Exercise 2: Access control lists

Introduction

For this exercise you have to extend the MINIX file system with access control lists. These allow you to specify access permissions on a per user (principal) basis, rather than the current owner-group-other protection method. ACLs generally provide better security because they allow finer grained access control. For example, consider the /etc/passwd file with the following ACL:

    ast: ---
    jim: r--
    kjb: rw-
    lvd: rw-
    *: r--

Note: there was a mistake in earlier versions of this exercise: our examples as displayed on these web-pages did not include a space between the colon and the rwx bits. As you can see above, this space IS required - implementations lacking this space will be rejected on the basis of 'layout errors'.

For the ACL permissions we use the normal MINIX file permissions, i.e. r for read, w for write, and x for execute. The ACL listed above specify that the user ast has no rights and has therefore no access to the file. The user jim can read it, while kjb and lvd have the ability to modify the file. Everybody else can only read the file. A special default permission is used when the user id doesn't match any in the list. This is depicted by the special user name ``*''.

The super user has the same special privileges for filesystem objects with an ACL as in the normal protection scheme. The privileges are an extension of the normal rules, and are summarized as follows:

Root has read and write access on all filesystem objects.
Root has execute access on all directories.
Root has execute access on all filesystem objects other than directories, if at least 1 entry in the ACL has the x-bit turned on, or if one of the x-bits in the normal protection bits is turned on.

Assignment and hints

You have to modify the file system to support ACLs as described in acl(2). In addition you have to write an auxiliary program which allows you to manage the ACLs, as described in acl(1).
Remember that ACLs can be defined for any file system object, i.e. files, devices, and directories.
The system call number of the acl(2) system call is 77. It is obligatory to use this number.
The ACL definitions are stored in /usr/include/sys/acl.h which is included as an appendix to this document.
To send an ACL message to the file system one must use the stub routine given in acl.c. This routine defines the message format of the ACL message. The use of this routine is obligatory. This routine should be saved in a separate C source file, extra/acl.c.
The ACL implementation should use the following fall backs: when no ACL is defined for a particular uid, the default ACL should be used. In case there is no default ACL you should use the normal file permissions stored in the i-node.
You only have to implement ACLs for the V2 MINIX file system. The ACL information itself is stored as an array of NACLS acl_t records (see sys/acl.h). These are stored in a single disk block. A pointer to this block has to be stored in the triple indirect block pointer in the i-node, which is currently unused. A modified version of fsck(1) is available to handle this extra disk block.
The named pipe special file also uses the triple indirect block pointer in the i-node for a special purpose. Trying to add an ACL to or view the current ACL of this type of special file should therefore result in an error, with error number EPERM.
The implementation is not allowed to add extra constraints to the ACL block format on disk, i.e. sorted entries. All V2 MINIX file systems following the specified constraints should be handled correctly (see testing).
The implemention has to free the disk block after the ACL_CLR command.

Relevant information can be found in the OS book in sections: 5.6-7. Check at least the index for the following references:

MINIX system call: open
I-node
ACL

Testing

The following are some suggested tests. Your code should pass these tests to get a grade at all.

With these four tests you can see if the file system denies or grants access to files and directories according to the specified ACLs.

A file with an ACL for the owner which is different than the file permission bits.
Create a single default ACL which is different from the file permission bits.
Create ACLs for different users with different modes.
Create ACLs for devices and directories.

These tests focus on the interaction between user program and file system.

List the ACL.
Clear the ACL.

An interoperability test, checks for hidden assumptions in the implementation.

Find somebody who is also testing this exercise. Both, create a MINIX V2 file system on a floppy, and create files with ACLs on these floppies. Exchange floppies, and see if your implementation can handle the other's ACLs.

It is probably not enough to use only your user program to test the exercise. You should probably also write separate testing tools to test your code.

Manual pages

acl(1): manage access control lists for file system objects
acl(2): get or set a file's access control lists

Bits and pieces

sys/acl.h: Header file with ACL definitions
extra/acl.c: Source file implements with the acl() system call stub.
fsck: New fsck that knows about ACLs