NFS v4.1 ACLs and Windows correspondents

Alan Yoder

The following flags in Windows, settable on DACLs, are pertinent to NFS. Corresponding flags in NFS v4.1, if any, are shown in blue under the Windows flag name. Proposed NFS flags in red.

SE_DACL_AUTO_INHERIT_REQ
ACL4_AUTO_INHERIT
(Bruce) / Requests automatic propagation to child objects, and setting of the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.
SE_DACL_AUTO_INHERITED / Always set for Win2k DACLs
If this bit is truly always set, per the documentation, it is Windows-specific and we can ignore it.
SE_DACL_DEFAULTED
ACL4_DEFAULTED
(Alan) / DACL was set based on creator's security descriptor
This could be useful. It's a rough ACL equivalent of the UMASK.
SE_DACL_PROTECTED
ACL4_PROTECTED
(Bruce) / Protects the DACL of the security descriptor from being modified by inheritable ACEs.
SE_DACL_UNTRUSTED / Indicates that the ACL was provided by an untrusted source.
I think we can ignore this or wait for folks like Mike to propose it.

The following flags are used on Security ACLs, or SACLs.

SE_SACL_AUTO_INHERIT_REQ / SE_DACL_AUTO_INHERIT_REQ for SACLs
SE_SACL_AUTO_INHERITED / SE_DACL_AUTO_INHERITED for SACLs
SE_SACL_DEFAULTED / SE_DACL_DEFAULTED for SACLs
SE_SACL_PROTECTED / SE_DACL_PROTECTED for SACLs

The following flags are used on ACEs in Windows. Their correspondents in NFSv4.1 are noted in blue beneath the Windows name for the flag. Our missing friend is in red.

CONTAINER_INHERIT_ACE
ACE4_DIRECTORY_INHERIT_ACE / Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
FAILED_ACCESS_ACE_FLAG
ACE4_FAILED_ACCESS_ACE_FLAG / Used with system-audit ACEs in a SACL to generate audit messages for failed access attempts.
INHERIT_ONLY_ACE
ACE4_INHERIT_ONLY_ACE / An ACE to be inherited to children, but not used on this object
INHERITED_ACE
ACE4_INHERITED_ACE
(Bruce) / The client sets this bit when it propagates an inherited ACE to a child object.
NO_PROPAGATE_INHERIT_ACE
ACE4_FILE_INHERIT_ACE + ACE4_DIRECTORY_INHERIT_ACE + ACE4_NO_PROPAGATE_INHERIT_ACE / Means only auto inherit the ACE to child objects, not to descendants of those.
NB: the wording for ACE4_NO_PROPAGATE_INHERIT_ACE is ambiguous in the spec. It doesn't really say whether the flag should be placed on the child or not, though one can reason that the wording implies one should not.
OBJECT_INHERIT_ACE
For files: ACE4_FILE_INHERIT_ACE
For directories: ACE4_NO_PROPAGATE_INHERIT_ACE ? 0 : ACE4_INHERIT_ONLY_ACE / Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
SUCCESSFUL_ACCESS_ACE_FLAG
ACE4_SUCCESSFUL_ACCESS_ACE_FLAG / Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts.
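The inheritance rules in the table above, worked through as an added example (not part of the original memo). The flag values are those later published in RFC 5661; the function names are hypothetical. The code assumes the reading the NB leans toward, namely that ACE4_NO_PROPAGATE_INHERIT_ACE is not copied onto the child.

```python
# NFSv4.1 flag values as published in RFC 5661 (aceflag4 and aclflag4).
ACE4_FILE_INHERIT_ACE = 0x01
ACE4_DIRECTORY_INHERIT_ACE = 0x02
ACE4_NO_PROPAGATE_INHERIT_ACE = 0x04
ACE4_INHERIT_ONLY_ACE = 0x08
ACE4_INHERITED_ACE = 0x80
ACL4_PROTECTED = 0x02

INHERIT_BITS = (ACE4_FILE_INHERIT_ACE | ACE4_DIRECTORY_INHERIT_ACE |
                ACE4_NO_PROPAGATE_INHERIT_ACE | ACE4_INHERIT_ONLY_ACE)


def inherit_ace(parent_flags, child_is_dir):
    """Return the flags one parent ACE carries on a child, or None if the
    child does not inherit it. Audit and group bits pass through unchanged."""
    if not child_is_dir:
        if not parent_flags & ACE4_FILE_INHERIT_ACE:
            return None
        # A file has no children: the ACE becomes effective and loses
        # every inheritance bit.
        return (parent_flags & ~INHERIT_BITS) | ACE4_INHERITED_ACE

    if not parent_flags & (ACE4_FILE_INHERIT_ACE | ACE4_DIRECTORY_INHERIT_ACE):
        return None
    no_propagate = parent_flags & ACE4_NO_PROPAGATE_INHERIT_ACE

    if not parent_flags & ACE4_DIRECTORY_INHERIT_ACE:
        # File-inherit only: the directory holds the ACE as inherit-only so
        # files below still receive it, unless propagation stops here.
        if no_propagate:
            return None
        return parent_flags | ACE4_INHERIT_ONLY_ACE | ACE4_INHERITED_ACE

    # Directory-inherit: effective on the child directory itself.
    child = parent_flags & ~ACE4_INHERIT_ONLY_ACE
    if no_propagate:
        child &= ~INHERIT_BITS  # assumption: the flag is not placed on the child
    return child | ACE4_INHERITED_ACE


def propagate(parent_ace_flags, child_is_dir, child_acl_flags=0):
    """Flags of the ACEs a child receives from its parent's ACL."""
    if child_acl_flags & ACL4_PROTECTED:
        return []  # a protected ACL is not modified by inheritable ACEs
    inherited = (inherit_ace(f, child_is_dir) for f in parent_ace_flags)
    return [f for f in inherited if f is not None]
```

Propagation is decided once for the ACL, by ACL4_PROTECTED, but the resulting flags are computed ACE by ACE.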

Recommendation: I think Bruce's proposal is good as it stands. Notice that propagation is requested per ACL, but performed per ACE. I also propose adding the ACL4_DEFAULTED bit, as discussed during the meeting today.

Alan