IETF-SSH archive


SFTP ACLs need inheritance support



Hello all,

I believe the ACL support which SFTP has lifted from NFS v4 is insufficient. It seems as if this system was developed directly with Windows NT4 ACLs in mind. It does not support inheritance, which is an important feature of NTFS file security since Windows 2000.

To address this, I suggest the following additions to the SFTP draft:


1. In the Attributes structure, in addition to the ACL string, there should be an "ACL flags" value containing any combination of the following values:

  DACL present = ...
  DACL protected = ...
  SACL present = ...
  SACL protected = ...

Without the DACL present and SACL present flags, there is no way for a server to know whether the client, by sending an ACL with no system audit entries, wishes to clear the SACL or leave it intact. This is important because a special privilege is required to set or clear the SACL, and this privilege is not held by regular users. An explicit flag would make it easier for the server to determine the user's intent.

The "protected" flags are necessary to control inheritance of ACEs from the parent container. Without these flags, there is no way for the SFTP client to control ACE inheritance.


2. The ACE flags need to be extended with something like "INHERITED_ACE_FLAG". When the client retrieves an ACL, this flag would be set by the server to indicate that the particular ACE entry is inherited from a parent directory. The SFTP client would

Obviously we probably won't call this ACE4_INHERITED_ACE_FLAG, since this flag is not in NFS v4.


3. Optionally, one might also choose to support "inherited from" information so that the SFTP client could be told about the source of an inherited ACE.


I believe these changes are necessary to implement a quality SFTP client. If these additions are not agreed to, I will have to devise a private extension for them. That will be bad for interoperability.

If these additions are incorporated into the SFTP draft, they could be made backwards compatible by specifying the Attributes structure ACL flag as an extension. However, as far as I'm concerned, the protocol version might also be bumped up to 7; that seems a bit cleaner, but otherwise it is all the same to me.

So, what does everyone think?


Best regards,

denis
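
Added example, not part of the original message: a server-side sketch in Python of how the "ACL flags" proposed in item 1 would resolve the clear-versus-leave-intact ambiguity for the SACL and carry the "protected" setting. The names `AclFlags`, `Ace` and `plan_acl_update`, the flag bit values (the message leaves them unspecified) and the choice to reject ACEs sent without their "present" flag are assumptions of this sketch.

```python
import enum
from dataclasses import dataclass

# ACE type codes from NFSv4 (RFC 3530), which the SFTP draft reuses.
ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT, SYSTEM_ALARM = 0, 1, 2, 3


class AclFlags(enum.Flag):
    # Wire values are not given in the message; auto() values are
    # placeholders for this sketch only.
    DACL_PRESENT = enum.auto()
    DACL_PROTECTED = enum.auto()
    SACL_PRESENT = enum.auto()
    SACL_PROTECTED = enum.auto()


@dataclass(frozen=True)
class Ace:
    ace_type: int
    who: str
    mask: int


def plan_acl_update(flags, aces, may_modify_sacl):
    """Return {"dacl": ..., "sacl": ...}; None means leave that list intact."""
    dacl = [a for a in aces if a.ace_type in (ACCESS_ALLOWED, ACCESS_DENIED)]
    sacl = [a for a in aces if a.ace_type in (SYSTEM_AUDIT, SYSTEM_ALARM)]
    plan = {"dacl": None, "sacl": None}

    if AclFlags.DACL_PRESENT in flags:
        # "protected" blocks inheritance of ACEs from the parent container.
        plan["dacl"] = {"aces": dacl, "protected": AclFlags.DACL_PROTECTED in flags}
    elif dacl:
        raise ValueError("access ACEs sent without DACL present")

    if AclFlags.SACL_PRESENT in flags:
        # Only an explicit SACL request needs the special privilege; an
        # empty audit list with this flag set means "clear the SACL".
        if not may_modify_sacl:
            raise PermissionError("caller may not set or clear the SACL")
        plan["sacl"] = {"aces": sacl, "protected": AclFlags.SACL_PROTECTED in flags}
    elif sacl:
        raise ValueError("audit ACEs sent without SACL present")

    return plan
```

With these flags a regular user can replace the DACL without triggering a SACL privilege check, while an empty audit list plus "SACL present" is an unambiguous request to clear the SACL.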



