Re: [nfsv4] Review of http://www.ietf.org/id/draft-naik-nfsv4-xattrs-01.txt

[David Quigley <dpquigl@davequigley.com>]

On 10/03/2014 15:20, Nico Williams wrote:

> 
>> The draft takes the stance that xattrs exist on many platforms, there
>> is no standard for their use, and that means there is no need to
>> define any requirements for the use in NFS.
> 
> Here I agree with you that the I-D must explain how the server helps
> mediate access control.  And it must explain that some xattrs have
> security-relevant semantics.  But that's as far as an NFSv4
> specification can go here.
> 

I think that the xattrs exposed through this shouldn't be 
security-relevant unless you're talking about application layer 
security. I don't care if a web app or some user-space program uses an 
xattr for its internal access control but anything beyond that I don't 
think is ok. Trond in the past has expressed concerns about people 
establishing arbitrary sub protocols by using xattrs. I agree that this 
is a problem because it opens up the system to interoperability issues 
by encouraging people to bypass any sort of standardization effort and 
just using the excuse that its just opaque data.



>> 2) Subject/Object labels can control access to the xattr.
>> 
>> So some of these concerns go away with LNFS. But the fact that LNFS
>> does take care of some of the security in my mind means that the draft
>> needs to call out what happens when there is no LNFS available.
> 
> LNFS seems orthogonal here.  RPCSEC_GSSv3 is more relevant.
> 

I agree. LNFS is just another way of conveying access control and 
because we punted on syntax, semantics and enforcement I think the only 
references to access control should be what is concretely defined in 
NFSv4. In that case it would be existing RPCSEC_GSS flavors for 
authentication and NFSv4 ACLs.

> Nico