* Varying ro/rw based on security flavor doesn't work
@ 2018-01-09 15:11 Tamas Vincze
  2018-01-09 19:23 ` J. Bruce Fields
  0 siblings, 1 reply; 5+ messages in thread
From: Tamas Vincze @ 2018-01-09 15:11 UTC (permalink / raw)
  To: linux-nfs

Hi:

The exports man page says that one can vary ro/rw based on security 
flavor by including multiple sec= options in /etc/exports, but it seems 
to be broken in nfs-utils-1.3.0-0.48.el7_4.

For example this /etc/exports:

/export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)

results in this /var/lib/nfs/etab:

/export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,sec=krb5i:krb5p,secure,root_squash,no_all_squash)

Only the rw option is present in etab, that applies to both sec=sys and 
sec=krb5i:krb5p.

Is this bug specific to redhat or also present upstream?

Please include me in replies as I'm not subscribed to the list.

Thanks,
Tamas



* Re: Varying ro/rw based on security flavor doesn't work
  2018-01-09 15:11 Varying ro/rw based on security flavor doesn't work Tamas Vincze
@ 2018-01-09 19:23 ` J. Bruce Fields
  2018-01-09 20:47   ` Tamas Vincze
  2018-01-11 15:36   ` Tamas Vincze
  0 siblings, 2 replies; 5+ messages in thread
From: J. Bruce Fields @ 2018-01-09 19:23 UTC (permalink / raw)
  To: Tamas Vincze; +Cc: linux-nfs

On Tue, Jan 09, 2018 at 10:11:05AM -0500, Tamas Vincze wrote:
> The exports man page says that one can vary ro/rw based on security
> flavor by including multiple sec= options in /etc/exports, but it
> seems to be broken in nfs-utils-1.3.0-0.48.el7_4.
> 
> For example this /etc/exports:
> 
> /export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)
> 
> results in this /var/lib/nfs/etab:
> 
> /export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,sec=krb5i:krb5p,secure,root_squash,no_all_squash)
> 
> Only the rw option is present in etab, that applies to both sec=sys
> and sec=krb5i:krb5p.
> 
> Is this bug specific to redhat or also present upstream?

I don't know off the top of my head....  Is there a redhat bug filed?
And is there some previous version that you know worked?

Agreed that it looks like a bug.

--b.


* Re: Varying ro/rw based on security flavor doesn't work
  2018-01-09 19:23 ` J. Bruce Fields
@ 2018-01-09 20:47   ` Tamas Vincze
  2018-01-11 15:36   ` Tamas Vincze
  1 sibling, 0 replies; 5+ messages in thread
From: Tamas Vincze @ 2018-01-09 20:47 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: linux-nfs

On 01/09/2018 02:23 PM, J. Bruce Fields wrote:
> On Tue, Jan 09, 2018 at 10:11:05AM -0500, Tamas Vincze wrote:
>> The exports man page says that one can vary ro/rw based on security
>> flavor by including multiple sec= options in /etc/exports, but it
>> seems to be broken in nfs-utils-1.3.0-0.48.el7_4.
>>
>> For example this /etc/exports:
>>
>> /export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)
>>
>> results in this /var/lib/nfs/etab:
>>
>> /export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,sec=krb5i:krb5p,secure,root_squash,no_all_squash)
>>
>> Only the rw option is present in etab, that applies to both sec=sys
>> and sec=krb5i:krb5p.
>>
>> Is this bug specific to redhat or also present upstream?
> I don't know off the top of my head....  Is there a redhat bug filed?

I filed one today: https://bugzilla.redhat.com/show_bug.cgi?id=1532688
It has no duplicates so far...

> And is there some previous version that you know worked?

I don't know, I haven't used this feature before.

> Agreed that it looks like a bug.
>
> --b.

And it can have some security implications if people have been relying
on it and it quietly broke (sec=sys is basically no security these
days). I see this feature has been around for more than a decade so
there's a good chance that it's in use.

-Tamas


* Re: Varying ro/rw based on security flavor doesn't work
  2018-01-09 19:23 ` J. Bruce Fields
  2018-01-09 20:47   ` Tamas Vincze
@ 2018-01-11 15:36   ` Tamas Vincze
  2018-01-11 18:11     ` Justin Mitchell
  1 sibling, 1 reply; 5+ messages in thread
From: Tamas Vincze @ 2018-01-11 15:36 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: linux-nfs

On 01/09/2018 02:23 PM, J. Bruce Fields wrote:
> On Tue, Jan 09, 2018 at 10:11:05AM -0500, Tamas Vincze wrote:
>> The exports man page says that one can vary ro/rw based on security
>> flavor by including multiple sec= options in /etc/exports, but it
>> seems to be broken in nfs-utils-1.3.0-0.48.el7_4.
> And is there some previous version that you know worked?

RedHat tested it further and it's still broken in
nfs-utils-2.2.1-3.rc2.fc26.
It works correctly in nfs-utils-1.2.3-75.el6.

-Tamas


* Re: Varying ro/rw based on security flavor doesn't work
  2018-01-11 15:36   ` Tamas Vincze
@ 2018-01-11 18:11     ` Justin Mitchell
  0 siblings, 0 replies; 5+ messages in thread
From: Justin Mitchell @ 2018-01-11 18:11 UTC (permalink / raw)
  To: Tamas Vincze; +Cc: linux-nfs

On Thu, 2018-01-11 at 10:36 -0500, Tamas Vincze wrote:
> On 01/09/2018 02:23 PM, J. Bruce Fields wrote:
> > On Tue, Jan 09, 2018 at 10:11:05AM -0500, Tamas Vincze wrote:
> >> The exports man page says that one can vary ro/rw based on security
> >> flavor by including multiple sec= options in /etc/exports, but it
> >> seems to be broken in nfs-utils-1.3.0-0.48.el7_4.
> > And is there some previous version that you know worked?
> RedHat tested it further and it's still broken in 
> nfs-utils-2.2.1-3.rc2.fc26.
> It works correctly in nfs-utils-1.2.3-75.el6.

Introduced by 37c07fa0 2016-11-22 Jianhong Yin
exportfs: remove redundant exports options output

It appears to be an attempt to quash duplicated options, but it is too
simplistic to handle this case correctly where otherwise opposing
options of ro and rw can validly both appear.
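
An added example, not part of the thread and not nfs-utils code: a small audit that compares the per-flavor ro/rw in an /etc/exports line with the matching /var/lib/nfs/etab line and reports flavors whose access was widened. It assumes ro/rw before the first sec= is the default for every flavor and ro/rw after a sec= applies only to that sec= list; the function names are hypothetical.

```python
import re

# The two lines quoted in the first message of the thread.
EXPORTS = "/export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)"
ETAB = ("/export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,"
        "root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,"
        "anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,"
        "sec=krb5i:krb5p,secure,root_squash,no_all_squash)")

ENTRY = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")

def access_by_flavor(line):
    """Return (path, client, {flavor: 'ro'|'rw'}) for one exports/etab line.

    Assumption: ro/rw before the first sec= is the default for every flavor,
    and ro/rw after a sec= applies only to the flavors in that sec= list.
    """
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError("unrecognised export line: %r" % line)
    path, client, opts = m.groups()
    default, current, access = "ro", None, {}  # exports(5): ro is the default
    for opt in opts.split(","):
        if opt.startswith("sec="):
            current = opt[4:].split(":")
            for flavor in current:
                access.setdefault(flavor, None)
        elif opt in ("ro", "rw"):
            if current is None:
                default = opt          # global option, before any sec=
            else:
                for flavor in current:
                    access[flavor] = opt
    if not access:
        access = {"sys": None}         # no sec= at all: sys is the default flavor
    return path, client, {f: a or default for f, a in access.items()}

def widened(exports_line, etab_line):
    """Flavors that exports makes read-only but etab reports as read-write."""
    _, _, want = access_by_flavor(exports_line)
    _, _, got = access_by_flavor(etab_line)
    return sorted(f for f, a in want.items() if a == "ro" and got.get(f) == "rw")

if __name__ == "__main__":
    print(widened(EXPORTS, ETAB))
```
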


