ZFS implicit owner rights should be configurable
ZFS currently grants some implicit permissions to the owner of an object.
In particular, "Read_Control" and "Write_DAC" are granted to owners of
objects even if those rights are not in the owner ACE. That was the
traditional behavior on ZFS, and on Windows systems before 2008.
The old behavior (implicit rights for owner) is now considered a
security flaw, so customers want a way to turn that off.
On modern Windows systems (Win2008 and later), the implicit rights
for owner are conditional. When an ACL contains an ACE with the
"Owner Rights" SID (S-1-3-4) then the rights from that ACE are used
instead of the implicit rights.
See the description of "S-1-3-4" (Owner Rights) in:
We'd like similarly flexible behavior from ZFS regarding owner rights.
Now one challenge (or opportunity) is that with ZFS we already have an
ACE type that serves the role that the "Owner Rights" SID serves, and
that's our "owner@" ACE type. One simple approach here would be to
treat the rights in the "owner@" ACE as explicit/definitive, and not add
the implicit owner rights to those explicitly granted.
I had initially thought to make ZFS always behave the way Windows would
when the "S-1-3-4" is present, not granting implicit rights to file owners in the
code paths for write_owner and write_acl. After some discussion, I now think
it would be safer to make this configurable, in case there are environments that
require the traditional "implicit owner rights" behavior.
We could make this configurable the same way Windows does, but that's a
fairly complicated configuration method and we don't need granularity of
this setting at the per-object level. Instead, we can let this configuration
have granularity at the level of ZFS datasets, using a new ZFS property
"aclimplicit" (implicit owner rights, true/false). When true, the dataset will
keep the traditional behavior, and when false, owner gets only the rights
explicitly granted in the "owner@" ACEs.
For the new property "aclimplicit", we will let the default be "on", which
adheres to the principle of "least surprise" by maintaining the current
behavior as seen on systems before this change. One must set this
property "aclimplicit=off" to disable implicit owner rights.
Note that during testing, we found that "aclimplicit=off" really only makes sense
with "aclmode=passthrough" and "aclinherit=passthrough". With other
aclmode and aclinherit settings, one ends up with the "write_acl" flag in
the "owner@" ACE such that "aclimplicit" would have no impact.
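As an added illustration (not code from illumos or the ZFS source), here is a small C model of the access decision described above: with aclimplicit=on the owner's read_acl/write_acl are satisfied before the ACL walk, with aclimplicit=off only an owner@ ACE can grant them. The ACE bit values, the exact evaluation order, and the mapping of Windows READ_CONTROL/WRITE_DAC onto ZFS read_acl/write_acl are assumptions of this model; the sample ACL is constructed and assumes aclmode=passthrough, so nothing has folded write_acl into the owner@ ACE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* ACE mask bits named after the NFSv4/ZFS ones (values chosen for this model). */
#define ACE_READ_DATA   0x01u
#define ACE_WRITE_DATA  0x02u
#define ACE_READ_ACL    0x08u  /* ZFS counterpart of Windows READ_CONTROL */
#define ACE_WRITE_ACL   0x10u  /* ZFS counterpart of Windows WRITE_DAC */
#define IMPLICIT_OWNER_RIGHTS (ACE_READ_ACL | ACE_WRITE_ACL) /* traditionally implied pair */

enum ace_who  { WHO_OWNER, WHO_GROUP, WHO_EVERYONE };
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace    { enum ace_who who; enum ace_type type; uint32_t mask; };
struct object { int uid, gid; bool aclimplicit; const struct ace *acl; size_t nace; };

static bool ace_applies(const struct ace *a, const struct object *o, int uid, int gid)
{
    return (a->who == WHO_OWNER && uid == o->uid) ||
           (a->who == WHO_GROUP && gid == o->gid) || a->who == WHO_EVERYONE;
}

/* Grant `wanted` to caller (uid, gid)?  NFSv4-style walk: the first ACE naming a
 * bit decides it.  With aclimplicit=on the owner's READ_ACL/WRITE_ACL are satisfied
 * before the walk (model of the traditional code path); with aclimplicit=off only
 * an owner@ ACE can grant them. */
bool zfs_access(const struct object *o, int uid, int gid, uint32_t wanted)
{
    uint32_t needed = wanted;
    if (o->aclimplicit && uid == o->uid)
        needed &= ~IMPLICIT_OWNER_RIGHTS;
    for (size_t i = 0; i < o->nace && needed != 0; i++) {
        const struct ace *a = &o->acl[i];
        if (!ace_applies(a, o, uid, gid))
            continue;
        if (a->type == ACE_DENY && (a->mask & needed))
            return false;              /* an undecided bit is explicitly denied */
        if (a->type == ACE_ALLOW)
            needed &= ~a->mask;        /* these bits are now decided: allowed */
    }
    return needed == 0;
}

/* Constructed sample: owner@ may read/write data but holds no write_acl; everyone@ may read. */
static const struct ace sample_acl[] = {
    { WHO_OWNER,    ACE_ALLOW, ACE_READ_DATA | ACE_WRITE_DATA },
    { WHO_EVERYONE, ACE_ALLOW, ACE_READ_DATA },
};
/* Evaluate `wanted` for caller `uid` on an object owned by uid/gid 1000. */
bool sample_access(bool aclimplicit, int uid, uint32_t wanted)
{
    struct object o = { 1000, 1000, aclimplicit, sample_acl, 2 };
    return zfs_access(&o, uid, uid, wanted);
}
```

The owner's write_acl request succeeds only under aclimplicit=on; turning the property off makes the owner@ ACE definitive, which is the behavior the proposal asks for.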
Note that ZFS on Linux has completely different ACL code, and does not
fully implement fine-grained ACLs, so this change should not affect them.