PowerScale: OneFS: Traverse checking in OneFS and how to enforce it

Summary: What is Traverse checking, how does it work, and how do you enforce it in OneFS?


Instructions

 

 

 

Traverse Checking


By default, OneFS handles path traversal as follows:

  • If an ACL exists on a directory, the traverse permission is granted (bypass traverse checking).
    • The "Traverse" permission allows path traversal, so the user can navigate without needing the "execute" permission.
    • The "Traverse" permission is distinct from the "execute" permission and exists only in an ACL.
  • If no ACL exists (synthetic/POSIX), an explicit execute permission is required.
    • That is, moving to a given path requires at least the "execute" permission on the parent directory so that traversal is allowed.

 

 

Bypass Traverse Checking


A Microsoft Windows environment has a GPO called "bypass traverse checking" which allows users to access a directory path (\\server\root\folder\path). With it, the intermediate directories in the path are "bypassed" for "traverse checking" (validating that the traverse/execute right is granted).
OneFS does not enforce the Microsoft GPO set forth in Active Directory, but implements "bypass traverse checking" through the existence of an NTFS ACL.
 

* Bypass Traverse Checking is enabled by default and assumes the existence of the "Traverse" permission without checking for it.

 

 


How to Disable "Bypass Traverse Checking" / How to enforce Traverse Checking:


Some users may want to disable "bypass traverse checking" so as to enforce checking of the traverse permission on each intermediate directory. This enforces an "Access denied" when the permission is not granted explicitly. This change should not be made lightly, as it is a global configuration and will impact all clients accessing the cluster.


The ability to change this behavior through the UI/CLI was added in OneFS 8.2 and later code. See the administrative guide for your code level here: PowerScale OneFS Manuals and Documents

 

 

Additional Information

 

 

If SMB or NFSv4 protocols are to be used on a cluster, specific permissions may be required on all parent paths leading up to the relevant share or export. It is up to the administrators of the cluster to ensure that permissions are set accordingly before enabling and implementing protocols for client access. Failure to do so may result in clients being unable to access shares or exports. NFSv3 does not require this.

 

Permissions that OneFS has for NTFS-style ACLs (Directories Only):

  • traverse - The right to traverse the directory. In Windows, this would be the FILE_TRAVERSE permission.
  • dir_gen_execute - This includes the traverse, std_read_dac and std_synchronize permissions.

The POSIX-style equivalent to the above would be the execute permission (seen as an "x") in the mode bits for permissions of a directory.

 

See example below, where the "x" denotes execute permissions for the owner (root) and other (everyone).

# ls -led /ifs/data/test1
drwx-----x     2 root  wheel  0 Apr 28 18:09 /ifs/data/test1
 OWNER: user:root
 GROUP: group:wheel
 SYNTHETIC ACL
 0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 1: group:wheel allow std_read_dac,std_synchronize,dir_read_attr
 2: everyone allow dir_gen_execute,dir_read_attr
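
An added example (not from this article or from OneFS itself): a Python sketch that parses `ls -led` output in the format shown above and lists the parent directories of a target path that do not grant `traverse` or `dir_gen_execute` to a given set of identities, which is what enforced traverse checking would test. The function names are hypothetical, the `/ifs` and `/ifs/data` listings are constructed, and ACE evaluation is simplified to "the first allow/deny entry for one of the identities that names a traverse right decides".

```python
import re

# Rights that grant traversal per the article: "traverse" itself, or
# "dir_gen_execute", which includes it.
TRAVERSE_RIGHTS = {"traverse", "dir_gen_execute"}
ACE_RE = re.compile(r"^\s*\d+:\s+(.+?)\s+(allow|deny)\s+(\S+)")

# Constructed, abbreviated sample; only the /ifs/data/test1 entries come from the page.
SAMPLE = """\
drwx-----x     9 root  wheel  0 Apr 28 18:00 /ifs
 SYNTHETIC ACL
 0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 1: everyone allow dir_gen_execute,dir_read_attr
drwx------     4 root  wheel  0 Apr 28 18:05 /ifs/data
 SYNTHETIC ACL
 0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 1: everyone allow std_read_dac,std_synchronize,dir_read_attr
drwx-----x     2 root  wheel  0 Apr 28 18:09 /ifs/data/test1
 SYNTHETIC ACL
 0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
 1: group:wheel allow std_read_dac,std_synchronize,dir_read_attr
 2: everyone allow dir_gen_execute,dir_read_attr
"""

def parse_ls_led(text):
    """Split concatenated `ls -led` output into {path: [(trustee, kind, rights)]}."""
    dirs, current = {}, None
    for line in text.splitlines():
        if line.startswith("d"):          # mode line; assumes no spaces in the path
            current = line.split()[-1]
            dirs[current] = []
        elif current and (m := ACE_RE.match(line)):
            trustee, kind, rights = m.groups()
            dirs[current].append((trustee, kind, set(rights.split(","))))
    return dirs

def can_traverse(aces, identities):
    """Simplified check: first matching ACE naming a traverse right decides."""
    for trustee, kind, rights in aces:
        if trustee in identities and rights & TRAVERSE_RIGHTS:
            return kind == "allow"
    return False                          # nothing grants it: treat as denied

def blocked_dirs(text, target, identities):
    """Parent directories of target where traverse is not granted (fail closed)."""
    dirs = parse_ls_led(text)
    parts = target.strip("/").split("/")
    parents = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    # A parent missing from the listing is reported as blocked, not skipped.
    return [p for p in parents if not can_traverse(dirs.get(p, []), identities)]
```

Pass the identities the user resolves to (for example `{"user:alice", "everyone"}`) together with the concatenated `ls -led` output for every directory on the path.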

 

 

Details on permissions and authentication are available in the following white paper: Dell PowerScale OneFS: Authentication, Identity Management, and Authorization

 

 

Affected Products

PowerScale OneFS

Products

PowerScale OneFS
Article Properties
Article Number: 000020696
Article Type: How To
Last Modified: 28 April 2026
Version:  4