idnits 2.17.1 

draft-bfields-nfsv4-umask-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 03, 2016) is 3005 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'LEGAL' is defined on line 163, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4506' is defined on line 175, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5661' is defined on line 178, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5662' is defined on line 182, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 5661 (Obsoleted by RFC 8881)


     Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	NFSv4                                                          J. Fields
3	Internet-Draft                                            A. Gruenbacher
4	Intended status: Informational                                   Red Hat
5	Expires: August 06, 2016                               February 03, 2016

7	         Allowing inheritable NFSv4 ACLs to override the umask
8	                    draft-bfields-nfsv4-umask-00.txt

10	Abstract

12	   In some environments, inheritable NFSv4 ACLs can be rendered
13	   ineffective by the application of the per-process umask.  This is
14	   easily worked around by transmitting the umask and create mode
15	   separately to allow servers to make more intelligent decisions about
16	   the new mode on a file.

18	Status of This Memo

20	   This Internet-Draft is submitted in full conformance with the
21	   provisions of BCP 78 and BCP 79.

23	   Internet-Drafts are working documents of the Internet Engineering
24	   Task Force (IETF).  Note that other groups may also distribute
25	   working documents as Internet-Drafts.  The list of current Internet-
26	   Drafts is at http://datatracker.ietf.org/drafts/current/.

28	   Internet-Drafts are draft documents valid for a maximum of six months
29	   and may be updated, replaced, or obsoleted by other documents at any
30	   time.  It is inappropriate to use Internet-Drafts as reference
31	   material or to cite them other than as "work in progress."

33	   This Internet-Draft will expire on August 06, 2016.

35	Copyright Notice

37	   Copyright (c) 2016 IETF Trust and the persons identified as the
38	   document authors.  All rights reserved.

40	   This document is subject to BCP 78 and the IETF Trust's Legal
41	   Provisions Relating to IETF Documents
42	   (http://trustee.ietf.org/license-info) in effect on the date of
43	   publication of this document.  Please review these documents
44	   carefully, as they describe your rights and restrictions with respect
45	   to this document.  Code Components extracted from this document must
46	   include Simplified BSD License text as described in Section 4.e of
47	   the Trust Legal Provisions and are provided without warranty as
48	   described in the Simplified BSD License.

50	Table of Contents

52	   1.  Conventions Used in This Document . . . . . . . . . . . . . .   2
53	   2.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   2
54	   3.  umask Attribute . . . . . . . . . . . . . . . . . . . . . . .   3
55	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
56	   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
57	   Appendix A.  RFC Editor Notes . . . . . . . . . . . . . . . . . .   5
58	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

60	1.  Conventions Used in This Document

62	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
63	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
64	   document are to be interpreted as described in [RFC2119].

66	2.  Problem Statement

68	   On Unix-like systems, each process is associated with a file mode
69	   creation mask (umask).  In the absence of inheritable permissions,
70	   the umask specifies which permissions must be turned off when
71	   creating new file system objects.  With "POSIX" Access Control Lists
72	   [POSIX-1003.1e], in the presence of inheritable permissions, the
73	   umask must be ignored.  Other Access Control List implementations on
74	   Unix-like systems may ignore the umask in a similar way.

76	   The NFSv4 protocol currently does not include the umask concept;
77	   applying the umask is left to clients.  Unfortunately, clients have
78	   no way of atomically checking for inheritable permissions and
79	   applying the umask only when necessary.  Instead, they err on the
80	   safe side and always apply the umask.  Thus the mode the server
81	   receives in an OPEN already has the umask applied.

83	   When applying the mode, section 6.4.1.1 of [RFC7530] recommends
84	   servers "SHOULD" restrict permissions granted to any user or group
85	   named in the ACL to be no more than the permissions granted by the
86	   MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP bits.  Servers aiming to
87	   provide clients with Unix-like chmod behavior may also be motivated
88	   by the same requirements in [SUSv4].  (See the discussion of
89	   additional and alternate access control mechanisms in section "4.4
90	   File Permissions".)

92	   On may existing installations, all ordinary users by default use the
93	   same effective group ID.  To prevent granting all users full access
94	   to each other's files, such installations usually default to a umask
95	   with very restrictive permissions.  Thus the named users and groups
96	   in an inherited ACL end up being mostly ignored.

98	   This leads to file permissions which are more restrictive than they
99	   should be in common cases; permission inheritance over NFSv4 is
100	   broken.

102	   To address this problem, a new umask attribute is proposed which
103	   allows the server to apply the umask only when there are no
104	   inheritable permissions.

106	3.  umask Attribute

108	               +-------+----+-----------+-----+------------+
109	               | Name  | Id | Data Type | Acc | Defined in |
110	               +-------+----+-----------+-----+------------+
111	               | umask | 81 | mode4     | W   | Section 3  |
112	               +-------+----+-----------+-----+------------+

114	                                  Table 1

116	   The NFSv4.2 umask attribute is based on the UNIX file mode creation
117	   mask.  Only the nine low-order mode4 permission bits are defined.  A
118	   server MUST return NFS4ERR_INVAL if bits other than those nine are
119	   set.

121	   The umask attribute is only meaningful for operations that create
122	   objects (CREATE and OPEN); the server SHOULD reject it for other
123	   operations that take fattr4 arguments.

125	   The umask may only be set when the mode is also set.  If the server
126	   receives a CREATE or OPEN with a fattr4 argument including the umask
127	   attribute but not (in that same fattr4 argument) the mode attribute,
128	   the server MUST fail the operation with NFS4ERR_INVAL.

130	   When both the server and client support the umask attribute, a client
131	   that creates a file SHOULD NOT apply the umask to the mode attribute
132	   set at creation time.  Instead, it should set the mode attribute to
133	   the unmodified mode provided by the user, and the umask attribute to
134	   the umask of the requesting process.

136	   The server then uses the umask as follows:

138	   o  On a server that supports ACL attributes, if an object inherits
139	      any ACEs from its parent directory, the umask SHOULD be ignored.

141	   o  Otherwise, the umask MUST be used to limit the mode: all bits in
142	      the mode MUST be turned off which are set in the umask; the mode
143	      to use for creating the object becomes (mode & ~umask) instead.

145	4.  Security Considerations

147	   The proposed attribute allows to shift the decision when to apply the
148	   umask to the server.  Becuse the server MUST apply the umask if there
149	   are no inheritable permissions, the traditional semantics are
150	   preserved in the absence of a permission inheritance mechanism.  The
151	   proposal specifies that servers SHOULD ignore the umask if there are
152	   inheritable permissions, allowing servers to ignore this
153	   recommendation in cases when that should be preferable.

155	   The practice of ignoring the umask when there are inheritable
156	   permissions in the form of a "POSIX" default ACL is common practice;
157	   there are no known security concerns.  The "POSIX" default ACL
158	   mechanism and the mechanism of inheriting permissions in NFSv4 is
159	   equivalent for this purpose.

161	5.  Normative References

163	   [LEGAL]    IETF Trust, "Legal Provisions Relating to IETF Documents",
164	              November 2008, <http://trustee.ietf.org/docs/IETF-Trust-
165	              License-Policy.pdf>.

167	   [POSIX-1003.1e]
168	              Portable Applications Standards Committee of the IEEE
169	              Compute Society, "POSIX 1003.1e Withdrawn Draft 17",
170	              October 1997.

172	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
173	              Requirement Levels", March 1997.

175	   [RFC4506]  Eisler, M., "XDR: External Data Representation Standard",
176	              STD 67, RFC 4506, May 2006.

178	   [RFC5661]  Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
179	              "Network File System (NFS) Version 4 Minor Version 1
180	              Protocol", RFC 5661, January 2010.

182	   [RFC5662]  Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
183	              "Network File System (NFS) Version 4 Minor Version 1
184	              External Data Representation Standard (XDR) Description",
185	              RFC 5662, January 2010.

187	   [RFC7530]  Haynes, T. and D. Noveck, "Network File System (NFS)
188	              version 4 Protocol", RFC 7530, March 2015.

190	   [SUSv4]    The Open Group, "Single UNIX Specification Version 4",
191	              2013.

193	Appendix A.  RFC Editor Notes

195	   [RFC Editor: please remove this section prior to publishing this
196	   document as an RFC]

198	   [RFC Editor: prior to publishing this document as an RFC, please
199	   replace all occurrences of RFCTBD10 with RFCxxxx where xxxx is the
200	   RFC number of this document]

202	Authors' Addresses

204	   J. Bruce Fields
205	   Red Hat, Inc.

207	   Email: bfields@redhat.com

209	   Andreas Gruenbacher
210	   Red Hat, Inc.

212	   Email: agruenba@redhat.com