From: Trond Myklebust <trondmy@hammerspace.com>
To: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Wed, 30 May 2018 03:01:56 +0000 [thread overview]
Message-ID: <75266c983a03f6dbfd5d1a39c94fa6d56a1a8a22.camel@hammerspace.com> (raw)
In-Reply-To: <2cf94c6b-e819-79af-4ac9-3b19d26dc6d9@suse.de>
On Tue, 2018-05-29 at 20:08 -0500, Goldwyn Rodrigues wrote:
>
> On 05/29/2018 04:37 PM, Trond Myklebust wrote:
> > On Tue, 2018-05-29 at 15:32 -0500, Goldwyn Rodrigues wrote:
> > > While mounting overlayfs with NFS as a lower directory and a
> > > local
> > > filesystem as an upper layer leads to copy_up failures because
> > > NFS4
> > > has
> > > an extra system.nfs4_acl which cannot be copied up. This has been
> > > discussed before [1] and [2] with the suggestion that nfs4_acl is
> > > derived from posix_acls or just inode->i_mode *most* of the times
> > > and
> > > hence it can be mapped back.
> > >
> > > The problem is NFS client knows nothing about nfs4_acl and it is
> > > decoded
> > > in nfs4-acl-tools. Even if we make nfs client capable of
> > > understand
> > > nfs4_acl xattr, can it be used to perform ACL's for the system.
> > > AFAIU,
> > > it is uses user/group names as opposed uid/gid to perform id
> > > mapping.
> > > Can the client map it back to user names and derive if it is just
> > > an
> > > replica of inode's i_mode?
> > >
> > > The idea is to suppress nfs4_acl if it is the same as inode's
> > > i_mode.
> > > This means nfs4-acl-tools/nfs4_getacl would give no results when
> > > requesting for ACLs. This would break existing applications if
> > > they
> > > expect some output from nfs4_getfacl.
> > >
> > > Is there a better way to identify if nfs4_acl is just a
> > > representation
> > > of i_mode at the client end and can be safely ignored during an
> > > overlayfs copy_up? Can we include a flag for this?
> > >
> > >
> > > [1] https://www.spinics.net/lists/linux-nfs/msg61045.html
> > > [2] https://www.spinics.net/lists/linux-unionfs/msg04736.html
> > >
> >
> > If the permissions are unchanged so that overlayfs is not trying to
> > override the way the server interprets the ACL, and credential held
> > by
> > the user, then you are better off calling the Linux client for
> > open/close and permissions calls.
> >
> > Once you've allowed the user to chmod or chown the file, you are on
> > your own, because your security model for the file will have forked
> > with the security model provided by NFS. At that point, the file
> > had
> > better have been copied up, and you'd better be ready to manage it
> > entirely from overlayfs.
> >
> > The above applies not only when the file is subject to NFSv4 acls,
> > but
> > it is also true when you are using strong authentication (i.e.
> > Kerberos
> > V).
> >
>
> The files permissions are checked during copy ups because a data copy
> also happens in case of a change. The problem however is not the
> checks
> have to happen for this operation but if we should bypass NFS
> security
> for consequent ones.
>
> For example, If we copy_up the file just because the current user is
> able to, it would not copy the nfs4_acl. If there is a NFS4 acl rule
> to
> DENY another user, the earlier denied user will be able to access the
> file after the copy_up because we did not copy the nfs4_acl.
>
As I said, you are forking the security model. You are trying to make
the NFS client act as a proxy for the NFS server without giving it
enough information to do so.
The NFS client is careful to _always_ leave interpreting the ACL, mode,
and other security information to the server. If it must try to act as
a proxy for the server when serving up cached information, then it uses
the ACCESS rpc call to ensure that it doesn't give up information that
the server would normally deny to a particular user.
> Overlayfs tries to make sure that all xattr from an underlying
> filesystem is compatible with the one being copied to. nfs4_acl is
> not
> compatible with a local filesystem it rejects the copy_up as
> EOPNOTSUPP.
>
> From the nfsd code (nfsd_get_nfs4_acl), in *most* cases nfs4_acl is
> just
> a representation of i_mode and does not require a special ACL.
If your server is a knfsd based Linux server, then maybe. If it's
anything else, then the above statement is dead wrong. Either way,
you'd be opening a large can of security worms by making those
assumptions.
> However,
> just because there is a nfs4_acl, a copy_up does not happen in the
> client.
Which would appear to be the more secure behaviour if you are unable to
enforce the exact same security semantics as the server.
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com
WARNING: multiple messages have this Message-ID (diff)
From: Trond Myklebust <trondmy@hammerspace.com>
To: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Wed, 30 May 2018 03:01:56 +0000 [thread overview]
Message-ID: <75266c983a03f6dbfd5d1a39c94fa6d56a1a8a22.camel@hammerspace.com> (raw)
In-Reply-To: <2cf94c6b-e819-79af-4ac9-3b19d26dc6d9@suse.de>
T24gVHVlLCAyMDE4LTA1LTI5IGF0IDIwOjA4IC0wNTAwLCBHb2xkd3luIFJvZHJpZ3VlcyB3cm90
ZToNCj4gDQo+IE9uIDA1LzI5LzIwMTggMDQ6MzcgUE0sIFRyb25kIE15a2xlYnVzdCB3cm90ZToN
Cj4gPiBPbiBUdWUsIDIwMTgtMDUtMjkgYXQgMTU6MzIgLTA1MDAsIEdvbGR3eW4gUm9kcmlndWVz
IHdyb3RlOg0KPiA+ID4gV2hpbGUgbW91bnRpbmcgb3ZlcmxheWZzIHdpdGggTkZTIGFzIGEgbG93
ZXIgZGlyZWN0b3J5IGFuZCBhDQo+ID4gPiBsb2NhbA0KPiA+ID4gZmlsZXN5c3RlbSBhcyBhbiB1
cHBlciBsYXllciBsZWFkcyB0byBjb3B5X3VwIGZhaWx1cmVzIGJlY2F1c2UNCj4gPiA+IE5GUzQN
Cj4gPiA+IGhhcw0KPiA+ID4gYW4gZXh0cmEgc3lzdGVtLm5mczRfYWNsIHdoaWNoIGNhbm5vdCBi
ZSBjb3BpZWQgdXAuIFRoaXMgaGFzIGJlZW4NCj4gPiA+IGRpc2N1c3NlZCBiZWZvcmUgWzFdIGFu
ZCBbMl0gd2l0aCB0aGUgc3VnZ2VzdGlvbiB0aGF0IG5mczRfYWNsIGlzDQo+ID4gPiBkZXJpdmVk
IGZyb20gcG9zaXhfYWNscyBvciBqdXN0IGlub2RlLT5pX21vZGUgKm1vc3QqIG9mIHRoZSB0aW1l
cw0KPiA+ID4gYW5kDQo+ID4gPiBoZW5jZSBpdCBjYW4gYmUgbWFwcGVkIGJhY2suDQo+ID4gPiAN
Cj4gPiA+IFRoZSBwcm9ibGVtIGlzIE5GUyBjbGllbnQga25vd3Mgbm90aGluZyBhYm91dCBuZnM0
X2FjbCBhbmQgaXQgaXMNCj4gPiA+IGRlY29kZWQNCj4gPiA+IGluIG5mczQtYWNsLXRvb2xzLiBF
dmVuIGlmIHdlIG1ha2UgbmZzIGNsaWVudCBjYXBhYmxlIG9mDQo+ID4gPiB1bmRlcnN0YW5kDQo+
ID4gPiBuZnM0X2FjbCB4YXR0ciwgY2FuIGl0IGJlIHVzZWQgdG8gcGVyZm9ybSBBQ0wncyBmb3Ig
dGhlIHN5c3RlbS4NCj4gPiA+IEFGQUlVLA0KPiA+ID4gaXQgaXMgdXNlcyB1c2VyL2dyb3VwIG5h
bWVzIGFzIG9wcG9zZWQgdWlkL2dpZCB0byBwZXJmb3JtIGlkDQo+ID4gPiBtYXBwaW5nLg0KPiA+
ID4gQ2FuIHRoZSBjbGllbnQgbWFwIGl0IGJhY2sgdG8gdXNlciBuYW1lcyBhbmQgZGVyaXZlIGlm
IGl0IGlzIGp1c3QNCj4gPiA+IGFuDQo+ID4gPiByZXBsaWNhIG9mIGlub2RlJ3MgaV9tb2RlPw0K
PiA+ID4gDQo+ID4gPiBUaGUgaWRlYSBpcyB0byBzdXBwcmVzcyBuZnM0X2FjbCBpZiBpdCBpcyB0
aGUgc2FtZSBhcyBpbm9kZSdzDQo+ID4gPiBpX21vZGUuDQo+ID4gPiBUaGlzIG1lYW5zIG5mczQt
YWNsLXRvb2xzL25mczRfZ2V0YWNsIHdvdWxkIGdpdmUgbm8gcmVzdWx0cyB3aGVuDQo+ID4gPiBy
ZXF1ZXN0aW5nIGZvciBBQ0xzLiBUaGlzIHdvdWxkIGJyZWFrIGV4aXN0aW5nIGFwcGxpY2F0aW9u
cyBpZg0KPiA+ID4gdGhleQ0KPiA+ID4gZXhwZWN0IHNvbWUgb3V0cHV0IGZyb20gbmZzNF9nZXRm
YWNsLg0KPiA+ID4gDQo+ID4gPiBJcyB0aGVyZSBhIGJldHRlciB3YXkgdG8gaWRlbnRpZnkgaWYg
bmZzNF9hY2wgaXMganVzdCBhDQo+ID4gPiByZXByZXNlbnRhdGlvbg0KPiA+ID4gb2YgaV9tb2Rl
IGF0IHRoZSBjbGllbnQgZW5kIGFuZCBjYW4gYmUgc2FmZWx5IGlnbm9yZWQgZHVyaW5nIGFuDQo+
ID4gPiBvdmVybGF5ZnMgY29weV91cD8gQ2FuIHdlIGluY2x1ZGUgYSBmbGFnIGZvciB0aGlzPw0K
PiA+ID4gDQo+ID4gPiANCj4gPiA+IFsxXSBodHRwczovL3d3dy5zcGluaWNzLm5ldC9saXN0cy9s
aW51eC1uZnMvbXNnNjEwNDUuaHRtbA0KPiA+ID4gWzJdIGh0dHBzOi8vd3d3LnNwaW5pY3MubmV0
L2xpc3RzL2xpbnV4LXVuaW9uZnMvbXNnMDQ3MzYuaHRtbA0KPiA+ID4gDQo+ID4gDQo+ID4gSWYg
dGhlIHBlcm1pc3Npb25zIGFyZSB1bmNoYW5nZWQgc28gdGhhdCBvdmVybGF5ZnMgaXMgbm90IHRy
eWluZyB0bw0KPiA+IG92ZXJyaWRlIHRoZSB3YXkgdGhlIHNlcnZlciBpbnRlcnByZXRzIHRoZSBB
Q0wsIGFuZCBjcmVkZW50aWFsIGhlbGQNCj4gPiBieQ0KPiA+IHRoZSB1c2VyLCB0aGVuIHlvdSBh
cmUgYmV0dGVyIG9mZiBjYWxsaW5nIHRoZSBMaW51eCBjbGllbnQgZm9yDQo+ID4gb3Blbi9jbG9z
ZSBhbmQgcGVybWlzc2lvbnMgY2FsbHMuDQo+ID4gDQo+ID4gT25jZSB5b3UndmUgYWxsb3dlZCB0
aGUgdXNlciB0byBjaG1vZCBvciBjaG93biB0aGUgZmlsZSwgeW91IGFyZSBvbg0KPiA+IHlvdXIg
b3duLCBiZWNhdXNlIHlvdXIgc2VjdXJpdHkgbW9kZWwgZm9yIHRoZSBmaWxlIHdpbGwgaGF2ZSBm
b3JrZWQNCj4gPiB3aXRoIHRoZSBzZWN1cml0eSBtb2RlbCBwcm92aWRlZCBieSBORlMuIEF0IHRo
YXQgcG9pbnQsIHRoZSBmaWxlDQo+ID4gaGFkDQo+ID4gYmV0dGVyIGhhdmUgYmVlbiBjb3BpZWQg
dXAsIGFuZCB5b3UnZCBiZXR0ZXIgYmUgcmVhZHkgdG8gbWFuYWdlIGl0DQo+ID4gZW50aXJlbHkg
ZnJvbSBvdmVybGF5ZnMuDQo+ID4gDQo+ID4gVGhlIGFib3ZlIGFwcGxpZXMgbm90IG9ubHkgd2hl
biB0aGUgZmlsZSBpcyBzdWJqZWN0IHRvIE5GU3Y0IGFjbHMsDQo+ID4gYnV0DQo+ID4gaXQgaXMg
YWxzbyB0cnVlIHdoZW4geW91IGFyZSB1c2luZyBzdHJvbmcgYXV0aGVudGljYXRpb24gKGkuZS4N
Cj4gPiBLZXJiZXJvcw0KPiA+IFYpLg0KPiA+IA0KPiANCj4gVGhlIGZpbGVzIHBlcm1pc3Npb25z
IGFyZSBjaGVja2VkIGR1cmluZyBjb3B5IHVwcyBiZWNhdXNlIGEgZGF0YSBjb3B5DQo+IGFsc28g
aGFwcGVucyBpbiBjYXNlIG9mIGEgY2hhbmdlLiBUaGUgcHJvYmxlbSBob3dldmVyIGlzIG5vdCB0
aGUNCj4gY2hlY2tzDQo+IGhhdmUgdG8gaGFwcGVuIGZvciB0aGlzIG9wZXJhdGlvbiBidXQgaWYg
d2Ugc2hvdWxkIGJ5cGFzcyBORlMNCj4gc2VjdXJpdHkNCj4gZm9yIGNvbnNlcXVlbnQgb25lcy4N
Cj4gDQo+IEZvciBleGFtcGxlLCBJZiB3ZSBjb3B5X3VwIHRoZSBmaWxlIGp1c3QgYmVjYXVzZSB0
aGUgY3VycmVudCB1c2VyIGlzDQo+IGFibGUgdG8sIGl0IHdvdWxkIG5vdCBjb3B5IHRoZSBuZnM0
X2FjbC4gSWYgdGhlcmUgaXMgYSBORlM0IGFjbCBydWxlDQo+IHRvDQo+IERFTlkgYW5vdGhlciB1
c2VyLCB0aGUgZWFybGllciBkZW5pZWQgdXNlciB3aWxsIGJlIGFibGUgdG8gYWNjZXNzIHRoZQ0K
PiBmaWxlIGFmdGVyIHRoZSBjb3B5X3VwIGJlY2F1c2Ugd2UgZGlkIG5vdCBjb3B5IHRoZSBuZnM0
X2FjbC4NCj4gDQoNCkFzIEkgc2FpZCwgeW91IGFyZSBmb3JraW5nIHRoZSBzZWN1cml0eSBtb2Rl
bC4gWW91IGFyZSB0cnlpbmcgdG8gbWFrZQ0KdGhlIE5GUyBjbGllbnQgYWN0IGFzIGEgcHJveHkg
Zm9yIHRoZSBORlMgc2VydmVyIHdpdGhvdXQgZ2l2aW5nIGl0DQplbm91Z2ggaW5mb3JtYXRpb24g
dG8gZG8gc28uDQoNClRoZSBORlMgY2xpZW50IGlzIGNhcmVmdWwgdG8gX2Fsd2F5c18gbGVhdmUg
aW50ZXJwcmV0aW5nIHRoZSBBQ0wsIG1vZGUsDQphbmQgb3RoZXIgc2VjdXJpdHkgaW5mb3JtYXRp
b24gdG8gdGhlIHNlcnZlci4gSWYgaXQgbXVzdCB0cnkgdG8gYWN0IGFzDQphIHByb3h5IGZvciB0
aGUgc2VydmVyIHdoZW4gc2VydmluZyB1cCBjYWNoZWQgaW5mb3JtYXRpb24sIHRoZW4gaXQgdXNl
cw0KdGhlIEFDQ0VTUyBycGMgY2FsbCB0byBlbnN1cmUgdGhhdCBpdCBkb2Vzbid0IGdpdmUgdXAg
aW5mb3JtYXRpb24gdGhhdA0KdGhlIHNlcnZlciB3b3VsZCBub3JtYWxseSBkZW55IHRvIGEgcGFy
dGljdWxhciB1c2VyLg0KDQo+IE92ZXJsYXlmcyB0cmllcyB0byBtYWtlIHN1cmUgdGhhdCBhbGwg
eGF0dHIgZnJvbSBhbiB1bmRlcmx5aW5nDQo+IGZpbGVzeXN0ZW0gaXMgY29tcGF0aWJsZSB3aXRo
IHRoZSBvbmUgYmVpbmcgY29waWVkIHRvLiBuZnM0X2FjbCBpcw0KPiBub3QNCj4gY29tcGF0aWJs
ZSB3aXRoIGEgbG9jYWwgZmlsZXN5c3RlbSBpdCByZWplY3RzIHRoZSBjb3B5X3VwIGFzDQo+IEVP
UE5PVFNVUFAuDQo+IA0KPiBGcm9tIHRoZSBuZnNkIGNvZGUgKG5mc2RfZ2V0X25mczRfYWNsKSwg
aW4gKm1vc3QqIGNhc2VzIG5mczRfYWNsIGlzDQo+IGp1c3QNCj4gYSByZXByZXNlbnRhdGlvbiBv
ZiBpX21vZGUgYW5kIGRvZXMgbm90IHJlcXVpcmUgYSBzcGVjaWFsIEFDTC4gDQoNCklmIHlvdXIg
c2VydmVyIGlzIGEga25mc2QgYmFzZWQgTGludXggc2VydmVyLCB0aGVuIG1heWJlLiBJZiBpdCdz
DQphbnl0aGluZyBlbHNlLCB0aGVuIHRoZSBhYm92ZSBzdGF0ZW1lbnQgaXMgZGVhZCB3cm9uZy4g
RWl0aGVyIHdheSwNCnlvdSdkIGJlIG9wZW5pbmcgYSBsYXJnZSBjYW4gb2Ygc2VjdXJpdHkgd29y
bXMgYnkgbWFraW5nIHRob3NlDQphc3N1bXB0aW9ucy4NCg0KPiBIb3dldmVyLA0KPiBqdXN0IGJl
Y2F1c2UgdGhlcmUgaXMgYSBuZnM0X2FjbCwgYSBjb3B5X3VwIGRvZXMgbm90IGhhcHBlbiBpbiB0
aGUNCj4gY2xpZW50Lg0KDQpXaGljaCB3b3VsZCBhcHBlYXIgdG8gYmUgdGhlIG1vcmUgc2VjdXJl
IGJlaGF2aW91ciBpZiB5b3UgYXJlIHVuYWJsZSB0bw0KZW5mb3JjZSB0aGUgZXhhY3Qgc2FtZSBz
ZWN1cml0eSBzZW1hbnRpY3MgYXMgdGhlIHNlcnZlci4NCg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QN
CkxpbnV4IE5GUyBjbGllbnQgbWFpbnRhaW5lciwgSGFtbWVyc3BhY2UNCnRyb25kLm15a2xlYnVz
dEBoYW1tZXJzcGFjZS5jb20NCg0K
next prev parent reply other threads:[~2018-05-30 3:02 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 20:32 nfs4_acl restricts copy_up in overlayfs Goldwyn Rodrigues
2018-05-29 21:37 ` Trond Myklebust
2018-05-29 21:37 ` Trond Myklebust
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 3:01 ` Trond Myklebust [this message]
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 10:33 ` Goldwyn Rodrigues
2018-05-31 0:45 ` J. Bruce Fields
2018-05-31 10:00 ` Miklos Szeredi
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:55 ` Miklos Szeredi
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:30 ` Miklos Szeredi
2018-05-31 14:06 ` bfields
2018-05-31 14:26 ` Miklos Szeredi
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 21:56 ` Goldwyn Rodrigues
2018-05-31 21:53 ` Goldwyn Rodrigues
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 11:40 ` Goldwyn Rodrigues
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:32 ` Miklos Szeredi
2018-06-01 13:50 ` bfields
2018-06-01 14:00 ` Miklos Szeredi
2018-06-01 14:26 ` bfields
2018-06-01 14:43 ` Miklos Szeredi
2018-06-01 16:08 ` bfields
2018-06-01 17:02 ` Miklos Szeredi
2018-06-01 17:43 ` bfields
2018-06-01 19:14 ` Miklos Szeredi
2018-06-02 0:50 ` bfields
2018-06-07 11:50 ` Miklos Szeredi
2018-05-31 18:57 ` J. R. Okajima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75266c983a03f6dbfd5d1a39c94fa6d56a1a8a22.camel@hammerspace.com \
--to=trondmy@hammerspace.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=rgoldwyn@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.