Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

David Noveck <davenoveck@gmail.com> Sun, 26 December 2021 06:25 UTC

MIME-Version: 1.0
References: <164035267965.25968.10921853654415505678@ietfa.amsl.com> <CADaq8jcXitpCCA+y3u6dYxGM95rfX6UtuZTm27g=Ht6=8x3+Qw@mail.gmail.com> <YQXPR0101MB096858749741A1191DE75279DD7F9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YTOPR0101MB09702834BC7C51CE9146389EDD409@YTOPR0101MB0970.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YTOPR0101MB09702834BC7C51CE9146389EDD409@YTOPR0101MB0970.CANPRD01.PROD.OUTLOOK.COM>
From: David Noveck <davenoveck@gmail.com>
Date: Sun, 26 Dec 2021 01:25:10 -0500
Message-ID: <CADaq8jc44Ua9CABd3tznCgqv4du6thfo7RAGmn_nA_jjQ-boDw@mail.gmail.com>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: NFSv4 <nfsv4@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001308f805d406a709"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/u0a0PMMv6YSTH_18ThrhSIXY9Fs>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

On Fri, Dec 24, 2021, 8:49 PM Rick Macklem <rmacklem@uoguelph.ca> wrote:

> Rick Macklem wrote:
> [stuff snipped]
> > Does the Linux client expect "owner-override"?
> > If no one familiar with the Linux client answers this, I'll run a test
> > on a Linux mount.
> I ran the following little test program. It ran fine on local file systems
> and on an NFSv4 mount for both the FreeBSD and Linux-5.15.1 clients, if
> "owner-override" was applied to Read/Write.
>

Is there documentation for this option?  I have googled for these words
several times and come up empty.  We need a clear definition of these
semantics to resolve this issue in -05, and that documentation might be
helpful.  If it isn't, could you point me to code, preferably in BSD,
implementing that option?


> If "owner-override" is turned off on the server, it fails for both the
> FreeBSD and Linux-5.15.1 client NFSv4 mounts. (The write(2) fails for
> FreeBSD and the close(2) fails for Linux, but that's ok. Unless there is
> an fsync(2), flushing writes to the server can be delayed until close(2).
> Both had empty files after the failure.)
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <fcntl.h>
> #include <errno.h>
> #include <sys/param.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <err.h>
> #include <unistd.h>
>
> char buf[1024 * 1024];
>
> int
> main(int argc, char *argv[])
> {
>         int fd, i;
>
>         if (argc != 2)
>                 errx(1, "usage: %s <file>", argv[0]);
>         /* Create the file, then strip all permission bits while it is
>          * still open; every later access goes through the open fd. */
>         fd = open(argv[1], O_CREAT | O_RDWR, 0666);
>         if (fd < 0)
>                 err(1, "cannot open %s", argv[1]);
>         if (fchmod(fd, 0) < 0)
>                 err(1, "cannot chmod %s", argv[1]);
>         /* 10 MiB of writes, then seek back and read them; over NFSv4
>          * these succeed only if the server lets the opener override
>          * the mode-0 file. */
>         for (i = 0; i < 10; i++)
>                 if (write(fd, buf, sizeof(buf)) != sizeof(buf))
>                         err(1, "cannot write");
>         if (lseek(fd, 0, SEEK_SET) < 0)   /* offset first, then whence */
>                 err(1, "cannot seek");
>         for (i = 0; i < 10; i++)
>                 if (read(fd, buf, sizeof(buf)) != sizeof(buf))
>                         err(1, "cannot read");
>         if (close(fd) < 0)
>                 err(1, "cannot close");
>         return (0);
> }
>
> I do not have access to a Solaris or Mac OSX client to test, rick
>
> ________________________________________
> From: nfsv4 <nfsv4-bounces@ietf.org> on behalf of David Noveck <davenoveck@gmail.com>
> Sent: Friday, December 24, 2021 8:49 AM
> To: NFSv4; nfsv4-chairs; nfsv4-ads@ietf.org
> Subject: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
>
>
>
> I've just posted security-04.   Thanks to Rick Macklem and Chuck Lever who
> made important suggestions that I hope are correctly addressed in this
> version.  An rfcdiff with -03 is not small but it is helpful to see what
> has changed.
>
> As previously discussed, I am proposing that the working group adopt this
> draft as a working group document.   I expect Brian and Zahed to set the
> timeline for that discussion.
>
> Please let me know about your suggestions for -05.
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Fri, Dec 24, 2021 at 8:31 AM
> Subject: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
> To: David Noveck <davenoveck@gmail.com>
>
>
>
> A new version of I-D, draft-dnoveck-nfsv4-security-04.txt
> has been successfully submitted by David Noveck and posted to the
> IETF repository.
>
> Name:           draft-dnoveck-nfsv4-security
> Revision:       04
> Title:          Security for the NFSv4 Protocols
> Document date:  2021-12-24
> Group:          Individual Submission
> Pages:          129
> URL:            https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.txt
> Status:         https://datatracker.ietf.org/doc/draft-dnoveck-nfsv4-security/
> Html:           https://www.ietf.org/archive/id/draft-dnoveck-nfsv4-security-04.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-dnoveck-nfsv4-security
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-dnoveck-nfsv4-security-04
>
> Abstract:
>    This document describes the core security features of the NFSv4
>    family of protocols, applying to all minor versions.  The discussion
>    includes the use of security features provided by RPC on a per-
>    connection basis.
>
>    This preliminary version of the document is intended, in large part,
>    to result in working group discussion regarding existing NFSv4
>    security issues and to provide a framework for addressing these
>    issues and obtaining working group consensus regarding necessary
>    changes.
>
>    When a successor document is eventually published as an RFC, it will
>    supersede the description of security appearing in existing minor
>    version specification documents such as RFC 7530 and RFC 8881.
>
>
>
>
> The IETF Secretariat
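As an added example (my own code, not Rick's program above and not anything from the FreeBSD or Linux clients), here is a variant of the same owner-override probe that calls fsync(2) after the writes so a rejected WRITE is reported at a known syscall rather than at close(2), records which call failed, and reports the file size left behind. The 4 x 64 KiB size, the oo_* names and the O_TRUNC are my choices; pointed at a local file system it must always report "ok".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define OO_BLOCKS  4            /* 4 x 64 KiB instead of 10 MiB; the size is not the point */
#define OO_BLOCKSZ (64 * 1024)
struct oo_result {
	const char *phase;  /* "ok", or the name of the syscall that failed */
	int err;            /* errno of the failing call, 0 on success */
	off_t size;         /* st_size from fstat(2) just before close(2) */
};
static void oo_fail(struct oo_result *r, const char *phase)  /* keep the first failure only */
{
	if (r->err == 0) { r->phase = phase; r->err = errno ? errno : EIO; } /* short I/O: errno unset */
}
/* Create the file, chmod it to 0 while it is still open, then keep using the open descriptor:
 * locally that always works (permission is checked at open(2) only), over NFSv4 only if the
 * server applies owner-override to READ/WRITE for the holder of the open state. */
struct oo_result owner_override_probe(const char *path)
{
	static char buf[OO_BLOCKSZ];
	struct oo_result r = { "ok", 0, -1 };
	struct stat st;
	int fd, i;
	fd = open(path, O_CREAT | O_RDWR | O_TRUNC, 0666);  /* O_TRUNC: clean slate on reruns */
	if (fd < 0) { oo_fail(&r, "open"); return r; }
	if (fchmod(fd, 0) < 0) oo_fail(&r, "fchmod");
	for (i = 0; i < OO_BLOCKS && r.err == 0; i++)
		if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) oo_fail(&r, "write");
	/* fsync(2) flushes now, so a rejected WRITE is reported here, not deferred to close(2). */
	if (r.err == 0 && fsync(fd) < 0) oo_fail(&r, "fsync");
	if (r.err == 0 && lseek(fd, 0, SEEK_SET) < 0) oo_fail(&r, "lseek");
	for (i = 0; i < OO_BLOCKS && r.err == 0; i++)
		if (read(fd, buf, sizeof buf) != (ssize_t)sizeof buf) oo_fail(&r, "read");
	if (fstat(fd, &st) == 0) r.size = st.st_size;  /* what was left behind, even on failure */
	if (close(fd) < 0) oo_fail(&r, "close");
	return r;
}

int main(int argc, char *argv[])
{
	if (argc != 2) { fprintf(stderr, "usage: %s <file on the mount>\n", argv[0]); return 2; }
	struct oo_result r = owner_override_probe(argv[1]);
	if (r.err) printf("failed at %s: %s; file size now %lld\n", r.phase, strerror(r.err), (long long)r.size);
	else printf("ok; file size now %lld\n", (long long)r.size);
	return r.err != 0;
}
```

Run it against a file on the NFSv4 mount with owner-override disabled on the server and the failing phase should move from close(2) to fsync(2) (or write(2)), with the size reported as 0.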