Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
"Mike Eisler" <mre-ietf@eisler.com> Thu, 17 April 2008 19:30 UTC
Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7194C3A6AEA; Thu, 17 Apr 2008 12:30:59 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B9913A6AEA for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 12:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.514
X-Spam-Level:
X-Spam-Status: No, score=-2.514 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OyWlDS2QecrZ for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 12:30:57 -0700 (PDT)
Received: from webmail5.dreamhost.com (sd-green-dreamhost-133.dreamhost.com [208.97.187.133]) by core3.amsl.com (Postfix) with ESMTP id 2826A3A69AD for <nfsv4@ietf.org>; Thu, 17 Apr 2008 12:30:57 -0700 (PDT)
Received: from webmail.eisler.com (localhost [127.0.0.1]) by webmail5.dreamhost.com (Postfix) with ESMTP id D0FB85B683 for <nfsv4@ietf.org>; Thu, 17 Apr 2008 12:31:25 -0700 (PDT)
Received: from 198.95.226.230 (SquirrelMail authenticated user mre-ietf@eisler.com) by webmail.eisler.com with HTTP; Thu, 17 Apr 2008 12:31:36 -0700 (PDT)
Message-ID: <14599.198.95.226.230.1208460696.squirrel@webmail.eisler.com>
In-Reply-To: <C98692FD98048C41885E0B0FACD9DFB806B0BAC9@exnane01.hq.netapp.com>
References: <26301.198.95.226.230.1208116510.squirrel@webmail.eisler.com> <C98692FD98048C41885E0B0FACD9DFB806B0BAC9@exnane01.hq.netapp.com>
Date: Thu, 17 Apr 2008 12:31:36 -0700
From: Mike Eisler <mre-ietf@eisler.com>
To: nfsv4@ietf.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org
I was in the process of making the edits to remove RESTOREFH from the list of operations that can return NFS4ERR_WRONGSEC and came across this: <section anchor="using_secinfo" title="Using NFS4ERR_WRONGSEC, SECINFO, and SE CINFO_NO_NAME"> <t> This section explains of the mechanics of NFSv4.1 security negotiation. The term "put filehandle operation" refers to PUTROOTFH, PUTPUBFH, PUTFH, and RESTOREFH. </t> <section anchor="PUTFH + SAVEFH" title="Put Filehandle Operation + SAVEFH"> <t> The client is saving a filehandle for a future RESTOREFH. The server MUST NOT return NFS4ERR_WRONGSEC to either the put filehandle operation or SAVEFH. </t> </section> <!-- Put Filehandle Operation + SAVEFH --> ---------- There's a reason, which I do not recall, why a put filehandle op followed by SAVEFH is not allowed to return NFS4ERR_WRONGSEC. But because, e.g. PUTFH, SAVEFH cannot return _WRONGSEC, this means RESTOREFH has to return WRONGSEC. Now we could state that PUTFH, SAVEFH can return NFS4ERR_WRONGSEC, and that seems like it is OK. But then so did eliminating WRONGSEC from the list of errors RESTOREFH can return. But I have no time to figure why the spec disallows WRONGSEC on the PUTFH, SAVEFH case. So I intend to make SECINFO synchronized with the errors chapter: remove LINK and RENAME as valid operations that can return NFS4ERR_WRONGSEC. to the spec (i.e. producing an RFC that is broken). On Sun, April 13, 2008 1:54 pm, Noveck, Dave wrote: >> > So I think you have two questions: >> > >> > 1) Can security policies be on name-pattern-defined classes of > objects? >> > >> > 2) Is the saved fh protected in the same way as current fh? >> > >> > So my take is: >> > >> > 1Y, 2Y: CREATE, LINK, RENAME >> >> I think it is: >> >> 1Y, 2Y: REMOVE >> >> Why isn't REMOVE among the list? The target could have a policy. > > My intention was that REMOVE was implicitly included in all the options, > just as LOOKUP is. > >> Why is CREATE on the list? If the object doesn't >> exist, it has no policy. If it does exist, then >> NFS4ERR_EXIST is what must be returned. > > Under 1Y, objects can implicitly have policies based on their names. > With the example of "*.secret" requiring kerberos, AUTH_SYS creation of > "big.secret" would return WRONGSEC. > >> Why are LINK and RENAME on the list? The saved >> fh is protected. > >> LINK is linking one of the two filehandles; we've >> already checked their policies. Note that if the >> target name exists, we return NFS4ERR_EXIST. This >> is the same as CREATE. > > Here I was thinking of a name-based policy where the link matched the > link pattern. > >> RENAME: security policies should not be protecting >> the rename of the policied object. SECINFO is not >> that smart. > > RENAME identifies an existing object by name. If the caller would get > WRONGSEC doing a LOOKUP of that object, he certainly should get one > renaming it. > >> > 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH > >> I think it should be: > >> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH > >> for the same reasons as the previous 1Y, 2Y case. > > OK. > >> > 1N, 2Y: none of the above > >> Dave noted this should have had RENAME. I'm not >> seeing it. A RENAME amounts to adding a directory >> entry and deleting a directory entry. If REMOVE >> and CREATE are not on the list, why should RENAME >> be on the list? > > REMOVE was intended to be implicitly on the list as discussed above. > > The difference between CREATE and RENAME is similar to that between > CREATE and OPEN. RENAME works on an existing object which may have > previously acquired a policy. > >> > So I think it is: > >> > 1N, 2Y: none of the above > > I think it would be RENAME and REMOVE. > >> > 1N, 2N: LINK, RENAME, RESTOREFH > >> I agree. > >> So while eliminating RESTOREFH from the list of >> operations that can return NFS4ERR_WRONGSEC is >> going to create a lot editing work for me, I agree >> that 1N, 2Y is the easiest case and the sanest way >> to deal draft-21's current inconsistency. > > I agree. > > -----Original Message----- > From: Mike Eisler [mailto:mre-ietf@eisler.com] > Sent: Sunday, April 13, 2008 3:55 PM > To: nfsv4@ietf.org > Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME > >> From: Noveck, Dave >> Sent: Sunday, April 13, 2008 9:09 AM >> To: 'Trond Myklebust'; Mike Eisler >> Cc: nfsv4@ietf.org >> Subject: RE: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME > > >>> Also, just out of curiosity, why do we have RESTOREFH in the above >>> two >> >>> lists? Aren't you pretty much guaranteed to get a WRONGSEC error on >>> the filehandle before you get round to the SAVEFH? >> >> I think this may relate to the issue of LINK and RENAME. If you >> create an object and continue to use it in the COMPOUND, you could >> conceive, since it is not atomic, that between two ops the server >> changes his security policy for the object in question (if you can >> ever get WRONGSEC subsequently, it has to change some time, so it >> might be before the COMPOUND is done), but the protocol has decided, >> in order to simplify client implementations, to avoid the possiblity >> of getting WRONGSEC for the current fh. At any time that for the >> current fh, you are guaranteed not to get the error on a current fh >> once vetted when established. You could apply the same to the saved >> fh, but you don't have to. Not protecting the saved fh in this way >> would only mean that you had to check the error at RESTOREFH and >> anywhere that the saved fh was actually used (only LINK and RENAME, I >> think) > > Makes sense. > >> So I think you have two questions: >> >> 1) Can security policies be on name-pattern-defined classes of > objects? >> >> 2) Is the saved fh protected in the same way as current fh? >> >> So my take is: >> >> 1Y, 2Y: CREATE, LINK, RENAME > > I think it is: > > 1Y, 2Y: REMOVE > > Why isn't REMOVE among the list? The target could have a policy. > > Why is CREATE on the list? If the object doesn't exist, it has no > policy. If it does exist, then NFS4ERR_EXIST is what must be returned. > > Why are LINK and RENAME on the list? The saved fh is protected. > > LINK is linking one of the two filehandles; we've already checked their > policies. Note that if the target name exists, we return NFS4ERR_EXIST. > This is the same as CREATE. > > RENAME: security policies should not be protecting the rename of the > policied object. SECINFO is not that smart. > >> 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH > > I think it should be: > > 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH > > for the same reasons as the previous 1Y, 2Y case. > >> 1N, 2Y: none of the above > > Dave noted this should have had RENAME. I'm not seeing it. A RENAME > amounts to adding a directory entry and deleting a directory entry. If > REMOVE and CREATE are not on the list, why should RENAME be on the list? > > So I think it is: > > 1N, 2Y: none of the above > >> 1N, 2N: LINK, RENAME, RESTOREFH > > I agree. > > So while eliminating RESTOREFH from the list of operations that can > return NFS4ERR_WRONGSEC is going to create a lot editing work for me, I > agree that 1N, 2Y is the easiest case and the sanest way to deal > draft-21's current inconsistency. > > > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 > -- Mike Eisler, Senior Technical Director, NetApp, 719 599 9026, http://blogs.netapp.com/eislers_nfs_blog/ _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Noveck, Dave
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Mike Eisler
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… Trond Myklebust
- Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK… J. Bruce Fields