IETF-SSH archive


Re: SFTP ACLs need inheritance support



Do you think this should be added to SFTP v6, or
do we need a v7?  Has anyone begun implementing
yet?

What do others think?

I did try to address the dacl presence / absence
problem, but in the end, it seemed _very_ windows
specific.

I've started twice today to spec something out, and
haven't liked what I got either time... I'm tempted
to do this with an extension.

What would you think of the following extension:

string "win32-acl-flags"
string extension-data
  uint32 acl-flags

If the extension is not absent, then all
bit values default to '0'

SFX_DACL_PRESENT
  This bit needs to be set if and only if the DACL
  is present and empty (0 ALLOW/0 DENY entries
  in the ACL.)  If the DACL is present and empty,
  this implies that no access is granted.

  If the DACL is not present (i.e., 0 ALLOW/0 DENY
  entries) this implies that access to the file
  is either granted to all users or governed by
  another mechanism, such as the permissions
  mask.

SFX_DACL_PROTECTED
  If this bit is set, then the DACL may not be
  modified by inherited ACEs.

SFX_SACL_PRESENT
  This bit needs to be set if and only if the SACL
  is present and empty (0 AUDIT/0 ALARM entries in
  the ACL.)
NOTE> Does this even have significant meaning?

SFX_SACL_PROTECTED
  If this bit is set, then the SACL may not be
  modified by inherited ACEs.

Thanks,

Joseph

denis bider wrote:
> Hello all,
> 
> I believe the ACL support which SFTP has lifted from NFS v4 is insufficient. It seems as if this system was developed directly with Windows NT4 ACLs in mind. It does not support inheritance which is an important feature of NTFS file security since Windows 2000.
> 
> To address this, I suggest the following additions to the SFTP draft:
> 
> 
> 1. In the Attributes structure, in addition to the ACL string, there should be an "ACL flags" value containing any combination of the following values:
> 
>   DACL present = ...
>   DACL protected = ...
>   SACL present = ...
>   SACL protected = ...
> 
> Without the DACL present and SACL present flags, there is no way for a server to know whether the client, by sending an ACL with no system audit entries, wishes to clear the SACL or leave it intact. This is important because a special privilege is required to set or clear the SACL, and this privilege is not held by regular users. An explicit flag would make it easier for the server to determine the user's intent.
> 
> The "protected" flags are necessary to control inheritance of ACEs from the parent container. Without these flags, there is no way for the SFTP client to control ACE inheritance.
> 
> 
> 2. The ACE flags need to be extended with something like "INHERITED_ACE_FLAG". When the client retrieves an ACL, this flag would be set by the server to indicate that the particular ACE entry is inherited from a parent directory. The SFTP client would 
> 
> Obviously we probably won't call this ACE4_INHERITED_ACE_FLAG, since this flag is not in NFS v4.
> 
> 
> 3. Optionally, one might also choose to support "inherited from" information so that the SFTP client could be told about the source of an inherited ACE.
> 
> 
> I believe these changes are necessary to implement a quality SFTP client. If these additions are not agreed to, I will have to devise a private extension for them. That will be bad for interoperability.
> 
> If these additions are incorporated into the SFTP draft, they could be made backwards compatible by specifying the Attributes structure ACL flag as an extension. However, as far as I'm concerned, the protocol version might also be bumped up to 7; that seems a bit cleaner, but otherwise it is all the same to me.
> 
> So, what does everyone think?
> 
> 
> Best regards,
> 
> denis
> 
> 
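The following is an added example, not code from either poster or from any SFTP implementation. It encodes and decodes the "win32-acl-flags" extension pair proposed above (SSH "string" is a uint32 big-endian length followed by the bytes), applies the "absent extension means all bits zero" rule, and shows how the DACL_PRESENT bit separates "DACL present but empty" (no access) from "no DACL" (access governed by another mechanism). The numeric bit positions and the helper names are my assumptions; the proposal names the bits but does not assign values.

```python
"""
Added example: wire encoding and interpretation of the proposed
"win32-acl-flags" SFTP extension. Bit values below are hypothetical;
the thread names the flags but assigns no numbers.
"""
import struct

# Hypothetical bit assignments (assumption, not from the proposal).
SFX_DACL_PRESENT   = 0x00000001
SFX_DACL_PROTECTED = 0x00000002
SFX_SACL_PRESENT   = 0x00000004
SFX_SACL_PROTECTED = 0x00000008

EXT_NAME = b"win32-acl-flags"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode an SSH 'string' at buf[off:], returning (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_acl_flags_extension(flags: int) -> bytes:
    """Build the pair: string "win32-acl-flags", string extension-data(uint32 acl-flags)."""
    return ssh_string(EXT_NAME) + ssh_string(struct.pack(">I", flags))


def parse_extensions(buf: bytes) -> dict:
    """Parse a run of (name, extension-data) pairs into a dict keyed by name."""
    exts = {}
    off = 0
    while off < len(buf):
        name, off = read_ssh_string(buf, off)
        data, off = read_ssh_string(buf, off)
        exts[name] = data
    return exts


def acl_flags_from_extensions(exts: dict) -> int:
    """Return acl-flags; when the extension is absent every bit defaults to 0."""
    data = exts.get(EXT_NAME)
    if data is None:
        return 0
    if len(data) != 4:
        raise ValueError("win32-acl-flags extension-data must be exactly one uint32")
    return struct.unpack(">I", data)[0]


def acl_flags_for(dacl_present: bool, dacl_aces: list, dacl_protected: bool,
                  sacl_present: bool, sacl_aces: list, sacl_protected: bool) -> int:
    """
    Server-side rule from the proposal: the *_PRESENT bit is set if and only if
    the ACL is present AND has zero entries; a non-empty ACL implies presence.
    """
    flags = 0
    if dacl_present and not dacl_aces:
        flags |= SFX_DACL_PRESENT
    if dacl_protected:
        flags |= SFX_DACL_PROTECTED
    if sacl_present and not sacl_aces:
        flags |= SFX_SACL_PRESENT
    if sacl_protected:
        flags |= SFX_SACL_PROTECTED
    return flags


def interpret_dacl(flags: int, allow_deny_aces: list) -> str:
    """
    Client-side reading of a received DACL:
      'explicit'    : one or more ALLOW/DENY ACEs were sent.
      'empty'       : no ACEs but DACL_PRESENT set -> no access is granted.
      'not-present' : no ACEs and bit clear -> access governed elsewhere
                      (e.g. the permissions mask), or granted to all.
    """
    if allow_deny_aces:
        return "explicit"
    if flags & SFX_DACL_PRESENT:
        return "empty"
    return "not-present"


def dacl_accepts_inheritance(flags: int) -> bool:
    """DACL_PROTECTED means inherited ACEs may not modify the DACL."""
    return not (flags & SFX_DACL_PROTECTED)


if __name__ == "__main__":
    wire = encode_acl_flags_extension(SFX_DACL_PRESENT | SFX_DACL_PROTECTED)
    flags = acl_flags_from_extensions(parse_extensions(wire))
    print(hex(flags), interpret_dacl(flags, []), dacl_accepts_inheritance(flags))
    # No extension on the wire at all: flags are 0, so an empty ACE list is "not-present".
    print(interpret_dacl(acl_flags_from_extensions(parse_extensions(b"")), []))
```

The only case the flag word changes is the zero-ACE one: with ACEs present, `acl_flags_for` leaves DACL_PRESENT clear because presence is already implied, which is what the "if and only if ... present and empty" wording asks for.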



