Feature #15338
Updated by Gordon Ross 2 months ago
ZFS currently grants some implicit permissions to the owner of an object. In particular, "Read_Control" and "Write_DAC" are granted to owners of objects even if those rights are not in the owner ACE. That was the traditional behavior on ZFS, and on Windows systems before 2008. The old behavior (implicit rights for the owner) is now considered a security flaw, so customers want a way to turn it off.

On modern Windows systems (Win2008 and later), the implicit rights for the owner are conditional. When an ACL contains an ACE with the "Owner Rights" SID (S-1-3-4), the rights from that ACE are used _instead_ of the implicit rights. See the description of "S-1-3-4" (Owner Rights) in: [understand-special-identities-groups](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups)

We'd like similarly flexible behavior from ZFS regarding owner rights. One challenge (or opportunity) is that with ZFS we _already_ have an ACE type that serves the role the "Owner Rights" SID serves, and that's our "owner@" ACE type. One simple approach here would be to treat the rights in the "owner@" ACE as explicit/definitive, and not add the implicit owner rights to those explicitly granted.

I had initially thought to make ZFS _always_ behave the way Windows would when "S-1-3-4" is present, not granting implicit rights to file owners in the code paths for write_owner and write_acl. After some discussion, I now think it would be safer to make this configurable, in case there are environments that require the traditional "implicit owner rights" behavior.

We could make this configurable the same way Windows does, but that's a fairly complicated configuration method and we don't need granularity of this setting at the per-object level. Instead, we can let this configuration have granularity at the level of ZFS datasets, using a new ZFS property "aclimplicit" (implicit owner rights, owner_rights, true/false). When true, the dataset keeps the traditional behavior; when false, the owner gets only the rights explicitly granted in the "owner@" ACEs.

For the new property "aclimplicit", we will let the default be "on", which adheres to the principle of "least surprise" by maintaining the current behavior as seen on systems before this change. One must set "aclimplicit=off" to disable implicit owner rights.

Note that during testing, we found that "aclimplicit=off" really only makes sense with "aclmode=passthrough" and "aclinherit=passthrough". With other aclmode and aclinherit settings, one ends up with the "write_acl" flag in the "owner@" ACE, such that "aclimplicit" would have no impact.

Note that ZFS on Linux has completely different ACL code, and does not fully implement fine-grained ACLs, so this change probably does not affect them.
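The following is an added, constructed model of the access decision the ticket describes; it is not illumos/ZFS source, and the ACE-walk order and the way implicit rights are applied are simplified assumptions of the model. It shows the owner asking for write_acl (Write_DAC) under the proposed "aclimplicit" property: with the property on, the owner is granted write_acl even though the "owner@" ACE does not list it; with it off, only the explicit "owner@" rights count; and when the "owner@" ACE already carries write_acl (as the ticket notes non-passthrough aclmode/aclinherit settings tend to produce), the property makes no difference.

```python
"""Constructed model of ZFS owner-rights evaluation with the proposed
"aclimplicit" dataset property.  Added illustration only; this is not
illumos/ZFS source and the ACE-evaluation order is simplified."""

from dataclasses import dataclass

# ZFS/NFSv4 ACL permission names used by this model.
READ_DATA = "read_data"
WRITE_DATA = "write_data"
READ_ACL = "read_acl"      # Windows READ_CONTROL
WRITE_ACL = "write_acl"    # Windows WRITE_DAC
WRITE_OWNER = "write_owner"

# The rights ZFS has traditionally granted to an object's owner implicitly.
IMPLICIT_OWNER_RIGHTS = frozenset({READ_ACL, WRITE_ACL})


@dataclass(frozen=True)
class Ace:
    who: str            # "owner@", "everyone@", or a user name
    kind: str           # "allow" or "deny"
    perms: frozenset    # set of permission names


@dataclass(frozen=True)
class Dataset:
    aclimplicit: bool = True   # proposed property; default "on" keeps old behavior


def _ace_applies(ace, subject, owner):
    if ace.who == "owner@":
        return subject == owner
    if ace.who == "everyone@":
        return True
    return ace.who == subject


def check_access(acl, owner, subject, wanted, dataset):
    """Return True if every permission in `wanted` is granted to `subject`.

    ACEs are walked in order; the first ACE to mention a still-undecided
    bit decides it (allow or deny).  Assumption of this model: when
    aclimplicit is on, read_acl/write_acl bits the owner still lacks after
    the walk are granted implicitly, unless an ACE explicitly denied them.
    """
    undecided = set(wanted)
    denied = set()
    for ace in acl:
        if not _ace_applies(ace, subject, owner):
            continue
        hit = undecided & ace.perms
        if ace.kind == "deny":
            denied |= hit
        undecided -= hit
    if subject == owner and dataset.aclimplicit:
        undecided -= IMPLICIT_OWNER_RIGHTS - denied
    return not undecided and not denied


# Constructed sample ACLs (not taken from any real system).
# An owner@ ACE that grants data access but no ACL rights, as you can get
# with aclmode=passthrough when write_acl was never granted to owner@.
ACL_NO_WRITE_ACL = (
    Ace("owner@", "allow", frozenset({READ_DATA, WRITE_DATA})),
    Ace("everyone@", "allow", frozenset({READ_DATA})),
)
# An owner@ ACE that already carries write_acl; the ticket notes that
# non-passthrough aclmode/aclinherit settings tend to produce this.
ACL_WITH_WRITE_ACL = (
    Ace("owner@", "allow", frozenset({READ_DATA, WRITE_DATA, WRITE_ACL})),
    Ace("everyone@", "allow", frozenset({READ_DATA})),
)


def owner_can_write_acl(acl, aclimplicit):
    """Can the file's owner ('alice', constructed) change the ACL?"""
    return check_access(acl, owner="alice", subject="alice",
                        wanted={WRITE_ACL}, dataset=Dataset(aclimplicit))


def run_scenarios():
    return {
        # traditional behavior: the implicit right fills the gap
        "on,no_write_acl": owner_can_write_acl(ACL_NO_WRITE_ACL, True),
        # new behavior: only explicit owner@ rights count
        "off,no_write_acl": owner_can_write_acl(ACL_NO_WRITE_ACL, False),
        # owner@ already grants write_acl, so aclimplicit makes no difference
        "off,with_write_acl": owner_can_write_acl(ACL_WITH_WRITE_ACL, False),
        # a non-owner ('bob', constructed) never receives the implicit rights
        "on,other_user": check_access(ACL_NO_WRITE_ACL, "alice", "bob",
                                      {WRITE_ACL}, Dataset(True)),
    }


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name:20s} write_acl {'granted' if granted else 'denied'}")
```

The third scenario is the caveat from the ticket in code form: once write_acl is present in the "owner@" ACE itself, "aclimplicit=off" has nothing left to withhold, which is why the setting is only meaningful together with aclmode=passthrough and aclinherit=passthrough.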