IETF Logo Mail Archive

Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)

Eric Rescorla <ekr@rtfm.com> Thu, 25 May 2017 13:50 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ECA5129A9A for <nfsv4@ietfa.amsl.com>; Thu, 25 May 2017 06:50:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jeDHgdv-_omM for <nfsv4@ietfa.amsl.com>; Thu, 25 May 2017 06:50:14 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE8AA129A90 for <nfsv4@ietf.org>; Thu, 25 May 2017 06:50:11 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id l14so103549814ywk.1 for <nfsv4@ietf.org>; Thu, 25 May 2017 06:50:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=79HQYvXS7QGcQm/fj75NK5WpU3wtpuI1BI7g5RT4Qrg=; b=l+vwbduIOFqhiuk3Owc+4Qos+1LEVSGxoYwWbXkdGRjb4OkdKBcPEY1VpEbxDGl8zf EEuq3L1DNsk3UhDD5Ys0GrirPzRreR6NhKN/TaaPueNcp//50DwZG6I9ugRNkcV4K3xF jANKD3Z8DTnzQvlu2hXws4EpnwtsRoNmQEqq9OyiMq1tIi9kgJq5KuZyXO7MSqkUIjkU 17wOrZIq7D10ObZge2V5CJOKM2qfgQRt9P9xGri4Q88S78fBto30OiW0Dce2aG611gDG TXDqWDeX+kxmSxbglfg1MoJeu3SZulstZKBys7qey2DthVbsrZTHcWmeLmtHnotFiOS/ Bd9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=79HQYvXS7QGcQm/fj75NK5WpU3wtpuI1BI7g5RT4Qrg=; b=E8O8Xdy0gWwqTPYO/EO66UWPXksSJRGArMcE8LWfogCLPjEFWa2cV2KiYsNiJpjRCJ opb8a4WUPEwMeSUrC9A0MnmthH/H9paD6cKayGKfbYf2YrH42k8B53ohi9kMYF8Wn2VT uX6+dP513ZGC9iRby9dH4/YaDNmSKWN8Hct9icsoj8narE/O6sldMidLLaUdRyASmDZQ GsAO7Dmsolt+W43ncKXznfTyDhDLTR5xvTzBXOBpfoD5t7f+E5mTpOcCA9AGPRBfTbR8 usmaWJenb4L7cQTa9PqrhVs+NX2fadNnLgOMcOedWVGnhyoVH4H2Zqkj1xpf5EujG0om CXgg==
X-Gm-Message-State: AODbwcCRUglXtIEooYVw8uWYL5ECdX/lmokjQwHtKZfJQf9r8K5w21BN rGzZzxa7n7p7P+nCapcGnLhJgZtKpe5T
X-Received: by 10.129.104.69 with SMTP id d66mr31997622ywc.74.1495720211269; Thu, 25 May 2017 06:50:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Thu, 25 May 2017 06:49:30 -0700 (PDT)
In-Reply-To: <CAKKJt-cHEoBeP++YP-=FWmVTWkoLWLa5OZ=sDYT7kEBrDvvOiw@mail.gmail.com>
References: <149559305147.28562.14990485255783585477.idtracker@ietfa.amsl.com> <CAKKJt-cHEoBeP++YP-=FWmVTWkoLWLa5OZ=sDYT7kEBrDvvOiw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 25 May 2017 21:49:30 +0800
Message-ID: <CABcZeBPc9U1D+sSOnz2_3MwVn527ruuqqWoCsZYafx_rLwpyAQ@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, nfsv4-chairs@ietf.org, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>, draft-ietf-nfsv4-xattrs@ietf.org
Content-Type: multipart/alternative; boundary="001a11490b9ae061a90550597f4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/erWAZa-7voCU8RElYIiN3P1Z81o>
Subject: Re: [nfsv4] Eric Rescorla's Discuss on draft-ietf-nfsv4-xattrs-05: (with DISCUSS)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 13:50:16 -0000

On Thu, May 25, 2017 at 9:19 PM, Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

> Hi, Eric,
>
> On Tue, May 23, 2017 at 9:30 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> Eric Rescorla has entered the following ballot position for
>> draft-ietf-nfsv4-xattrs-05: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-nfsv4-xattrs/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>       Since xattrs are application data, security issues are exactly
>> the
>>       same as those relating to the storing of file data and named
>>       attributes.  These are all various sorts of application data and
>>       the fact that the means of reference is slightly different in
>> each
>>       case should not be considered security-relevant.  As such, the
>>       additions to the NFS protocol for supporting extended attributes
>>       do not alter the security considerations of the NFSv4.2 protocol
>>       [RFC7862].
>>
>> This seems inadequate. The issue is that if machine A writes some
>> extended attribute which is security relevant (i.e., this file is
>> only readable under certain conditions) and then machine B doesn't
>> know about the attribute, then you have a security problem on B
>> because it will not enforce it. It seems like FreeBSD uses extended
>> attributes for this purpose, so this isn't just theoretical.
>
>
> I haven't seen a response from the authors on this Discuss, so, at the
> risk of talking out of my hat, I THINK the answer is going to be that
>
>    - either machine B keeps enforcing the incredibly lame access rights
>    it's already enforcing (all users are part of the "nfs" group, so share the
>    same access rights anyway, or whatever), or
>    - machine B isn't enforcing anything now, so wouldn't be enforcing
>    anything anyway.
>
>
I think that's right.


>
>    -
>
> So, at a minimum, this extension would Do No Harm during periods of
> partial deployment.
>

This, I don't agree with, because once this capability exists, people come
to rely on it.

-Ekr


> My advice is to wait for a response from a smarter Spencer (S), or another
> person who knows more about NFSv4 than I do, who will either confirm what
> I'm saying or tell you what I should have said instead, but if it's worth
> having a speculative discussion on the call today, I'm always up for that,
> of course.
>
> Spencer
>

v2.23.0 | Report a Bug | By Email