idnits 2.17.1 

draft-bfields-nfsv4-umask-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 22, 2016) is 2976 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'LEGAL' is defined on line 167, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4506' is defined on line 179, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5661' is defined on line 182, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5662' is defined on line 186, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 5661 (Obsoleted by RFC 8881)


     Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	NFSv4                                                          J. Fields
3	Internet-Draft                                            A. Gruenbacher
4	Intended status: Informational                                   Red Hat
5	Expires: August 25, 2016                               February 22, 2016

7	         Allowing inheritable NFSv4 ACLs to override the umask
8	                      draft-bfields-nfsv4-umask-01

10	Abstract

12	   In some environments, inheritable NFSv4 ACLs can be rendered
13	   ineffective by the application of the per-process umask.  This is
14	   easily worked around by transmitting the umask and create mode
15	   separately to allow servers to make more intelligent decisions about
16	   the new mode on a file.

18	Status of This Memo

20	   This Internet-Draft is submitted in full conformance with the
21	   provisions of BCP 78 and BCP 79.

23	   Internet-Drafts are working documents of the Internet Engineering
24	   Task Force (IETF).  Note that other groups may also distribute
25	   working documents as Internet-Drafts.  The list of current Internet-
26	   Drafts is at http://datatracker.ietf.org/drafts/current/.

28	   Internet-Drafts are draft documents valid for a maximum of six months
29	   and may be updated, replaced, or obsoleted by other documents at any
30	   time.  It is inappropriate to use Internet-Drafts as reference
31	   material or to cite them other than as "work in progress."

33	   This Internet-Draft will expire on August 25, 2016.

35	Copyright Notice

37	   Copyright (c) 2016 IETF Trust and the persons identified as the
38	   document authors.  All rights reserved.

40	   This document is subject to BCP 78 and the IETF Trust's Legal
41	   Provisions Relating to IETF Documents
42	   (http://trustee.ietf.org/license-info) in effect on the date of
43	   publication of this document.  Please review these documents
44	   carefully, as they describe your rights and restrictions with respect
45	   to this document.  Code Components extracted from this document must
46	   include Simplified BSD License text as described in Section 4.e of
47	   the Trust Legal Provisions and are provided without warranty as
48	   described in the Simplified BSD License.

50	Table of Contents

52	   1.  Conventions Used in This Document . . . . . . . . . . . . . .   2
53	   2.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .   2
54	   3.  mode_umask Attribute  . . . . . . . . . . . . . . . . . . . .   3
55	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
56	   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
57	   Appendix A.  Acknowledgments  . . . . . . . . . . . . . . . . . .   5
58	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

60	1.  Conventions Used in This Document

62	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
63	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
64	   document are to be interpreted as described in [RFC2119].

66	2.  Problem Statement

68	   On Unix-like systems, each process is associated with a file mode
69	   creation mask (umask).  In the absence of inheritable permissions,
70	   the umask specifies which permissions must be turned off when
71	   creating new file system objects.  With "POSIX" Access Control Lists
72	   [POSIX-1003.1e], in the presence of inheritable permissions, the
73	   umask must be ignored.  Other Access Control List implementations on
74	   Unix-like systems may ignore the umask in a similar way.

76	   The NFSv4 protocol currently does not include the umask concept;
77	   applying the umask is left to clients.  Unfortunately, clients have
78	   no way of atomically checking for inheritable permissions and
79	   applying the umask only when necessary.  Instead, they err on the
80	   safe side and always apply the umask.  Thus the mode the server
81	   receives in an OPEN already has the umask applied.

83	   When applying the mode, section 6.4.1.1 of [RFC7530] recommends that
84	   servers SHOULD restrict permissions granted to any user or group
85	   named in the ACL to be no more than the permissions granted by the
86	   MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP bits.  Servers aiming to
87	   provide clients with Unix-like chmod behavior may also be motivated
88	   by the same requirements in [SUSv4].  (See the discussion of
89	   additional and alternate access control mechanisms in section "4.4
90	   File Permissions".)

92	   On many existing installations, all ordinary users by default use the
93	   same effective group ID.  To prevent granting all users full access
94	   to each other's files, such installations usually default to a umask
95	   with very restrictive permissions.  Thus the named users and groups
96	   in an inherited ACL end up being mostly ignored.

98	   This leads to file permissions which are more restrictive than they
99	   should be in common cases; permission inheritance over NFSv4 is
100	   broken.

102	   To address this problem, a new attribute is proposed which allows the
103	   server to apply the umask only when there are no inheritable
104	   permissions.

106	3.  mode_umask Attribute

108	         struct mode_umask4 {
109	           mode4  mu_mode;
110	           mode4  mu_umask;
111	         };

113	           +------------+----+-------------+-----+------------+
114	           | Name       | Id | Data Type   | Acc | Defined in |
115	           +------------+----+-------------+-----+------------+
116	           | mode_umask | 81 | mode_umask4 | W   | Section 3  |
117	           +------------+----+-------------+-----+------------+

119	                                  Table 1

121	   The NFSv4.2 mode_umask attribute is based on the open mode and umask
122	   that together determine the mode of a newly created UNIX file.  Only
123	   the nine low-order mode4 bits of mu_umask are defined.  A server MUST
124	   return NFS4ERR_INVAL if bits other than those nine are set.

126	   The mode_umask attribute is only meaningful for operations that
127	   create objects (CREATE and OPEN); the server SHOULD reject it for
128	   other operations that take fattr4 arguments.

130	   The server MUST ignore any mode attribute set in the same operation
131	   as mode_umask.

133	   When the server supports the mode_umask attribute, a client creating
134	   a file should use mode_umask in place of mode, with mu_mode set to
135	   the unmodified mode provided by the user, and mu_umask set to the
136	   umask of the requesting process.

138	   The server then uses mode_umask as follows:

140	   o  On a server that supports ACL attributes, if an object inherits
141	      any ACEs from its parent directory, mu_mode SHOULD be used, and
142	      mu_umask ignored.

144	   o  Otherwise, mu_umask MUST be used to limit the mode: all bits in
145	      the mode MUST be turned off which are set in the umask; the mode
146	      to use for creating the object becomes (mu_mode & ~mu_umask)
147	      instead.

149	4.  Security Considerations

151	   The proposed attribute allows to shift the decision when to apply the
152	   umask to the server.  Becuse the server MUST apply the umask if there
153	   are no inheritable permissions, the traditional semantics are
154	   preserved in the absence of a permission inheritance mechanism.  The
155	   proposal specifies that servers SHOULD ignore the umask if there are
156	   inheritable permissions, allowing servers to ignore this
157	   recommendation in cases when that should be preferable.

159	   The practice of ignoring the umask when there are inheritable
160	   permissions in the form of a "POSIX" default ACL is common practice;
161	   there are no known security concerns.  The "POSIX" default ACL
162	   mechanism and the mechanism of inheriting permissions in NFSv4 is
163	   equivalent for this purpose.

165	5.  Normative References

167	   [LEGAL]    IETF Trust, "Legal Provisions Relating to IETF Documents",
168	              November 2008, <http://trustee.ietf.org/docs/
169	              IETF-Trust-License-Policy.pdf>.

171	   [POSIX-1003.1e]
172	              Portable Applications Standards Committee of the IEEE
173	              Compute Society, "POSIX 1003.1e Withdrawn Draft 17",
174	              October 1997.

176	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
177	              Requirement Levels", March 1997.

179	   [RFC4506]  Eisler, M., "XDR: External Data Representation Standard",
180	              STD 67, RFC 4506, May 2006.

182	   [RFC5661]  Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
183	              "Network File System (NFS) Version 4 Minor Version 1
184	              Protocol", RFC 5661, January 2010.

186	   [RFC5662]  Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
187	              "Network File System (NFS) Version 4 Minor Version 1
188	              External Data Representation Standard (XDR) Description",
189	              RFC 5662, January 2010.

191	   [RFC7530]  Haynes, T. and D. Noveck, "Network File System (NFS)
192	              version 4 Protocol", RFC 7530, March 2015.

194	   [SUSv4]    The Open Group, "Single UNIX Specification Version 4",
195	              2013.

197	Appendix A.  Acknowledgments

199	   Thanks to Dave Noveck and Trond Myklebust for review.

201	Authors' Addresses

203	   J. Bruce Fields
204	   Red Hat, Inc.

206	   Email: bfields@redhat.com

208	   Andreas Gruenbacher
209	   Red Hat, Inc.

211	   Email: agruenba@redhat.com