Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
David Noveck <davenoveck@gmail.com> Sat, 01 January 2022 15:23 UTC
Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA453A1351 for <nfsv4@ietfa.amsl.com>; Sat, 1 Jan 2022 07:23:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g4sIpPb5jzdw for <nfsv4@ietfa.amsl.com>; Sat, 1 Jan 2022 07:23:53 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C11B3A1352 for <nfsv4@ietf.org>; Sat, 1 Jan 2022 07:23:53 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id j21so118474733edt.9 for <nfsv4@ietf.org>; Sat, 01 Jan 2022 07:23:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0BB96aGHVp7C34frI/r/f8rXfGpzlTYdNJN63doBx3M=; b=UHuduAyBxQv4Le/B0/RKuOVct2Q6LQEW7cD143iOzkeqL5R+6HpiWznsxUUXn00L/u dAHvMWckS8JIaOO71jPj/Q+bWLeLU5MG6HXkAIUWVH9F7TI2oBoHoEkN7dFVM9e+aWJM SMu5X1njG3vM9eZsVL0XjHPwxhsw90UeMARNNXe+ZrS7LLDD1TVNqCUGQ+BYUahN4+pp TBVJDr2Zt6mfeSO5Iu//l5b20zXt6zCkWzY/1J2MFAhbxuWmgrA4nQ/63U1RhGri8T6Y VMEH+AMV/ZiSjLQOvxFtYfAx7sHgWDF/YqtzZKbN5dEBQ/9eW4FA+Z/SF0L4dbFct1oO U+ZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0BB96aGHVp7C34frI/r/f8rXfGpzlTYdNJN63doBx3M=; b=lX3vOziK09fAdjMOcSsfkiNl0SxAjz8e+6eJj3qi9SmcMLrPHQuEJuWZ4XNmI11u7g ZPBNIDLAjAdIFYgz7tki3qTYhKVw2GaYI9I0dR5JV+U/YWYEvQ3txol0j+w32PTmB1IH PFdHFF5LRjIeICdEEyxc7SlnUyOTIQSDTqMSKJwHr6YIpQpN/dqLm8E73gjT/dwiWph1 tqTuT0/bs+tH5E5OAjgETS+JdjbL12V6ahA0BcYJnIhVhL3y1n02finR70kXJoAwWYeS lYd4ZUi1hRmbF8TQoQhSF1g8w9VnibSmjEDA/5MsyD8aPGSk67JttxrJAO8vQDZv4Qtr y4Lw==
X-Gm-Message-State: AOAM532Mmnmwf/I/20N9KvXBb5e6x/E20zPdRHZH+v65e+/qubu0x+u0 gbTfNPAUzEhB3gwr6+m4ZurjGK6X2d0MBqe3P3YjiO4+
X-Google-Smtp-Source: ABdhPJwSubH07lEMajgHsTZpHVFw5DfdGNHxh+6IpSi1e3IwTpiFYqCZSEG31rPdDWbBtCgejzF/CuKC4I3+ze78viE=
X-Received: by 2002:a17:906:478a:: with SMTP id cw10mr30905055ejc.693.1641050629401; Sat, 01 Jan 2022 07:23:49 -0800 (PST)
MIME-Version: 1.0
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com> <YQXPR0101MB096858749741A1191DE75279DD7F9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YTOPR0101MB09702834BC7C51CE9146389EDD409@YTOPR0101MB0970.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jc44Ua9CABd3tznCgqv4du6thfo7RAGmn_nA_jjQ-boDw@mail.gmail.com> <YQXPR0101MB09681E0D9ADE96C7C9A493DDDD419@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CADaq8jcy4kE3+JQ2FBvWqDVZv+e+e21tWBgcJ8EywfnNWLrh4w@mail.gmail.com> <YQXPR0101MB096891D69ED7E94A526223A0DD449@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YQXPR0101MB096891D69ED7E94A526223A0DD449@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
From: David Noveck <davenoveck@gmail.com>
Date: Sat, 01 Jan 2022 10:23:38 -0500
Message-ID: <CADaq8jegH2veYcDCqA343tZm-51emfHWkG5Ri92H9dYOG9hzQA@mail.gmail.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d2f42d05d486df30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/1Gst8MvynqJN9iUbXHzo3xsK-ek>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jan 2022 15:23:58 -0000
On Tue, Dec 28, 2021, 11:32 PM Rick Macklem <rmacklem@uoguelph.ca> wrote: > David Noveck wrote: > > On Sun, Dec 26, 2021, 11:45 AM Rick Macklem wrote: > > > David Noveck wrote: > > > > Rick Macklem wrote: > > > > [stuff snipped] > > > > > Does the Linux client expect "owner-override"? > > > > >If no one familiar with the Linux client answers this, I'll run a > test on a Linux > > > > > mount. > > > > I ran the following little test program. It ran fine on local file > systems and on > > > > an NFSv4 mount for both the FreeBSD and Linux-5.15.1 clients, if > > > > "owner-override" was applied to Read/Write. > > > > > > > Is there documentation for this option? I have googled for these > words several > > > > times and come up empty. We need a clear definition of these > semantics to > > > > resolve this issue in -05 and that documentation might be helpful. > If it isn't, > > > > could you point me to code, preferably in bsd, implementing that > option. > > > Well, I'm not sure if/when the term "owner-override" cropped up, but > here is > > >a description of it from RFC 1813 pg. 98: > > > > Thanks. This is helpful. > > > > Another problem arises due to the usually stateful open > > > operation. Most operating systems check permission at open > > > time, and then check that the file is open on each read and > > > write request. With stateless servers, the server cannot > > > detect that the file is open and must do permission checking > > > on each read and write call. UNIX client semantics of access > > > permission checking on open can be provided with the ACCESS > > > procedure call in this revision, which allows a client to > > > explicitly check access permissions without resorting to > > > trying the operation. On a local file system, a user can open > > > a file and then change the permissions so that no one is > > > allowed to touch it, but will still be able to write to the > > > file because it is open. On a remote file system, by > > > contrast, the write would fail. To get around this problem, > > > the server's permission checking algorithm should allow the > > > owner of a file to access it regardless of the permission > > > setting. This is needed in a practical NFS version 3 protocol > > > server implementation, but it does depart from correct local > > > file system semantics. This should not affect the return > > > result of access permissions as returned by the ACCESS. > > > > In -05, the Author Aside quotes this in full, but the replacement text refer to it without quoting it. > > > See the 3rd sentence from the end. > I notice that it use the (lower-case) word "should". given that RFC1813 is an informational RFC this probably isn't all that relevant. In the replacement text I make this a MAY, principally because there are other ways of providing for this > > > > > > As far as I know, servers implement the same thing for Read/Write > > > for NFSv4. > This will be a MAY in -05. > > > > From your description and the testing you have done, it seems there is a > > significant difference in that this special handling of the owner > permissions only > > applies to an open file in v4. Is there a v4 server that does this > v3-like thing even > > for files that are not open? > The FreeBSD server does. It does the "owner-override" for Read/Write using > special stateids (which is what I assume you mean by "not open"?). > Yes. This is not mentioned in -05 so is considered OK. > It only uses the stateid to check for a conflicting Open_Share_Deny. (For > special > stateids, any Open_Share_Deny for the type of I/O would be considered > conflicting. > > > > (FreeBSD does it for Read as well as Write, although the > > > above only refers to Write.) > > > > I don't have a problem with that as long as: > > - it is limited to open files > I can see an argument for not doing "owner-override" for special stateids. Me too, but I don't present that in -05. The counter argument would be along the lines of "nothing in the RFCs > says that it cannot be done for special stateids and defining that in this > draft changes the protocol. > I don't agree with that argument but I expect the working groups does and i am drafting -05 on that basis. It looks like we are stuck with this. > > To be honest, I am not aware of any extant clients that do Read/Write with > special stateids at this time. > I'm at a loss to understand what they were included in the first place. I have to check RFC8881 to see if server support is REQUIRED for this. > > > - It does not apply to the execute bit > Not sure why execute would be handled differently that Read? > I was just confused about that. Since this stuff does not apply to ACCESS, it doesn't matter. > > > > For NFSv4 over encryption with client peer authentication, I think you > > > can argue the following: > > > > > Although I don't want to get into arguing in a standards-track document, > > I think you have the essence of the matter right. > > > > Since v4 is stateful protocol, and now has reasonable security, we can > reasonably > > allow the server to rely on permission checking on open, if it chooses. > Doing this > > only for the owner would also be covered. > > > > > - Since the client can be trusted. > > > and > > > - Encryption subverts "man in the middle attacks" and the ability to > > > "sniff to acquire valid stateids". > > > that an appropriate Open/Lock/Delegation stateid is sufficient to > > > permission check the Read/Write and, as such, checking of mode/ACL > > > is not required. > > > > > > --> Appropriate stateid would refer to a current one issued to that > client > > > where either the Open associated with the Open/Lock stateid > includes > > > the needed OPEN_SHARE_ACCESS or the Delegation is of the correct > > > type (READ_DELEGATION or WRITE_DELEGATION). > > > > I will do something similar in -05. > This will be an alternate way of addressing the issue. Right now, both ways of doing this use MAY. A statement you SHOULD do one or the other is meaningless without a discussions of why you might bypass. MUST is a possibility but for -05, I will simply says that clients expect this behavior to be provided in some way. > > > > > The above *might* be preferred to "owner-override" for Read/Write > > > operations? > I try to explain plusses and minuses in -04 with giving a preference. > > > > > > rick > > > ps: I am not sure if any NFSv4 server uses the stateid in Read/Write in > > > the way described above. At this time, FreeBSD only uses these > > > stateids to check for conflicting Open/shares (byte range locks > are > > > always advisory). > This was simply meant to say "I do not know if any extant server does what > I argued could be reasonable, above. > > > > > > > If that's the case, then, for v4, the it and uw bits would be ignored > and your test > > > program would behave the same if you closed it and re-opened it before > the > > > write. > Not sure what you mean? The permission checking would not change for Opens. > If done locally on the client, due to a delegation being issued, an Access > operation > would be used. > Right. > > > Of that's the case, let me know so that I can address that issue for -05. > rick > > > > > If "owner-override" is turned off on the server, it fails for both the > FreeBSD > and Linux-5.15.1 client NFSv4 mounts. (The write(2) fails for FreeBSD and > the > close(2) fails for Linux, but that's ok. Unless there is an fsync(2), > flushing writes > to the server can be delayed until close(2). Both had empty files after the > failure.) > > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <fcntl.h> > #include <errno.h> > #include <sys/param.h> > #include <sys/types.h> > #include <sys/stat.h> > #include <err.h> > #include <unistd.h> > > char buf[1024 * 1024]; > > int > main(int argc, char *argv[]) > { > int fd, i; > > fd = open(argv[1], O_CREAT | O_RDWR, 0666); > if (fd < 0) > err(1, "cannot open %s", argv[1]); > if (fchmod(fd, 0) < 0) > err(1, "cannot chmod %s", argv[1]); > for (i = 0; i < 10; i++) > if (write(fd, buf, sizeof(buf)) != sizeof(buf)) > err(1, "cannot write"); > if (lseek(fd, SEEK_SET, 0) < 0) > err(1, "cannot seek"); > for (i = 0; i < 10; i++) > if (read(fd, buf, sizeof(buf)) != sizeof(buf)) > err(1, "cannot read"); > if (close(fd) < 0) > err(1, "cannot close"); > } > > I do not have access to a Solaris or Mac OSX client to test, rick > > ________________________________________ > From: nfsv4 <nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org><mailto: > nfsv4-bounces@ietf.org<mailto:nfsv4-bounces@ietf.org>>> on behalf of > David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto: > davenoveck@gmail.com<mailto:davenoveck@gmail.com>>> > Sent: Friday, December 24, 2021 8:49 AM > To: NFSv4; nfsv4-chairs; nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org > ><mailto:nfsv4-ads@ietf.org<mailto:nfsv4-ads@ietf.org>> > Subject: [nfsv4] Fwd: New Version Notification for > draft-dnoveck-nfsv4-security-04.txt > > CAUTION: This email originated from outside of the University of Guelph. > Do not click links or open attachments unless you recognize the sender and > know the content is safe. If in doubt, forward suspicious emails to > IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca><mailto:IThelp@uoguelph.ca > <mailto:IThelp@uoguelph.ca>> > > > I've just posted security-04. Thanks to Rick Macklem and Chuck Lever who > made important suggestions that I hope are correctly addressed in this > version. An rfcdiff with -03 is not small but it is helpful to see what > has changed. > > As previously discussed, I am proposing that the working group adopt this > draft as a working group document. I expect Brian and Zahed to set the > timeline for that discussion. > > Please let me know about your suggestions for -05. > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto: > internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>><mailto: > internet-drafts@ietf.org<mailto:internet-drafts@ietf.org><mailto: > internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>>> > Date: Fri, Dec 24, 2021 at 8:31 AM > Subject: New Version Notification for draft-dnoveck-nfsv4-security-04.txt > To: David Noveck <davenoveck@gmail.com<mailto:davenoveck@gmail.com > ><mailto:davenoveck@gmail.com<mailto:davenoveck@gmail.com>><mailto: > davenoveck@gmail.com<mailto:davenoveck@gmail.com><mailto: > davenoveck@gmail.com<mailto:davenoveck@gmail.com>>>> > > > > A new version of I-D, draft-dnoveck-nfsv4-security-04.txt > has been successfully submitted by David Noveck and posted to the > IETF repository. > > Name: draft-dnoveck-nfsv4-security > Revision: 04 > Title: Security for the NFSv4 Protocols > Document date: 2021-12-24 > Group: Individual Submission > Pages: 129 > URL: > https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.txt > Status: > https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/ > Html: > https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.html > Htmlized: > https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security > Diff: > https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-04 > > Abstract: > This document describes the core security features of the NFSv4 > family of protocols, applying to all minor versions. The discussion > includes the use of security features provided by RPC on a per- > connection basis. > > This preliminary version of the document, is intended, in large part, > to result in working group discussion regarding existing NFSv4 > security issues and to provide a framework for addressing these > issues and obtaining working group consensus regarding necessary > changes. > > When a successor document is eventually published as an RFC, it will > supersede the description of security appearing in existing minor > version specification documents such as RFC 7530 and RFC 8881. > > > > > The IETF Secretariat > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org<mailto:nfsv4@ietf.org><mailto:nfsv4@ietf.org<mailto: > nfsv4@ietf.org>> > https://www.ietf.org/mailman/listinfo/nfsv4 >
- [nfsv4] Fwd: New Version Notification for draft-d… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] New Version Notification for draft-dn… Brian Pawlowski
- Re: [nfsv4] New Version Notification for draft-dn… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… J. Bruce Fields
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust