patch draft for extended attributes on linux

jw schultz jw at pegasys.ws
Thu Jun 26 18:16:06 EST 2003


On Thu, Jun 26, 2003 at 03:29:04AM -0400, Carson Gaspar wrote:
> --On Wednesday, June 25, 2003 10:01 PM -0700 jw schultz <jw at pegasys.ws> 
> wrote:
> 
> >I'd say that a security regimen that requires xattrs to
> >tighten security is misguided.
> 
> And you'd be wrong. Simple user/group security is not _nearly_ enough for 
> all sorts of use cases. Simple use case:
> 
> - Alice and Bob need to read the file
> - Charlie and David need read/write access
> - Nobody else should have any access
> 
> Impossible with simple user/group permissions.

Not impossible.  I've done that sort of thing many times.

-rwxr-x---    1 charlie   cdab         3658 Jan 20 17:35 .
-rw-rw-r--    1 charlie   david        3658 Jan 20 17:35 the_file
Or so you don't need root to "chgrp david the_file"
-rw-rw-r--    1 charlie   charliedave  3658 Jan 20 17:35 the_file

Be very careful stating that something is impossible.  Just
because you haven't imagined how doesn't mean that there
isn't a way.  For that matter what often seems impossible is
in reality trivial when looked at from another perspective.
There are more complex scenarios i can imagine for which 
acceptable solutions without ACLs are not available.

But that is beside the point.  I'm still right.  You have
misunderstood.  I did not say that simple user/group
permissions were sufficient for all problems.  Nor did i
impugn the use of xattrs to loosen security.

You will find that most definitions of ACLs--including
POSIX--only allow you to grant access, not revoke it.
In the case of your example you would not give the file 666
permissions and then tighten it down with ACLs.  You would
give the file 600 perms and then use ACLs to grant
permissions to non-owners.

You also removed the context of my statement which was
Martin's comment:
| In cases where xattrs are used for security information, it
| might not be sufficient to apply them just at the end of the
| transfer.  That might make the permissions on the temporary
| file too weak.  Or perhaps not -- I just didn't want to
| think about it. :-)

My point is that i'm not going to anguish over broken
regimens that use xattrs to tighten the security.

ACLs and capabilities should be used to grant, not revoke.
That way if something happens that loses or disables xattrs
your system is not compromised.  Further by applying the
xattrs last you ensure that the file is intact with correct
ownership before enabling anything.


-- 
________________________________________________________________
	J.W. Schultz            Pegasystems Technologies
	email address:		jw at pegasys.ws

		Remember Cernan and Schmitt
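To make the permission scheme in the reply above concrete, here is a small model of the classic UNIX access check (owner, group, other, plus search permission on every directory in the path), run over the two listings Schultz gives and over a "flat" variant with no protected directory. This is an added example, not code from the original thread or from rsync; the group memberships (the private per-user groups, `cdab`, and `charliedave`), the user `eve`, and the absence of root and ACLs are all assumptions built in for the demonstration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triple


@dataclass(frozen=True)
class Node:
    """One filesystem object: owner, group, and mode bits (e.g. 0o750)."""
    owner: str
    group: str
    mode: int


# Constructed group membership table (assumption: one private group per user,
# as most Linux distributions create, plus the two shared groups from the mail).
GROUPS = {
    "alice": {"alice"}, "bob": {"bob"}, "charlie": {"charlie"},
    "david": {"david"}, "eve": {"eve"},
    "cdab": {"charlie", "david", "alice", "bob"},  # everyone allowed into the directory
    "charliedave": {"charlie", "david"},           # the writers; avoids chgrp to a personal group
}


def class_bits(user, node):
    """Pick the single rwx triple that applies: owner, else group, else other.
    As in the kernel, the first matching class decides; a group member with
    fewer bits than 'other' still gets only the group bits."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if user in GROUPS.get(node.group, ()):
        return (node.mode >> 3) & 7
    return node.mode & 7


def access(user, path, want):
    """Classic UNIX check (root not modelled): every directory on the way
    needs search permission (x); the final object needs all bits in `want`."""
    *dirs, target = path
    for d in dirs:
        if not class_bits(user, d) & X:
            return False
    return class_bits(user, target) & want == want


def summarize(path, users=("alice", "bob", "charlie", "david", "eve")):
    """Map each user to 'rw', 'r', 'w' or '' for the object at `path`."""
    out = {}
    for u in users:
        out[u] = ("r" if access(u, path, R) else "") + ("w" if access(u, path, W) else "")
    return out


# The two layouts from the mail: the 750 directory is the gate, the file's
# group carries write access, and the file's "other" bits are only reachable
# by those already past the gate (alice and bob).
SHARED_DIR = Node("charlie", "cdab", 0o750)
LAYOUT_CHGRP = [SHARED_DIR, Node("charlie", "david", 0o664)]
LAYOUT_GROUP = [SHARED_DIR, Node("charlie", "charliedave", 0o664)]
# Same file mode with no protected directory, to show what the directory buys.
LAYOUT_FLAT = [Node("charlie", "charliedave", 0o664)]

if __name__ == "__main__":
    for name, layout in [("chgrp", LAYOUT_CHGRP), ("group", LAYOUT_GROUP), ("flat", LAYOUT_FLAT)]:
        print(name, summarize(layout))
```

Both listed layouts give Alice and Bob read-only, Charlie and David read-write, and the outsider Eve nothing, which is the access matrix Carson called impossible. The flat layout leaks read access to Eve through the file's "other" bits, which is why the 750 directory, not the file mode alone, does the work.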


