Implementing Native NFSv4 ACLs in Linux

The NFSv4 standard defines an advanced security model which provides
detailed and flexible Access Control Lists. These allow system
administrators very fine-grained control of user privileges over files.

Unlike the traditional POSIX access model using a 9-bit mask, NFSv4
ACLs allow privileges to be granted to more detailed sets of users
than just the file's owner, the file's group, or everyone else. For
example, you can express rules like "all the people in Accounts can
read this file, the Auditors can read this file, Fred can write it,
and nobody else can read or write it".

Unlike the draft POSIX standard ACL model, NFSv4 ACLs provide a
finer-grained set of privileges that can be granted, and also allow
the system administrator to deny privileges as well as grant them.
This makes it much easier to express some security policies. For
example, you can express rules like "all the people in Accounts can
read this file, except Jane".
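
The ordered allow/deny evaluation behind rules like the two quoted above,
as an added example that is not part of the original abstract or of SGI's
code: a simplified C model of the access check described in RFC 7530.
Assumptions: all type, function and variable names are hypothetical, the
user "amy" and group "staff" are constructed, and only named users and
groups and two mask bits are modelled (no special identifiers or flags).

```c
#include <stdint.h>
#include <string.h>

/* Two NFSv4 access-mask bits, values as in RFC 7530. */
#define ACE4_READ_DATA  0x00000001u
#define ACE4_WRITE_DATA 0x00000002u
enum ace_type { ACE_ALLOW, ACE_DENY };  /* AUDIT/ALARM ACE types omitted */

struct ace { enum ace_type type; const char *who; int is_group; uint32_t mask; };
struct subject { const char *user; const char *groups[4]; /* NULL-terminated */ };

static int ace_matches(const struct ace *a, const struct subject *s)
{
    if (!a->is_group)
        return strcmp(a->who, s->user) == 0;
    for (int i = 0; i < 4 && s->groups[i]; i++)
        if (strcmp(a->who, s->groups[i]) == 0)
            return 1;
    return 0;
}

/* Walk the ACEs in order. A DENY that hits a still-undecided bit refuses the
 * request; bits no ACE decides are refused too. Returns 1 if `want` is allowed. */
int acl_permits(const struct ace *acl, int n, const struct subject *s, uint32_t want)
{
    uint32_t undecided = want;
    for (int i = 0; i < n && undecided; i++) {
        if (!ace_matches(&acl[i], s))
            continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & undecided))
            return 0;
        if (acl[i].type == ACE_ALLOW)
            undecided &= ~acl[i].mask;   /* an allowed bit is settled */
    }
    return undecided == 0;
}

/* Constructed sample data: the abstract's two policies as one ACL. */
const struct ace sample_acl[] = {
    { ACE_DENY,  "jane",     0, ACE4_READ_DATA  },
    { ACE_ALLOW, "accounts", 1, ACE4_READ_DATA  },
    { ACE_ALLOW, "auditors", 1, ACE4_READ_DATA  },
    { ACE_ALLOW, "fred",     0, ACE4_WRITE_DATA },
};
/* Jane's DENY moved below the group ALLOW: it is never reached for her. */
const struct ace misordered_acl[] = {
    { ACE_ALLOW, "accounts", 1, ACE4_READ_DATA  },
    { ACE_DENY,  "jane",     0, ACE4_READ_DATA  },
};
const struct subject jane = { "jane", { "accounts", NULL } };
const struct subject amy  = { "amy",  { "accounts", NULL } };
const struct subject fred = { "fred", { "staff", NULL } };
```

With sample_acl, Jane is refused read although she is in Accounts; with
misordered_acl she is allowed, because ACE order decides the outcome.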

SE/Linux fans please note: this is Discretionary Access Control,
*not* Mandatory Access Control nor Multi Level Security.

Linux supports NFSv4 ACLs...kinda. Few filesystems support NFSv4
ACLs, so ACLs usually only come into play when files are being
accessed remotely via NFS or CIFS. For example, the NFS server and
Samba can use native filesystem support for POSIX ACLs to implement
poor approximations of NFSv4 ACLs. There are a number of technical
difficulties with this approach which make it unattractive.

On the other hand, NFSv4 ACLs are rather an attractive feature of a
NAS file server, especially one where Windows clients using the CIFS
protocol need to co-exist with Linux clients using NFS. The NFSv4
ACL model is quite close (but not identical) to the Windows model,
so the mapping is relatively straightforward.

In 2008 SGI decided to implement end-to-end native NFSv4 ACL support
as part of our NAS file server product. In collaboration with Andreas
Gruenbacher of SUSE, we conducted a cross-team effort including
contributions to XFS, ext3, the Linux VFS, Samba, and the NFS server
and client.

In this talk I'll describe how the NFSv4 ACL model works, and contrast
it to the POSIX model you're probably more familiar with. I'll cover
the theoretical and practical challenges we encountered when choosing what
parts of the standard to implement and how accurately to implement them.
I'll talk about the organisational challenges involved, and briefly
cover how the code hangs together.

People with an interest in kernel development, enterprise file serving,
networking, or security will get the most out of this talk.

Greg Banks

Greg is a Principal Engineer working in the File Serving Technologies
group of Silicon Graphics, Inc. He's been doing Linux kernel
development work on and off since 1999, and has worked on Linux NFS
since 2003.