linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Miklos Szeredi <miklos@szeredi.hu>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Andy Whitcroft <apw@canonical.com>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] issues with NFS filesystems as lower layer
Date: Wed, 12 Sep 2012 17:20:17 +0200	[thread overview]
Message-ID: <87ehm7xo7i.fsf@tucsk.pomaz.szeredi.hu> (raw)
In-Reply-To: <20120911214450.GB28418@fieldses.org> (J. Bruce Fields's message of "Tue, 11 Sep 2012 17:44:50 -0400")

"J. Bruce Fields" <bfields@fieldses.org> writes:

> On Tue, Sep 11, 2012 at 10:56:52PM +0200, Miklos Szeredi wrote:
>> "J. Bruce Fields" <bfields@fieldses.org> writes:
>> 
>> >> > Secondly when using an NFSv3 R/O lower layer the filesystem permissions
>> >> > check refuses permission to write to the inode which prevents us from
>> >> > copying it up even though we have a writable upper layer.  (With an ext4
>> >> > lower layer the inode check will succeed if the inode  is writable even
>> >> > if the filesystem is not.)  It is not clear what the right solution is
>> >> > here.  One approach is to check the inode permissions only (avoiding the
>> >> > filesystem specific permissions op), but it is not clear we can rely on
>> >> > these for all underlying filesystems.  Perhaps this check should only be
>> >> > used for NFS.
>> >
>> > Then couldn't you for example end up circumventing ACLs on the
>> > underlying file to access data cached by reads from another user on the
>> > same system?
>> 
>> Ignoring ACL's should always give less access, isn't that right?
>
> Not necessarily.
>
> (It's up to the server--and if anything servers probably want to err on
> the side of returning mode bits that are an upper, not a lower, bound on
> the permissions.)

Okay, I looked at the POSIX ACL access check algorithm and now
understand things better.

Now i think that enforcing ACL's on the overlay is not possible if ACL's
are not copied up together with the data.

This is because during the copy-up the server checks for access, but it
checks access for only a single user/group pair.  Subsequent access
checks on the copied-up object by any other user/group may not reflect
the original ACL's on the lower filesystem.

So assuming that we can't copy up NFS ACL's, it is possible to
circumvent those ACL's by triggering a copy-up.  Of course this type of
"attack" is limited by the fact that copy-up is only triggerable by a
write type operation.

I'm not sure...  I believe that we should say that NFS ACL's on the
lower layer and overlayfs simply don't mix.  In that case current
behavior of erroring out seems to be the correct one.

Andy, I'm wondering: what is your use case for NFS with ACL's?

Because overlayfs can't completely ignore ACL's on the lower filesystem,
but it can't enforce them properly either.  So it's a rather weird
situation.


>
>> > Is it possible to arrange that the check for a readonly filesystem be
>> > done only by the vfs and not also by ->permission?
>> 
>> You'd need to modify NFS servers for that to work, no?  It's possible
>> but not practical.
>
> Oh, OK, I guess I assumed you were dealing with an NFS filesystem that
> had been mounted readonly on the NFS client.
>
> If it's a read-write mount of a filesystem that's read-only on the
> server side: well, there is at least an error for that case: the server
> should return NFSERR_ROFS, and you should see EROFS--could you do the
> copy-up only in the case you get that error?

If the server returns EROFS then all you know is that the filesystem is
read-only.  But that's not what we are interested in.  We are interested
in whether the access would be allowed *if* the filesystem *wasn't*
read-only.  The server doesn't tell us that.

Thanks,
Miklos

  reply	other threads:[~2012-09-12 15:18 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-06 15:56 [RFC PATCH 0/2] issues with NFS filesystems as lower layer Andy Whitcroft
2012-09-06 15:56 ` [RFC PATCH 1/2] ovl: ovl_copy_up_xattr may fail when the upper filesystem does not support the same xattrs Andy Whitcroft
2012-09-06 15:56 ` [PATCH 2/2] overlayfs: when the underlying filesystem is read-only use inode permissions Andy Whitcroft
2012-09-07  6:35 ` [RFC PATCH 0/2] issues with NFS filesystems as lower layer Miklos Szeredi
2012-09-07 19:38   ` J. Bruce Fields
2012-09-11 20:56     ` Miklos Szeredi
2012-09-11 21:44       ` J. Bruce Fields
2012-09-12 15:20         ` Miklos Szeredi [this message]
2012-09-12 16:07           ` J. Bruce Fields

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ehm7xo7i.fsf@tucsk.pomaz.szeredi.hu \
    --to=miklos@szeredi.hu \
    --cc=apw@canonical.com \
    --cc=bfields@fieldses.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).