we translate the default ACL as On directories with default ACLs, we translate the default ACL as
above, but set the ACE4_INHERIT_ONLY_ACE, ACE4_DIRECTORY_INHERIT_ACE, above, but set the ACE4_INHERIT_ONLY_ACE, ACE4_DIRECTORY_INHERIT_ACE,
and ACE4_FILE_INHERIT_ACE flags on every ACE in the resulting ACL. and ACE4_FILE_INHERIT_ACE flags on every ACE in the resulting ACL.
On directories with both default and access ACLs, we translate the On directories with both default and access ACLs, we translate the
two ACLs and then concatenate them. The order of the concatenation two ACLs and then concatenate them. The order of the concatenation
is unimportant. is unimportant.
There is one extremely minor inaccuracy in this mapping: if a 7. Mapping NFSv4 ACLs to POSIX ACLs
requester that is a member of more than one group listed in the ACL
requests multiple bits simultaneously, the POSIX algorithm requires
all of the bits to be granted simultaneously by one of the group
ACEs. Thus a POSIX ACL such as
ACL_USER_OBJ: --- 7.1. Requirements
ACL_GROUP_OBJ: ---
g1: r--
g2: -w-
ACL_MASK: rw-
ACL_OTHER: ---
Mapping NFSv4 ACLs February 2005 Any mapping of NFSv4 ACLs to POSIX ACLs must map any NFSv4 ACL that
is semantically equivalent to a POSIX ACL (with the exception of the
"minor inaccuracy" mentioned above) to the equivalent POSIX ACL. It
should also extract the mask correctly; as the mask doesn't affect
the semantics of the NFSv4 ACL, and as there is more than one way the
mask might be encoded, we require a convention for this.
Specifically: we require that the mask be computed as the bitmask
used on the first GROUP@ DENY ACE which precedes any GROUP@ allow
ACE, unless no such DENY ACE exists, in which case the mask must be
computed as the union of the bitmasks allowed to all named users,
groups, and GROUP@ (where by the "bitmask allowed to" an entity we
mean the maximum bitmask that the ACL would permit to any user
matching the entity).
will prevent a user that is a member of groups g1 and g2 from opening Implementations may vary in how they deal with NFSv4 ACLs that are
a file for both read and write, even though read and write would be not precisely semantically equivalent to any POSIX ACL. In
individually permitted. particular they may return errors for such ACLs instead of attempting
to map them. However, when possible without compromising security,
they should attempt to be forgiving.
The NFSv4 ACL permission-checking algorithm has the property that it The language of [1] allows a server some flexibility in handling ACLs
permits a group of bits whenever it would permit each bit individu- that it cannot enforce completely accurately, as long as it adheres
ally, so it is impossible to mimic this behaviour with an NFSv4 ACL. to "the guiding principle... that the server must not accept ACLs
that appear to make [a file] more secure than it really is."
5. Using the Mapping in NFSv4 Implementations Note that an NFSv4 ACL consisting entirely of ALLOW ACLs can always
be transformed into a POSIX-equivalent ACL by first sorting it into
the canonical order, and then inserting DENY ACEs as necessary to
ensure POSIX first-match semantics. Since inserting DENY ACEs can
only restrict access, it is safe for a server to do this.
Examination of the algorithm described in the previous section shows We require any server to accept, at least, any NFSv4 ACL that
that no information is lost; the original POSIX ACL can be recon- consists entirely of ALLOW ACLs.
structed from the mapped NFSv4 ACL. Thus we also have a way to map
NFSv4 ACLs to POSIX ACLs in the case where the NFSv4 ACL is precisely
in the format of an ACL produced by the algorithm above.
The algorithm can therefore be used to implement a subset of the Clients should also be at least as forgiving, to promote
NFSv4 ACL model. This may be useful to NFSv4 clients and servers interoperability when heterogeneous clients share files.
with preexisting system interfaces that support POSIX ACLs and that
cannot be modified to support NFSv4 ACLs.
A server, for example, that wishes to export via NFSv4 a filesystem 7.2. Example NFSv4->POSIX Mapping
that supports only POSIX ACLs, may use this mapping to answer client
requests for existing ACLs by translating POSIX ACLs on its filesys-
tem to NFSv4 ACLs to send to the client. However, when a client
attempts to set an ACL, the server faces a problem. If the given ACL
is not in precisely the format of an ACL produced by this mapping,
then the server may be required to return an error to avoid inaccu-
rately representing the client's intention. The correct error to
return in this case is NFS4ERR_ATTRNOTSUPP.
In the case where a client sets an ACL that leaves certain bits nei- We now give an example of an algorithm that meets the above
ther allowed nor denied, the server may choose to allow or deny those requirements. We assume it is to be used by a server mapping client-
bits as necessary to make mapping possible. In some situations it provided NFSv4 ACLs to POSIX ACLs it can store in its filesystem, so
may also be possible for a server to map the ACL if it adds a DENY the translation errs on the side of making the ACL less permissive.
ACE or denies a few additional bits. The language of [rfc3530]
allows a server some flexibility in handling ACLs that it cannot
enforce completely accurately, as long as it adheres to "the guiding
principle... that the server must not accept ACLs that appear to make
[a file] more secure than it really is."
Given the choice, as long as the "guiding principle" is not violated, Given an NFSv4 ACL, first calculate the mask by taking the bitmask
servers should opt to be forgiving. The complexity of the from the first GROUP@ DENY ACE from the original NFSv4 ACL, if it
POSIX<->NFSv4 mapping makes difficult the task of generating ACLs exists. After doing so, remove that DENY ACE, and clear the bits in
its bitmask from any DENY ACE for a named user, group, or GROUP@
which precedes an ALLOW ACE for the same entity.
Mapping NFSv4 ACLs February 2005 In the case where there is no such GROUP@ DENY ACE, continue through
the rest of the algorithm and then calculate the mask as the union of
the calculated permissions of all named users, group, and the
GROUP_OBJ ACE.
that will satisfy a server using the mapping. By making the mapping Given an NFSv4 ACL, sort it into canonical order (OWNER@ ACEs first,
more forgiving, the server can simplify that task, improving interop- then user ACEs, then GROUP@ ACEs, then group ACEs, then EVERYONE@
erability. ACEs.) Also, sort the GROUP@ and group ACEs that all ALLOW ACEs
precede all DENY ACEs. To do so, take advantage of the following
observations:
Servers that implement the full NFSv4 protocol should also handle 1. If two consecutive ACEs are either both ALLOW ACEs, or both DENY
carefully ACLs that leave bits neither allowed nor denied. It is ACEs, then we can swap their order without changing the effect of
better to fall back on some reasonable default rather than to always the ACL.
allow or always deny. A client that, for example, sets
ACE4_WRITE_DATA but leaves unspecified ACE4_APPEND_DATA probably does
so because its system interfaces are incapable of independently rep-
resenting ACE4_APPEND_DATA, not because it intends to deny
ACE4_APPEND_DATA. By leaving the bit unspecified, the client leaves
the server the opportunity to provide the reasonable default of set-
ting it to match ACE4_WRITE_DATA.
Similar issues exist when a client uses NFSv4 ACLs to implement user 2. If it would be impossible for a single user to match both of the
interfaces that only deal in POSIX ACLs. When the client translates entities on two consecutive ACEs, then we can swap their order
ACLs received from the server to POSIX ACLs, some flexibility may without changing the effect of the ACL.
help interopability, but the client must take care not to represent
any ACLs as stricter than they really are. Clients that provide
access to the full set of NFSv4 ACLs may also wish to provide users
with utilities to generate and interpret POSIX-mapped NFSv4 ACLs, to
aid users working with servers using the POSIX mapping.
Mapping NFSv4 ACLs February 2005 3. If an ALLOW ACE is immediately followed by a DENY ACE, then
swapping the order of the two ACEs will not make the ACL any more
permissive.
6. Security Considerations 4. If a DENY ACE is immediately followed by an ALLOW ACE, then
swapping the order of the two ACEs will not make the ACL any more
permissive, *if* we modify the bitmask on the ALLOW ACE by
clearing any bits that are set in the DENY ACE.
The second observation is the trickiest: it may usually be safe to
assume that two distinct user names cannot match the same user. An
implementation with knowledge about group memberships or about the
current value of the file owner might also use that information, but
if it does so it will produce a translation that is no longer
accurate after owners or group memberships change.
Fortunately, observations 1, 3, and 4 are sufficient to sort any ACL
into canonical order, so a paranoid implementation can simply ignore
number 2 completely, while an implementation willing to sacrifice
some accuracy may choose to do something more complex.
Ensure that the resulting ACL posesses at least one each of OWNER@,
GROUP@, and EVERYONE@ ACEs, by inserting an ALLOW ACE with a zero
bitmask if necessary in the correct position.
Next, for each entity, calculate a bitmask for that entity as
follows: Starting with the first ACE for that entity (ignoring all
previous ACEs), perform the NFSv4 ACL-checking algorithm for a user
that is assumed to match the entity on every DENY ACE that a user
matching the given entity might match, but is assumed to match only
those entities on ALLOW ACEs that *any* user matching the current
entity must match.
Finally, construct the POSIX ACL by translating NFSv4 entity names to
uid's and gid's (and handling special entities in the obvious way),
then assign a POSIX bitmask determined by the NFSv4 bitmask
calculated in the previous step; the bitmask calculation should use
the inverse of the mapping described previously in the POSIX-to-NFSv4
mapping, erring on the side of denying bits if it cannot determine a
sensible mapping. However, if certain bits simply cannot be mapped
in a reasonable way to mode bits, the server may simply ignore them
rather than returning an error. (For example, the server should deny
write if either ACE4_WRITE_DATA or ACE4_APPEND_DATA are denied. But
it may choose to ignore ACE4_READ_ATTRIBUTES entirely.)
The resulting mapping errs on the side of creating a more restrictive
ACE. However it can be modified to produce a mapping that errs on
the side of permissiveness, for the purposes of translating a server-
provided NFSv4 ACL to a POSIX ACL to present to a user or
application, as follows:
1. When sorting ACEs, ALLOW ACEs can always be moved towards the
start of the ACL, but a DENY ACE can be moved towards the start
of the ACL only as long as we clear any of the DENY ACE's bitmask
bits that are set in the intervening ALLOW ACEs.
2. When calculating the NFSv4 bitmask for each entity, err on the
side of assuming that ALLOW ACEs apply and that DENY ACEs don't,
with the one exception that when calculating the GROUP@ and named
group bitmasks, ALLOW ACEs for groups other than the one under
consideration should be ignored.
3. When mapping the NFSv4 bitmask to POSIX mode bits, err on the
side of allowing access.
8. Security Considerations
Any automatic mapping from one ACL model to another must provide Any automatic mapping from one ACL model to another must provide
guarantees as to how the mapping affects the meaning of ACLs, or risk guarantees as to how the mapping affects the meaning of ACLs, or risk
misleading users about the permissions set on filesystem objects. misleading users about the permissions set on filesystem objects.
For this reason, caution is recommended when implementing this map- For this reason, caution is recommended when implementing this
ping. It is better to return errors than to break any such guaran- mapping. It is better to return errors than to break any such
tees. guarantees.
Note also that this ACL mapping requires mapping between NFSv4 user- That said, there may be cases where small losses in accuracy can
names and local id's. When the mapping of id's depends on remote avoid dramatic interoperability and usability problems; as long as
the losses in accuracy are clearly documented, these tradeoffs may be
found acceptable.
For example, a server unable to support all of the NFSv4 mode bits
does not have a way to communicate its exact limitations to clients,
so clients (and users) may be unable to recover from such errors.
For this reason we recommend ignoring bitmask bits that the server is
completely unable to map to mode bits, and advertising this fact
loudly in the server documentation. If this is considered
insufficient, we should add to the NFSv4 protocol additional
attributes necessary to advertise the server's limitations.
Note also that this ACL mapping requires mapping between NFSv4
usernames and local id's. When the mapping of id's depends on remote
services, the method used for the mapping must be at least as secure services, the method used for the mapping must be at least as secure
as the method used to set or get ACLs. as the method used to set or get ACLs.
Mapping NFSv4 ACLs February 2005 9. References
7. Bibliography
[rfc3530] [1] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R., Beame,
Shepler, S. et. al., "NFS version 4 Protocol", April 2003. C., Eisler, M., and D. Noveck, "Network File System (NFS)
version 4 Protocol", RFC 3530, April 2003.
http://www.ietf.org/rfc/rfc3530.txt [2] Institute of Electrical and Electronics Engineers, Inc., "IEEE
Draft P1003.1e", October 1997,
<http://wt.xpilot.org/publications/posix.1e/download.html>.
[posixacl] Authors' Addresses
IEEE, "IEEE Draft P1003.1e", October 1997 (last draft).
http://wt.xpilot.org/publications/posix.1e/download.html Marius Aamodt Eriksen
U. of Michigan Center for Information Technology Integration
Mapping NFSv4 ACLs February 2005 Email: marius@citi.umich.edu
8. Author's Address J. Bruce Fields
U. of Michigan Center for Information Technology Integration
Address comments related to this memorandum to: Email: marius@citi.umich.edu
marius@umich.edu bfields@umich.edu Intellectual Property Statement
Marius Aamodt Eriksen The IETF takes no position regarding the validity or scope of any
J. Bruce Fields Intellectual Property Rights or other rights that might be claimed to
University of Michigan / CITI pertain to the implementation or use of the technology described in
535 West William this document or the extent to which any license under such rights
Ann Arbor, Michigan might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
E-mail: marius@umich.edu Copies of IPR disclosures made to the IETF Secretariat and any
E-mail: bfields@umich.edu assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
9. Copyright The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Copyright (C) The Internet Society (2004). This document is subject Disclaimer of Validity
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFOR- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
MATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
 End of changes. 76 change blocks. 
254 lines changed or deleted 371 lines changed or added

This html diff was produced by rfcdiff 1.31. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/