Date: Sun, 28 Nov 1999 07:43:50 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Assar Westerlund <assar@sics.se>
Cc: "Ilmar S. Habibulin" <ilmar@ints.ru>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@freebsd.org
Subject: Re: ACLs 0.1 for FreeBSD 3.3-RELEASE
Message-ID: <Pine.BSF.3.96.991128073147.6450A-100000@fledge.watson.org>
In-Reply-To: <5laenzf8te.fsf@assail.s3.kth.se>
(Assar -- hope you don't mind--I added back in the CC list)

On 28 Nov 1999, Assar Westerlund wrote:

> Robert Watson <robert@cyrus.watson.org> writes:
> > Due to interest on freebsd-security and a number of personal emails to me,
> > I've decided I'd go ahead and put online my current work on ACLs for
> > FreeBSD. It is available for download at
> >
> > http://www.watson.org/fbsd-hardening/posix1e/acl/
>
> So I ported it to -current (and fixed some nits at the same time).
> But now that machine doesn't seem to come back up and I don't have
> physical access to it. :-( But I should be able to send you the
> code hopefully later today or tomorrow. Next step is adding support
> for vop_{get,set}acl to arla :-)

Sounds great :-). We should actually talk about the details of this however -- I defined the generic read/write/execute bits which are discussed in POSIX.1e, but they actually don't preclude the possibility of other rights being associated with files or directories. So we could introduce some of the AFS/Coda directory permissions and only allow them to be used with file systems that supported them. Similarly, there are a few semantic details to work out with directory vs. file ACLs -- POSIX.1e defines two ACLs for directories (access ACL, default ACL for new children) and one ACL per file (access ACL). Presumably all we care about is the directory access ACL in the context of Coda and Arla, and the rest can be emulated for vop_getacl, and probably EOPNOTSUPP'd for setacl. I guess the real issue is to figure how to expose the AFS/Coda rights vs. POSIX.1e rights.

> I assume you intended on acl_syscall_delete_def_file and
> acl_syscall_delete_def_fd also being syscalls? I did add them to
> syscalls.master.

Yes -- this was a change I was making over the DARPA ActiveNets workshop and lost track of, as I didn't have a crash machine with me.

I guess the best thing to do would be to get your version committed to -CURRENT, and then I can resync on -CURRENT as my development tree and continue work from there? I feel two directions of pull here--the first is to produce as near-POSIX.1e implementation as possible to maximize the chances of portability and consistency across platforms; the other is to maximize what I think of as the most desirable functionality, which approximates what Coda and AFS use (directory-only permissions, and a bit more specific than read/write/execute). For the implementation, I went with almost-exactly-POSIX, and feel we should probably do that for local file systems, but that the issue of introducing Coda/AFS permission sets into the interface, as they are permitted by the draft, is an interesting one and should be looked at in detail.

If you don't have a copy of the spec, we should get a copy to you. I believe Winni put a copy online and posted to bugtraq a while back, and that it is off of his POSIX.1e page? We have permission from IEEE to redistribute it as long as new downloaders agree not to redistribute it themselves, the normal "don't blame IEEE if it breaks your life", etc, etc.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
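A small model of the POSIX.1e semantics the message refers to (the access ACL evaluated under the draft's ordering, and a directory's default ACL seeding a new child's access ACL), written as an added example for readers of the archive; it is not code from Robert Watson's ACL patch, from arla, or from the FreeBSD tree, and the tag and right names are hypothetical:

```python
# Added illustration of POSIX.1e ACL evaluation and default-ACL inheritance.
# Entry tags follow the draft's entry types; values and names are constructed.
R, W, X = 4, 2, 1

def check_access(acl, uid, gids, owner_uid, owner_gid, want):
    """True if a process (uid, gids) holds all bits in `want` on the object.
    Order: owner, named users (masked), owning/named groups (masked), other."""
    ents = {t: [] for t in ("USER_OBJ", "USER", "GROUP_OBJ", "GROUP", "MASK", "OTHER")}
    for tag, qual, perms in acl:
        ents[tag].append((qual, perms))
    mask = ents["MASK"][0][1] if ents["MASK"] else R | W | X
    if uid == owner_uid:                      # owner entry is never masked
        return ents["USER_OBJ"][0][1] & want == want
    for qual, perms in ents["USER"]:          # named user entries
        if qual == uid:
            return (perms & mask) & want == want
    matched = False                           # any matching group entry grants
    if owner_gid in gids:
        matched = True
        if (ents["GROUP_OBJ"][0][1] & mask) & want == want:
            return True
    for qual, perms in ents["GROUP"]:
        if qual in gids:
            matched = True
            if (perms & mask) & want == want:
                return True
    if matched:
        return False                          # group matched: no fallthrough to OTHER
    return ents["OTHER"][0][1] & want == want

def inherit_access_acl(default_acl, mode):
    """New child's access ACL from the parent's default ACL and the create mode:
    USER_OBJ, OTHER and MASK (or GROUP_OBJ when no MASK) are intersected with
    the matching mode bits; named USER/GROUP entries pass through unchanged."""
    has_mask = any(t == "MASK" for t, _, _ in default_acl)
    out = []
    for tag, qual, perms in default_acl:
        if tag == "USER_OBJ":
            perms &= (mode >> 6) & 7
        elif tag == "OTHER":
            perms &= mode & 7
        elif tag == "MASK" or (tag == "GROUP_OBJ" and not has_mask):
            perms &= (mode >> 3) & 7
        out.append((tag, qual, perms))
    return out
```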