IETF Logo Mail Archive

Re: [nfsv4] Going forward on the security document

Frank Filz <ffilzlnx@mindspring.com> Thu, 15 February 2024 17:44 UTC

Return-Path: <ffilzlnx@mindspring.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2301CC14F6AC for <nfsv4@ietfa.amsl.com>; Thu, 15 Feb 2024 09:44:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=earthlink.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80X4tetSZVct for <nfsv4@ietfa.amsl.com>; Thu, 15 Feb 2024 09:44:47 -0800 (PST)
Received: from mta-101a.earthlink-vadesecure.net (mta-101a.earthlink-vadesecure.net [51.81.61.60]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A97CC14CF18 for <nfsv4@ietf.org>; Thu, 15 Feb 2024 09:44:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; bh=u8LoyEc90cx1h9w2EoIvX05Y4kwUh07XOPjryL Whlmo=; c=relaxed/relaxed; d=earthlink.net; h=from:reply-to:subject: date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-to: references:list-id:list-help:list-unsubscribe:list-subscribe:list-post: list-owner:list-archive; q=dns/txt; s=dk12062016; t=1708019086; x=1708623886; b=j+iZ9U+QCqGp/Tqg7z0X/nVH6XZb3x0BdVnTByYCXHXpjMkg5+JoDob doMKiSSrifQBaaBNLRR4/Gnd/vWECCXb0Q3ecJMunmZu5kVyVtr2VIPCBI/st0xMcAG8sSo TbRgE/mjUMYXHPd1LUYlLvm7lCjw23Vw3M0vFh3RZEH2kS75LSV84btihRmn2nkGYd+AMTw se1lFyWVjfH61MchduW1Ruk68ECSWvY8N7w6wm/vuhli10EAkrLgN+6uaJIyGrqi2lnp9oN omXrRv2P+b0V813ixHILVLS08lJC2ZQNYsTv4cWJodnZs07kvKgUo2IBLVPGJ+1Ec0d/eWD /yA==
Authentication-Results: earthlink-vadesecure.net; auth=pass smtp.auth=ffilzlnx@mindspring.com smtp.mailfrom=ffilzlnx@mindspring.com;
Received: from FRANKSTHINKPAD ([174.174.49.201]) by vsel1nmtao01p.internal.vadesecure.com with ngmta id d767bcc0-17b41a4f16384e61; Thu, 15 Feb 2024 17:44:46 +0000
From: Frank Filz <ffilzlnx@mindspring.com>
To: 'Jeff Layton' <jlayton@poochiereds.net>, 'David Noveck' <davenoveck@gmail.com>, 'NFSv4' <nfsv4@ietf.org>, 'Zaheduzzaman Sarker' <zahed.sarker.ietf@gmail.com>
Cc: 'Chuck Lever' <cel@kernel.org>
References: <CADaq8jcFioz5XeRCaC7q6KkG6CJZaX6CYrcqk_AFAewU3-tkYw@mail.gmail.com> <d8789a595b88ec0448ead5ad551dfe91c344cc58.camel@poochiereds.net>
In-Reply-To: <d8789a595b88ec0448ead5ad551dfe91c344cc58.camel@poochiereds.net>
Date: Thu, 15 Feb 2024 09:44:45 -0800
Message-ID: <014401da6036$aadb4c10$0091e430$@mindspring.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQGnAL65iFpdlLoEvcpXvzIvyueoMQIT+3ytsWHJgYA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/8mnzdi_VMGKXmc7t57pZ7LU-Jd8>
Subject: Re: [nfsv4] Going forward on the security document
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2024 17:44:51 -0000

> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Jeff Layton
> On Wed, 2024-02-14 at 11:07 -0500, David Noveck wrote:
> > This message is my attempt to summarize the results of discussion of the
v4
> security document that occurred at the interim meeting this afternoon.
> > This email is  my attempt to summarize  the results of discussion of the
> security document that occurred at the 2/13 Interim Wrorking Group
> meeting.   This document is being done as part of the rfc5661bis effort .
> >
> > Although I have tried to be accurate, it should be noted that I have
made no
> attempt to coordinate with others present and that others may have
different
> views as to what was discussed/decided.
> >
> > I decided to try to simplify processing, as suggested by a number of
> > people, by splitting out the ACL-related material from the security
> > document proper .  I will then try to address the difficult issues
> > created when ACLs were added to NFSv4 without clear semantic
> > requirements in a separate document, devoted to ACLs
> >
> > As a result, the next draft of the security document,
> > draft-dnoveck-nfsv4-security-08, will limit the discussion of
acl-related issues
> by treating acls as an EXPERIMENTAL feature to be described in a separate
> document.
> >
> > That document, initially draft-dnoveck-nfsv4-acls-00 will explain why
the
> experiment adopted initially in rfc3010 and propagated without major
changes
> to rfcs 3530, 5661, 7530, and 8881 was a failure which it does not make
sense to
> continue.  Instead, I will, as I proposed at the meeting, change the focus
of the
> focus ACL description on a simplified core baased on the withdrawn draft
POSIx
> ACLs with provisions for extensions of that model that have actually.   I
will be
> sending out in the week, a description of ONTAP ACL support  which
includes a
> number of such extensions.
> >
> > This approach is the reverse of the one adopted in rfc3010 and
> > subsequent rfcs in which ACLs including a massive set of extensions was
> presented as canonical, but was supplemented by some dubious material
which
> essentially said "Oh by the way, if any of this inconvenient, feel free to
ignore it.
> "
> >
> > We will be needing information about actual implementations of some of
the
> ACL extensions discussed in existing documents and have to be prepared to
> simply drop material that was never implemented.  In particular,  as far
as I
> know, the troublesome behavior, derived from windows acl implementation,
> mentioned in the meeting in which deny ACL are scanned and effected after
all
> requested permissions was never described in NFSv4 and probably never
> implemented.   As a result, it is likely that concern about its effect on
the
> specification of NFSv4 ACLs was misplaced.
> >
> 
> Linux nfsd translates between NFSv4 and POSIX ACLs based upon the method
> described here:
> 
>     https://datatracker.ietf.org/doc/html/draft-ietf-nfsv4-acl-mapping-05
> 
> This is of course lossy and there are ACEs that it could never handle
correctly
> (like want to make something writeable but not give delete permissions?
Too
> bad). It also would reorder ACEs to conform to the well-defined order of
> evaluation in POSIX ACLs since we can't preserve the given ordering.

NFS-Ganesha also translates between POSIX and NFSv4 ACLs in hopefully the
same way as the kernel (no guarantee it's a perfect match). NFS-Ganesha also
supports the non-RFC sideband protocol to provide POSIX ACL support to NFSv3
clients.

NFS-Ganesha has some level of support of NFSv4 ACLs when IBM's GPFS is the
back end FSAL. I don't know the details of how closely their ACL
implementation matches RFC 3530 and it it was updated in any way for
subsequent RFCs.

I don't know if any out of tree FSALs implement NFSv4 ACLs. There has been
talk but no action towards implementing Rich ACLs for the Cephfs backend.

NFS-Ganesha does not yet reject ACLs it cannot properly enforce per RFC.

> > There are also a number of related matters that were discussed without
> resulting in any agreement.   The following uissues will need to be
addressed on
> the wg list and in subsequent meetings:
> >  * Chris I. raised what he described as a set of  problems with NFSv4's
handling
> of "identity".   The ensuing discussion led me to conclude that he was
referring
> to two different issues:
> >     - The lack of clarity about mapping between uid/gid values and the
strings
> used to represent users and groups.   With regard to this issue, I tend to
agree
> with Brian P.'s point that these are properly treated as implementation
> matters.   I will try to make this clearer in forthcoming drafts.
> >     - At a later point in the discussion, it appeared that many of
Chris's concerns
> were prompted by the disturbing ease with which a client might represent
> himself as a given named user.  While it is possible that such
> impersonation might be made more likely by flaws in the mappings between
> names and numeric ids, the fundamental issue here is inherited from NFSv2
and
> NFSv3 implementations, in which AUTH_SYS is used, allowing unauthenticated
> requests to be executed, given the common use of AUTH_SYS and the lack of
> facilities for client peer authentication.
> > > >  The material in -08 will address this issue pretty much as was done
in -07,
> pointing out the security problem involved in use of AUTH_SYS, without
going so
> far forbidding its use or formally RECOMMENDING against it.   While we may
> not have reached consensus on this, I don't see any obstacles to it.
> > > Although I feel that the shift from numeric ids to strings made
between v3
> and v4 was, like the inclusion of ACLs without a clear semantics model for
their
> use, a mistake, it is not possible for  us to undo that mistake.   I think
it will be
> possible to clarify the role of name mapping by not requiring the mapping
of ids
> to names when AUTH_SYS is used, although the numeric ids need to
(trivially)
> mapped to strings.  I will try to see what can be done in that regard in
-08,
> without crossing any red lines.
> >  * Tom H.  raised issues regarding potential XDR changes which he found
> troubling.   Chris agreed to post the diffs between RFC5662 and the most
recent
> draft of rfc5662bis.  While Tom never wavered from his position that any
such
> differences were inherently impermissible, I need to point out that these
> changes which reorganized the typedefs while keeping what is sent  OTW as
> formally opaque are analogous to the xdr changes made between rfc 3531 and
> 7531 and are not a problem.  The working group will have to discuss this
issue
> further but I think consensus is achievable.
> >  * The repeated suggestions by Brian that the NFSv4 server could be
> defined  as an "interpreter" depending on the server fs's choice of
semantics
> have never been addressed.  In my view, the working group needs to
seriously
> consider this possibility and clearly reject it.  I don't think we can
publish a
> purported Proposed Standard that leaves so much material unspecified, even
if
> the IETF/IESG could somehow be convinced to accept it.
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
> 
> >From my standpoint, allowing us to present and manipulate POSIX ACLs
> properly across v4 sounds like a very welcome change!
> --
> Jeff Layton <jlayton@poochiereds.net>
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

Frank Filz

v2.23.0 | Report a Bug | By Email