Linux trustees (ACL) project

The problem

One very common task a system administrator has to implement is "create a directory that is available to some people in write mode and to another group read-only. The files in the directory and its subdirectories should inherit the parent's behaviour unless otherwise stated explicitly." Using the standard UNIX (and Linux) security model it is, generally speaking, impossible to implement a situation where different groups have read/write and read-only permissions. This can be resolved by the ext2-fs ACL project, but the problem is that nobody wants to copy masks or ACLs from a parent directory to its subdirectories, either by hand or with special scripts.

The solution

The proposed solution is mainly inspired by the Novell NetWare approach and my own experience of NetWare administration. In addition to the standard UNIX permissions, special objects (called trustees) can be bound to any file or directory. A trustee object means that a certain user or group has additional rights to a given file (or to a directory and its descendants). The following rights are applicable:

Symbol  Meaning
R       Read files
W       Write files and directories
B       Browse (like UNIX execute for directories)
E       rEad directories
X       eXecute files
U       Use UNIX permissions
C       Clear the permissions (instead of setting them)
D       Deny access (instead of granting it)

The trustee objects are stored in kernel memory (I hope that it will be OK even if somebody has thousands of trustees), which allows very quick lookup. The permission to access a file (or directory) is calculated using the following algorithm:

1. Dereference the file name (all symbolic links are replaced by the physical path).
2. Set the initial deny mask to [] (empty mask) and the allow mask to [U] (use UNIX rights by default).
3. Check all the parents of the file and the file itself (starting from the root directory), find the applicable trustee objects (the names are equal, and the user equals the user_id in the trustee or belongs to the group in the trustee object), and set (or clear, if C is in the trustee mask) the bits of the trustee mask in the allow (or deny, if D is in the trustee mask) permission mask.
4. After the mask for the file name is calculated:
   * If the user is the superuser, grant access.
   * If at least one of the requested access modes is denied, deny access.
   * If the U flag is set in allow, the U flag is not set in deny, and the normal Linux permission code allows the access, grant access.
   * If all the requested access flags are set in the allow mask, grant access.
   * Otherwise, deny access.

Note that string names (not inode numbers) are stored in trustee objects, so the trustee system works regardless of mount points, filesystem types etc.

Status

This is alpha code. Although my friends and I tested it carefully and put it on a production server, use it at your own risk. Only the i386 architecture has been tested so far; I am especially unsure about the ARM and PPC ports.

Quick start

1. The patch provided can be applied to any 2.2.X or 2.3.X kernel: cd /usr/src and patch -p0.
2. Write a configuration file (see the config samples under Download). Each line is a path followed by one or more trustees, separated by colons, where a trustee is user_name:mask or +group_name:mask, e.g.
   /:very_trusted_user:RWEBX
   /top_secret_path:+big_group:DRWEBX
3. Compile the program settrustee.c, type ./settrustee --help and read the help.
4. Put settrustee in a startup script.
5. Reboot the system.

Download

* The kernel patch for linux-2.3.5: trustees.11.patch
* The kernel patch for linux-2.2.9 or linux-2.3.3: trustees.10.patch (actually, there were only minor changes from 1.0 to 1.1, so we do not provide a 1.1 patch for old kernels; the new patch should probably be applicable anywhere).
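To make the evaluation of config lines like the ones above concrete, here is a userspace model of the permission algorithm from "The solution" section. It is an added example, not the project's kernel patch or settrustee.c. It assumes numeric ids (very_trusted_user = uid 1000, big_group = gid 100, both assumed), that the path handed in is already absolute and symlink-free (the kernel does the dereferencing), and it takes the result of the ordinary Linux permission check as a boolean input instead of reimplementing it. The third trustee, +big_group:CDR on a subdirectory, is a constructed addition that shows how C clears bits from a deny mask set by a parent.

```c
/* Added example: userspace model of the trustee permission algorithm.
 * uids, gids, sample paths and the unix_allows input are assumptions. */
#include <stdbool.h>
#include <string.h>

/* Rights from the table on the page; bit i corresponds to LETTERS[i].
 * C and D are modifiers that change how the other bits are applied. */
static const char LETTERS[] = "RWBEXUCD";
enum { T_R = 1, T_W = 2, T_B = 4, T_E = 8, T_X = 16, T_U = 32, T_C = 64, T_D = 128 };
#define T_RIGHTS (T_R | T_W | T_B | T_E | T_X | T_U)

struct trustee {
    const char *path; /* file or directory the trustee is bound to */
    bool is_group;    /* true for "+group_name", false for "user_name" */
    unsigned id;      /* uid or gid; name lookup is assumed done elsewhere */
    unsigned mask;    /* flags parsed from a string such as "DRWEBX" */
};
struct subject { unsigned uid; const unsigned *gids; int ngids; };

/* Parse a mask string such as "RWEBX" or "CDR"; other characters are ignored. */
unsigned parse_mask(const char *s)
{
    unsigned m = 0;
    for (; *s; s++) {
        const char *p = strchr(LETTERS, *s);
        if (p)
            m |= 1u << (p - LETTERS);
    }
    return m;
}

static bool subject_matches(const struct subject *s, const struct trustee *t)
{
    if (!t->is_group)
        return s->uid == t->id;
    for (int i = 0; i < s->ngids; i++)
        if (s->gids[i] == t->id)
            return true;
    return false;
}

/* Apply every trustee bound to exactly `prefix` that covers the subject:
 * set (or clear, with C) its right bits in allow (or in deny, with D). */
static void apply_level(const char *prefix, const struct trustee *ts, int n,
                        const struct subject *s, unsigned *allow, unsigned *deny)
{
    for (int i = 0; i < n; i++) {
        const struct trustee *t = &ts[i];
        if (strcmp(t->path, prefix) != 0 || !subject_matches(s, t))
            continue;
        unsigned bits = t->mask & T_RIGHTS;
        unsigned *target = (t->mask & T_D) ? deny : allow;
        if (t->mask & T_C)
            *target &= ~bits;
        else
            *target |= bits;
    }
}

/* Walk "/", "/a", "/a/b", ... up to the full path, accumulating both masks.
 * `path` is assumed absolute, symlink-free and without a trailing slash. */
void trustee_masks(const char *path, const struct trustee *ts, int n,
                   const struct subject *s, unsigned *allow, unsigned *deny)
{
    char prefix[256];
    size_t len = strlen(path);

    *allow = T_U; /* UNIX permissions apply unless a trustee says otherwise */
    *deny = 0;
    apply_level("/", ts, n, s, allow, deny);
    for (size_t i = 2; i <= len && i < sizeof prefix; i++) {
        if (path[i] == '/' || path[i] == '\0') {
            memcpy(prefix, path, i);
            prefix[i] = '\0';
            apply_level(prefix, ts, n, s, allow, deny);
        }
    }
}

/* Decision rules from the page; `unix_allows` stands in for the normal
 * Linux permission check, which this model does not reimplement. */
bool trustee_access(const struct subject *s, const char *path, unsigned req,
                    bool unix_allows, const struct trustee *ts, int n)
{
    unsigned allow, deny;

    if (s->uid == 0)
        return true;                            /* superuser */
    trustee_masks(path, ts, n, s, &allow, &deny);
    if (req & deny)
        return false;                           /* any denied bit loses */
    if ((allow & T_U) && !(deny & T_U) && unix_allows)
        return true;                            /* fall back to UNIX rights */
    return (req & allow) == req;                /* every requested bit granted */
}

/* Constructed sample mirroring the config lines on this page, plus a "CDR"
 * entry re-enabling reads below the denied tree. Assumed ids:
 * very_trusted_user = uid 1000, big_group = gid 100. */
int sample_trustees(struct trustee *out, int cap)
{
    const struct trustee t[] = {
        { "/",                       false, 1000, parse_mask("RWEBX") },
        { "/top_secret_path",        true,   100, parse_mask("DRWEBX") },
        { "/top_secret_path/public", true,   100, parse_mask("CDR") },
    };
    int n = cap < 3 ? cap : 3;
    if (n < 0)
        n = 0;
    memcpy(out, t, n * sizeof *t);
    return n;
}
```

Two things the walk makes visible: a D trustee on /top_secret_path puts RWEBX into the deny mask for every member of big_group over the whole subtree, and a denied bit wins over any allow bit, including the RWEBX that very_trusted_user collects from the trustee on /, so group membership overrides that user's rights there; the only way to re-open part of the subtree is a C entry lower down, which removes bits from the deny mask without touching the allow mask.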
* User-level program: settrustee.c
* Config samples: one of the variants used for testing, and the production variant

Contributions welcomed

* Comprehensive testing, especially in SMP environments and with Samba
* A nice user-level and administration program
* Testing and debugging of non-i386 ports
* Currently Samba forks in order to check rights to a file. I implemented a syscall access_uid(char *name, int mode, uid_t uid, gid_t gid). I would like somebody to make Samba use this syscall and benchmark it.

Contacting author

Please report bugs and successful tests to zavadsky@mzor.com