Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
Trond Myklebust <trond.myklebust@fys.uio.no> Thu, 17 April 2008 21:18 UTC
Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 421693A6C39; Thu, 17 Apr 2008 14:18:29 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F1C73A6ABA for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 14:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.6
X-Spam-Level:
X-Spam-Status: No, score=0.6 tagged_above=-999 required=5 tests=[J_CHICKENPOX_56=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfmoYe7XGkhi for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 14:18:26 -0700 (PDT)
Received: from pat.uio.no (pat.uio.no [129.240.10.15]) by core3.amsl.com (Postfix) with ESMTP id 6A9A13A7010 for <nfsv4@ietf.org>; Thu, 17 Apr 2008 14:18:26 -0700 (PDT)
Received: from mail-mx4.uio.no ([129.240.10.45]) by pat.uio.no with esmtp (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUu-0000mg-NN; Thu, 17 Apr 2008 23:18:24 +0200
Received: from smtp.uio.no ([129.240.10.9] helo=mail-mx4.uio.no) by mail-mx4.uio.no with esmtp (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUu-0002zx-CQ; Thu, 17 Apr 2008 23:18:24 +0200
Received: from c-69-242-210-120.hsd1.mi.comcast.net ([69.242.210.120] helo=[192.168.0.101]) by mail-mx4.uio.no with esmtpsa (SSLv3:AES256-SHA:256) (Exim 4.67) (envelope-from <trond.myklebust@fys.uio.no>) id 1JmbUt-0002zh-Eb; Thu, 17 Apr 2008 23:18:24 +0200
From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Mike Eisler <mre-ietf@eisler.com>
In-Reply-To: <60470.198.95.226.230.1208462485.squirrel@webmail.eisler.com>
References: <26301.198.95.226.230.1208116510.squirrel@webmail.eisler.com> <C98692FD98048C41885E0B0FACD9DFB806B0BAC9@exnane01.hq.netapp.com> <14599.198.95.226.230.1208460696.squirrel@webmail.eisler.com> <60470.198.95.226.230.1208462485.squirrel@webmail.eisler.com>
Date: Thu, 17 Apr 2008 17:18:20 -0400
Message-Id: <1208467100.30399.13.camel@heimdal.trondhjem.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.1
X-UiO-Resend: resent
X-UiO-Spam-info: not spam, SpamAssassin (score=0.0, required=5.0, autolearn=disabled, none)
X-UiO-Scanned: 2C9712F964879393F4B39F36D89972F86BEA02D9
X-UiO-SR-test: 8E576882668F2A389C39150A6F95FC49AB18578F
X-UiO-SPAM-Test: remote_host: 129.240.10.9 spam_score: 0 maxlevel 200 minaction 2 bait 0 mail/h: 187 total 7951319 max/h 8345 blacklist 0 greylist 0 ratelimit 0
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org
On Thu, 2008-04-17 at 13:01 -0700, Mike Eisler wrote: > Ah, now I see why LINK and RENAME have to return NFS4ERR_WRONGSEC. > > PUTFH followed by SAVEFH cannot return NFS4ERR_WRONGSEC. I agree that this makes it consistent. You've just restated Dave's "1N 2N" case. I just don't see a justification for why we need to defer the WRONGSEC from PUTFH+SAVEFH to the RESTOREFH case. Trond > LINK and RENAME don't require a RESTOREFH. If there is a strict > security policy on the saved fh used for LINK and RENAME, then without > NFS4ERR_WRONGSEC, that policy could be circumvented. > > So, knowing what I know now (and I may know more later, so this is subject > to change), my new plan is: > > Make the errors chapter synchronized with the SECINFO section: > add LINK and RENAME as valid operations that can return > NFS4ERR_WRONGSEC. > > On Thu, April 17, 2008 12:31 pm, Mike Eisler wrote: > > I was in the process of making the edits to remove RESTOREFH from > > the list of operations that can return NFS4ERR_WRONGSEC and came > > across this: > > > > > > <section anchor="using_secinfo" title="Using NFS4ERR_WRONGSEC, SECINFO, > > and SE > > CINFO_NO_NAME"> > > <t> > > This section explains of the mechanics of NFSv4.1 security negotiation. > > The term "put filehandle operation" refers to > > PUTROOTFH, PUTPUBFH, PUTFH, and RESTOREFH. > > </t> > > > > <section anchor="PUTFH + SAVEFH" > > title="Put Filehandle Operation + SAVEFH"> > > <t> > > The client is saving a filehandle for a future RESTOREFH. The > > server MUST NOT return NFS4ERR_WRONGSEC to either the put filehandle > > operation or SAVEFH. > > </t> > > </section> <!-- Put Filehandle Operation + SAVEFH --> > > > > ---------- > > > > There's a reason, which I do not recall, why a put filehandle op > > followed by SAVEFH is not allowed to return NFS4ERR_WRONGSEC. > > > > But because, e.g. PUTFH, SAVEFH cannot return _WRONGSEC, this > > means RESTOREFH has to return WRONGSEC. > > > > > > Now we could state that PUTFH, SAVEFH can return NFS4ERR_WRONGSEC, > > and that seems like it is OK. But then so did eliminating WRONGSEC > > from the list of errors RESTOREFH can return. > > But I have no time to figure why the spec disallows WRONGSEC on the > > PUTFH, SAVEFH case. > > > > So I intend to make SECINFO synchronized with the errors chapter: > > remove LINK and RENAME as valid operations that can return > > NFS4ERR_WRONGSEC. > > > > to the spec (i.e. producing an RFC that is broken). > > On Sun, April 13, 2008 1:54 pm, Noveck, Dave wrote: > >>> > So I think you have two questions: > >>> > > >>> > 1) Can security policies be on name-pattern-defined classes of > >> objects? > >>> > > >>> > 2) Is the saved fh protected in the same way as current fh? > >>> > > >>> > So my take is: > >>> > > >>> > 1Y, 2Y: CREATE, LINK, RENAME > >>> > >>> I think it is: > >>> > >>> 1Y, 2Y: REMOVE > >>> > >>> Why isn't REMOVE among the list? The target could have a policy. > >> > >> My intention was that REMOVE was implicitly included in all the options, > >> just as LOOKUP is. > >> > >>> Why is CREATE on the list? If the object doesn't > >>> exist, it has no policy. If it does exist, then > >>> NFS4ERR_EXIST is what must be returned. > >> > >> Under 1Y, objects can implicitly have policies based on their names. > >> With the example of "*.secret" requiring kerberos, AUTH_SYS creation of > >> "big.secret" would return WRONGSEC. > >> > >>> Why are LINK and RENAME on the list? The saved > >>> fh is protected. > >> > >>> LINK is linking one of the two filehandles; we've > >>> already checked their policies. Note that if the > >>> target name exists, we return NFS4ERR_EXIST. This > >>> is the same as CREATE. > >> > >> Here I was thinking of a name-based policy where the link matched the > >> link pattern. > >> > >>> RENAME: security policies should not be protecting > >>> the rename of the policied object. SECINFO is not > >>> that smart. > >> > >> RENAME identifies an existing object by name. If the caller would get > >> WRONGSEC doing a LOOKUP of that object, he certainly should get one > >> renaming it. > >> > >>> > 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH > >> > >>> I think it should be: > >> > >>> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH > >> > >>> for the same reasons as the previous 1Y, 2Y case. > >> > >> OK. > >> > >>> > 1N, 2Y: none of the above > >> > >>> Dave noted this should have had RENAME. I'm not > >>> seeing it. A RENAME amounts to adding a directory > >>> entry and deleting a directory entry. If REMOVE > >>> and CREATE are not on the list, why should RENAME > >>> be on the list? > >> > >> REMOVE was intended to be implicitly on the list as discussed above. > >> > >> The difference between CREATE and RENAME is similar to that between > >> CREATE and OPEN. RENAME works on an existing object which may have > >> previously acquired a policy. > >> > >>> > So I think it is: > >> > >>> > 1N, 2Y: none of the above > >> > >> I think it would be RENAME and REMOVE. > >> > >>> > 1N, 2N: LINK, RENAME, RESTOREFH > >> > >>> I agree. > >> > >>> So while eliminating RESTOREFH from the list of > >>> operations that can return NFS4ERR_WRONGSEC is > >>> going to create a lot editing work for me, I agree > >>> that 1N, 2Y is the easiest case and the sanest way > >>> to deal draft-21's current inconsistency. > >> > >> I agree. > >> > >> -----Original Message----- > >> From: Mike Eisler [mailto:mre-ietf@eisler.com] > >> Sent: Sunday, April 13, 2008 3:55 PM > >> To: nfsv4@ietf.org > >> Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME > >> > >>> From: Noveck, Dave > >>> Sent: Sunday, April 13, 2008 9:09 AM > >>> To: 'Trond Myklebust'; Mike Eisler > >>> Cc: nfsv4@ietf.org > >>> Subject: RE: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME > >> > >> > >>>> Also, just out of curiosity, why do we have RESTOREFH in the above > >>>> two > >>> > >>>> lists? Aren't you pretty much guaranteed to get a WRONGSEC error on > >>>> the filehandle before you get round to the SAVEFH? > >>> > >>> I think this may relate to the issue of LINK and RENAME. If you > >>> create an object and continue to use it in the COMPOUND, you could > >>> conceive, since it is not atomic, that between two ops the server > >>> changes his security policy for the object in question (if you can > >>> ever get WRONGSEC subsequently, it has to change some time, so it > >>> might be before the COMPOUND is done), but the protocol has decided, > >>> in order to simplify client implementations, to avoid the possiblity > >>> of getting WRONGSEC for the current fh. At any time that for the > >>> current fh, you are guaranteed not to get the error on a current fh > >>> once vetted when established. You could apply the same to the saved > >>> fh, but you don't have to. Not protecting the saved fh in this way > >>> would only mean that you had to check the error at RESTOREFH and > >>> anywhere that the saved fh was actually used (only LINK and RENAME, I > >>> think) > >> > >> Makes sense. > >> > >>> So I think you have two questions: > >>> > >>> 1) Can security policies be on name-pattern-defined classes of > >> objects? > >>> > >>> 2) Is the saved fh protected in the same way as current fh? > >>> > >>> So my take is: > >>> > >>> 1Y, 2Y: CREATE, LINK, RENAME > >> > >> I think it is: > >> > >> 1Y, 2Y: REMOVE > >> > >> Why isn't REMOVE among the list? The target could have a policy. > >> > >> Why is CREATE on the list? If the object doesn't exist, it has no > >> policy. If it does exist, then NFS4ERR_EXIST is what must be returned. > >> > >> Why are LINK and RENAME on the list? The saved fh is protected. > >> > >> LINK is linking one of the two filehandles; we've already checked their > >> policies. Note that if the target name exists, we return NFS4ERR_EXIST. > >> This is the same as CREATE. > >> > >> RENAME: security policies should not be protecting the rename of the > >> policied object. SECINFO is not that smart. > >> > >>> 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH > >> > >> I think it should be: > >> > >> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH > >> > >> for the same reasons as the previous 1Y, 2Y case. > >> > >>> 1N, 2Y: none of the above > >> > >> Dave noted this should have had RENAME. I'm not seeing it. A RENAME > >> amounts to adding a directory entry and deleting a directory entry. If > >> REMOVE and CREATE are not on the list, why should RENAME be on the list? > >> > >> So I think it is: > >> > >> 1N, 2Y: none of the above > >> > >>> 1N, 2N: LINK, RENAME, RESTOREFH > >> > >> I agree. > >> > >> So while eliminating RESTOREFH from the list of operations that can > >> return NFS4ERR_WRONGSEC is going to create a lot editing work for me, I > >> agree that 1N, 2Y is the easiest case and the sanest way to deal > >> draft-21's current inconsistency. > >> > >> > >> > >> _______________________________________________ > >> nfsv4 mailing list > >> nfsv4@ietf.org > >> https://www.ietf.org/mailman/listinfo/nfsv4 > >> > > > > > > -- > > Mike Eisler, Senior Technical Director, NetApp, 719 599 9026, > > http://blogs.netapp.com/eislers_nfs_blog/ > > > > > > > > _______________________________________________ > > nfsv4 mailing list > > nfsv4@ietf.org > > https://www.ietf.org/mailman/listinfo/nfsv4 > > > > _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… J. Bruce Fields