---
title: WWDC2004 Session 611
framework: wwdc
role: article
path: wwdc/wwdc2004-611
---

# WWDC2004 Session 611

## Transcript

Kind: captions. Language: en.

Rusty Tucker: Thank you and good afternoon. The UNIX permissions model has been around with us for a while now. This weekend I kind of tried to track it down, you know, how long we've had it. I tracked it back to 1979 in UNIX V7, and then earlier today we tracked it back to 1971, so it's been around at least as far back as that. I think now, for Mac OS X, it's time for us to move beyond that and to actually introduce file system access control. So today we're going to introduce you to what we're doing in Tiger with file system access controls and really try and answer three deceptively simple questions: what are ACLs, or "ackles" as we sometimes call them; why are we adding them to Mac OS X; but perhaps more importantly, how do ACLs affect the way that you're developing software and managing your networks?

So today we're going to cover this in seven different topics. First, an overview of file system ACLs, what are the key features and benefits of them, and then present a high-level view of the file system ACL model and its capabilities. Then we'll show you how we're changing Tiger to adapt it to provide access control, and then a more detailed look at how it's being supported in the kernel, along with some specifics on how file access controls work and how the kernel calculates access permission. I will show you the developer APIs that are available to you for controlling access in the file system, and then wrap up with how we've changed our group membership in Mac OS X to a more flexible group membership system.

Let's get started. The purpose of file access control is so we can be more expressive and more flexible than how permissions are used with files right now. The existing model is a bit too crude and a lot of times gets in the way of how we're trying to do our work on a daily basis. Some of the key things that we'd like to achieve with access control support: one, to be able to support XP clients with our servers. A lot of our customers are requiring it, to be able to support their home directories and to provide workgroup services in their Microsoft networks, and we'd like to do this with Mac OS X Server. In addition, we'd like to enable better integration of the Mac OS X desktop into Active Directory networks, so that the Mac OS X client can be a true peer to the other machines in those networks and have full understanding of the access controls that are in use today on the servers that are on those networks. And also to provide a foundation technology for collaborative applications, so that sharing between users and different groups is easier and more secure. And finally we'd like to be able to enable workflow applications, so that the right permissions are set on documents as they go through a workflow in a somewhat automated fashion.

So conceptually an ACL is really very simple. It's simply a list of access control entries. Each one of those entries identifies a user and a set of permissions that are either granted or denied for that user, and then each of the ACLs is bound to a file or directory in the file system. So for example we can take a look at this hypothetical math assignment document and how we might be able to use an ACL to control access to it. First of all, we definitely have to have it so the teachers can read, write and delete the document, that is, the assignment. Then we have a hypothetical student teacher called Miss Buxton who is not really ready to provide assignments or edit assignments, so she's going to be given read-only access, but she's actually a member of the teachers group since she's a student teacher. The math students will then have just read-only access to the assignment, and everyone else will have no access. We'll revisit this example throughout the presentation, providing some more detail around it and how it would actually work within our system.

So we go back to our original statement of flexibility for file system access controls and we've got some refinements now that we can apply to that. One, we definitely want to be able to associate multiple users and groups and assign those permissions to different file system objects, as well as to provide more granular permissions, for example the delete permission, which you cannot assign to an individual file today. And then also to support permissions inheritance, which will help enable our workflow situations. And finally, support NT compatibility in our client and server.

So now that we have our requirements, let's take a look at what the file system ACL model actually is. We can compare this to existing models that are out there today that one might draw from. First of all we can take a look at AppleShare privileges, which weren't really an ACL but were more capable in some ways than the POSIX permissions that we have today. For example, we could assign a group as an owner, and permissions inheritance was implicit in the fact that you could only assign permissions to folders. There's also the Andrew File System, which is very popular; it has ACLs and it provides the same ability to have multiple users and groups, also assigns permissions to folders, and introduces some new permissions, the ability to administer and delete, but it's not NT compatible. The Windows NT model, for example, introduces fine-grained permissions, multiple users and groups, the ability to allow and deny permissions, as well as defining a rich set of rules for inheritance. Finally there was a POSIX draft, 1003.1e, that defined an ACL model for UNIX systems as a proposal. It provided the same set of permissions that we have today, read, write and execute, but allowed also multiple users and groups, with allow-only entries and no deny entries. Its inheritance is somewhat limited and set to a system of default permissions for new items in a directory, and this proposal failed to gain standardization and has since been withdrawn.

So the model that we're actually going to provide in Tiger will support NT semantics, including the fine-grained permissions that are available on NT systems as well as found in NFSv4. It will provide static inheritance, so that you can use the NT rules of inheritance to define inheritance of permissions when items are newly created in a directory hierarchy, as well as supporting allow and deny, so that you can fine-tune permissions that are given to a user based on group memberships and so on. The interesting innovation that we're going to provide here is combining the POSIX and UNIX permissions that we have today with an ACL, which will minimize migration impact and maximize compatibility with existing applications. Moreover, you will be able to, on an existing volume, assign ACLs and deploy them in specific parts of the file system, certain directories, individual file objects for example, without having to reformat the entire volume to support that. Now finally, we have an API based on the POSIX draft that we had talked about earlier, which provides a level of abstraction and flexibility to allow for future extension.

There are a number of changes we're going to make to Tiger to support file system ACLs. First, we'll be supporting ACLs from the kernel. ACLs are part of a new extended security architecture; those ACLs are fully a first-class security attribute for files, and this will require support deep in the kernel, and Mike Smith will come and explain this to us in detail later on. As part of this we've had to revisit how we address groups in Mac OS X, so we're eliminating the existing 16 group membership limit, and adding support for nested groups. In HFS+, ACLs will be supported based on the new support for extended attributes. Extended attributes are new functionality in HFS+ in Tiger that's built on some pre-existing definitions in the specification for HFS, so that it doesn't require completely reformatting the volumes to take advantage of this; the new structures and information required in the volume format can be built out transparently as you assign ACLs and extended attributes to items. And finally this will be available both in the Tiger client and Tiger Server.

Of course, changes in the SMB client are another important feature for us in our ACL strategy, providing us with a good client fit in Microsoft networks and the ability to view users and groups from Active Directory and edit the ACLs that are on the files on NT servers. Of course we'll also be updating AFP and the AFP client to support ACLs natively. All together the changes in the kernel and file system provide us a good foundation for extended permissions in Tiger. Through the POSIX and Carbon layers your applications will gain access to the ACL API so that you can change and manipulate ACLs from your software, and we're also providing command-line tools for management of systems, including ls and chmod, for example, to give you the ability to edit ACLs, but also command-line tools like cp, because now we need to preserve this new information when we copy files.

We're changing the Samba server to provide native support with full fidelity to SMB clients from Windows XP and other Microsoft platforms. If you're familiar with the way that Samba works, with its standard compile options you really have two different choices today. Either you can go with its private support for Windows ACLs, in which it does not use file system permissions from the file system; it keeps a shadow database of its own permissions for items, much in the way that a web server would provide access via an .htaccess file. The other option is to compile for the POSIX ACL format, as is possible on Linux. In doing that you really end up with a lossy translation between the POSIX ACLs and what's available on Windows NT, between the client and server. With our solution you actually end up with a full-fidelity solution, because the file system permissions already have the same finer-grained permissions that are found on the NT systems that it's being served to. This is also reflected in the AFP server, where we'll be showing permissions as effective permissions to Panther or earlier clients, because they don't have the capability of understanding the more fine-grained ACL permissions, but full-fidelity permissions will be exposed to Tiger clients. Both Samba and AFP together will work from the same basic set of permissions in the local file system, providing very unified support to both clients and the same capabilities. The Finder will be supporting editing ACLs from the desktop on AFP, SMB and local volumes, and of course our server tools, providing very flexible management of ACLs in a much more fine-grained manner, including the ability for you to set presets and define your own permission masks, making management of ACLs very efficient and easy. All in all I think we've got a very complete and comprehensive set of changes in Tiger for ACLs, and I would like to introduce to you Mike Smith from Core OS engineering.

Mike Smith: Thanks. So in the next few minutes I guess I'll be talking about the kernel changes, the introduction of a new centralized authorization infrastructure, which we're calling KAuth; a little bit about some details of the ACL format, mostly the internal details for reference purposes; we'll work through a brief example using the scenario that Rusty raised earlier; and then I'll talk a little bit about the developer API. I'm not actually going to bore you by working through the entire API detail by detail; documentation will all be available in good time, but we'll go through a code sample to give you a feel for actually doing it.

So when we embarked on supporting ACLs we already knew that we were going to need a centralized authorization infrastructure. The existing authorization mechanisms inside the Mac OS kernel, whilst more than adequate to the task, are relatively ad hoc: authorization decisions are made all over the place, there is some duplication of code, and this works okay because the model we've been working with is relatively simple. However, ACLs and the like introduce considerable complexities, and so it's fairly important for us to reduce the amount of work that authors and developers need to do and also to just overall reduce the code bloat and replication of code. Authorization itself inside the kernel really involves knowing three things: who you're actually performing the action for, what you're operating on, and what the actual operation is, and specific details related to it. KAuth provides management for credentials, which are our user identification; it supports processing of ACLs; it provides helper functions for translation and the like; and it provides a flexible mechanism for defining actions, as well as a plug-in architecture that allows modules to participate in the authorization process. On a first go, the places we expect this to be of particular interest are folks writing antivirus filters, but potentially also other content filters, and the functionality is very much open-ended, so if you find yourself having a desire to control the way that access to particular resources is managed, you can basically write a module against our API and just get involved.

The consequence of all of this is that ACLs are now fully integrated with the kernel's authorization subsystem. Again, in the same vein of reducing the amount of work that individual file systems and modules need to perform, we've layered the ACL implementation over the top of the extended attribute support, so any file system that supports extended attributes gets ACLs for free. File systems that have their own ACL model can translate to and from our format; as we're using the Microsoft and the NFSv4 semantics, for file systems that include native ACL models these translations have generally already been explored, so they're well understood. And again, as Rusty pointed out, we will continue to support POSIX permissions as well. The default processing for ACLs leaves you in a situation, when you're at the end of the ACL (I'll get into that in more detail in a little bit), where you would deny the request. In our case we ultimately fall through and consider the POSIX permissions, and this gives the expected behavior: if you have a file with existing POSIX permissions and you want to add extra control to it, you can apply an ACL, and the processing of the two will behave pretty much as you expect it to.

This is a simplified overview of the way that things look now, with the KAuth subsystem interacting with the VFS to provide the new authorization functionality. The interesting item on this particular diagram is the group membership resolver. As Rusty mentioned, we're going beyond the 16 group limit. Integrating with Active Directory, it's no longer practical for us to keep a complete list of all of the groups that every credential is a member of inside the kernel, so we have a new group membership resolution service.

I'll talk briefly now about our format. This is obviously not a comprehensive description; we'd really rather you use our API abstraction for manipulating ACLs, but understanding what's going on under the covers may help you, and it lets us introduce some terminology. Rusty's already briefly talked about access control entries: they associate an identifier of some sort with a set of permissions. An access control list: the word list is kind of important, because it's an ordered list, and the processing of an ACL is dependent upon the order of the entries in the list. User IDs and group IDs you should be familiar with already; alongside the current 32-bit user and group identifiers we've been using for some time, we're introducing a new globally unique ID which can be applied to both users and groups. This is to deal with the situation where you may have very large numbers of users, or you may have groups of users that are not maintained coherently, so you run into the problems of either exhausting the user ID space or simply having collisions: two users numbered 500, for example. The GUID is randomly generated, guaranteed to be unique, operates in a 128-bit space, and so you can uniquely identify objects by their ownership; even if you have data moving around, you have a permanent handle for them. And the discussion's not really complete without mentioning Microsoft's security identifier, the SID, a structured data item that is used with SMB operations. It performs very much the same functionality as the GUID; Microsoft chose to embed information in there rather than using an indirect reference to the information. The KAuth subsystem provides functionality for translation between all of these items, so if you have a GUID you can get the UID, you can get the SID.

On a local file system that's using our extended attribute support we'll be storing a GUID for the owner of the object, and the access control list itself, as extended attributes. Obviously again we would like you to use our API functions for manipulating these; this may be getting to be a common theme here. One useful thing to note is that because we are tracking the owner with a GUID, it becomes possible for groups to own objects, rather than forcing you to create individual users just to own particular infrastructure items. ACEs again associate an identifier with some access rights and controls which determine whether or not those rights are granted or denied, and also some bits controlling inheritance and so forth. These are the access permissions that we provide for controlling access to files: you can independently control reading, writing, executing, deletion of individual files (obviously), appending of data, and then read/write control individually over the file's basic attributes, timestamps and the like, extended attributes with the exclusion of the security information, the security information itself, and you can also grant individuals or groups the right to change the ownership of the file. The permissions associated with directories are very similar; obviously we substitute read and write with list and add file. Search within the directory: it's possible to search within a directory for a file if you know the file's name without having to have rights to list it, which pretty much parallels the current UNIX permission. And again there are the controls on read/write of attributes and ownership. The flags applied to an individual ACE are obviously allow and deny, but the inheritance business is something that's not quite so well understood. Directory objects allow you to specify ACEs which will be inherited either by child directories or by files, and also allow you to control whether those are inherited once or multiple times. This is what Rusty was referring to as static inheritance, and it effectively allows you to set up template ACLs for both files and directories created inside others. It allows you to establish permissions on objects so that an individual can create an object they may not necessarily subsequently have full access to. It's real support for the workflow environment.

So I'm going to come back to Rusty's scenario here and work through a couple of brief examples. Just to recap: we have a school network, we have a group which contains all the teachers, we have a group which contains the math students, we have a student teacher, Miss Buxton, who is part of the teachers group because she needs access to teachers-only files, but right now we don't want to grant her the ability to write to that math assignment. So we rephrase this as an ACL with three entries. First up we put a deny entry which prevents Miss Buxton from either writing or deleting that math assignment. We have a blanket allow for teachers that allows them to read, write and delete the file, and an allow for the math students, who actually only want to read the file. When we're processing an ACL we process each entry in order. The entry's ID is compared against the ID of the requester; if they're not identical, or if the requester is not a member of the group called out in the entry, then we just ignore the entry. If they do match, or they are a member, then we look at whether the entry is an allow or a deny entry. If it's a deny entry, we take the permissions that are being requested by the operation; if any of them are denied by the entry, we stop processing at that point. Alternatively, once we have cumulatively accumulated all the requested permissions from allow entries, then we allow the operation.

In this particular example, let's consider our math students, who want to open the file read-only; they're copying it off to a private disk so they can take it home and work on it. They'll be requesting read access. We look at the first entry, Miss Buxton: math students aren't Miss Buxton, skip that. Second entry, teachers: math students are not teachers, okay, ignore that one too. Third one, math students, okay, they want read, it says they can have read, they get to read the file. Let's look at another example. Miss Buxton is attempting to save over a copy of the math assignment; maybe she just made a mistake, maybe she feels that she's going to be a hacker one of these days. She will have opened the file using read permissions. We would have looked at the first entry: deny Miss Buxton. Okay, this applies to Miss Buxton, but it's only denying her write and delete, so that doesn't block her there. Take the next entry, finishes with the teachers, which are allowed read; she can read the file. Comes time to save, she wants write access: first entry, Miss Buxton, write denied. So you can express things with even a simple ACL like this that would not be possible with the traditional POSIX permissions, and obviously I've kept this example short because it could go on forever.

The developer API. We went around with this several times, but ultimately decided that rather than trying to introduce a great deal of new API we would try and stay as close to the POSIX API, the existing API that you folks are familiar with already, certainly in philosophy. Obviously we needed some extra functionality, and we had a bunch more detail. We try to avoid namespace collisions, so that you don't suddenly discover that there are symbols in your application that are colliding with definitions that have evolved, and we've avoided exposing any data structures directly; rather, we preferred to stick with accessor functions in a fashion that will allow you to remain binary compatible even if we need to add extra security information. Obviously if your application doesn't care about access controls, I'm not so sure why you're here right now, but your application can continue to not care. We're not really changing the basic concept of having security information associated with a file; we're just being much more eloquent about what you can express with it.

It becomes particularly important, with the extra complexity that goes with ACLs, that applications not try to simply look at a file's security information and determine from that security information whether or not something that they're going to do is going to be successful. The group membership resolution process can be time-consuming, there may also be other things going on behind the scenes, and finally the file you're attempting to access may actually not be on the local machine at all; it may be on a remote file server which essentially has completely different rules for evaluating whether or not you're going to have access. So if you can at all get away with it, just go ahead and try the operation, be prepared for it to fail, have a good recovery or back-out scenario, but don't count on knowing ahead of time whether or not you're going to succeed. Obviously some applications do need to know: if you want feedback for a GUI application, you want to be able to grey out the icon as your mouse is over it, or whatever. We do provide interfaces for that. At the POSIX level you have the access function, there are other functions in Carbon; these will take ACLs into account, and all use the same KAuth infrastructure that's used for actual access checking. But there are scenarios in which even those aren't going to be able to give you answers, so you need to be prepared for the situation where we simply can't tell you ahead of time whether something's going to succeed; you're just going to have to try it and deal with the situation.

So some applications do need to care. Obviously anyone who cares about the security of the files they're working with. File movers and copiers want to be accurate, want to preserve the information, and they're going to need to understand the security structures. Anyone who is providing file management functionality, whether you're a Finder or whether you're simply an enhanced open/close dialog which has some other way of representing files, you're going to need to be able to provide folks with the opportunity to edit security information on the file, and so you will need to use these APIs and need to come up with UI and so forth. And obviously we're building this functionality so that you developers can produce things that we never thought of, and so if you find that ACLs are relevant to something you want to do, then again, go for it with this particular API.

Our philosophy was to try and avoid unnecessary changes, to keep with the spirit of the POSIX API, and so we've encapsulated all of the file security information into an opaque object, which I think we call the filesec_t, and this is then passed around. So stat becomes statx with an _np suffix, so that you know this is not a portable call, and it returns you a filesec_t; openx takes one instead of a mode; chmodx takes the filesec; the same all the way around. The ACL is part of the file security object, as are the owner, the group, the POSIX mode, where applicable. We provide an API for the manipulation of the object, basically get, set, check whether it's valid, clear it functionality, and we provide an API for manipulating the ACL itself which is based on the POSIX 1003.1e API. Obviously we needed to make some changes to cope with the differences, but since there is a good deal of established code and understanding, and documentation is already available for the manipulation API, we decided that was the best way to go.

I'm going to finish out here with a brief example: creating a file with an ACL associated. In this particular case we don't have to be the individual that is passed in to us, because since we're creating the file we can basically apply whatever ACL we like. So we start off, we create an empty ACL, fairly straightforward. We create an entry in that ACL; at this point in time both the ACL and the entry are blank. And then we apply the qualifier, in this case the GUID, to the ACL, sorry, to the ACE, my apologies. And we'll turn this into an allow ACE, because we're going to grant read-only access to the GUID that's been passed in. So we fetch the flags for the ACE, we clear them just as a precaution, and then we set the allow flag. We get the permissions for the ACE, again we'll clear them as a precaution, and we'll grant the ability to read data, attributes, extended attributes and security information, and then we apply those to the ACE. And so right now we've created an ACL with one entry that grants this particular GUID read-only access to the file. Next we'll create ourselves the file security object; since we're starting from scratch we don't have one of these from a stat call. We apply the ACL to the file security object, and then we can drop the ACL because we've copied it into the file security object. We'll turn off the POSIX permissions so that only the ACL applies to this particular file, and then we'll create the file. As you can see this looks just like an open call, except it's passing the file security object rather than a mode. Again, as with the traditional open, we can actually open for any sort of access regardless of the permissions associated with the file. This actually allows us to be able to create a file securely that we have write access to, because we're copying into it or whatever, but that no one else can open for writing. We clean up, and we're done. So I'll hand it back to Rusty now for a little bit about group membership.

Rusty Tucker: Now we're going to talk a bit about group membership and its relation to ACLs. As we were going through the design of ACLs it became very apparent that the existing model that we had for group membership really was not scalable enough, nor was it precise enough for the things that we wanted to do with access control. So in Tiger we're going to make it more scalable, more robust; eliminate the 16 group limit that we have today in Panther, and this, as you see, is with the group membership resolver and the kernel's ability to defer looking up groups until the time that it's actually necessary. So today when you log in with a Panther system it needs to go out onto the directory and discover all the groups to which you are a member, even if there are only four or five, or 16, taking the first 16 that it finds, and those become the groups that you derive permissions from. We'll also be supporting nested groups; the daemon will be able to expand group memberships and test membership against that, as well as provide compatibility with legacy software. So in the directory we'll require a new group schema to support this. This new group schema is based on an authoritative list of GUIDs rather than using short names to define membership, and these GUIDs may reference either other users or other groups, which provides us the nesting capability and provides us for future expansion, since GUIDs can really be referencing any type of object out there, including computers or kinds of devices we haven't really thought of yet. The groups are also further identified by their legacy group ID and optionally the NT security ID; this provides us with the ability to provide static translations for clients such as XP clients or a service such as the Samba service. When binding to Active Directory networks you don't need to change the schema there; the new group resolution daemon understands the schema that's present in Active Directory networks and can work with them.

So as I said before, Panther is using a 16 group array; Tiger will be using a new group membership service to replace that. It provides the group expansion capabilities, and for performance it's caching the results of these queries, both positive and negative, with a time to live, because groups and group memberships can be checked quite often, especially when going through ACLs. It then provides also the ID translation services. These services are going to be available to your software as well through a new API that will allow you to test membership against groups, so that you don't need to parse membership lists manually, and also to provide the UID and GUID translation services as well as the SID services. Privileged processes today can edit the groups to which they're being considered a member and which are being evaluated, and a new API will be available to more precisely define that within this new scheme.

All of this really opens up the possibility for a new way to manage individuals on your network, using smaller groups and nested hierarchies of groups. So we can revisit the example that we have with the teachers and student teachers and redo that in a more dynamic fashion. Rather than having a single group of teachers to represent all teachers and student teachers, we'll create two separate groups, one of the staff teachers and another of just student teachers. Together these will be nested into one larger global teachers group for use where that's appropriate. In the example that we showed, rather than having to have a deny entry specifically for Miss Buxton, we can simply say student teachers have read access to this file and then staff teachers have the necessary read, write and delete access. What's really nice about going this way is that as people's roles change within your organization, Miss Buxton gets promoted, gets hired as a staff teacher, you can simply reassign her membership within the directory system and she'll automatically be obtaining new permissions in the file system wherever the new group membership is encountered.

So we'll kind of wrap up here with a little sneak peek at some proposed user interface to manage ACLs. First of all, within the Finder's Get Info window, you can see it's very similar to what you have today, but now we have the addition of an Others listing, which is not just a single group as it is now, but a listing of both groups and users that can be assigned different permissions to this object. The idea here is to keep something that's very simple and manageable that people can use on their own systems. The initial view in the Tiger Server admin tools is a very similar, easy-to-use idea to what we have in the Finder, but also provides a more detailed view of the ACL and its associated access control entries, allowing you to edit specific information about them, as to whether it's an allow or deny record, and also to be able to access preset groups of permission entries from the pop-up menu that you see here. Those will provide customization abilities so that you can define your own sets of presets to meet the way that you manage permissions on your network, and from there you can drill down and access more detailed permissions on the different objects to get to the real fine-grained permission control over inheritance and so forth.

So to summarize where we are with ACLs in Tiger: we're providing a much more flexible way of expressing permissions on objects in the file system, and reducing the arbitrary limits that we have today in the OS; supporting compatibility with Microsoft networks in both our client and the server; and providing a better platform for collaboration and workflow. With that, new information is now exposed in the file system, both in terms of ACLs and extended attributes, that needs to be supported by software, specifically copy engines, archivers and so on. Some of those changes we'll be making ourselves, and some of those are going to be required by your third-party software. And finally this may impact the way that you manage your network, and hopefully we're able to give you enough information here today that you can begin planning for those changes coming up.
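The ordered allow/deny evaluation walked through in the session (deny entry stops processing as soon as it covers any requested right, allow entries accumulate until every requested right is covered, and an ACL that runs off the end falls through to the POSIX mode), together with the nested-group variant of the school example from the group membership section, as an added example that is not code from the session or from Apple. It models the rules in plain Python rather than calling the Darwin filesec/acl API, so it runs anywhere. The user and group names, the `Directory` stand-in for the group membership resolver, the right names, and the POSIX fallback mapping (the whole request is re-checked against the mode bits, and rights with no POSIX analogue such as delete cannot be satisfied by the mode) are all constructed assumptions of this example.

```python
"""Model of the ordered allow/deny ACL evaluation described in the session.

Added example, not Apple's code.  Identities, group names, the directory
stand-in and the POSIX fallback mapping are constructed for illustration.
"""
from dataclasses import dataclass

# Fine-grained rights named in the talk (file objects only, a subset).
READ_DATA, WRITE_DATA, APPEND_DATA, EXECUTE, DELETE = (
    "read_data", "write_data", "append_data", "execute", "delete")
WRITE_SECURITY = "write_security"


@dataclass
class ACE:
    principal: str       # user or group identifier (a GUID in Tiger)
    rights: frozenset    # rights this entry grants or denies
    allow: bool          # True for an allow entry, False for a deny entry


class Directory:
    """Constructed stand-in for the group membership resolver.  Each group
    maps to its direct members, which may themselves be groups (nesting)."""

    def __init__(self, groups):
        self.groups = groups

    def is_member(self, user, group, seen=None):
        seen = set() if seen is None else seen
        if group in seen:                      # guard against membership cycles
            return False
        seen.add(group)
        for member in self.groups.get(group, ()):
            if member == user:
                return True
            if member in self.groups and self.is_member(user, member, seen):
                return True
        return False


def evaluate_acl(acl, user, requested, directory):
    """Walk the entries in order, as the talk describes.  Returns 'deny' as
    soon as a matching deny entry covers any requested right, 'allow' once
    allow entries have covered every requested right, otherwise 'defer'."""
    granted = set()
    for ace in acl:
        if ace.principal != user and not directory.is_member(user, ace.principal):
            continue                           # entry is not about this requester
        if not ace.allow:
            if requested & ace.rights:
                return "deny"                  # stop processing at the first hit
        else:
            granted |= ace.rights & requested
            if granted >= requested:
                return "allow"
    return "defer"                             # end of list: fall through to POSIX


# Assumption for the fallback: only rights with a POSIX analogue can be
# satisfied by the mode bits; delete, write_security and the like cannot.
POSIX_CLASS = {READ_DATA: 4, WRITE_DATA: 2, APPEND_DATA: 2, EXECUTE: 1}


def posix_allows(mode, owner, group, user, requested, directory):
    """Classic owner/group/other check on the mode bits (constructed)."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif directory.is_member(user, group):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return all(bits & POSIX_CLASS.get(right, 0) for right in requested)


def authorize(obj, user, requested, directory):
    """Combined decision: ACL first, POSIX mode only if the ACL defers
    (assumption: the whole request is then re-checked against the mode)."""
    requested = frozenset(requested)
    verdict = evaluate_acl(obj["acl"], user, requested, directory)
    if verdict != "defer":
        return verdict == "allow"
    return posix_allows(obj["mode"], obj["owner"], obj["group"], user, requested, directory)


# Constructed school directory; "teachers" nests two smaller groups.
SCHOOL = Directory({
    "staff_teachers": ["mr_g"],
    "student_teachers": ["miss_buxton"],
    "teachers": ["staff_teachers", "student_teachers"],
    "math_students": ["alice", "bob"],
})

# Variant 1 from the talk: deny Miss Buxton first, then the blanket allows.
# POSIX bits are switched off so that only the ACL applies.
MATH_ASSIGNMENT_V1 = {
    "owner": "mr_g", "group": "teachers", "mode": 0o000,
    "acl": [
        ACE("miss_buxton", frozenset({WRITE_DATA, DELETE}), allow=False),
        ACE("teachers", frozenset({READ_DATA, WRITE_DATA, DELETE}), allow=True),
        ACE("math_students", frozenset({READ_DATA}), allow=True),
    ],
}

# Variant 2 from the group membership section: nested groups replace the deny.
MATH_ASSIGNMENT_V2 = {
    "owner": "mr_g", "group": "teachers", "mode": 0o000,
    "acl": [
        ACE("student_teachers", frozenset({READ_DATA}), allow=True),
        ACE("staff_teachers", frozenset({READ_DATA, WRITE_DATA, DELETE}), allow=True),
        ACE("math_students", frozenset({READ_DATA}), allow=True),
    ],
}

# A file with no ACL at all: every request defers to the POSIX mode.
NOTES = {"owner": "alice", "group": "math_students", "mode": 0o640, "acl": []}

if __name__ == "__main__":
    for who, want in [("alice", {READ_DATA}), ("miss_buxton", {READ_DATA}),
                      ("miss_buxton", {WRITE_DATA}), ("bob", {WRITE_DATA})]:
        print(who, sorted(want), "->", authorize(MATH_ASSIGNMENT_V1, who, want, SCHOOL))
```

Note the two cases the speakers call out: Miss Buxton reading is allowed because the deny entry only names write and delete, so it does not match her read request and the later teachers entry grants it; and `bob` asking for write on the first variant hits no deny, collects only read from his allow entry, and reaches the end of the list, at which point the mode of `0o000` decides against him. Replacing the explicit deny with the two nested groups in the second variant gives the same answers without any entry naming Miss Buxton personally.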
