IETF-SSH archive


Re: SFTP ACLs need inheritance support



Hello all,

I think we are also missing an ACE mask flag for accessing system security.

When communicating with a Windows server, a client can open a file with READ_ACL and WRITE_ACL masks which will allow it to read or write the DACL later. However, the client has no way of opening a file handle in a way that will allow it to read or write AUDIT ACEs. In order to do this, the client needs to request the ACCESS_SYSTEM_SECURITY access right when opening the file, and the server needs to enable the Security privilege for the duration of the file open attempt.

We need an ACE mask flag that will be equivalent to ACCESS_SYSTEM_SECURITY. I suggest allocating 0x00200000 for this.

Best regards,

denis


On Sun, 4 Dec 2005 00:57:18 +0100, denis bider wrote:
> Hello all,
>
> I believe the ACL support which SFTP has lifted from NFS v4 is
> insufficient. It seems as if this system was developed directly
> with Windows NT4 ACLs in mind. It does not support inheritance
> which is an important feature of NTFS file security since Windows
> 2000.
>
> To address this, I suggest the following additions to the SFTP
> draft:
>
> 1. In the Attributes structure, in addition to the ACL string,
> there should be an "ACL flags" value containing any combination of
> the following values:
>
> DACL present = ...
> DACL protected = ...
> SACL present = ...
> SACL protected = ...
>
> Without the DACL present and SACL present flags, there is no way
> for a server to know whether the client, by sending an ACL with no
> system audit entries, wishes to clear the SACL or leave it intact.
> This is important because a special privilege is required to set or
> clear the SACL, and this privilege is not held by regular users. An
> explicit flag would make it easier for the server to determine the
> user's intent.
>
> The "protected" flags are necessary to control inheritance of ACEs
> from the parent container. Without these flags, there is no way for
> the SFTP client to control ACE inheritance.
>
>
> 2. The ACE flags need to be extended with something like
> "INHERITED_ACE_FLAG". When the client retrieves an ACL, this flag
> would be set by the server to indicate that the particular ACE
> entry is inherited from a parent directory. The SFTP client would
>
> Obviously we probably won't call this ACE4_INHERITED_ACE_FLAG,
> since this flag is not in NFS v4.
>
>
> 3. Optionally, one might also choose to support "inherited from"
> information so that the SFTP client could be told about the source
> of an inherited ACE.
>
>
> I believe these changes are necessary to implement a quality SFTP
> client. If these additions are not agreed to, I will have to devise
> a private extension for them. That will be bad for interoperability.
>
> If these additions are incorporated into the SFTP draft, they could
> be made backwards compatible by specifying the Attributes structure
> ACL flag as an extension. However, as far as I'm concerned, the
> protocol version might also be bumped up to 7; that seems a bit
> cleaner, but otherwise it is all the same to me.
>
> So, what does everyone think?
>
>
> Best regards,
>
> denis
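
The ambiguity described in point 1 of the quoted proposal, as an added example that is not part of the original thread or of any SFTP implementation: a hypothetical server function that uses explicit "present" and "protected" flags to decide what to do with each list. The flag members are symbolic stand-ins (the post leaves the numeric values open), and rejecting ACEs that arrive without their "present" flag is an assumption of this sketch.

```python
from enum import Flag, auto

# ACE types as numbered in NFSv4, which the SFTP draft reuses.
ACE_ALLOWED, ACE_DENIED, ACE_AUDIT, ACE_ALARM = 0, 1, 2, 3


class AclFlags(Flag):
    # Symbolic stand-ins only; these are not proposed wire values.
    NONE = 0
    DACL_PRESENT = auto()
    DACL_PROTECTED = auto()
    SACL_PRESENT = auto()
    SACL_PROTECTED = auto()


def plan_list(present, protected, entries):
    """Decide what to do with one list (DACL or SACL)."""
    if not present:
        if entries:
            # Assumption of this example: inconsistent requests are refused.
            raise ValueError("ACEs sent for a list not flagged as present")
        return {"action": "leave"}
    # Present but empty means "clear"; that is the case the flag disambiguates.
    return {"action": "replace" if entries else "clear",
            "inherit_from_parent": not protected}


def plan_acl_update(flags, aces, has_security_privilege):
    """aces is a list of (ace_type, who) tuples from the client's request."""
    dacl = [a for a in aces if a[0] in (ACE_ALLOWED, ACE_DENIED)]
    sacl = [a for a in aces if a[0] in (ACE_AUDIT, ACE_ALARM)]
    plan = {
        "dacl": plan_list(AclFlags.DACL_PRESENT in flags,
                          AclFlags.DACL_PROTECTED in flags, dacl),
        "sacl": plan_list(AclFlags.SACL_PRESENT in flags,
                          AclFlags.SACL_PROTECTED in flags, sacl),
    }
    # Setting or clearing the SACL needs a privilege regular users lack.
    if plan["sacl"]["action"] != "leave" and not has_security_privilege:
        raise PermissionError("SACL change requires the security privilege")
    return plan


if __name__ == "__main__":
    acl = [(ACE_ALLOWED, "alice")]  # constructed sample: no audit entries
    print(plan_acl_update(AclFlags.DACL_PRESENT, acl, False))
    print(plan_acl_update(AclFlags.DACL_PRESENT | AclFlags.SACL_PRESENT, acl, True))
```

The same ACL with no audit entries yields "leave" for the SACL in the first call and "clear" in the second, so a regular user's DACL update is never mistaken for a privileged SACL change.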




