From: Miklos Szeredi <miklos@szeredi.hu>
To: "bfields@fieldses.org" <bfields@fieldses.org>
Cc: Trond Myklebust <trondmy@hammerspace.com>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>,
"agruenba@redhat.com" <agruenba@redhat.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Thu, 7 Jun 2018 13:50:09 +0200 [thread overview]
Message-ID: <CAJfpegtt8jZ0j_3gwSSUUc6bC7NF6s6qtFEJELztsevLdWROZQ@mail.gmail.com> (raw)
In-Reply-To: <20180602005040.GH10666@fieldses.org>
On Sat, Jun 2, 2018 at 2:50 AM, bfields@fieldses.org
<bfields@fieldses.org> wrote:
> On Fri, Jun 01, 2018 at 09:14:38PM +0200, Miklos Szeredi wrote:
>> On Fri, Jun 1, 2018 at 7:43 PM, bfields@fieldses.org
>> <bfields@fieldses.org> wrote:
>> > On Fri, Jun 01, 2018 at 07:02:20PM +0200, Miklos Szeredi wrote:
>> >> On Fri, Jun 1, 2018 at 6:08 PM, bfields@fieldses.org
>> >> <bfields@fieldses.org> wrote:
>> >> > On Fri, Jun 01, 2018 at 04:43:51PM +0200, Miklos Szeredi wrote:
>> >> >> Look at ovl_permission(), I think it pretty clearly describes this model.
>> >> >
>> >> > Thanks! Uh, so generic_permission is the thing that just does the usual
>> >> > mode/acl checks on the in-core inode, and inode_permission is the one
>> >> > that also calls into the filesystem?
>> >>
>> >> Right.
>> >>
>> >> > But I'm still a little confused--if I'm reading right, "realinode" is
>> >> > the lower inode before copyup, and the upper inode after, so can't
>> >> > inode_permission(realinode, mask) return different results before and
>> >> > after copyup?
>> >>
>> >> Theoretically, yes. Not in any sane setup, though.
>> >
>> > If root squashing is enabled and you mount as root, then it will change.
>> >
>> > That's not an unlikely case, it's pretty much the default.
>>
>> Let's see: root squashing will change root creds to nobody's creds, right?
>>
>> That results in a weird situation, where user foo is trying to access
>> a file owned by foo, but which doesn't have read permission for
>> "other" will not be able to perform a read on that file. In fact, no
>> user will be able to read that file, including root. Copying up the
>> file will also fail, since that requires read permission.
>>
>> So for that case it's not true that permission will change, since
>> copy-up won't be possible.
>
> Fair enough. That's still pretty weird behavior.
>
> Arguably if you're going to do something different here then maybe it's
> good for the difference to manifest in a way that's really obvious in
> common cases, so people don't just overlook it.
>
>> That leaves the case where no read or write permissions are involved,
>> which is execute. I think we should just mask that out from the
>> inode_permission() check. Makes no sense to ask underlying filesystem
>> about execute permission.
>
> I suppose so.
>
>> With that we'll have consistent permissions before and after copy-up.
>> Right?
>
> Hm. If inode_permission(realinode, mask) changes across copy-up:
>
> - if the difference is in execute, you're telling me we'll
> ignore that.
> - if it changes from denying to allowing read, you don't care
> since that will prevent the copy up in the first place.
> - if it changes from denying to allowing write, that has no
> effect since you only care about read permission for copyup in
> the case someone requests write permission. (Hm, the special
> file case should be weird. I guess those just don't get
> copied up? Still I think people will be surprised by
> permission failures here.)
Special file can get copied up on metadata change. We shoudln't ask
server at all for permissions in this case. That would be consistent
with the "cp -a" model.
> - if it changes from allowing read or write to denying--then
> we're no longer talking about root, assuming the permission
> check on the copied-up inode wouldn't fail for root. We don't
> currently allow non-root to mount NFS, but there are people
> that would like to see that change.
The "cp -a" model should work even for userns unprivileged mounts. We
do assume a certain sanity with setups: I'm sure someone could come up
with a setup (e.g. with selinux) where weirdness happens after
copy-up.
Thanks,
Miklos
>
> --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-06-07 11:50 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 20:32 nfs4_acl restricts copy_up in overlayfs Goldwyn Rodrigues
2018-05-29 21:37 ` Trond Myklebust
2018-05-29 21:37 ` Trond Myklebust
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 10:33 ` Goldwyn Rodrigues
2018-05-31 0:45 ` J. Bruce Fields
2018-05-31 10:00 ` Miklos Szeredi
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:55 ` Miklos Szeredi
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:30 ` Miklos Szeredi
2018-05-31 14:06 ` bfields
2018-05-31 14:26 ` Miklos Szeredi
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 21:56 ` Goldwyn Rodrigues
2018-05-31 21:53 ` Goldwyn Rodrigues
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 11:40 ` Goldwyn Rodrigues
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:32 ` Miklos Szeredi
2018-06-01 13:50 ` bfields
2018-06-01 14:00 ` Miklos Szeredi
2018-06-01 14:26 ` bfields
2018-06-01 14:43 ` Miklos Szeredi
2018-06-01 16:08 ` bfields
2018-06-01 17:02 ` Miklos Szeredi
2018-06-01 17:43 ` bfields
2018-06-01 19:14 ` Miklos Szeredi
2018-06-02 0:50 ` bfields
2018-06-07 11:50 ` Miklos Szeredi [this message]
2018-05-31 18:57 ` J. R. Okajima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJfpegtt8jZ0j_3gwSSUUc6bC7NF6s6qtFEJELztsevLdWROZQ@mail.gmail.com \
--to=miklos@szeredi.hu \
--cc=agruenba@redhat.com \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=rgoldwyn@suse.de \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.