IETF Logo Mail Archive

Re: [nfsv4] Review of http://www.ietf.org/id/draft-naik-nfsv4-xattrs-01.txt

Nico Williams <nico@cryptonector.com> Sat, 11 October 2014 00:56 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7836B1A0353 for <nfsv4@ietfa.amsl.com>; Fri, 10 Oct 2014 17:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wf9cB5HYlzV4 for <nfsv4@ietfa.amsl.com>; Fri, 10 Oct 2014 17:56:21 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 196D51A034D for <nfsv4@ietf.org>; Fri, 10 Oct 2014 17:56:21 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id BDB109405C; Fri, 10 Oct 2014 17:56:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=WwvbSsScwD93YE cTNikyMY5TKrc=; b=YF97lUiN8dOSSXAD2iIb4Y1hmd2Xjq4195l8kl/nJfP5Dt hQGl+VD1RZPYWiAHzR9gpRiCe5P0ihvIXb38Xj+zLHpNDs02L8hrauFKAP2mrg1d okse0WjXUrVNKnN+Ia5pcXnY29RpvgwsR4H6tHmrKabdTvL7JAHePl3sRO83A=
Received: from localhost (unknown [186.23.16.104]) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPA id E34F994059; Fri, 10 Oct 2014 17:56:19 -0700 (PDT)
Date: Fri, 10 Oct 2014 19:56:18 -0500
From: Nico Williams <nico@cryptonector.com>
To: David Quigley <dpquigl@davequigley.com>
Message-ID: <20141011005616.GB4124@localhost>
References: <CCBBAAB7-B2DE-4378-BBFD-3DAB03630707@primarydata.com> <20141002225325.GC412@localhost> <BD02BA26-A9E8-4963-808D-ABF3ACD082D4@primarydata.com> <20141003192008.GD4981@localhost> <aedbabcb589ebec71799edbba4a40784@countercultured.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <aedbabcb589ebec71799edbba4a40784@countercultured.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/nfsv4/Bkjq8yKsFecpjvYWb8XGMXhAzpk
Cc: NFSv4 <nfsv4@ietf.org>
Subject: Re: [nfsv4] Review of http://www.ietf.org/id/draft-naik-nfsv4-xattrs-01.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Oct 2014 00:56:22 -0000

On Wed, Oct 08, 2014 at 09:21:22AM -0400, David Quigley wrote:
> On 10/03/2014 15:20, Nico Williams wrote:
> >Here I agree with you that the I-D must explain how the server helps
> >mediate access control.  And it must explain that some xattrs have
> >security-relevant semantics.  But that's as far as an NFSv4
> >specification can go here.
> 
> I think that the xattrs exposed through this shouldn't be
> security-relevant unless you're talking about application layer
> security. [...]

I agree with you, but system security-relevant xattrs is a ship that has
sailed.  Perhaps NFSv4 should just not transport them, but I think
that's probably not useful enough.  The really important thing is to
decide when a client is sufficiently privileged, and for that you need
something like RPCSEC_GSSv3 (that allows you to authenticate a client
and a user together and allows the client to make assertions about local
privilege that the server can then decide how much to reduce -- or even
to reject completely, of course).

>                                                       [...]. I agree
> that this is a problem because it opens up the system to
> interoperability issues by encouraging people to bypass any sort of
> standardization effort and just using the excuse that its just
> opaque data.

I agree that non-standardized conventions make xattrs _dangerous_.
Fortunately there appear to be naming conventions that we could
encourage the standardization of, and maybe that will be enough.

> >LNFS seems orthogonal here.  RPCSEC_GSSv3 is more relevant.
> 
> I agree. LNFS is just another way of conveying access control and
> because we punted on syntax, semantics and enforcement I think the
> only references to access control should be what is concretely
> defined in NFSv4. In that case it would be existing RPCSEC_GSS
> flavors for authentication and NFSv4 ACLs.

Right, except that xattrs have no ACLs as such.  (We could codify the
naming conventions and express their associated access controls
synthetically with NFSv4 ACLs...  But note that still, when a filesystem
says that you need "root" privilege (or similar), the context is local
access, and extending such notions of privilege to the network requires
something like RPCSEC_GSSv3.

Nico
--

v2.23.0 | Report a Bug | By Email