IETF Logo Mail Archive

Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME

"Mike Eisler" <mre-ietf@eisler.com> Thu, 17 April 2008 20:01 UTC

Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D90E33A67B7; Thu, 17 Apr 2008 13:01:03 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C7A333A67B4 for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 13:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.518
X-Spam-Level:
X-Spam-Status: No, score=-2.518 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbrvZsm6r8Ux for <nfsv4@core3.amsl.com>; Thu, 17 Apr 2008 13:00:59 -0700 (PDT)
Received: from webmail5.dreamhost.com (sd-green-dreamhost-133.dreamhost.com [208.97.187.133]) by core3.amsl.com (Postfix) with ESMTP id 4E88C3A6DCF for <nfsv4@ietf.org>; Thu, 17 Apr 2008 13:00:49 -0700 (PDT)
Received: from webmail.eisler.com (localhost [127.0.0.1]) by webmail5.dreamhost.com (Postfix) with ESMTP id 59F065B65E for <nfsv4@ietf.org>; Thu, 17 Apr 2008 13:01:25 -0700 (PDT)
Received: from 198.95.226.230 (SquirrelMail authenticated user mre-ietf@eisler.com) by webmail.eisler.com with HTTP; Thu, 17 Apr 2008 13:01:25 -0700 (PDT)
Message-ID: <60470.198.95.226.230.1208462485.squirrel@webmail.eisler.com>
In-Reply-To: <14599.198.95.226.230.1208460696.squirrel@webmail.eisler.com>
References: <26301.198.95.226.230.1208116510.squirrel@webmail.eisler.com> <C98692FD98048C41885E0B0FACD9DFB806B0BAC9@exnane01.hq.netapp.com> <14599.198.95.226.230.1208460696.squirrel@webmail.eisler.com>
Date: Thu, 17 Apr 2008 13:01:25 -0700
From: Mike Eisler <mre-ietf@eisler.com>
To: nfsv4@ietf.org
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org

Ah, now I see why LINK and RENAME have to return NFS4ERR_WRONGSEC.

PUTFH followed by SAVEFH cannot return NFS4ERR_WRONGSEC.
LINK and RENAME don't require a RESTOREFH. If there is a strict
security policy on the saved fh used for LINK and RENAME, then without
NFS4ERR_WRONGSEC, that policy could be circumvented.

So, knowing what I know now (and I may know more later, so this is subject
to change), my new plan is:

 Make the errors chapter synchronized with the SECINFO section:
 add LINK and RENAME as valid operations that can return
 NFS4ERR_WRONGSEC.

On Thu, April 17, 2008 12:31 pm, Mike Eisler wrote:
> I was in the process of making the edits to remove RESTOREFH from
> the list of operations that can return NFS4ERR_WRONGSEC and came
> across this:
>
>
>   <section anchor="using_secinfo" title="Using NFS4ERR_WRONGSEC, SECINFO,
> and SE
> CINFO_NO_NAME">
>   <t>
>    This section explains of the mechanics of NFSv4.1 security negotiation.
>    The term "put filehandle operation" refers to
>    PUTROOTFH, PUTPUBFH, PUTFH, and RESTOREFH.
>   </t>
>
>    <section anchor="PUTFH + SAVEFH"
>     title="Put Filehandle Operation + SAVEFH">
>    <t>
>     The client is saving a filehandle for a future RESTOREFH. The
>     server MUST NOT return NFS4ERR_WRONGSEC to either the put filehandle
>     operation or SAVEFH.
>    </t>
>    </section> <!-- Put Filehandle Operation + SAVEFH -->
>
> ----------
>
> There's a reason, which I do not recall, why a put filehandle op
> followed by SAVEFH is not allowed to return NFS4ERR_WRONGSEC.
>
> But because, e.g. PUTFH, SAVEFH cannot return _WRONGSEC, this
> means RESTOREFH has to return WRONGSEC.
>
>
> Now we could state that PUTFH, SAVEFH can return NFS4ERR_WRONGSEC,
> and that seems like it is OK. But then so did eliminating WRONGSEC
> from the list of errors RESTOREFH can return.
> But I have no time to figure why the spec disallows WRONGSEC on the
> PUTFH, SAVEFH case.
>
> So I intend to make SECINFO synchronized with the errors chapter:
> remove LINK and RENAME as valid operations that can return
> NFS4ERR_WRONGSEC.
>
> to the spec (i.e. producing an RFC that is broken).
> On Sun, April 13, 2008 1:54 pm, Noveck, Dave wrote:
>>> > So I think you have two questions:
>>> >
>>> > 1) Can security policies be on name-pattern-defined classes of
>> objects?
>>> >
>>> > 2) Is the saved fh protected in the same way as current fh?
>>> >
>>> > So my take is:
>>> >
>>> > 1Y, 2Y: CREATE, LINK, RENAME
>>>
>>> I think it is:
>>>
>>> 1Y, 2Y: REMOVE
>>>
>>> Why isn't REMOVE among the list? The target could have a policy.
>>
>> My intention was that REMOVE was implicitly included in all the options,
>> just as LOOKUP is.
>>
>>> Why is CREATE on the list? If the object doesn't
>>> exist, it has no policy. If it does exist, then
>>> NFS4ERR_EXIST is what must be returned.
>>
>> Under 1Y, objects can implicitly have policies based on their names.
>> With the example of "*.secret" requiring kerberos, AUTH_SYS creation of
>> "big.secret" would return WRONGSEC.
>>
>>> Why are LINK and RENAME on the list? The saved
>>> fh is protected.
>>
>>> LINK is linking one of the two filehandles; we've
>>> already checked their policies. Note that if the
>>> target name exists, we return NFS4ERR_EXIST. This
>>> is the same as CREATE.
>>
>> Here I was thinking of a name-based policy where the link matched the
>> link pattern.
>>
>>> RENAME: security policies should not be protecting
>>> the rename of the policied object. SECINFO is not
>>> that smart.
>>
>> RENAME identifies an existing object by name.  If the caller would get
>> WRONGSEC doing a LOOKUP of that object, he certainly should get one
>> renaming it.
>>
>>> > 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH
>>
>>> I think it should be:
>>
>>> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH
>>
>>> for the same reasons as the previous 1Y, 2Y case.
>>
>> OK.
>>
>>> > 1N, 2Y: none of the above
>>
>>> Dave noted this should have had RENAME. I'm not
>>> seeing it. A RENAME amounts to adding a directory
>>> entry and deleting a directory entry. If REMOVE
>>> and CREATE are not on the list, why should RENAME
>>> be on the list?
>>
>> REMOVE was intended to be implicitly on the list as discussed above.
>>
>> The difference between CREATE and RENAME is similar to that between
>> CREATE and OPEN.  RENAME works on an existing object which may have
>> previously acquired a policy.
>>
>>> > So I think it is:
>>
>>> > 1N, 2Y: none of the above
>>
>> I think it would be RENAME and REMOVE.
>>
>>> > 1N, 2N: LINK, RENAME, RESTOREFH
>>
>>> I agree.
>>
>>> So while eliminating RESTOREFH from the list of
>>> operations that can return NFS4ERR_WRONGSEC is
>>> going to create a lot editing work for me, I agree
>>> that 1N, 2Y is the easiest case and the sanest way
>>> to deal draft-21's current inconsistency.
>>
>> I agree.
>>
>> -----Original Message-----
>> From: Mike Eisler [mailto:mre-ietf@eisler.com]
>> Sent: Sunday, April 13, 2008 3:55 PM
>> To: nfsv4@ietf.org
>> Subject: Re: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
>>
>>> From: Noveck, Dave
>>> Sent: Sunday, April 13, 2008 9:09 AM
>>> To: 'Trond Myklebust'; Mike Eisler
>>> Cc: nfsv4@ietf.org
>>> Subject: RE: [nfsv4] NFS4ERR_WRONGSEC inconsistency - LINK and RENAME
>>
>>
>>>> Also, just out of curiosity, why do we have RESTOREFH in the above
>>>> two
>>>
>>>> lists? Aren't you pretty much guaranteed to get a WRONGSEC error on
>>>> the filehandle before you get round to the SAVEFH?
>>>
>>> I think this may relate to the issue of LINK and RENAME.  If you
>>> create an object and continue to use it in the COMPOUND, you could
>>> conceive, since it is not atomic, that between two ops the server
>>> changes his security policy for the object in question (if you can
>>> ever get WRONGSEC subsequently, it has to change some time, so it
>>> might be before the COMPOUND is done), but the protocol has decided,
>>> in order to simplify client implementations, to avoid the possiblity
>>> of getting WRONGSEC for the current fh.  At any time that for the
>>> current fh, you are guaranteed not to get the error on a current fh
>>> once vetted when established.  You could apply the same to the saved
>>> fh, but you don't have to.  Not protecting the saved fh in this way
>>> would only mean that you had to check the error at RESTOREFH and
>>> anywhere that the saved fh was actually used (only LINK and RENAME, I
>>> think)
>>
>> Makes sense.
>>
>>> So I think you have two questions:
>>>
>>> 1) Can security policies be on name-pattern-defined classes of
>> objects?
>>>
>>> 2) Is the saved fh protected in the same way as current fh?
>>>
>>> So my take is:
>>>
>>> 1Y, 2Y: CREATE, LINK, RENAME
>>
>> I think it is:
>>
>> 1Y, 2Y: REMOVE
>>
>> Why isn't REMOVE among the list? The target could have a policy.
>>
>> Why is CREATE on the list? If the object doesn't exist, it has no
>> policy. If it does exist, then NFS4ERR_EXIST is what must be returned.
>>
>> Why are LINK and RENAME on the list? The saved fh is protected.
>>
>> LINK is linking one of the two filehandles; we've already checked their
>> policies. Note that if the target name exists, we return NFS4ERR_EXIST.
>> This is the same as CREATE.
>>
>> RENAME: security policies should not be protecting the rename of the
>> policied object. SECINFO is not that smart.
>>
>>> 1Y, 2N: CREATE, LINK, RENAME, RESTOREFH
>>
>> I think it should be:
>>
>> 1Y, 2N: REMOVE, LINK, RENAME, RESTOREFH
>>
>> for the same reasons as the previous 1Y, 2Y case.
>>
>>> 1N, 2Y: none of the above
>>
>> Dave noted this should have had RENAME. I'm not seeing it. A RENAME
>> amounts to adding a directory entry and deleting a directory entry. If
>> REMOVE and CREATE are not on the list, why should RENAME be on the list?
>>
>> So I think it is:
>>
>> 1N, 2Y: none of the above
>>
>>> 1N, 2N: LINK, RENAME, RESTOREFH
>>
>> I agree.
>>
>> So while eliminating RESTOREFH from the list of operations that can
>> return NFS4ERR_WRONGSEC is going to create a lot editing work for me, I
>> agree that 1N, 2Y is the easiest case and the sanest way to deal
>> draft-21's current inconsistency.
>>
>>
>>
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4
>>
>
>
> --
> Mike Eisler, Senior Technical Director, NetApp, 719 599 9026,
> http://blogs.netapp.com/eislers_nfs_blog/
>
>
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
>


-- 
Mike Eisler, Senior Technical Director, NetApp, 719 599 9026,
http://blogs.netapp.com/eislers_nfs_blog/



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email