IETF Logo Mail Archive

Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt

David Noveck <davenoveck@gmail.com> Tue, 18 January 2022 19:15 UTC

Return-Path: <davenoveck@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B6703A1214; Tue, 18 Jan 2022 11:15:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVqbo0I4IhFF; Tue, 18 Jan 2022 11:15:19 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ADB83A1211; Tue, 18 Jan 2022 11:15:19 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id f21so27016281eds.11; Tue, 18 Jan 2022 11:15:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CHzlAI3DPmY0zKQ98xZt23Qa44c7uaHgxccugieQqWQ=; b=AKzLTFOPIDsApMOnaqKFhiZ5atgj4u6g687IM5mjKspqTSQsuGnZODxvupT8p+guzi Gudm1gkkpBH/xnRQfZjQZs21kBXLOahe+j4osWdjkHo+8UQkBnZMI1fUoB6cDb7n3e+H gPjo0+zqJ/l7u2gkpccUULKisULYcH9nzVBIbPLw9FLonBD0hOkz/KTXb81Inp3FJWKn QduqtdP4jAIa4JNGY3WuCgS3yEtYtr7ofaMf5CN+SB1LI6tZqv63lSa2jMA8ihE3sAYU MQX5JGVPty1bBOHJTzKQMu/Vh7mFx2/okvtNjL6hRGBr3u6OBiPKtBhfJR/UZlOFpq3Z uKpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CHzlAI3DPmY0zKQ98xZt23Qa44c7uaHgxccugieQqWQ=; b=cRWscl829siamcCg6YFxnoV+sTI/oJnoWwCBeKRka5lim0dMn9QZwkK97pvMkiUpjK 9ce5prqBOqvJkLoZYxtsg56iEmNMSBAYEx//qZ0z39Qp1XOlMGdPWpR3WDQ5xY95pO5I XNdpMZUp20lEv8c+XdhpNIC/5ZMTHXUQ5RQJLjM5p5yPVhy7dg0cinC7Kr8UJv1XTsN3 ERWSG+nPwY4FqACILEbzsUoinmdzluw+/U230BnadD8rF0JWmtdyfMUErXVvqTaFgIKV xp1PQTEDDZREVsrGAltYq3c6u2I3IqtYQb52YYNbNFzPODc3VHXP0ZdpnbhuKZjpugr6 T+rA==
X-Gm-Message-State: AOAM533l61z16a8Prc9GSxzuNH9zbef5Ppo7z2NWZNsahVDDOcfggpy7 ke27PUyv5qGppMRysoc0tvTp7jqyXMUVxdbXHNY=
X-Google-Smtp-Source: ABdhPJwH5DMBXEvOzRdF/LHZ/lPXFmzpYxx7NWnJODPB60wdgnjo+Cresdj8VPj9btq4on05ALB39HxxOS+Ua9GXIXU=
X-Received: by 2002:aa7:cd99:: with SMTP id x25mr27475341edv.249.1642533317118; Tue, 18 Jan 2022 11:15:17 -0800 (PST)
MIME-Version: 1.0
References: <2E92CBD3-CC56-4C2A-B4DD-3A04782915CD@oracle.com>
In-Reply-To: <2E92CBD3-CC56-4C2A-B4DD-3A04782915CD@oracle.com>
From: David Noveck <davenoveck@gmail.com>
Date: Tue, 18 Jan 2022 14:15:06 -0500
Message-ID: <CADaq8jdxi2mXXFVTL=zdU7J0iLXMSeHArRGOvKn4y+RjPkPbWQ@mail.gmail.com>
To: Chuck Lever III <chuck.lever@oracle.com>
Cc: NFSv4 <nfsv4@ietf.org>, nfsv4-ads@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e60ce405d5e01601"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/wPAeqeP7v1yb8wxBtamk_lrJNS8>
Subject: Re: [nfsv4] Fwd: New Version Notification for draft-dnoveck-nfsv4-security-04.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 19:15:24 -0000

On Tue, Jan 18, 2022, 10:53 AM Chuck Lever III <chuck.lever@oracle.com>
wrote:

>
> > On Jan 17, 2022, at 9:52 AM, J. Bruce Fields <bfields@fieldses.org>
> wrote:
> > On Sun, Jan 16, 2022 at 04:03:12AM -0500, David Noveck wrote:
> >> It seems to me that, given the absence, of an append-write in the NFSv4
> >> protocol, APPEND_WRITE belongs in the same bucket as SYNCHRONIZE and I
> am
> >> planning to draft -05 on that basis.
> >>
> >> Looking forward to -06, I'd like to get away from the text which makes
> each
> >> mask bit its own optional feature,. Clearly READ_DATA, WRITE _DATA, and
> >> EXECUTE should be mandatory but what about the others?  Should any of
> these
> >> be mandatory?  If not, why isn't it implemented? Are there
> >> applications/clients that rely on it?
> >
> > Again, I don't agree that it's desirable to specify this level of
> > detail.
> >
> > NFS has always been a protocol which allows exporting filesystems with
> > semantics that vary somewhat.
> >
> > I'd recommend instead thinking hard about what's essential to do in this
> > document and looking for ways to reduce its scope and length.
> >
> > We've got limited resources, and the attempt to produce a really
> > detailed synthesis of unix and Windows permissions models is an
> > ambitious project.
>
> I enthusiastically endorse moving security-related material into its own
> document.
>
> However, I do not support specifying ACL to mode translation in detail.
> The nfsv4 working group has no authority to mandate policy in local file
> system implementations.


It does have the authority to mandate the behavior exposed to the client
peer.  In this context the server's filesystem is part of the server.  In
any case, server code outside the fs could provide the necessary mapping.

The protocol‘s role is to expose those policies to applications running on
> clients.


This approach would throw interoperability under the bus.

>
>
> I can get behind the document discussing general issues and providing
> clarifying examples in such a way that cannot be mistaken for normative
> text.
>
>
> > --b.
> >
> >>
> >> On Fri, Jan 14, 2022, 6:48 PM Rick Macklem <rmacklem@uoguelph.ca>
> wrote:
> >>
> >>> J. Bruce Fields wrote:
> >>>> On Sun, Jan 09, 2022 at 11:15:34PM +0000, Rick Macklem wrote:
> >>>>> From: David Noveck wrote:
> >>>>>> If I understand correctly, you are intending to accept an acl that
> >>> APPEND_DATA and not
> >>>>>> WRITE_DATA  and then not let the user open the file for write.   I
> >>> don't know about your
> >>>>>> users but I would certainly feel that was a "weird, irritating
> >>> inconsistency".
> >>>>> Yes, but it is consistent with local behaviour on FreeBSD.
> >>>>> A file with APPEND_DATA, but not WRITE_DATA cannot be open'd with a
> >>> POSIX
> >>>>> open("foo", O_APPEND | O_WRONLY, 0)
> >>>>> either locally nor over NFS.
> >>>>> (O_APPEND is a modifier and cannot be specified by itself.)
> >>>> How would an NFS client write to it, anyway?  Do you just tell people
> >>>> they need to use O_SYNC for such files?
> >>> When a file is POSIX open(...O_APPEND..)'d in FreeBSD on an NFS mount
> >>> point, each write is pushed through to the server (with an exclusive
> lock
> >>> held on the vnode) FILESYNC.
> >>> The result maintains ordering, but is very slow compared to doing the
> >>> same on local file systems. For a test case doing 10,000 writes, it
> >>> takes 13sec over NFS vs 0.3sec locally for UFS (even slower for ZFS,
> >>> takes 2minutes for ZFS with sync enabled and no ZIL log).
> >>>> Otherwise writes are likely to get reordered, and then the writer gets
> >>>> random EACCES (and random unfillable holes, if you allow writes at
> >>>> offsets past EOF).  Seems like a bit of a foot-gun.
> >>> Yep, it forces O_SYNC basically.
> >>>> Oh well, out of scope here, I suppose.
> >>> Not really. If another client writes to the file, it could still get
> >>> "random"
> >>> EACCES failures.
> >>> As I mentioned, the FreeBSD server stores APPEND_DATA, but ignores it.
> >>> I recall Robert Watson (who designed the FreeBSD NFSv4 ACL stuff)
> >>> stating as the reason "because it's such a pita".
> >>> For FreeBSD, this is also true of ZFS. (The ACL enforcing part of ZFS
> >>> is in the port specific code, so I don't know what Linux/Solaris does
> >>> w.r.t. APPEND_DATA for ZFS.)
> >>> rick
> >>> --b.
> >
> > _______________________________________________
> > nfsv4 mailing list
> > nfsv4@ietf.org
> > https://www.ietf.org/mailman/listinfo/nfsv4
>

v2.23.0 | Report a Bug | By Email