IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)

"Marc Eshel" <eshel@us.ibm.com> Thu, 25 May 2017 16:12 UTC

Return-Path: <eshel@us.ibm.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02045129B29 for <nfsv4@ietfa.amsl.com>; Thu, 25 May 2017 09:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.401
X-Spam-Level:
X-Spam-Status: No, score=-5.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfgCj-419aew for <nfsv4@ietfa.amsl.com>; Thu, 25 May 2017 09:12:27 -0700 (PDT)
Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C247D129B28 for <nfsv4@ietf.org>; Thu, 25 May 2017 09:12:27 -0700 (PDT)
Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v4PG8jib033075 for <nfsv4@ietf.org>; Thu, 25 May 2017 12:12:25 -0400
Received: from e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ap1v4abc7-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for <nfsv4@ietf.org>; Thu, 25 May 2017 12:12:25 -0400
Received: from localhost by e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <nfsv4@ietf.org> from <eshel@us.ibm.com>; Thu, 25 May 2017 10:12:24 -0600
Received: from b03cxnp08027.gho.boulder.ibm.com (9.17.130.19) by e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 25 May 2017 10:12:22 -0600
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v4PGCLHM10223890 for <nfsv4@ietf.org>; Thu, 25 May 2017 09:12:21 -0700
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C086C78051 for <nfsv4@ietf.org>; Thu, 25 May 2017 10:12:21 -0600 (MDT)
Received: from e39.co.us.ibm.com (unknown [9.17.249.49]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTPS id B4E3F7803F for <nfsv4@ietf.org>; Thu, 25 May 2017 10:12:21 -0600 (MDT)
Received: from localhost by e39.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <nfsv4@ietf.org> from <eshel@us.ibm.com>; Thu, 25 May 2017 10:12:21 -0600
Received: from smtp.notes.na.collabserv.com (192.155.248.72) by e39.co.us.ibm.com (192.168.2.139) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128/128) Thu, 25 May 2017 10:12:19 -0600
Received: from localhost by smtp.notes.na.collabserv.com with smtp.notes.na.collabserv.com ESMTP for <nfsv4@ietf.org> from <eshel@us.ibm.com>; Thu, 25 May 2017 16:12:18 -0000
Received: from us1a3-smtp08.a3.dal06.isc4sb.com (10.146.103.57) by smtp.notes.na.collabserv.com (10.106.227.158) with smtp.notes.na.collabserv.com ESMTP; Thu, 25 May 2017 16:11:54 -0000
Received: from us1a3-mail148.a3.dal06.isc4sb.com ([10.146.38.117]) by us1a3-smtp08.a3.dal06.isc4sb.com with ESMTP id 2017052516115379-579529 ; Thu, 25 May 2017 16:11:53 +0000
In-Reply-To: <20170525152957.GV10188@localhost>
To: Nico Williams <nico@cryptonector.com>
Cc: draft-ietf-nfsv4-xattrs@ietf.org, Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
From: Marc Eshel <eshel@us.ibm.com>
Date: Thu, 25 May 2017 09:11:53 -0700
References: <149559305147.28562.14990485255783585477.idtracker@ietfa.amsl.com> <CAKKJt-cHEoBeP++YP-=FWmVTWkoLWLa5OZ=sDYT7kEBrDvvOiw@mail.gmail.com> <CABcZeBPc9U1D+sSOnz2_3MwVn527ruuqqWoCsZYafx_rLwpyAQ@mail.gmail.com> <CAKKJt-dcjiMFk0NyD-UrBQrtKAZgWaVzcxY67YSDOu0ZVNw9Ng@mail.gmail.com> <CAKKJt-ceK3r8=HXArenmNXpt8bk2MuKbkPL-qoNPZMrHHETfJg@mail.gmail.com> <20170525152957.GV10188@localhost>
MIME-Version: 1.0
X-KeepSent: E1A7E856:598CE2A7-8825812B:00586825; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0.1EXT SHF766 December 14, 2016
X-LLNOutbound: False
X-Disclaimed: 27399
X-TNEFEvaluated: 1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="US-ASCII"
x-cbid: 17052516-0020-0000-0000-00000C049976
X-IBM-SpamModules-Scores: BY=0; FL=0; FP=0; FZ=0; HX=0; KW=0; PH=0; SC=0.40962; ST=0; TS=0; UL=0; ISC=; MB=0.039931
X-IBM-SpamModules-Versions: BY=3.00007116; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000212; SDB=6.00865504; UDB=6.00429764; IPR=6.00645280; BA=6.00005374; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00015581; XFM=3.00000015; UTC=2017-05-25 16:12:16
X-IBM-AV-DETECTION: SAVI=unsuspicious REMOTE=unsuspicious XFE=unused
X-IBM-AV-VERSION: SAVI=2017-05-25 16:04:36 - 6.00006792
x-cbparentid: 17052516-6060-0000-0000-000010FAE794
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
X-TM-AS-GCONF: 00
X-IBM-SpamModules-Scores:
X-IBM-SpamModules-Versions: BY=3.00007116; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000212; SDB=6.00865504; UDB=6.00429764; IPR=6.00645280; BA=6.00005374; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00015581; XFM=3.00000015; UTC=2017-05-25 16:12:23
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
Message-Id: <OFE1A7E856.598CE2A7-ON8825812B.00586825-8825812B.0058FAF1@notes.na.collabserv.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-25_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1705250306
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/D_LAuaHQ8fLXvIlifTkvAqz3qpk>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 16:12:29 -0000

We had a lot of discussions in the WG about the security implications and 
we decided to stay a way of defining different types of xattr. This is 
user only xattr for the applications to use and it should be handled as an 
extension to the data in the file without any meaning for the protocol. If 
it is not clear enough we can fix the text and add a warning. 
Marc.



From:   Nico Williams <nico@cryptonector.com>
To:     Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc:     Eric Rescorla <ekr@rtfm.com>, draft-ietf-nfsv4-xattrs@ietf.org, 
The IESG <iesg@ietf.org>, NFSv4 <nfsv4@ietf.org>, nfsv4-chairs@ietf.org
Date:   05/25/2017 08:30 AM
Subject:        Re: [nfsv4] Eric Rescorla's Discuss on 
draft-ietf-nfsv4-xattrs-05: (with DISCUSS)



On Thu, May 25, 2017 at 10:35:53AM -0400, Spencer Dawkins at IETF wrote:
> Dear -xattrs- folk,
> 
> We did chat about this Discuss on the call, and Eric said (in the jabber
> room) that if the issue he raised is accurate, at a minimum, the 
document
> needs to provide a warning about the exposure, in order to clear the
> Discuss.

No, i think it has to provide, at a minimum, a MUST NOT (see below).

The alternative is to add proper support for system xattrs.  I discuss
both below.

> Actual technical solutions that mitigate the exposure are, of course,
> appreciated, if it's possible to provide a solution.

A better way to deal with this would be to have a way to flag some
xattrs as being system xattrs, and more importantly, to indicate whether
the client and server support whatever the system xattr's semantics are.

If a client doesn't support some system xattr, the server might provide
more limited access to the file that has that xattr.  If a server
doesn't support some system xattr, the client might fail the operation
to set it.  It all depends on the particular system xattr's semantics.

E.g., a system xattr denoting append-only or read-only can be enforced
by the server, but setting it when the server doesn't support it means
that other clients might not enforce it either.

An xattr that denotes privileges to be gained on exec (a la set-uid),
probably requires extra permission to set -- if the server doesn't know
this, then other clients must not grant those extra privileges on exec!

Alternatively, you could just say that at this time NFSv4 simply does
not support system xattrs, and that no xattrs with names in a system
namespace must be trusted by clients.  This is where the MUST NOT comes
in: the spec would say "clients MUST NOT accord special system semantics
to xattrs" (with some wordsmithing around "system" xattrs).  Then you
could add the flagging feature later.  But you'll have to distinguish
system xattrs set pre- and post-addition of the flagging feature.

Nico
--

v2.23.0 | Report a Bug | By Email