| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Sep 2011 19:53:39 -0400 From: "J. Bruce Fields" <bfields@...ldses.org> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Valdis.Kletnieks@...edu, "Aneesh Kumar K.V" <aneesh.kumar@...ux.vnet.ibm.com>, agruen@...nel.org, akpm@...ux-foundation.org, dhowells@...hat.com, linux-fsdevel@...r.kernel.org, linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org, LSM <linux-security-module@...r.kernel.org> Subject: Re: [PATCH -V6 00/26] New ACL format for better NFSv4 acl interoperability On Mon, Sep 12, 2011 at 04:23:24PM -0700, Casey Schaufler wrote: > On 9/12/2011 3:43 PM, J. Bruce Fields wrote: > > On Mon, Sep 12, 2011 at 03:38:24PM -0700, Casey Schaufler wrote: > >> On 9/12/2011 3:20 PM, J. Bruce Fields wrote: > >>> On Mon, Sep 12, 2011 at 02:34:04PM -0700, Casey Schaufler wrote: > >>>> On 9/7/2011 5:46 PM, Valdis.Kletnieks@...edu wrote: > >>>>> On Mon, 05 Sep 2011 15:42:17 PDT, Casey Schaufler said: > >>>>>> On 9/5/2011 10:25 AM, Aneesh Kumar K.V wrote: > >>>>>>> The following set of patches implements VFS and ext4 changes needed to implement > >>>>>>> a new acl model for linux. Rich ACLs are an implementation of NFSv4 ACLs, > >>>>>>> extended by file( masks to fit into the standard POSIX file permission model. > >>>>>>> They are designed to work seamlessly locally as well as across the NFSv4 and > >>>>>>> CIFS/SMB2 network file system protocols. > >>>>>> POSIX ACLs predate the LSM and can't be done as an LSM due to > >>>>>> the interactions between mode bits and ACLs as defined by the > >>>>>> POSIX DRAFT specification. > >>> I don't know LSM so don't understand what you mean when you say that > >>> interactions between mode bits and ACLs would make an ACL model hard to > >>> implement as an LSM. > >> POSIX ACLs require that the file permission bits change when > >> the ACL changes. This interaction violates the strict "additional > >> restriction" model of the LSM. > > Oh, OK. Yes, rich ACLs are the same as POSIX ACLs in this respect. > > When you set an ACL the mode bits are reset to represent an "upper > > bound" on the permissions granted by the ACL. > > One of the areas in which the POSIX group was careful almost beyond > reason was the program that uses chmod() judiciously in the absence > of ACLs and how the presence of ACLs might result in a less secure > situation. Thus, a program that does > stat(..., &buf); > chmod(..., 0); > chmod(..., buf.st_mode) > > should get the exact same access at the end as it had at the beginning > and the file must be completely inaccessible after the chmod(..., 0) > regardless of the content of the ACL. Without this requirement the ACL > scheme would have worked fine as an LSM. If rich ACLs can't make these > claims, they aren't safe. Yes, see the patches--rich ACLs have the same property, using a similar mechanism. (They're essentially windows/NFSv4 ACLs + mask bits.) --b. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists