Feature #15338

Updated by Gordon Ross 2 months ago

ZFS currently grants some implicit permissions to the owner of an object. 
 In particular, "Read_Control" and "Write_DAC" are granted to owners of 
 objects even if those rights are not in the owner ACE.  That was the 
 traditional behavior on ZFS, and Windows systems before 2008. 
 The old behavior (implicit rights for owner) is now considered a 
 security flaw, so customers want a way to turn that off. 

 On modern Windows systems (Win2008 and later), the implicit rights 
 for owner are conditional.  When an ACL contains an ACE with the 
 "Owner Rights" SID (S-1-3-4) then the rights from that ACE are used 
 _instead_ of the implicit rights. 

 See the description of "S-1-3-4" (Owner Rights) in: 
 We'd like similarly flexible behavior from ZFS re. owner rights. 

 Now one challenge (or opportunity) is that with ZFS we _already_ have an 
 ACE type that serves the role that the "Owner Rights" SID serves, and 
 that's our "owner@" ACE type.  One simple approach here would be to 
 treat the rights in the "owner@" ACE as explicit/definitive, and not add 
 the implicit owner rights to those explicitly granted. 

 I had initially thought to make ZFS _always_ behave the way Windows would 
 when the "S-1-3-4" is present, not granting implicit rights to file owners in the 
 code paths for write_owner and write_acl. After some discussion, I now think 
 It would be safer to make this configurable, in case there are environments that 
 require the traditional "implicit owner rights" behavior. 

 We could make this configurable the same way Windows does, but that's a 
 fairly complicated configuration method and we don't need granularity of 
 this setting at the per-object level. Instead, we can let this configuration 
 have granularity at the level of ZFS datasets, using a new ZFS property 
 "aclimplicit" (implicit owner rights, owner_rights, true/false). When true, the dataset will 
 keep the traditional behavior, and when false, owner gets only the rights 
 explicitly granted in the "owner@" ACEs. 

 For the new property "aclimplicit", we will let the default be "on", which 
 adheres to the principle of "least surprise" by maintaining the current 
 behavior as seen on systems before this change.    One must set this 
 property "aclimplicit=off" to disable implicit owner rights. 

 Note that during testing, we found that "aclimplicit=off" really only makes sense 
 with "aclmode=passthrough" and "aclinherit=passthrough".    With other 
 aclmode and aclinherit settings, one ends up with the "write_acl" flag in 
 the "owner@" ACE such that "aclimplicit" would have no impact. 

 Note that ZFS on Linux has completely different ACL code, and does not 
 fully implement fine-grained ACLs, so this change should probably does not affect them.