Friday, June 22, 2012

NFSv4 ACL summary

Solaris extends UNIX file system permissions through more granular NFSv4-like ACLs. 
The standard UNIX file system permissions are now simply called trivial-ACLs.
For plenty of information on ACLs, refer to acl(5).
 
Each ACL has many ordered allowing and/or denying ACEs combining the following permission and inheritance flags associated to a certain account.

The following is a list of just the permission flags:
(theoretically the most difficult part of an ACL)

 flag   file                    directory (not its contents) 

  r     read_data               list_directory  (ls) 
  w     write_data              add_file        (+modify, +delete) 
  x     execute                 execute         (=search, =enter)     

  p     append_data             add_subdirectory
  D                             delete_child

  d     delete                  delete

  a     read_attributes  (ls -l) 
  A     write_attributes

  R     read_xattr 
  W     write_xattr

  c     read_acl
  C     write_acl

  o     write_owner

  s     synchronize (not supported)


At least in Solaris, the compact form of an ACE comprises 4 parts delimited by colons and which are displayed with the -V option of ls(1). As a minimal example, the following ACL has just a single ACE:

prime@box-01:/export/project# ll -V Europe/Memo-01.txt
-rwx------+  1 prime  staff ... Europe/Memo-01.txt
             user:prime:rwxpdDaARWcCos:-------:allow


Briefly, these 4 parts are:
  1. The account (sometimes called principal or identity).
    It can be one of the following:
     
    • owner@          - for the Current Owner (prime)
    • group@          - for the Current Group (staff)
    • everyone@       - for the rest of the world
    • user:<account>  - for any other user account
    • group:<account> - for any other group account
     
  2. The permission flags already described.
     
  3. The inheritance flags:
    (it's advisable not to mix f and d on a single ACE)
    (only the last 2 seem more reasonable applicable to files)
     
       f-i----  
    - Only applies to new files
       f--n---
     
    - Also inherit just one level down to new files
       -d-----
      - Also inherit to new subdirectories
       -di----
      - Only applies to new subdirectories
       -d-n---
      - Also inherit just one level down to new subdirectories
       ------- 
    - No inheritance; all permissions are local only
       ------I
     
    - The permissions have been inherited
     
  4. The type of the ACE.
    Solaris 11.3 supports just 2 types: allow or deny.
    The deny type supports reasoning in terms of complements.
    (for instance: No Access could be thought as deny Full Control)
NOTE
The n flag in the inheritance flags (part 3 above) is a kind of general idiom when some sort of inheritance or hierarchy is involved. It's sort of a practical way of referring to the immediate (first generation) children of a parent.
As seen above, more options were added to the ls (the v|V options) and chmod (the A option) commands in order to allow managing these extended permissions. In addition, zfs(1M) properties (such as aclmode / aclinherit) affects the overall behavior as well.
  
To help start understanding the big picture of these complex extended permissions, it can be useful take a look at how are they generally gathered together in permissions sets as well as a few examples.

As extension to the topic in may be interesting to find out about mapping NFSv4 permissions to Windows environments or more generally to any platform that talks the SMB/CIFS protocol where permissions have to be dealt with.