IETF Logo Mail Archive

Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME

"Mike Eisler" <mre-ietf@eisler.com> Sun, 13 April 2008 19:54 UTC

Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C1C3B3A6DDE; Sun, 13 Apr 2008 12:54:44 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B636828C292 for <nfsv4@core3.amsl.com>; Sun, 13 Apr 2008 12:54:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.511
X-Spam-Level:
X-Spam-Status: No, score=-2.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dA6BznOeieL for <nfsv4@core3.amsl.com>; Sun, 13 Apr 2008 12:54:41 -0700 (PDT)
Received: from webmail4.sd.dreamhost.com (sd-green-dreamhost-133.dreamhost.com [208.97.187.133]) by core3.amsl.com (Postfix) with ESMTP id D5E1A28C135 for <nfsv4@ietf.org>; Sun, 13 Apr 2008 12:54:41 -0700 (PDT)
Received: from webmail.eisler.com (localhost [127.0.0.1]) by webmail4.sd.dreamhost.com (Postfix) with ESMTP id 5648D3022E for <nfsv4@ietf.org>; Sun, 13 Apr 2008 12:55:10 -0700 (PDT)
Received: from 198.95.226.230 (SquirrelMail authenticated user mre-ietf@eisler.com) by webmail.eisler.com with HTTP; Sun, 13 Apr 2008 12:55:10 -0700 (PDT)
Message-ID: <26301.198.95.226.230.1208116510.squirrel@webmail.eisler.com>
In-Reply-To: <C98692FD98048C41885E0B0FACD9DFB806B0BAA9@exnane01.hq.netapp.com>
References: <C98692FD98048C41885E0B0FACD9DFB806B0BAA9@exnane01.hq.netapp.com>
Date: Sun, 13 Apr 2008 12:55:10 -0700
From: Mike Eisler <mre-ietf@eisler.com>
To: nfsv4@ietf.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org

> From: Noveck, Dave
> Sent: Sunday, April 13, 2008 9:09 AM
> To: 'Trond Myklebust'; Mike Eisler
> Cc: nfsv4@ietf.org
> Subject: RE: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME


>> Also, just out of curiosity, why do we have RESTOREFH in the above two
>
>> lists? Aren't you pretty much guaranteed to get a WRONGSEC error on
>> the filehandle before you get round to the SAVEFH?
>
> I think this may relate to the issue of LINK and RENAME.  If you create
> an object and continue to use it in the COMPOUND, you could conceive,
> since it is not atomic, that between two ops the server changes his
> security policy for the object in question (if you can ever get WRONGSEC
> subsequently, it has to change some time, so it might be before the
> COMPOUND is done), but the protocol has decided, in order to simplify
> client implementations, to avoid the possiblity of getting WRONGSEC for
> the current fh.  At any time that for the current fh, you are guaranteed
> not to get the error on a current fh once vetted when established.  You
> could apply the same to the saved fh, but you don't have to.  Not
> protecting the saved fh in this way would only mean that you had to
> check the error at RESTOREFH and anywhere that the saved fh was actually
> used (only LINK and RENAME, I think)

Makes sense.

> So I think you have two questions:
>
> 1) Can security policies be on name-pattern-defined classes of objects?
>
> 2) Is the saved fh protected in the same way as current fh?
>
> So my take is:
>
> 1Y, 2Y: CREATE, LINK, RENAME

I think it is:

1Y, 2Y: REMOVE

Why isn't REMOVE among the list? The target could have
a policy.

Why is CREATE on the list? If the object doesn't exist,
it has no policy. If it does exist, then NFS4ERR_EXIST is
what must be returned.

Why are LINK and RENAME on the list? The saved fh is protected.

LINK is linking one of the two filehandles; we've already
checked their policies. Note that if the target name
exists, we return NFS4ERR_EXIST. This is the same as CREATE.

RENAME: security policies should not be protecting the
rename of the policied object. SECINFO is not that smart.

> 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH

I think it should be:

1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH

for the same reasons as the previous 1Y, 2Y case.

> 1N, 2Y: none of the above

Dave noted this should have had RENAME. I'm not
seeing it. A RENAME amounts to adding a directory
entry and deleting a directory entry. If REMOVE
and CREATE are not on the list, why should RENAME be
on the list?

So I think it is:

1N, 2Y: none of the above

> 1N, 2N: LINK, RENAME, RESTOREFH

I agree.

So while eliminating RESTOREFH from the list of operations that
can return NFS4ERR_WRONGSEC is going to create a lot
editing work for me, I agree that 1N, 2Y is the easiest case
and the sanest way to deal draft-21's current inconsistency.



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email