IETF Logo Mail Archive

Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME

Trond Myklebust <trond.myklebust@fys.uio.no> Thu, 17 April 2008 21:18 UTC

Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 421693A6C39; Thu, 17 Apr 2008 14:18:29 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F1C73A6ABA for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 14:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.6
X-Spam-Level:
X-Spam-Status: No, score=0.6 tagged_above=-999 required=5 tests=[J_CHICKENPOX_56=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfmoYe7XGkhi for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 14:18:26 -0700 (PDT)
Received: from pat.uio.no (pat.uio.no [129.240.10.15]) by core3.amsl.com (Postfix) with ESMTP id 6A9A13A7010 for <nfsv4@ietf.org>; Thu, 17 Apr 2008 14:18:26 -0700 (PDT)
Received: from mail-mx4.uio.no ([129.240.10.45]) by pat.uio.no with esmtp (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUu-0000mg-NN; Thu, 17 Apr 2008 23:18:24 +0200
Received: from smtp.uio.no ([129.240.10.9] helo=mail-mx4.uio.no) by mail-mx4.uio.no with esmtp (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUu-0002zx-CQ; Thu, 17 Apr 2008 23:18:24 +0200
Received: from c-69-242-210-120.hsd1.mi.comcast.net ([69.242.210.120] helo=[192.168.0.101]) by mail-mx4.uio.no with esmtpsa (SSLv3:AES256-SHA:256) (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUt-0002zh-Eb; Thu, 17 Apr 2008 23:18:24 +0200
From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Mike Eisler <mre-ietf@eisler.com>
In-Reply-To: <60470.198.95.226.230.1208462485.squirrel@webmail.eisler.com>
References: <26301.198.95.226.230.1208116510.squirrel@webmail.eisler.com> <C98692FD98048C41885E0B0FACD9DFB806B0BAC9@exnane01.hq.netapp.com> <14599.198.95.226.230.1208460696.squirrel@webmail.eisler.com> <60470.198.95.226.230.1208462485.squirrel@webmail.eisler.com>
Date: Thu, 17 Apr 2008 17:18:20 -0400
Message-Id: <1208467100.30399.13.camel@heimdal.trondhjem.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.1
X-UiO-Resend: resent
X-UiO-Spam-info: not spam, SpamAssassin (score=0.0, required=5.0, autolearn=disabled, none)
X-UiO-Scanned: 2C9712F964879393F4B39F36D89972F86BEA02D9
X-UiO-SR-test: 8E576882668F2A389C39150A6F95FC49AB18578F
X-UiO-SPAM-Test: remote_host: 129.240.10.9 spam_score: 0 maxlevel 200 minaction 2 bait 0 mail/h: 187 total 7951319 max/h 8345 blacklist 0 greylist 0 ratelimit 0
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org

On Thu, 2008-04-17 at 13:01 -0700, Mike Eisler wrote:
> Ah, now I see why LINK and RENAME have to return NFS4ERR_WRONGSEC.
> 
> PUTFH followed by SAVEFH cannot return NFS4ERR_WRONGSEC.

I agree that this makes it consistent. You've just restated Dave's "1N
2N" case.

I just don't see a justification for why we need to defer the WRONGSEC
from PUTFH+SAVEFH to the RESTOREFH case.

Trond

> LINK and RENAME don't require a RESTOREFH. If there is a strict
> security policy on the saved fh used for LINK and RENAME, then without
> NFS4ERR_WRONGSEC, that policy could be circumvented.
> 
> So, knowing what I know now (and I may know more later, so this is subject
> to change), my new plan is:
> 
>  Make the errors chapter synchronized with the SECINFO section:
>  add LINK and RENAME as valid operations that can return
>  NFS4ERR_WRONGSEC.
> 
> On Thu, April 17, 2008 12:31 pm, Mike Eisler wrote:
> > I was in the process of making the edits to remove RESTOREFH from
> > the list of operations that can return NFS4ERR_WRONGSEC and came
> > across this:
> >
> >
> >   <section anchor="using_secinfo" title="Using NFS4ERR_WRONGSEC, SECINFO,
> > and SE
> > CINFO_NO_NAME">
> >   <t>
> >    This section explains of the mechanics of NFSv4.1 security negotiation.
> >    The term "put filehandle operation" refers to
> >    PUTROOTFH, PUTPUBFH, PUTFH, and RESTOREFH.
> >   </t>
> >
> >    <section anchor="PUTFH + SAVEFH"
> >     title="Put Filehandle Operation + SAVEFH">
> >    <t>
> >     The client is saving a filehandle for a future RESTOREFH. The
> >     server MUST NOT return NFS4ERR_WRONGSEC to either the put filehandle
> >     operation or SAVEFH.
> >    </t>
> >    </section> <!-- Put Filehandle Operation + SAVEFH -->
> >
> > ----------
> >
> > There's a reason, which I do not recall, why a put filehandle op
> > followed by SAVEFH is not allowed to return NFS4ERR_WRONGSEC.
> >
> > But because, e.g. PUTFH, SAVEFH cannot return _WRONGSEC, this
> > means RESTOREFH has to return WRONGSEC.
> >
> >
> > Now we could state that PUTFH, SAVEFH can return NFS4ERR_WRONGSEC,
> > and that seems like it is OK. But then so did eliminating WRONGSEC
> > from the list of errors RESTOREFH can return.
> > But I have no time to figure why the spec disallows WRONGSEC on the
> > PUTFH, SAVEFH case.
> >
> > So I intend to make SECINFO synchronized with the errors chapter:
> > remove LINK and RENAME as valid operations that can return
> > NFS4ERR_WRONGSEC.
> >
> > to the spec (i.e. producing an RFC that is broken).
> > On Sun, April 13, 2008 1:54 pm, Noveck, Dave wrote:
> >>> > So I think you have two questions:
> >>> >
> >>> > 1) Can security policies be on name-pattern-defined classes of
> >> objects?
> >>> >
> >>> > 2) Is the saved fh protected in the same way as current fh?
> >>> >
> >>> > So my take is:
> >>> >
> >>> > 1Y, 2Y: CREATE, LINK, RENAME
> >>>
> >>> I think it is:
> >>>
> >>> 1Y, 2Y: REMOVE
> >>>
> >>> Why isn't REMOVE among the list? The target could have a policy.
> >>
> >> My intention was that REMOVE was implicitly included in all the options,
> >> just as LOOKUP is.
> >>
> >>> Why is CREATE on the list? If the object doesn't
> >>> exist, it has no policy. If it does exist, then
> >>> NFS4ERR_EXIST is what must be returned.
> >>
> >> Under 1Y, objects can implicitly have policies based on their names.
> >> With the example of "*.secret" requiring kerberos, AUTH_SYS creation of
> >> "big.secret" would return WRONGSEC.
> >>
> >>> Why are LINK and RENAME on the list? The saved
> >>> fh is protected.
> >>
> >>> LINK is linking one of the two filehandles; we've
> >>> already checked their policies. Note that if the
> >>> target name exists, we return NFS4ERR_EXIST. This
> >>> is the same as CREATE.
> >>
> >> Here I was thinking of a name-based policy where the link matched the
> >> link pattern.
> >>
> >>> RENAME: security policies should not be protecting
> >>> the rename of the policied object. SECINFO is not
> >>> that smart.
> >>
> >> RENAME identifies an existing object by name.  If the caller would get
> >> WRONGSEC doing a LOOKUP of that object, he certainly should get one
> >> renaming it.
> >>
> >>> > 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH
> >>
> >>> I think it should be:
> >>
> >>> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH
> >>
> >>> for the same reasons as the previous 1Y, 2Y case.
> >>
> >> OK.
> >>
> >>> > 1N, 2Y: none of the above
> >>
> >>> Dave noted this should have had RENAME. I'm not
> >>> seeing it. A RENAME amounts to adding a directory
> >>> entry and deleting a directory entry. If REMOVE
> >>> and CREATE are not on the list, why should RENAME
> >>> be on the list?
> >>
> >> REMOVE was intended to be implicitly on the list as discussed above.
> >>
> >> The difference between CREATE and RENAME is similar to that between
> >> CREATE and OPEN.  RENAME works on an existing object which may have
> >> previously acquired a policy.
> >>
> >>> > So I think it is:
> >>
> >>> > 1N, 2Y: none of the above
> >>
> >> I think it would be RENAME and REMOVE.
> >>
> >>> > 1N, 2N: LINK, RENAME, RESTOREFH
> >>
> >>> I agree.
> >>
> >>> So while eliminating RESTOREFH from the list of
> >>> operations that can return NFS4ERR_WRONGSEC is
> >>> going to create a lot editing work for me, I agree
> >>> that 1N, 2Y is the easiest case and the sanest way
> >>> to deal draft-21's current inconsistency.
> >>
> >> I agree.
> >>
> >> -----Original Message-----
> >> From: Mike Eisler [mailto:mre-ietf@eisler.com]
> >> Sent: Sunday, April 13, 2008 3:55 PM
> >> To: nfsv4@ietf.org
> >> Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
> >>
> >>> From: Noveck, Dave
> >>> Sent: Sunday, April 13, 2008 9:09 AM
> >>> To: 'Trond Myklebust'; Mike Eisler
> >>> Cc: nfsv4@ietf.org
> >>> Subject: RE: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
> >>
> >>
> >>>> Also, just out of curiosity, why do we have RESTOREFH in the above
> >>>> two
> >>>
> >>>> lists? Aren't you pretty much guaranteed to get a WRONGSEC error on
> >>>> the filehandle before you get round to the SAVEFH?
> >>>
> >>> I think this may relate to the issue of LINK and RENAME.  If you
> >>> create an object and continue to use it in the COMPOUND, you could
> >>> conceive, since it is not atomic, that between two ops the server
> >>> changes his security policy for the object in question (if you can
> >>> ever get WRONGSEC subsequently, it has to change some time, so it
> >>> might be before the COMPOUND is done), but the protocol has decided,
> >>> in order to simplify client implementations, to avoid the possiblity
> >>> of getting WRONGSEC for the current fh.  At any time that for the
> >>> current fh, you are guaranteed not to get the error on a current fh
> >>> once vetted when established.  You could apply the same to the saved
> >>> fh, but you don't have to.  Not protecting the saved fh in this way
> >>> would only mean that you had to check the error at RESTOREFH and
> >>> anywhere that the saved fh was actually used (only LINK and RENAME, I
> >>> think)
> >>
> >> Makes sense.
> >>
> >>> So I think you have two questions:
> >>>
> >>> 1) Can security policies be on name-pattern-defined classes of
> >> objects?
> >>>
> >>> 2) Is the saved fh protected in the same way as current fh?
> >>>
> >>> So my take is:
> >>>
> >>> 1Y, 2Y: CREATE, LINK, RENAME
> >>
> >> I think it is:
> >>
> >> 1Y, 2Y: REMOVE
> >>
> >> Why isn't REMOVE among the list? The target could have a policy.
> >>
> >> Why is CREATE on the list? If the object doesn't exist, it has no
> >> policy. If it does exist, then NFS4ERR_EXIST is what must be returned.
> >>
> >> Why are LINK and RENAME on the list? The saved fh is protected.
> >>
> >> LINK is linking one of the two filehandles; we've already checked their
> >> policies. Note that if the target name exists, we return NFS4ERR_EXIST.
> >> This is the same as CREATE.
> >>
> >> RENAME: security policies should not be protecting the rename of the
> >> policied object. SECINFO is not that smart.
> >>
> >>> 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH
> >>
> >> I think it should be:
> >>
> >> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH
> >>
> >> for the same reasons as the previous 1Y, 2Y case.
> >>
> >>> 1N, 2Y: none of the above
> >>
> >> Dave noted this should have had RENAME. I'm not seeing it. A RENAME
> >> amounts to adding a directory entry and deleting a directory entry. If
> >> REMOVE and CREATE are not on the list, why should RENAME be on the list?
> >>
> >> So I think it is:
> >>
> >> 1N, 2Y: none of the above
> >>
> >>> 1N, 2N: LINK, RENAME, RESTOREFH
> >>
> >> I agree.
> >>
> >> So while eliminating RESTOREFH from the list of operations that can
> >> return NFS4ERR_WRONGSEC is going to create a lot editing work for me, I
> >> agree that 1N, 2Y is the easiest case and the sanest way to deal
> >> draft-21's current inconsistency.
> >>
> >>
> >>
> >> _______________________________________________
> >> nfsv4 mailing list
> >> nfsv4@ietf.org
> >> https://www.ietf.org/mailman/listinfo/nfsv4
> >>
> >
> >
> > --
> > Mike Eisler, Senior Technical Director, NetApp, 719 599 9026,
> > http://blogs.netapp.com/eislers_nfs_blog/
> >
> >
> >
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
> >
> 
> 

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email