Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

NFS Security

NFS is a very widely-used file sharing protocol. It allows servers running nfsd and mountd to "export" entire file systems to other machines using NFS filesystem support built in to their kernels (or some other client support if they are not Linux machines). mountd keeps track of mounted file systems in /etc/mtab, and can display them with showmount. Many sites use NFS to serve home directories to users, so that no matter what machine in the cluster they login to, they will have all their home files.  There is some small amount of security allowed in exporting file systems. You can make your nfsd map the remote root user (uid=0) to the nobody user, denying them total access to the files exported. However, since individual users have access to their own (or at least the same uid) files, the remote root user can login or su to their account and have total access to their files. This is only a small hindrance to an attacker that has access to mount your remote file systems. If you must use NFS, make sure you export to only those machines that you really need to. Never export your entire root directory; export only directories you need to export.

• Kerberos
• SPKM
• LIPKEY

For each flavor, there may be multiple implementations. For instance, with Kerberos there are both "MIT Kerberos", and "Heimdal Kerberos".

The NFSv4 also introduces a new ACL (Access Control List) format that introduces more detailed file security attributes, making NFSv4 controlled files more secure. Several operating systems like AIX 5.3 and  Sun Solaris (ZFS only) have implemented NFSv4 ACL in their filesystems. There have pretty Chrismas tree style set of permissions (which violates classic rule of seven, see the list below). It is overly complex for normal system administrator (who usually have problems even with simplistic in comparison classic Unix permissions model: few people understand SUID/SGID attributes and the fact that that the ability to write to the directory permits deleting files in it). As such it the net effect can be not enhanced security but the ability to create a security holes that are difficult to detect. Lets look more closely at those new granular permissions:

1. read_data: Ability to read the contents of a file
2. write_data: Ability to modify an existing file
3. list_directory: Ability to list the contents of a directory
4. add_file: Ability to add a new file to a directory
5. append_data: Ability to modify an existing file, but only from EOF
6. add_subdirectory: Ability to create subdirectories
7. read_xattr: Ability to read extended attributes
8. write_xattr: Ability to write extended attributes
9. execute: Ability to execute a file
10. delete_child: Ability to delete a file within a directory
11. read_attributes: Ability to read basic attributes (non-ACL) of a file (ie: ctime, mtime, atime, etc)
12. write_attributes: Ability to write basic attributes to a file or directory (ie: atime, mtime)
13. delete: Ability to delete a file
14. read_acl: Ability to read the ACL
15. write_acl: Ability to modify the ACL (needed to use chmod or setfacl)
16. write_owner: Ability to use chown to change ownership of a file
17. synchronize: Ability to access file locally via synchronous reads and writes

Solaris has better NFSv4 implementation then Linux.  It fully implement NFSv4 ACLs.  See NFSv4 ACLS: Where are we going?  IBM AIX  implementation  is also very good.

Old News

IBM Cluster information center

It can also be the case that NFS V4 ACLs have been set for some file system objects (directories and individual files) prior to administrator action to revert back to a POSIX-only configuration. Since the NFS V4 access evaluation will no longer be performed, it is desirable for the mmgetacl command to return an ACL representative of the evaluation that will now occur (translating NFS V4 ACLs into traditional POSIX style). The -k posix option returns the result of this translation.

1. By default, the mmgetacl command returns the ACL in a format consistent with the file system setting:
   • If posix only, it is shown as a traditional ACL.
   • If nfs4 only, it is shown as an NFS V4 ACL.
   • If all formats are supported, the ACL is returned in its true form.
2. The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
3. The command mmgetacl -k posix always produces a traditional ACL.
4. The command mmgetacl -k native always shows the ACL in its true form, regardless of the file system setting.

In general, users should continue to use the mmgetacl and mmeditacl commands without the -k flag, allowing the ACL to be presented in a form appropriate for the file system setting. Since the NFS V4 ACLs are more complicated and therefore harder to construct initially, users that want to assign an NFS V4 ACL should use the command mmeditacl -k nfs4 to start with a translation of the current ACL, and then make any necessary modifications to the NFS V4 ACL that is returned.

Parent topic: NFS V4 ACL administration

NFS V4 ACL Syntax

Related tasks
 

Displaying NFS V4 access control lists

Changing NFS V4 access control lists

[Sep 3, 2009] Working with filesystems using NFSv4 ACLs  by Samyak Jain

Jun 02,  2009  | IBM DeveloperWorks

Filesystems using NFS4 ACL

The NFSv4 (Network File System – Version 4) protocol introduces a new ACL (Access Control List) format that extends other existing ACL formats. NFSv4 ACL is easy to work with and introduces more detailed file security attributes, making NFSv4 ACLs more secure. Several operating systems like IBM® AIX®, Sun Solaris, and Linux® have implemented NFSv4 ACL in their filesystems.

Currently, the filesystems that support NFSv4 ACL in IBM AIX 5L version 5.3 and above are NFSv4, JFS2 with EAv2 (Extended Journaled Filesystem with Extended Attributes format version 2), and General Parallel Filesystem (GPFS). In Sun Solaris, this ACL model is supported by ZFS. In RedHat Linux, NFSv4 supports NFSv4 ACLs.

---

Back to top

What is an ACL?

An Access Control List (ACL) is used to specify access permissions to filesystem objects, like files and directories. Is a list of many Access Control Entries (ACEs), in which each entry defines a user or a group, and different permissions to each of them.

---

Back to top

About ZFS ACLs

ZFS file system, introduced by Sun, is available in the Solaris 10 OS pack.

ZFS supports the NFSv4 ACL model, and has implemented the commands in the form of new options to the existing ls and chmod commands. Thus, the ACLs can be set and displayed using the chmod and ls commands; no new command has been introduced. Because of this, it is very easy to work with ACLs in ZFS.

ZFS ACL format

ZFS ACLs follow a well-defined format. The format and the entities involved in this format are:

Syntax A
 

ACL_entry_type:Access_permissions/…/[:Inheritance_flags]:deny or allow

 

ACL_entry_type includes "owner@", "group@", or "everyone@".

For example:

group@:write_data/append_data/execute:deny

Syntax B
 

ACL_entry_type: ACL_entry_ID:Access_permissions/…/[:Inheritance_flags]:deny or allow

 

ACL_entry_type includes "user", or "group".

ACL_entry_ID includes "user_name", or "group_name".

For example:

user:samy:list_directory/read_data/execute:allow

Inheritance flags
 

f : FILE_INHERIT d : DIRECTORY_INHERIT i : INHERIT_ONLY n : NO_PROPAGATE_INHERIT S : SUCCESSFUL_ACCESS_ACE_FLAG F : FAILED_ACCESS_ACE_FLAG

 

Listing ACLs of ZFS files and directories

ACLs can be listed using the ls command using the -v and -V options. For listing directory ACLs, use the -d option.

Operation	Command
Listing ACL entries of files	ls –[v | V] <file_name>
Listing ACL entries of dirs	ls –d[v | V] <dir_name>

Example for listing ACLs of a file
 

ls -v file.1 -rw-r--r-- 1 root root 2703 Nov 4 12:37 file.1 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

Example for listing ACLs of a directory
 

# ls -dv dir.1 drwxr-xr-x 2 root root 2 Nov 1 14:51 dir.1 0:owner@::deny 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/ append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow 2:group@:add_file/write_data/add_subdirectory/append_data:deny 3:group@:list_directory/read_data/execute:allow 4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr / write_attributes/write_acl/write_owner:deny 5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes / read_acl/synchronize:allow

Example for listing ACLs in a compact format
 

# ls -Vd dir.1 drwxr-xr-x 2 root root 2 Sep 1 05:46 d owner@:--------------:------:deny owner@:rwxp---A-W-Co-:------:allow group@:-w-p----------:------:deny group@:r-x-----------:------:allow everyone@:-w-p---A-W-Co-:------:deny everyone@:r-xp--a-R-c--s:------:allow

 

In above examples, ACLs are displayed in a compact format. In this, access permissions and inheritance flags are displayed using masks. One ACL entry is displayed in each line, making the view easier to understand.

Modifying ACLs of ZFS files and directories
 

ACLs can be set or modified using the chmod command. The chmod command uses the ACL-specification, which includes the ACL-format (Syntax A or B), listed earlier.

Operation	Command
Adding an ACL entry by index-ID	# chmod Aindex_ID+acl_specification filename
Adding an ACL entry for a user	# chmod A+acl_specification filename
Removing an ACL entry by index_ID	# chmod Aindex_ID- filename
Removing an ACL entry by user	# chmod A-acl_specification filename
Removing an ACL from a file	# chmod A- filename
Replacing an ACL entry at index_ID	# chmod Aindex_ID=acl_specification filename
Replacing an ACL of a file	# chmod A=acl_specification filename

Examples of ZFS ACLs modifications

List ACL entries
 

# ls –v a -rw-r--r-- 1 root root 0 Sep 1 04:25 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

Add ACL entries
 

# chmod A+user:samy:read_data:allow a # ls -v a -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data:allow 1:owner@:execute:deny 2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 3:group@:write_data/append_data/execute:deny 4:group@:read_data:allow 5:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow # chmod A1+user:samy:execute:deny a # ls -v a -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data:allow 1:user:samy:execute:deny 2:owner@:execute:deny 3:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 4:group@:write_data/append_data/execute:deny 5:group@:read_data:allow 6:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

Replace ACL entries
 

# chmod A0=user:samy:read_data/write_data:allow a # ls -v total 2 -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data/write_data:allow 1:user:samy:execute:deny 2:owner@:execute:deny 3:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 4:group@:write_data/append_data/execute:deny 5:group@:read_data:allow 6:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow # chmod A=user:samy:read_data/write_data/append_data:allow a # ls -v a ----------+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data/write_data/append_data:allow

 

ACLs can also be modified using the masks instead of specifying complete names.

Modifying ACL entries using masks
 

# ls -V a -rw-r--r--+ 1 root root 0 Sep 5 01:50 a user:samy:--------------:------:deny user:samy:rwx-----------:------:allow owner@:--x-----------:------:deny owner@:rw-p---A-W-Co-:------:allow group@:-wxp----------:------:deny group@:r-------------:------:allow everyone@:-wxp---A-W-Co-:------:deny everyone@:r-----a-R-c--s:------:allow # chmod A1=user:samy:rwxp:allow a # ls -V a -rw-r--r--+ 1 root root 0 Sep 5 01:50 a user:samy:--------------:------:deny user:samy:rwxp----------:------:allow owner@:--x-----------:------:deny owner@:rw-p---A-W-Co-:------:allow group@:-wxp----------:------:deny group@:r-------------:------:allow everyone@:-wxp---A-W-Co-:------:deny everyone@:r-----a-R-c--s:------:allow

Remove ACL entries
 

# ls -v a -rw-r-----+ 1 root root 0 Sep 5 01:50 a 0:user:samy:read_data/write_data/execute:allow 1:owner@:execute:deny 2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 3:group@:write_data/append_data/execute:deny 4:group@:read_data:allow 5:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny 6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow # chmod A- a # ls -v a -rw-r----- 1 root root 0 Sep 5 01:50 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny 5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow # chmod A5- a # ls -v a -rw-r----- 1 root root 0 Sep 5 01:50 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny

 

---

Back to top

About JFS2 ACLs

The Enhanced Journaled File System (JFS2) is built into the base AIX operating system. To have the NFSv4 ALC support on JFS2 filesystem, you need to enable "Extended Attribute Format - Version 2" at the time of creating the filesystem. This feature cannot be enabled or disabled once the filesystem is created.

In subsequent references to JFS2, this article assumes that "Extended Attribute Format - Version 2" is enabled.

JFS2 ACL format

The format and the entities involved in this format are:

Syntax
 

IDENTITY ACE_TYPE ACE_MASK INHERITANCE_AND_AUDIT_ATTRS Where: IDENTITY has format: 'IDENTITY_type:IDENTITY_name(IDENTITY_who):' Where: IDENTITY_type is one of the following: u : user g : group s : special who string (IDENTITY_who must be a special who) IDENTITY_name => user/group name IDENTITY_who => who string ACE_TYPE is one of the following ACE Type: a : allow d : deny l : alarm u : audit

Inheritance flags
 

INHERITANCE_AND_AUDIT_ATTRS (Optional) is one or more of the following: fi : FILE_INHERIT di : DIRECTORY_INHERIT oi : INHERIT_ONLY ni : NO_PROPAGATE_INHERIT sf : SUCCESSFUL_ACCESS_ACE_FLAG ff : FAILED_ACCESS_ACE_FLAG

 

Listing ACLs of JFS2 files and directories

JFS provides the following commands related to ACLs.

Operation	Command
Display ACLs of a file	aclget <filename>
Set ACLs of a file	aclput [-i infile] [-t acl_type] [-v] <filename>
Edit ACLs of a file	acledit [-t acl_type] <filename>
Converts ACLs of a file from one type to another	aclconvert [ -R ] -t <acltype> <filename>
Gets ACL types supported by a file system path	aclgettypes <filename>

In JFS2 partition, AIX Classic (AIXC) ACLs are enabled by default, and not NFS4 ACLs. You need to convert the AIXC ACLs to NFS4.

The following command lists the ACLs of a new file in JFS2 partition:

Display ACLs
 

# aclget file1 * * ACL_type AIXC * attributes: base permissions owner(root): rw- group(system): r-- others: r-- extended permissions disabled

 

In this example, AIXC shows that these are the AIX classic ACLs.

To convert to any other type, you need to know what ACL types are supported by this filesystem.

Display supported ACL types:
 

# aclgettypes file1 Supported ACL types are: AIXC NFS4

 

Now, you can convert the AIXC ACLs to NFS4 as follows:

Convert ACLs from AIX classic form to NFSv4 form
 

# aclconvert -t NFS4 file1 # aclget a * * ACL_type NFS4 * * * Owner: root * Group: system * s:(OWNER@): a rwpRWaAdcCs s:(OWNER@): d xo s:(GROUP@): a rRadcs s:(GROUP@): d wpWxACo s:(EVERYONE@): a rRadcs s:(EVERYONE@): d wpWxACo

 

Modifying ACLs of JFS2 files and directories

To modify the ACLs, you can use either the aclput or acledit command. The best way to set the ACLs is first to get the ACLs of a file using the aclget command, and save it in a file. Then, modify the ACLs in that file, and store them using aclput –i <input_acl_file>.

The acledit command uses an editor to display and modify the ALCs. You need to set the environment variable EDITOR before you use the acledit command.

To avoid converting the ACLS of new files from AIXC type to NFS4 inside a directory each time, set the appropriate Inheritance flag in that directory.

The previous commands can also be used for NFSv4 filesystem to manage NFSv4 ACLs on AIX

Recommended Links

---

In case of broken links please try to use Google search. If you find the page please notify us about new location

• IBM Redbooks Securing NFS in AIX An Introduction to NFS v4 in AIX 5L Version 5.3
• Managing NFS and NIS, 2nd Edition   Chapter 15: Debugging Network Problems
• NFS V4 ACL administration
• NFSv4 ACLs- Present and Future
• NFS (in)security administration and information clearinghouse
• Security Guide - Network File System (NFS) Security
• [Doc] NFS Security
• NFS [Ch 20 of PUIS]
• Satan
  • Tutorial - Unprivileged NFS access
  • Tutorial - Portmapper exports
• Tutorial - Unrestricted NFS export
• NetManage Tutorials
• Firewalls Mailing List Re NFS proxies