Linux Kernel – Advanced Filesystem ACLs Beyond Traditional RWX and POSIX ACL

acllinux-kernel

Are there any simple and integrated (i.e. embedded into filesystem) ACL patches for Linux kernel exist at all?

The problem is simple: I need something more flexible and advanced beyond classic 'rwx' chmod on Linux.

My requirements are:

Having more fragmented restrictions:
- At least permit user to delete, but not to create
- Reverse: permit create and append, but not delete
- Hide files from anyone except superuser and owner/group
- It is better to fragment those into separate permission flags
Separated permissions for files and directories
More advanced control over appending to files/directories
Large number of permission entries going beyond standard user:group model (like POSIX ACL does)
Being integrated into filesystem (perhaps via xattrs)
Not requiring sophisticated and bloated programs and security frameworks (I already walked through grsecurity and I dislike it)
Unified tools to manage them from userspace

The reason for that is a number of advanced file servers I usually build become very limited or insecure because there is only so limited POSIX ACL exist which only extends a number of 'rwx' entries on inode.

Things that are not apply here:

Any Linux kernel LSM (SELinux etc.)
chattr/lsattr
grsecurity

And as last resort, if there are no any packages/kernel patches providing such functionality, then I will be forced to start hacking my own.

Best Answer

There is nothing that is called POSIX ACLs. What some people call POSIX ACLs is a draft proposal from 1993 that was withdrawn in 1997.

There is however a ACL standard: NFSv4 ACLs also known as NTFS ACLs.

NFSv4 ACLs are now supported by Solaris, Mac OS X, FreeBSD and AIX and even Linux started to implement them recently. On Linux they are called "richacls".

NFSv4 ACLs are supported natively on ZFS and on the filesystems from OS X and AIX.

See http://schillix.sourceforge.net/man/man1/chmod.1.html for a desription.

The new ACL standard is not really simple, but it implements what you like to see.

The NFSv4 ACL implementation on Linux was done by the same person who did the implementation for the withdrawn draft. Unfortunately on Linux, there is usually no ACL code installed by default. Also note that while Solaris supports up to 1024 ACL entries, the limit for Linux is much smaller. NTFS ACLs on Win-DOS support a maximum of 1820 entries.

You might be interested that last year, there was no working library support for SuSE Linux and as a result, I could not yet add Linux NFSv4 ACL support to star while this exists for Solaris, OS X and FreeBSD.

Note that there is only broken ACL support in gtar, so if you like to play with ACLs, you would need to use staranyway.

P.S. If someone finds a Linux system with working NFSv4 acls, send me a note. I am interested to add Linux NFSv4 support to star even though they seem to use an incompatible library interface.

Your example

Now let's take a look at your example and break it down.

group (sales)
members of sales group (bob, joe)

Now let's break down the permissions on file /home/foo/docs/foo.txt. ACLs also encapsulate the same permissions that most people should be familiar with on Unix, mainly the User, Group, and Other bits. So let's pull those out first.

user:: r--
group::r--
other::---

These would typically look like this in an ls -l:

$ ls -l /home/foo/docs/foo.txt
-r--r----- 1 jane executives 24041 Sep 17 15:09 /home/foo/docs/foo.txt

You can see who owns the file and what the group is with these ACL lines:

# owner: jane
# group: executives

So now we get into the nitty gritty of ACLs:

user:bob:rw-
user:joe:rwx
group:sales:rwx

This is showing that user bob has rw, while user joe has rwx. There is also a group which also has rwx similar to joe. These permissions are as if the user column in our ls -l output had 3 owners (jane, bob, and joe) as well as 2 groups (executives & sales). There is no distinction other than they are ACLs.

Lastly the mask line:

mask::rwx

In this case we're not masking anything, it's wide open. So if users bob and joe have these lines:

user:bob:rw-
user:joe:rwx

Then those are their effective permissions. If the mask were like this:

mask::r-x

Then their effective permissions would be like this:

user:bob:rw-    # effective:r--
user:joe:rwx    # effective:r-x

This is a powerful mechanism for curtailing permissions that are granted in a wholesale way.

NOTE: The file owner and others permissions are not affected by the effective rights mask; all other entries are! So with respect to the mask, the ACL permissions are second class citizens when compared to the traditional Unix permissions.

Best Answer

Related Solutions

Linux ACL – How ACL Permissions Are Processed and Applied

Your example

References

Related Question