From: Andreas Gruenbacher <agruen@suse.de>
To: Lisa Week <Lisa.Week@sun.com>
Cc: Sam Falkner <Sam.Falkner@sun.com>,
nfs@lists.sourceforge.net,
Spencer Shepler <spencer.shepler@sun.com>,
Brian Pawlowski <beepy@netapp.com>,
nfsv4@ietf.org
Subject: Re: Re: NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready
Date: Thu, 27 Jul 2006 04:57:39 +0200 [thread overview]
Message-ID: <200607270457.39532.agruen@suse.de> (raw)
In-Reply-To: <200607270259.04405.agruen@suse.de>
Lisa,
On Thursday, 27. July 2006 02:59, Andreas Gruenbacher wrote:
> Let's assume that ACE4_WRITE_OWNER was indeed outside of the access control
> mechanisms defined by POSIX as a counter example. A POSIX application does
> a chmod to mode 0600 (rw-------) in order to restrict access to the file
> owner. After that, the application can perfectly well write information
> that is confidential to the owner into the file -- after all, only the
> owner will have access, right?
>
> Well, not quite, because an ACL might still grant ACE4_WRITE_OWNER to some
> other user on the system. That other user could simply take over ownership
> of the file, and do whatever he wants with it. Here we have it, a perfect
> security hole; all POSIX applications potentially broken!
>
> Therefore, there cannot be any file access control mechanisms which are
> neither defined by POSIX, nor additional or alternate.
I forgot to mention that an analogous case can be made for additional file
access control mechanisms as well: POSIX applications cannot know which
additional file access control mechanisms a particular implementation may
support; they are free to rely on invariants under POSIX, such as a chmod
from one mode to another, which should be a no-op. Additional file access
control mechanisms must make sure that POSIX invariants will not change the
permissions granted.
This contradicts with having a chmod write through to OWNER@, GROUP@, and
EVERYONE@ ACEs: consider the same ACE we had before with a file mode of 0740
(rwxr-----):
OWNER@:READ_DATA/APPEND_DATA/EXECUTE::ALLOW
If a chmod to 0640 and back to 0740 writes through to the OWNER@ ACE, the
entry will change to:
OWNER@:READ_DATA/WRITE_DATA/APPEND_DATA/EXECUTE::ALLOW
So a POSIX application has added mask flags in a supposed invariant. That's
also a security hole, but not one as severe as the first because the only
mask flag affected is APPEND_DATA (I believe).
I have pointed this out before in Section 4.7. "Mode Changes and the OWNER@,
GROUP@, and EVERYONE@ ACEs".
Andreas
--
Andreas Gruenbacher <agruen@suse.de>
Novell / SUSE Labs
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
next prev parent reply other threads:[~2006-07-27 2:57 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-03 21:10 NFSv4 ACL and POSIX interaction / mask Andreas Gruenbacher
2006-07-07 11:55 ` NFSv4 ACL and POSIX interaction / mask, draft-ietf-nfsv4-acls-00 not ready Andreas Gruenbacher
2006-07-08 3:45 ` Sam Falkner
2006-07-08 6:51 ` [nfsv4] " Lisa Week
2006-07-10 21:09 ` Andreas Gruenbacher
2006-07-08 14:32 ` Sam Falkner
2006-07-09 16:22 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 13:29 ` Sam Falkner
2006-07-10 14:15 ` [nfsv4] " J. Bruce Fields
2006-07-10 15:32 ` Sam Falkner
2006-07-10 18:57 ` [NFS] " J. Bruce Fields
2006-07-10 22:26 ` [nfsv4] " Sam Falkner
2006-07-10 22:39 ` J. Bruce Fields
2006-07-10 22:43 ` J. Bruce Fields
2006-07-11 0:44 ` Andreas Gruenbacher
2006-07-11 0:15 ` Andreas Gruenbacher
2006-07-11 5:42 ` [nfsv4] " Sam Falkner
2006-07-11 8:05 ` Andreas Gruenbacher
2006-07-11 12:29 ` [nfsv4] " Sam Falkner
2006-07-11 13:46 ` J. Bruce Fields
2006-07-15 13:56 ` [nfsv4] " Sam Falkner
2006-07-11 0:01 ` Andreas Gruenbacher
2006-07-11 0:28 ` [nfsv4] " J. Bruce Fields
2006-07-11 0:48 ` Andreas Gruenbacher
2006-07-10 22:50 ` Andreas Gruenbacher
2006-07-11 6:17 ` [nfsv4] " Sam Falkner
2006-07-11 8:45 ` Andreas Gruenbacher
2006-07-11 12:44 ` [nfsv4] " Sam Falkner
2006-07-11 6:50 ` Lisa Week
2006-07-11 8:55 ` Andreas Gruenbacher
2006-07-27 0:59 ` Andreas Gruenbacher
2006-07-27 2:57 ` Andreas Gruenbacher [this message]
2006-07-28 6:32 ` Lisa Week
2006-08-01 10:36 ` [nfsv4] " Andreas Gruenbacher
2006-07-14 17:59 ` [NFS] " J. Bruce Fields
2006-07-14 18:22 ` J. Bruce Fields
2006-07-14 19:02 ` Andreas Gruenbacher
2006-07-14 19:13 ` J. Bruce Fields
-- strict thread matches above, loose matches on Subject: below --
2006-07-08 15:04 Noveck, Dave
2006-07-10 8:07 ` [nfsv4] " Andreas Gruenbacher
2006-07-10 14:24 ` J. Bruce Fields
2006-07-10 15:25 ` Spencer Shepler
2006-07-10 23:48 ` Andreas Gruenbacher
2006-07-11 0:09 ` J. Bruce Fields
2006-07-19 1:48 Noveck, Dave
2006-07-20 22:57 ` Sam Falkner
2006-07-21 15:10 Noveck, Dave
2006-07-21 18:10 ` J. Bruce Fields
2006-07-23 15:47 ` Sam Falkner
2006-07-25 0:32 ` [nfsv4] " a.gruenbacher
2006-07-25 4:26 ` Sam Falkner
2006-07-25 20:15 ` Andreas Gruenbacher
2006-07-26 4:59 ` Sam Falkner
2006-07-21 17:16 Yoder, Alan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200607270457.39532.agruen@suse.de \
--to=agruen@suse.de \
--cc=Lisa.Week@sun.com \
--cc=Sam.Falkner@sun.com \
--cc=beepy@netapp.com \
--cc=nfs@lists.sourceforge.net \
--cc=nfsv4@ietf.org \
--cc=spencer.shepler@sun.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox