Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

Rick Macklem <rmacklem@uoguelph.ca> Fri, 07 January 2022 17:11 UTC

From: Rick Macklem <rmacklem@uoguelph.ca>
To: "J. Bruce Fields" <bfields@fieldses.org>
CC: David Noveck <davenoveck@gmail.com>, NFSv4 <nfsv4@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/Y96CNzSOIHzR730TNNkAhR4Accw>

J. Bruce Fields <bfields@fieldses.org> wrote:
> On Wed, Dec 29, 2021 at 04:32:10AM +0000, Rick Macklem wrote:
> > David Noveck wrote:
> > > From your description and the testing you have done, it seems there is a
> > > significant difference in that this special handling of the owner permissions only
> > > applies to an open file in v4.  Is there a v4 server that does this v3-like thing even
> > > for files that are not open?
> > The FreeBSD server does. It does the "owner-override" for Read/Write using
> > special stateids (which is what I assume you mean by "not open"?).
>
> There's also reboot recovery.  If you open a file, chmod to zero, then
> reboot the server, the previous open should still work.
>
> Also, if the client holds a delegation I think the server will allow the
> file owner to override permissions for reads or writes or
> CLAIM_DELEGATE_CUR opens, because in the face of cached opens the client
> doesn't necessarily know if a file open happened before or after a
> permission change.  (And a permission change doesn't necessarily revoke
> a delegation if it came from the client holding the delegation.)
Good point!

Currently, the FreeBSD server does permission checking for all Opens,
but I think you are correct.

For the cases of Claim_Previous, Claim_Delegate_Previous, the state is
being recovered and, as such, file permission checking should not be done.
--> I think these cases should use the same rule as ExchangeID/CreateSession,
      that is "same principal as first ExchangeID or SetClientID".
--> This could also be described as "must be done with machine principal".

Claim_Delegate_Cur is tougher, but I would say at least "owner-override"
should apply. (A client should be doing an Access check when local opens
are done, but if permissions are changed after that and the delegation is
recalled, having the Open/Claim_Delegate_Cur fail would be "unexpected".)

FreeBSD servers do not have delegations enabled by default and *hopefully*
crash infrequently. As such, I have never received a bug report related to a
failed Open/Claim_Previous or Open/Claim_Delegate_Cur, but this
could happen and I think I'll change the code.

This also makes my argument for using an Open stateid as a substitute
for file permission checking on Read/Write weaker. (This is not implemented
in the FreeBSD server and I am not planning on doing so at this time.)

rick

--b.
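
The claim-type rules suggested in the message above, sketched as an added example (not FreeBSD server code and not part of the original post). The struct layouts, the string comparison of principals, the constructed sample values and the omission of group bits and ACLs are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* open_claim_type4 values 0..3 from the NFSv4 XDR (RFC 7530). */
enum claim { CLAIM_NULL, CLAIM_PREVIOUS, CLAIM_DELEGATE_CUR, CLAIM_DELEGATE_PREV };
enum { WANT_WRITE = 2, WANT_READ = 4 };     /* bits of one rwx triplet */

/* Hypothetical, simplified model types; not FreeBSD structures. */
struct file_attr { unsigned uid, mode; };   /* owner uid, 0777 mode bits */
struct request {
    enum claim  claim;
    unsigned    uid;              /* caller's uid after principal mapping */
    const char *principal;        /* principal used for this RPC */
    const char *client_principal; /* principal of first ExchangeID/SetClientID */
    unsigned    want;             /* WANT_READ and/or WANT_WRITE */
};

/* Ordinary mode-bit check: owner or "other" triplet (groups omitted). */
static bool mode_allows(const struct file_attr *f, unsigned uid, unsigned want)
{
    unsigned bits = (uid == f->uid) ? (f->mode >> 6) & 7u : f->mode & 7u;
    return (bits & want) == want;
}

/* True if the Open passes under the rules suggested in the message. */
bool open_allowed(const struct request *r, const struct file_attr *f)
{
    switch (r->claim) {
    case CLAIM_PREVIOUS:
    case CLAIM_DELEGATE_PREV:
        /* State recovery: no mode check; require the client-ID principal. */
        return strcmp(r->principal, r->client_principal) == 0;
    case CLAIM_DELEGATE_CUR:
        /* Owner-override: the owner passes regardless of mode bits. */
        return r->uid == f->uid || mode_allows(f, r->uid, r->want);
    default:
        return mode_allows(f, r->uid, r->want);
    }
}

int main(void)
{
    struct file_attr f = { 1001, 0 };  /* constructed: file chmod'ed to 0 */
    struct request r = { CLAIM_DELEGATE_CUR, 1001, "host/c", "host/c", WANT_READ };
    printf("delegate_cur by owner: %d\n", open_allowed(&r, &f));
    return 0;
}
```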