From: Andreas Gruenbacher <agruen@suse.de>
To: Lisa Week <Lisa.Week@sun.com>
Cc: Sam Falkner <Sam.Falkner@sun.com>,
nfs@lists.sourceforge.net,
Spencer Shepler <spencer.shepler@sun.com>,
Brian Pawlowski <beepy@netapp.com>,
nfsv4@ietf.org
Subject: Re: Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Date: Thu, 27 Jul 2006 04:57:39 +0200 [thread overview]
Message-ID: <200607270457.39532.agruen@suse.de> (raw)
In-Reply-To: <200607270259.04405.agruen@suse.de>
Lisa,
On Thursday, 27. July 2006 02:59, Andreas Gruenbacher wrote:
> Let's assume that ACE4_WRITE_OWNER was indeed outside of the access control
> mechanisms defined by POSIX as a counter example. A POSIX application does
> a chmod to mode 0600 (rw-------) in order to restrict access to the file
> owner. After that, the application can perfectly well write information
> that is confidential to the owner into the file -- after all, only the
> owner will have access, right?
>
> Well, not quite, because an ACL might still grant ACE4_WRITE_OWNER to some
> other user on the system. That other user could simply take over ownership
> of the file, and do whatever he wants with it. Here we have it, a perfect
> security hole; all POSIX applications potentially broken!
>
> Therefore, there cannot be any file access control mechanisms which are
> neither defined by POSIX, nor additional or alternate.
I forgot to mention that an analogous case can be made for additional file
access control mechanisms as well: POSIX applications cannot know which
additional file access control mechanisms a particular implementation may
support; they are free to rely on invariants under POSIX, such as a chmod
from one mode to another, which should be a no-op. Additional file access
control mechanisms must make sure that POSIX invariants will not change the
permissions granted.
This contradicts with having a chmod write through to OWNER@, GROUP@, and
EVERYONE@ ACEs: consider the same ACE we had before with a file mode of 0740
(rwxr-----):
OWNER@:READ_DATA/APPEND_DATA/EXECUTE::ALLOW
If a chmod to 0640 and back to 0740 writes through to the OWNER@ ACE, the
entry will change to:
OWNER@:READ_DATA/WRITE_DATA/APPEND_DATA/EXECUTE::ALLOW
So a POSIX application has added mask flags in a supposed invariant. That's
also a security hole, but not one as severe as the first because the only
mask flag affected is APPEND_DATA (I believe).
I have pointed this out before in Section 4.7. "Mode Changes and the OWNER@,
GROUP@, and EVERYONE@ ACEs".
Andreas
--
Andreas Gruenbacher <agruen@suse.de>
Novell / SUSE Labs
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
next prev parent reply other threads:[~2006-07-27 2:57 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-03 21:10 NFSv4 ACL and POSIX interaction / mask Andreas Gruenbacher
2006-07-07 11:55 ` NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready Andreas Gruenbacher
2006-07-08 3:45 ` Sam Falkner
2006-07-08 6:51 ` [nfsv4] " Lisa Week
2006-07-10 21:09 ` Andreas Gruenbacher
2006-07-08 14:32 ` Sam Falkner
2006-07-09 16:22 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 13:29 ` Sam Falkner
2006-07-10 14:15 ` [nfsv4] " J. Bruce Fields
2006-07-10 15:32 ` Sam Falkner
2006-07-10 18:57 ` [NFS] " J. Bruce Fields
2006-07-10 22:26 ` [nfsv4] " Sam Falkner
2006-07-10 22:39 ` J. Bruce Fields
2006-07-10 22:43 ` J. Bruce Fields
2006-07-11 0:44 ` Andreas Gruenbacher
2006-07-11 0:15 ` Andreas Gruenbacher
2006-07-11 5:42 ` [nfsv4] " Sam Falkner
2006-07-11 8:05 ` Andreas Gruenbacher
2006-07-11 12:29 ` [nfsv4] " Sam Falkner
2006-07-11 13:46 ` J. Bruce Fields
2006-07-15 13:56 ` [nfsv4] " Sam Falkner
2006-07-11 0:01 ` Andreas Gruenbacher
2006-07-11 0:28 ` [nfsv4] " J. Bruce Fields
2006-07-11 0:48 ` Andreas Gruenbacher
2006-07-10 22:50 ` Andreas Gruenbacher
2006-07-11 6:17 ` [nfsv4] " Sam Falkner
2006-07-11 8:45 ` Andreas Gruenbacher
2006-07-11 12:44 ` [nfsv4] " Sam Falkner
2006-07-11 6:50 ` Lisa Week
2006-07-11 8:55 ` Andreas Gruenbacher
2006-07-27 0:59 ` Andreas Gruenbacher
2006-07-27 2:57 ` Andreas Gruenbacher [this message]
2006-07-28 6:32 ` Lisa Week
2006-08-01 10:36 ` [nfsv4] " Andreas Gruenbacher
2006-07-14 17:59 ` [NFS] " J. Bruce Fields
2006-07-14 18:22 ` J. Bruce Fields
2006-07-14 19:02 ` Andreas Gruenbacher
2006-07-14 19:13 ` J. Bruce Fields
-- strict thread matches above, loose matches on Subject: below --
2006-07-08 15:04 Noveck, Dave
2006-07-10 8:07 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 14:24 ` J. Bruce Fields
2006-07-10 15:25 ` Spencer Shepler
2006-07-10 23:48 ` Andreas Gruenbacher
2006-07-11 0:09 ` J. Bruce Fields
2006-07-19 1:48 Noveck, Dave
2006-07-20 22:57 ` Sam Falkner
2006-07-21 15:10 Noveck, Dave
2006-07-21 18:10 ` J. Bruce Fields
2006-07-23 15:47 ` Sam Falkner
2006-07-25 0:32 ` [nfsv4] " a.gruenbacher
2006-07-25 4:26 ` Sam Falkner
2006-07-25 20:15 ` Andreas Gruenbacher
2006-07-26 4:59 ` Sam Falkner
2006-07-21 17:16 Yoder, Alan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200607270457.39532.agruen@suse.de \
--to=agruen@suse.de \
--cc=Lisa.Week@sun.com \
--cc=Sam.Falkner@sun.com \
--cc=beepy@netapp.com \
--cc=nfs@lists.sourceforge.net \
--cc=nfsv4@ietf.org \
--cc=spencer.shepler@sun.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.