[nfsv4] POSIX ACLs as backdoor to bypass NFSv4 ACLs Re: Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
Mark Liam Brown <brownmarkliam@gmail.com> Fri, 09 August 2024 22:52 UTC
Return-Path: <brownmarkliam@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46D36C180B61 for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oRG6Vi7KjWIL for <nfsv4@ietfa.amsl.com>; Fri, 9 Aug 2024 15:52:02 -0700 (PDT)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1BAFC15109E for <nfsv4@ietf.org>; Fri, 9 Aug 2024 15:52:02 -0700 (PDT)
Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-2cb7cd6f5f2so2032337a91.2 for <nfsv4@ietf.org>; Fri, 09 Aug 2024 15:52:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723243922; x=1723848722; darn=ietf.org; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=SpoANFLNJgn9MMoC4GSU3gUocWCblcnJ/SR8Oza70xM=; b=NfDZAI8PSLsQySFbX/8+zqKvTN62BTpcQPfh7LkP+mcnWeVIZ7IDZamdu4AcfLvEkf SwiHBgUNQ8l33C1cs/KXoxM98rgp+EyrHuK0jI2+vl+3AwQZ12XAYix8TgsKpFREnNPn mTfTVZS9nCgOjLlAOuk3LPdX/ii+fQCS1K52kuthkE1NOk88V6Qzu+jKevOyl6H3rcnw tkag912uS7MrBgSxhi7bm1+kKRPILuMSsuCdu683z3lCAgt58Kr2/lFZyI6N1NgdpNwY 4Fd/d1flbTUmm8Tn5/Cq067pjF/lLhQ2ET2H/nEIBtRqSCRAGb7JVdraKdZESfzZuNJG Jikg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723243922; x=1723848722; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SpoANFLNJgn9MMoC4GSU3gUocWCblcnJ/SR8Oza70xM=; b=ewxmLOxGRRWPf8AXfvL5ipsuT03GnOXOOgnjjz01MpwqaHydlwHGsqn/UA82qj6x1y StzbITjxoSS184Mj66tcOkr5R1GkAPLgQyA0nHVnqW1awXRKO3a/Kk51GzAxjRO09PXO 6S9d8On2R0z1PlX2n0EvYlLzTyNiF27rlRNGGCNSI373HtU2EiFt1pVMHREfyl49eaLx FNqisV7LkZ8rYnxsqcMAI7wNwmV5qPMD9nY4kVIt0YbENOG0Xf0oxZA2jtWSVum6c47y ue614AslU7EZPzQg0Edd+CYUzPQBGDEwPxhN+n4u87nppufnmMxVtI8A9ZiYBAVFwCeN nHCA==
X-Gm-Message-State: AOJu0YxCX+tazN864hyvWix/yBRA35qYfayAdJ7BymFnhjaHftwLBcc/ Dp7HE1MnLh32heY0S5KCdjcvuzvoa5ytcmmkXyOZ3aJn5mDC4NI2YC8x/10kW65HlDLuhR0PGcU ykxkBivZ+bY296rUbQZMwnhSKHCkabw==
X-Google-Smtp-Source: AGHT+IEfgfckb5RgTRFmuvTpcZKz6doG0crB1Eg0Zh+0wun9Bt86VGteaA3LuvCvEglBmFtf+KYUrFsc+GlnlihNfoE=
X-Received: by 2002:a17:90b:124f:b0:2c9:cbdd:acd with SMTP id 98e67ed59e1d1-2d1e807165amr3604400a91.35.1723243921537; Fri, 09 Aug 2024 15:52:01 -0700 (PDT)
MIME-Version: 1.0
References: <20240806170525.trrqy27aqu7sayb5@pali> <CAM5tNy4pPcP7AErkqvu2URqX9nCT-8i3y_esVzpyyjaHC6Uuew@mail.gmail.com> <CADaq8jexUbGSNfrkSkrVn3axkDZu2HrMYeT1pF7TNGKXHaZ73w@mail.gmail.com> <20240809223446.4q6umzjpelv4kz3b@pali>
In-Reply-To: <20240809223446.4q6umzjpelv4kz3b@pali>
From: Mark Liam Brown <brownmarkliam@gmail.com>
Date: Sat, 10 Aug 2024 00:51:25 +0200
Message-ID: <CAN0SSYwAL_gWoF4UFU0z1KyitNhGTcuy28c-Mh=QfhsTjdYhsg@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: NTQU4JD4JTL527EZ5YMMZSGXTADHQ4P2
X-Message-ID-Hash: NTQU4JD4JTL527EZ5YMMZSGXTADHQ4P2
X-MailFrom: brownmarkliam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] POSIX ACLs as backdoor to bypass NFSv4 ACLs Re: Re: Comments for draft-rmacklem-nfsv4-posix-acls-02
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/wlw7VnLLDeDEFdpqxFzJv3f27Gs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Sat, Aug 10, 2024 at 12:35 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> wrote: > > On Wednesday 07 August 2024 08:07:16 David Noveck wrote: > > On Tue, Aug 6, 2024, 6:21 PM Rick Macklem <rick.macklem@gmail.com> wrote: > > > On Tue, Aug 6, 2024 at 10:05 AM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im> > > > wrote: > > >> 2) > > >> > > >> Then there is a problem with "group" bits of "mode" attribute. > > >> In RFC 8881 section 6.2.4 is written: > > >> > > >> "Bits MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP apply to principals > > >> identified in the owner_group attribute but who are not identified in > > >> the owner attribute." > > >> > > >> And in section 6.3.2.1 is written: > > >> > > >> "Some server implementations also add bits permitted to named users and > > >> groups to the group bits (MODE4_RGRP, MODE4_WGRP, and MODE4_XGRP). > > >> Implementations are discouraged from doing this." > > >> "The same user confusion seen when fetching the mode also results if > > >> setting the mode does not effectively control permissions for the owner, > > >> group, and other users; this motivates some of the requirements that > > >> follow." > > >> > > >> POSIX ACL with at least one named user or named group requires that > > >> mode group bits refers to POSIX ACL mask, and not to the POSIX ACL > > >> group_obj (which represents owner_group). > > >> > > >> Those RFC 8881 parts of NFS mode attribute are basically not compatible > > >> with POSIX ACL. Your extension does not mention this problem and does > > >> not handle it. > > >> > > >> Existing NFS4 servers which follows the RFC 8881 meaning of mode group > > >> bits, would not be able to implement this your extension for POSIX ACL, > > >> because existing servers cannot change behavior of mode attribute due > > >> backward compatibility. I think that this is a big problem. > > >> Servers in multiprotocol environment mostly follows the RFC 8881 advice > > >> to never return something like "POSIX mask" in group bits. > > >> > > >> How to solve this problem. One option could be including all mode bits > > >> into your new "posix_access_acl" attribute and let NFS4 clients to use > > >> only "posix_access_acl" on chown operation, and never use existing > > >> "mode" attribute at all (if the extension is supported by server). > > >> > > >> Another option could be to introduce a new "posix_mode" attribute which > > >> would be strictly POSIX and old "mode" attribute can stay as before for > > >> backward compatibility. Again clients would not use "mode" attribute > > >> anymore. > > >> > > > > > A similar possibility is discussed in an appendix to acls-04. The idea is > > a read-only mode_info attribute > > that clients could use if they want to display a mode that can be displayed > > to reflect a summary of the ACL permissions. > > I think that it should be the client who compose summary of the ACL > permissions. Why? Because POSIX ACL clients compute this summary > differently than NFS4 servers who follows RFC 8881 recommendation (to > not add bits from named users and named group to mode group bits). > > So if you have a POSIX ACL compatible system, then its NFS4 should > report different mode to applications, than the NFS4 compatible system > which does not support POSIX ACL. > > For example if you have POSIX compatible system which connects to two > different NFS4 servers, where first is POSIX ACL, second is NFS4 ACL and > you set same access control on both of them for some files (just with > simple ALLOW cases, which is supported by both POSIX and NFS4 ACL > models) then every server will report different mode. Even it both > servers will provide same access. And this is strange. This is not strange. This is a setup for privilege escalation and data theft. For example if a file is - per NFSv4 ACL - "append, but not write", and then you stomp over that with setfacl and give POSIX ACL "write" rights, then from a NFSv4 ACL point you suddenly have "append AND write" rights. Given that bank account transaction files are intentional "append, but not write" the use of POSIX ACL on such a file would negate all security, and allows anyone to modify transaction files in random locations, instead of just adding another transaction. I'm pretty sure the admins from Goldman Sachs and Deutsche will "love" such a backdoor feature. Mark -- IT Infrastructure Consultant Windows, Linux
- [nfsv4] Comments for draft-rmacklem-nfsv4-posix-a… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… David Noveck
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Pali Rohár
- [nfsv4] POSIX ACLs as backdoor to bypass NFSv4 AC… Mark Liam Brown
- [nfsv4] Re: Comments for draft-rmacklem-nfsv4-pos… Rick Macklem