IETF Logo Mail Archive

RE: [nfsv4] allowed delayed writes via AUTH_GSS

Carl Burnett <cburnett@us.ibm.com> Thu, 02 October 2003 18:28 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18615 for <nfsv4-archive@odin.ietf.org>; Thu, 2 Oct 2003 14:28:22 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58BG-0001gN-3O for nfsv4-archive@odin.ietf.org; Thu, 02 Oct 2003 14:28:02 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h92IS2SR006461 for nfsv4-archive@odin.ietf.org; Thu, 2 Oct 2003 14:28:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58BF-0001g8-Vb for nfsv4-web-archive@optimus.ietf.org; Thu, 02 Oct 2003 14:28:02 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18572 for <nfsv4-web-archive@ietf.org>; Thu, 2 Oct 2003 14:27:52 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A58BD-0004u1-00 for nfsv4-web-archive@ietf.org; Thu, 02 Oct 2003 14:27:59 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A58BD-0004ty-00 for nfsv4-web-archive@ietf.org; Thu, 02 Oct 2003 14:27:59 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58BE-0001fF-TN; Thu, 02 Oct 2003 14:28:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A58AK-0001ej-RL for nfsv4@optimus.ietf.org; Thu, 02 Oct 2003 14:27:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18546 for <nfsv4@ietf.org>; Thu, 2 Oct 2003 14:26:55 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A58AI-0004tT-00 for nfsv4@ietf.org; Thu, 02 Oct 2003 14:27:02 -0400
Received: from e34.co.us.ibm.com ([32.97.110.132]) by ietf-mx with esmtp (Exim 4.12) id 1A58AH-0004tK-00 for nfsv4@ietf.org; Thu, 02 Oct 2003 14:27:01 -0400
Received: from westrelay04.boulder.ibm.com (westrelay04.boulder.ibm.com [9.17.193.32]) by e34.co.us.ibm.com (8.12.10/8.12.2) with ESMTP id h92IQVbl350212 for <nfsv4@ietf.org>; Thu, 2 Oct 2003 14:26:31 -0400
Received: from d03nm130.boulder.ibm.com (d03av02.boulder.ibm.com [9.17.193.82]) by westrelay04.boulder.ibm.com (8.12.9/NCO/VER6.6) with ESMTP id h92IQU7B157622 for <nfsv4@ietf.org>; Thu, 2 Oct 2003 12:26:30 -0600
To: nfsv4@ietf.org
MIME-Version: 1.0
Subject: RE: [nfsv4] allowed delayed writes via AUTH_GSS
X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001
Message-ID: <OF6FB2C662.4EE438AE-ON87256DB3.0062E216@us.ibm.com>
From: Carl Burnett <cburnett@us.ibm.com>
X-MIMETrack: Serialize by Router on D03NM130/03/M/IBM(Release 6.0.2CF2|July 23, 2003) at 10/02/2003 12:26:30, Serialize complete at 10/02/2003 12:26:30
Content-Type: text/plain; charset="us-ascii"
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 2 Oct 2003 13:26:27 -0500
Date: Thu, 02 Oct 2003 13:26:27 -0500

I think this does represent a fairly serious problem with the protocol. 
You have situations where a client cannot return resources to a server. In 
the previously discussed cases of CLOSE and LOCKU, this potentially leads 
to the inability to access files because the client can't release state 
and there is no way short of manual intervention for the server to recover 
the resource. I am not referring the extreme cases where someone leaves an 
app running with opens and locks. Its the more typical cases where an 
application terminates, perhaps due to an EACCES upon loss of 
authentication, the client can't do its job. At least for the DELEGRETURN 
case the server can recall the delegation.

From a security perspective, I think you have to view it with a separation 
of the security around the file system resources that are being protected 
and the security around the client host to server host state management. 
The security of the file system resources is based on the real user 
accessing the files and enforcement of the access controls on them. That's 
different from the security of the client to server shared state. With 
SETCLIENTID, the protocol has already established that state control is in 
fact based on the security of SETCLIENTID. The problem is that the 
protocol operations for more granular state control have been coupled to 
file system export controls because of the use of the PUTFH operation.

As as been discussed, environments desiring stronger security beyond the 
protection of the data would probably want to leverage the use of 
RPCSEC-GSS on SETCLIENTID by creating a machine principal for the client. 
But history says many environments will not do this to reduce 
administration on the client side. They still get the strong security on 
the data, which is the key thing.

I am hoping for some good discussion on this topic at the upcoming 
bakeoff.

Thanks,
Carl

Carl Burnett
AIX Kernel Architecture - Network File System
(512) 838-8498, TL 678-8498
(please reply to cburnett@us.ibm.com)





Mike Eisler <mike@eisler.com>
Sent by: nfsv4-admin@ietf.org
10/02/2003 12:14 PM

 
        To:     nfsv4@ietf.org
        cc: 
        Subject:        RE: [nfsv4] allowed delayed writes via AUTH_GSS





 > -----Original Message-----
 > From: Carl Burnett [mailto:cburnett@us.ibm.com]
 > Sent: Thursday, October 02, 2003 5:18 AM
 > To: nfsv4@ietf.org
 > Subject: Re: [nfsv4] allowed delayed writes via AUTH_GSS
 >
 >
 > Why wouldn't the client be able to use its host
 > authentication (used in
 > SETCLIENTID) when doing DELEGRETURN? That seems like exactly what you
 > would want to do.
[...]

 > To me, this looks fundamentally flawed that primarily state oriented
 > operations are so closely tied to user authentication when in
 > fact state
 > is a client to server. This is especially true for
 > delegations. Client IDs
 > own delegations, not users.

What you see as flawed, others might see as good security.

If one wants to compromise security for convenience, one has the
freedom to add an ACE to his files giving the SETCLIENTID
principal authority to write and read data. With that
authority, the client can then acquire, flush, and
return delegations via the machine cred. ACE inheritence from directories
deals with any of the ease of use issues this entails. The prescence
of the machine cred in the ACL informs the client to use this
capability.

Or simply concede that the pure
machine cred model is adequate for one's purposes and
implement/deploy my suggested GSS pseudo-mechanism.




_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4




_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email