All of lore.kernel.org
 help / color / mirror / Atom feed
From: Goldwyn Rodrigues <rgoldwyn@suse.de>
To: "bfields@fieldses.org" <bfields@fieldses.org>,
	Miklos Szeredi <miklos@szeredi.hu>
Cc: Trond Myklebust <trondmy@hammerspace.com>,
	"agruenba@redhat.com" <agruenba@redhat.com>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Thu, 31 May 2018 16:56:42 -0500	[thread overview]
Message-ID: <f48bc5a3-2787-6835-8c45-79ed2fa0edd7@suse.de> (raw)
In-Reply-To: <20180531140619.GA1298@fieldses.org>



On 05/31/2018 09:06 AM, bfields@fieldses.org wrote:
> On Thu, May 31, 2018 at 03:30:04PM +0200, Miklos Szeredi wrote:
>> On Thu, May 31, 2018 at 3:10 PM, Trond Myklebust
>> <trondmy@hammerspace.com> wrote:
>>> On Thu, 2018-05-31 at 14:55 +0200, Miklos Szeredi wrote:
>>>> On Thu, May 31, 2018 at 2:47 PM, Trond Myklebust <trondmy@hammerspace.com> wrote:
>>>
>>> IOW: if the user does a chmod, and that is authorised by the underlying
>>> filesystem, then overlayfs is in charge of any further authorisation to
>>> that file.
>>> Adding richacls to that model means that you can attempt to copy the
>>> ACL and allow the user to modify that instead of doing the chmod, but
>>> the understanding should be that it's not the same ACL as was been
>>> enforced by the server, so the copy up of the ACL should be treated as
>>> a modification of the ACL (and should therefore first be subject to
>>> authorisation by the server).
>>
>> If someone adds the interface for access checking in the NFS client
>> based on server sercurity model, but without actually having to do the
>> request, and it works for read-only exports (which make a LOT of sense
>> for the use cases where overlayfs may be used with NFS) then we can
>> use that from overlayfs.  Last time Bruce looked this issue, he ran
>> away screeming, IIRC.
> 
> In theory I suppose it's all possible, but I think the only practical
> thing to do for now is just ignore NFSv4 ACLs.
> 

Ignoring nfs4_acl will override the NFS security model where a user
which is specifically denied read access in the nfs4_acl will get read
access if another user who is allowed to read/write edits the file.

I would agree ignoring NFS4 ACLs is the best option.


-- 
Goldwyn

  parent reply	other threads:[~2018-05-31 21:56 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-29 20:32 nfs4_acl restricts copy_up in overlayfs Goldwyn Rodrigues
2018-05-29 21:37 ` Trond Myklebust
2018-05-29 21:37   ` Trond Myklebust
2018-05-30  1:08   ` Goldwyn Rodrigues
2018-05-30  1:08     ` Goldwyn Rodrigues
2018-05-30  3:01     ` Trond Myklebust
2018-05-30  3:01       ` Trond Myklebust
2018-05-30 10:33       ` Goldwyn Rodrigues
2018-05-31  0:45         ` J. Bruce Fields
2018-05-31 10:00           ` Miklos Szeredi
2018-05-31 12:47             ` Trond Myklebust
2018-05-31 12:47               ` Trond Myklebust
2018-05-31 12:55               ` Miklos Szeredi
2018-05-31 13:10                 ` Trond Myklebust
2018-05-31 13:10                   ` Trond Myklebust
2018-05-31 13:30                   ` Miklos Szeredi
2018-05-31 14:06                     ` bfields
2018-05-31 14:26                       ` Miklos Szeredi
2018-05-31 17:52                         ` Trond Myklebust
2018-05-31 17:52                           ` Trond Myklebust
2018-05-31 21:56                       ` Goldwyn Rodrigues [this message]
2018-05-31 21:53                     ` Goldwyn Rodrigues
2018-06-01  0:49                       ` Trond Myklebust
2018-06-01  0:49                         ` Trond Myklebust
2018-06-01 11:40                         ` Goldwyn Rodrigues
2018-06-01 13:16                           ` Trond Myklebust
2018-06-01 13:16                             ` Trond Myklebust
2018-06-01 13:32                             ` Miklos Szeredi
2018-06-01 13:50                               ` bfields
2018-06-01 14:00                                 ` Miklos Szeredi
2018-06-01 14:26                                   ` bfields
2018-06-01 14:43                                     ` Miklos Szeredi
2018-06-01 16:08                                       ` bfields
2018-06-01 17:02                                         ` Miklos Szeredi
2018-06-01 17:43                                           ` bfields
2018-06-01 19:14                                             ` Miklos Szeredi
2018-06-02  0:50                                               ` bfields
2018-06-07 11:50                                                 ` Miklos Szeredi
2018-05-31 18:57                   ` J. R. Okajima

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f48bc5a3-2787-6835-8c45-79ed2fa0edd7@suse.de \
    --to=rgoldwyn@suse.de \
    --cc=agruenba@redhat.com \
    --cc=bfields@fieldses.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=trondmy@hammerspace.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.