Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
bfields@fieldses.org Thu, 13 January 2022 22:04 UTC
Return-Path: <bfields@fieldses.org>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0CC3A15D1; Thu, 13 Jan 2022 14:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fieldses.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id co4ajxvdca2w; Thu, 13 Jan 2022 14:04:11 -0800 (PST)
Received: from fieldses.org (fieldses.org [IPv6:2600:3c00:e000:2f7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 959AA3A15CE; Thu, 13 Jan 2022 14:04:11 -0800 (PST)
Received: by fieldses.org (Postfix, from userid 2815) id 1BFC82218; Thu, 13 Jan 2022 17:04:09 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 fieldses.org 1BFC82218
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fieldses.org; s=default; t=1642111449; bh=BR8x6BBSFQKGRF4QZ7xugCv/1xrxm9qd3iHoFg1xbN0=; h=Date:To:Cc:Subject:References:In-Reply-To:From:From; b=EyZXtLALO8eV0qRobJuqsIk+6ccCxwPHhpP4Hs+OUHLD90OwD/i2ce1/DkbANzSEC frhubyoQhG5m2Q9dnD3iqKoRwe25XnDiNVqWBajyx7Xd1PRbtOwSzA3i4PU7IiQpmg Gr+0nWbSaVfDkHN2MbfJl/opgeBjdl0xK8qI2wQo=
Date: Thu, 13 Jan 2022 17:04:09 -0500
To: David Noveck <davenoveck@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>, nfsv4-chairs <nfsv4-chairs@ietf.org>, nfsv4-ads@ietf.org
Message-ID: <20220113220409.GA2830@fieldses.org>
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
From: bfields@fieldses.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/UiPOc1ozJaKOeWVP26ycBdI-jIA>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jan 2022 22:04:17 -0000
p. 13: As I said before, I'm not OK with this attempt to pin down ACL semantics and mode/ACL interactions. See https://mailarchive.ietf.org/arch/msg/nfsv4/pbGEGwDvMwknwjsBKsWaK2BRXqc/ p. 20: "many clients are built on systems whose only ACL-related API is based on the UNIX ACL model." What clients are you thinking of? The Linux client, for example, does provide an NFSv4 ACL API, and we have tools built on it that allow users to get and set ACLs. "it is hard to imagine a server incapable of distinguishing a write to an offset within existing file and one beyond it." Most of the filesystems Linux servers export don't support separate WRITE and APPEND bits. "To do that, requests to set NFSv4 ACLs where the handling for these two masks are different for any specified user or group are to be rejected with NFS4ERR_ATTRNOTSUPP." Once upon a time we did have code that rejected any ACL that couldn't be translated into something storable on our backend filesystems. It was painful to use: there's more than one rule governing allowable mask bits and ALLOW/DENY ordering, and if you mess up, you get one error that doesn't tell you why. That's why the Linux server now accepts such ACLs and instead translates them to something stricter. You get the guarantee that the ACL won't allow access beyond that you requested. And the option of reading back the set ACL gives you at least some chance of figuring out what happened, where an NFS4ERR_ATTRNOTSUPP doesn't. p. 41: "The deletion of the file's data is dealt with separately as this, like a truncation to length zero, requires ACE4_WRITE_DATA." We can't require write permissions on a file to delete the file. p. 42: "The complexity of the approach without any indication that there is a need for such complexity makes me doubtful that anything was actually implemented" I'm pretty sure that section is just a description of what ZFS does, for what it's worth. p. 56: "Setting only the mode attribute, will result in the access of the file being controlled just it would be if the existing acl did not exist, with file access decisions as to read made in accordance with the mode set." Neither Linux nor Solaris/ZFS work that way. p. 61: "While the NFSv4.1 provides that many might not need or use, it is the one that the working group adopted by the working group, and I have to assume that alternatives, such as the withdrawn POSIX ACL proposal were considered but not adopted." Right. As I understand it, that decision was based in part on the assumption that it would be possible to map between POSIX and NFSv4 ACLs. Linux knfsd has been doing that since the beginning. I don't agree that this document should now go back and disallow that. p. 72: "The algorithm specified below, now considered the Previous Treatment associated with Item #24a, has an important flaw in does not deal with the (admittedly uncommon) case in which the owner_group has less access than the owner or others have less access than the owner-group." We definitely knew about "reverse-slope" modes and took them into account. I'm not entirely sure I understand the algorithm at the end of section 9.3, but I believe it's wrong. It appears that it would map an ACL like (ignoring some mask-bit details): DENY OWNER@ W ALLOW EVERYONE@ RW to the mode r--r--r--. (Because the OWNER@ ACE applies "in the negative sense" to the calculation of the group and other bits.) But the above ACL actually grants write permissions to anyone other than the file owner, and the correct mode is r--rw-rw-. (And I also don't like the fact that it ignores named users and groups, so that, e.g., ALLOW bfields RW will be mapped to mode 0.) (I ran out of time here and stopped reading.) --b.
- [nfsv4] Fwd: New Version Notification for draft-d… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] New Version Notification for draft-dn… Brian Pawlowski
- Re: [nfsv4] New Version Notification for draft-dn… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… bfields
- Re: [nfsv4] Fwd: New Version Notification for dra… Rick Macklem
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… J. Bruce Fields
- Re: [nfsv4] Fwd: New Version Notification for dra… Chuck Lever III
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… David Noveck
- Re: [nfsv4] Fwd: New Version Notification for dra… Trond Myklebust