This document has been updated for the behaviors that are present in the S10
FCS version of the NFSv4 ACL implementation. Current Solaris behavior is
modeled, as much as possible, after the internet draft
http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-acl-mapping-02.txt by
Marius Aamodt Eriksen and J. Bruce Fields.

This document describes what the Solaris NFSv4 server will accept for ACLs
when it must map them to POSIX-draft ACLs for a UFS filesystem.

1. ACE Type (acetype4 type)

   The server returns NFS4ERR_ATTRNOTSUPP if it gets an ACE with one of the
   following types:

       ACE4_SYSTEM_AUDIT_ACE_TYPE
       ACE4_SYSTEM_ALARM_ACE_TYPE

   SUPPORTED types include:

       ACE4_ACCESS_ALLOWED_ACE_TYPE
       ACE4_ACCESS_DENIED_ACE_TYPE

2. ACE flag (aceflag4 flag)

   The server returns NFS4ERR_ATTRNOTSUPP if it gets a flag with one of the
   following fields set:

       ACE4_SUCCESSFUL_ACCESS_ACE_FLAG
       ACE4_FAILED_ACCESS_ACE_FLAG
       ACE4_NO_PROPAGATE_INHERIT_ACE - The current Solaris filesystem (UFS)
           is not able to turn off default ACLs at any arbitrary point in
           the tree.

   SUPPORTED flags include:

       ACE4_INHERIT_ONLY_ACE
       ACE4_FILE_INHERIT_ACE
       ACE4_DIRECTORY_INHERIT_ACE
       ACE4_IDENTIFIER_GROUP

   All three or NONE of the following can be set, or the server returns
   NFS4ERR_ATTRNOTSUPP:

       ACE4_FILE_INHERIT_ACE
       ACE4_DIRECTORY_INHERIT_ACE
       ACE4_INHERIT_ONLY_ACE

   ACE4_IDENTIFIER_GROUP is SUPPORTED and is used to tell the difference
   between group and user ACEs. If (flag & ACE4_IDENTIFIER_GROUP), 'who' is
   a group; otherwise 'who' is a user.

3. ACE Access Mask (acemask4 access_mask)

3.1 Supported and Unsupported Masks

   Any mask (DENY or ALLOW) with the following set will automatically
   return NFS4ERR_ATTRNOTSUPP:

       ACE4_WRITE_OWNER

   Supported masks include:

       ACE4_READ_DATA
       ACE4_WRITE_DATA
       ACE4_APPEND_DATA
       ACE4_EXECUTE
       ACE4_READ_ATTRIBUTES
       ACE4_WRITE_ATTRIBUTES
       ACE4_READ_ACL
       ACE4_WRITE_ACL
       ACE4_DELETE_CHILD
       ACE4_DELETE
       ACE4_SYNCHRONIZE
       ACE4_WRITE_NAMED_ATTRS
       ACE4_READ_NAMED_ATTRS

3.1.1 In-depth explanation of controversial access mask bits

3.1.1.1 ACE4_DELETE

   ACE4_DELETE is not set in any ACEs of the ACLs that we produce on the
   Solaris client or server. The Solaris server will accept any ACL with
   either ACE4_DELETE in the ALLOW ACEs or without ACE4_DELETE defined in
   any ACE, but will error with NFS4ERR_ATTRNOTSUPP if ACE4_DELETE is set
   in any DENY ACE.

3.1.1.2 ACE4_WRITE_OWNER

   ACE4_WRITE_OWNER is not set in any ACEs of the ACLs that we produce on
   the Solaris client or server. The Solaris server will not accept any ACL
   with ACE4_WRITE_OWNER set in any ACE. We will error with
   NFS4ERR_ATTRNOTSUPP if ACE4_WRITE_OWNER is set in any ACE that we
   receive.

3.1.1.3 ACE4_SYNCHRONIZE

   ACE4_SYNCHRONIZE is set in the ALLOW ACEs of the ACLs that we produce.
   The Solaris server will accept any ACL with either ACE4_SYNCHRONIZE in
   the ALLOW ACEs or without ACE4_SYNCHRONIZE defined in any ACE, but will
   error with NFS4ERR_ATTRNOTSUPP if ACE4_SYNCHRONIZE is set in any DENY
   ACE.

3.1.1.4 ACE4_WRITE_NAMED_ATTRS

   ACE4_WRITE_NAMED_ATTRS is not set in any ACEs of the ACLs that we
   produce on the Solaris client or server. The Solaris server will accept
   any ACL with either ACE4_WRITE_NAMED_ATTRS in the ALLOW ACEs or without
   ACE4_WRITE_NAMED_ATTRS defined in any ACE, but will error with
   NFS4ERR_ATTRNOTSUPP if ACE4_WRITE_NAMED_ATTRS is set in any DENY ACE.

3.1.1.5 ACE4_READ_NAMED_ATTRS

   ACE4_READ_NAMED_ATTRS is not set in any ACEs of the ACLs that we produce
   on the Solaris client or server. The Solaris server will accept any ACL
   with either ACE4_READ_NAMED_ATTRS in the ALLOW ACEs or without
   ACE4_READ_NAMED_ATTRS defined in any ACE, but will error with
   NFS4ERR_ATTRNOTSUPP if ACE4_READ_NAMED_ATTRS is set in any DENY ACE.

3.2 Required Masks

   ACE4_READ_ACL and ACE4_READ_ATTRIBUTES must be set on all ALLOW ACEs.
   Additionally, if the "who" field is "OWNER@", ACE4_WRITE_ACL and
   ACE4_WRITE_ATTRIBUTES must be set on ALLOW ACEs. Neither ACE4_WRITE_ACL
   nor ACE4_WRITE_ATTRIBUTES may be present in an ALLOW ACE with a "who"
   field other than "OWNER@". Failure to meet these requirements will
   result in the server returning NFS4ERR_ATTRNOTSUPP.

3.3 Supported Combinations of Masks

   Please be reminded that the following flags are equal. One defines flags
   for files, the other defines flags for directories.

       ACE4_READ_DATA   = ACE4_LIST_DIRECTORY
       ACE4_WRITE_DATA  = ACE4_ADD_FILE
       ACE4_APPEND_DATA = ACE4_ADD_SUBDIRECTORY

   The following tables define which combinations of access mask flags are
   supported and which are not.

3.3.1 ACE4_READ_NAMED_ATTRS, ACE4_READ_ATTRIBUTES and ACE4_READ_DATA

   In the table below,

       A = ACE4_READ_ATTRIBUTES
       N = ACE4_READ_NAMED_ATTRS
       D = ACE4_READ_DATA

   The values that are given represent the presence or absence of the mask
   in an ALLOW ACE.

                   D = 0                    D = 1
   ---------------------------------------------------------------
   N = 0 / A = 0   NFS4ERR_ATTRNOTSUPP (1)  NFS4ERR_ATTRNOTSUPP (1)
   ---------------------------------------------------------------
   N = 0 / A = 1   SUPPORTED (2)            SUPPORTED (*)
   ---------------------------------------------------------------
   N = 1 / A = 0   NFS4ERR_ATTRNOTSUPP (1)  NFS4ERR_ATTRNOTSUPP (1)
   ---------------------------------------------------------------
   N = 1 / A = 1   SUPPORTED (*)            SUPPORTED

   * Changed in s10_b74L1.

   (1) This is not supported because ACE4_READ_ATTRIBUTES is false and, as
       the I-D says, every ACE must have ACE4_READ_ATTRIBUTES and
       ACE4_READ_ACL set.
   (2) An example of this is that a regular user doesn't have read
       permissions on /etc/shadow, but ls -l still works.

3.3.2 ACE4_WRITE_DATA and ACE4_APPEND_DATA

   These two masks must always be ALLOWED together or DENIED together. Any
   mismatch will fail with NFS4ERR_ATTRNOTSUPP.

3.3.3 ACE4_WRITE_NAMED_ATTRS, ACE4_WRITE_ATTRIBUTES and ACE4_WRITE_DATA

   In the table below,

       A = ACE4_WRITE_ATTRIBUTES
       N = ACE4_WRITE_NAMED_ATTRS
       D = ACE4_WRITE_DATA

   The values that are given represent the presence or absence of the mask
   in an ALLOW ACE.

                   D = 0                        D = 1
   ------------------------------------------------------------------
   N = 0 / A = 0   if who == "OWNER@" (1)       if who == "OWNER@" (1)(*)
                       NFS4ERR_ATTRNOTSUPP          NFS4ERR_ATTRNOTSUPP
                   else SUPPORTED               else SUPPORTED
   ------------------------------------------------------------------
   N = 0 / A = 1   if who == "OWNER@" (2)       if who == "OWNER@" (2)(*)
                       SUPPORTED                    SUPPORTED
                   else NFS4ERR_ATTRNOTSUPP     else NFS4ERR_ATTRNOTSUPP
   ------------------------------------------------------------------
   N = 1 / A = 0   if who == "OWNER@" (1)(*)    if who == "OWNER@" (1)
                       NFS4ERR_ATTRNOTSUPP          NFS4ERR_ATTRNOTSUPP
                   else SUPPORTED               else SUPPORTED
   ------------------------------------------------------------------
   N = 1 / A = 1   if who == "OWNER@" (2)(*)    if who == "OWNER@" (2)
                       SUPPORTED                    SUPPORTED
                   else NFS4ERR_ATTRNOTSUPP     else NFS4ERR_ATTRNOTSUPP

   * Changed in s10_b74L1.

   (1) The owner of the file cannot be denied the ability to write basic
       attributes. OWNER@ must have ACE4_WRITE_ATTRIBUTES set in its ALLOW
       ACE.

   (2) The ability to write basic attributes cannot be given to any users
       (or groups) besides the owner of the file.

3.4 Converting masks into POSIX mode bits

   * (Change for s10_b74L1: the read bit no longer includes
     ACE4_READ_NAMED_ATTRS.) If an ALLOW ACE contains ACE4_READ_DATA, we
     set the read bit (04).

   * (Change for s10_b74L1: the write bit no longer includes
     ACE4_WRITE_NAMED_ATTRS.) If an ALLOW ACE contains ACE4_WRITE_DATA and
     ACE4_APPEND_DATA, we set the write bit (02). If the object is a
     directory, we also require ACE4_DELETE_CHILD.

   * If an ALLOW ACE contains ACE4_EXECUTE, we set the execute bit (01).

4. ACE who (utf8string who)

   The server returns NFS4ERR_ATTRNOTSUPP if it gets an ACE with any of the
   following who values:

       "INTERACTIVE@"
       "NETWORK@"
       "DIALUP@"
       "BATCH@"
       "ANONYMOUS@"
       "AUTHENTICATED@"
       "SERVICE@"

   Supported special identifiers for the ACE who field:

       "OWNER@"
       "GROUP@"
       "EVERYONE@"

5. ACE ordering

   ACEs must be received in an order compatible with the document
   "draft-ietf-nfsv4-acl-mapping-02.txt". An ACL containing ACEs in an
   incompatible order will result in the server returning
   NFS4ERR_ATTRNOTSUPP.

6. Additional access_mask requirements

   It is also required that the masks on the ALLOW ACEs and the DENY ACEs
   be complementary with respect to the supported masks, except for
   ACE4_DELETE, ACE4_SYNCHRONIZE, ACE4_WRITE_NAMED_ATTRS, and
   ACE4_READ_NAMED_ATTRS. Supported masks are listed earlier in this
   document. An exception is that an ACL applied to something other than a
   directory should not have ACE4_DELETE_CHILD on either its ALLOW ACEs or
   its DENY ACEs.
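The rules in sections 1 through 4 and 6, together with the mode-bit mapping of section 3.4, can be checked mechanically. The following is an added reference checker written for this page; it is not Solaris code and not the server's implementation. It assumes the numeric values RFC 3530 assigns to acetype4, aceflag4 and acemask4 (ACE4_READ_DATA, ACE4_WRITE_DATA and ACE4_APPEND_DATA carry the same values as ACE4_LIST_DIRECTORY, ACE4_ADD_FILE and ACE4_ADD_SUBDIRECTORY), it checks the section 6 complementarity requirement per "who" (the notes do not say at which granularity the server checks it, so that is an assumption), and it does not check section 5 ordering, since the draft's ordering is not reproduced on this page. The sample ACL at the end is constructed for the example.

```python
# Added example, not Solaris code: a reference checker for the acceptance rules
# in sections 1-4 and 6 above plus the mode-bit mapping of section 3.4. Numeric
# values are the ones RFC 3530 assigns to acetype4, aceflag4 and acemask4.
from dataclasses import dataclass

ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_ACCESS_DENIED_ACE_TYPE = 0, 1
ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE = 2, 3
ACE4_FILE_INHERIT_ACE, ACE4_DIRECTORY_INHERIT_ACE = 0x01, 0x02
ACE4_NO_PROPAGATE_INHERIT_ACE, ACE4_INHERIT_ONLY_ACE = 0x04, 0x08
ACE4_SUCCESSFUL_ACCESS_ACE_FLAG, ACE4_FAILED_ACCESS_ACE_FLAG = 0x10, 0x20
ACE4_IDENTIFIER_GROUP = 0x40
ACE4_READ_DATA, ACE4_WRITE_DATA, ACE4_APPEND_DATA = 0x1, 0x2, 0x4  # == LIST_DIRECTORY/ADD_FILE/ADD_SUBDIRECTORY
ACE4_READ_NAMED_ATTRS, ACE4_WRITE_NAMED_ATTRS, ACE4_EXECUTE = 0x8, 0x10, 0x20
ACE4_DELETE_CHILD, ACE4_READ_ATTRIBUTES, ACE4_WRITE_ATTRIBUTES = 0x40, 0x80, 0x100
ACE4_DELETE, ACE4_READ_ACL, ACE4_WRITE_ACL = 0x10000, 0x20000, 0x40000
ACE4_WRITE_OWNER, ACE4_SYNCHRONIZE = 0x80000, 0x100000

INHERIT = ACE4_FILE_INHERIT_ACE | ACE4_DIRECTORY_INHERIT_ACE | ACE4_INHERIT_ONLY_ACE
# May be ALLOWED but never DENIED (3.1.1); section 6 exempts the same four bits.
ALLOW_ONLY = ACE4_DELETE | ACE4_SYNCHRONIZE | ACE4_WRITE_NAMED_ATTRS | ACE4_READ_NAMED_ATTRS
OWNER_BITS = ACE4_WRITE_ACL | ACE4_WRITE_ATTRIBUTES   # 3.2: OWNER@ only
READ_BITS = ACE4_READ_ACL | ACE4_READ_ATTRIBUTES      # 3.2: on every ALLOW ACE
WRITE_PAIR = ACE4_WRITE_DATA | ACE4_APPEND_DATA       # 3.3.2: always together
# Supported masks of 3.1 minus ALLOW_ONLY: what ALLOW and DENY must partition
PARTITION = (ACE4_READ_DATA | WRITE_PAIR | ACE4_EXECUTE | ACE4_DELETE_CHILD
             | READ_BITS | OWNER_BITS)
BAD_WHO = {"INTERACTIVE@", "NETWORK@", "DIALUP@", "BATCH@",
           "ANONYMOUS@", "AUTHENTICATED@", "SERVICE@"}

@dataclass
class Ace:
    type: int
    flag: int
    mask: int
    who: str

def check_ace(ace):
    """Per-ACE rules of sections 1-4: None if accepted, else the reason."""
    if ace.type in (ACE4_SYSTEM_AUDIT_ACE_TYPE, ACE4_SYSTEM_ALARM_ACE_TYPE):
        return "unsupported ACE type"
    if ace.flag & (ACE4_SUCCESSFUL_ACCESS_ACE_FLAG | ACE4_FAILED_ACCESS_ACE_FLAG
                   | ACE4_NO_PROPAGATE_INHERIT_ACE):
        return "unsupported ACE flag"
    if (ace.flag & INHERIT) not in (0, INHERIT):
        return "inherit flags must be all set or all clear"
    if ace.who in BAD_WHO:
        return "unsupported who"
    if ace.mask & ACE4_WRITE_OWNER:
        return "ACE4_WRITE_OWNER is never accepted"
    if (ace.mask & WRITE_PAIR) not in (0, WRITE_PAIR):
        return "WRITE_DATA and APPEND_DATA must be set together"
    if ace.type == ACE4_ACCESS_DENIED_ACE_TYPE:
        return "ALLOW-only bit in a DENY ACE" if ace.mask & ALLOW_ONLY else None
    # 3.2, which is also all that tables 3.3.1 and 3.3.3 reduce to
    if (ace.mask & READ_BITS) != READ_BITS:
        return "ALLOW ACE must carry READ_ACL and READ_ATTRIBUTES"
    if ace.who == "OWNER@" and (ace.mask & OWNER_BITS) != OWNER_BITS:
        return "OWNER@ ALLOW ACE must carry WRITE_ACL and WRITE_ATTRIBUTES"
    if ace.who != "OWNER@" and ace.mask & OWNER_BITS:
        return "WRITE_ACL/WRITE_ATTRIBUTES may only be ALLOWED for OWNER@"
    return None

def mode_bits(allow_mask, is_dir):
    """Section 3.4: the rwx value one ALLOW ACE's mask maps to."""
    need_w = WRITE_PAIR | (ACE4_DELETE_CHILD if is_dir else 0)
    return ((4 if allow_mask & ACE4_READ_DATA else 0)
            | (2 if (allow_mask & need_w) == need_w else 0)
            | (1 if allow_mask & ACE4_EXECUTE else 0))

def check_acl(acl, is_dir):
    """Section 6 on top of check_ace: None if accepted, else the reason."""
    allow, deny = {}, {}
    for ace in acl:
        err = check_ace(ace)
        if err:
            return f"{ace.who}: {err}"
        if not is_dir and ace.mask & ACE4_DELETE_CHILD:
            return f"{ace.who}: DELETE_CHILD on a non-directory"
        bucket = allow if ace.type == ACE4_ACCESS_ALLOWED_ACE_TYPE else deny
        bucket[ace.who] = bucket.get(ace.who, 0) | ace.mask
    # Complementarity is checked per 'who'; that granularity is an assumption.
    want = PARTITION if is_dir else PARTITION & ~ACE4_DELETE_CHILD
    for who in allow.keys() | deny.keys():
        a, d = allow.get(who, 0) & want, deny.get(who, 0) & want
        if a & d or (a | d) != want:
            return f"{who}: ALLOW and DENY masks are not complementary"
    return None

# Constructed sample ACL for a directory meant to map to rwxr-xr-- (0754)
R, W, X = ACE4_READ_DATA | READ_BITS | ACE4_SYNCHRONIZE, WRITE_PAIR | ACE4_DELETE_CHILD, ACE4_EXECUTE
DIR_ACL = [
    Ace(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, R | W | X | OWNER_BITS, "OWNER@"),
    Ace(ACE4_ACCESS_DENIED_ACE_TYPE, ACE4_IDENTIFIER_GROUP, W | OWNER_BITS, "GROUP@"),
    Ace(ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_IDENTIFIER_GROUP, R | X, "GROUP@"),
    Ace(ACE4_ACCESS_DENIED_ACE_TYPE, 0, W | X | OWNER_BITS, "EVERYONE@"),
    Ace(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, R, "EVERYONE@"),
]
```

Two things the tables alone do not make obvious fall out of the code: once ACE4_READ_ATTRIBUTES is mandatory on every ALLOW ACE (3.2), every cell of table 3.3.1 is decided by that one rule, and the same holds for 3.3.3 with ACE4_WRITE_ATTRIBUTES and OWNER@. Running check_acl on DIR_ACL with is_dir=False is rejected immediately, because ACE4_DELETE_CHILD is present, which is the section 6 exception for non-directories.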