* NLM GRANT callback using AUTH_NULL is rejected
@ 2005-11-17 15:38 Lever, Charles
2005-11-17 16:05 ` J. Bruce Fields
2005-11-17 16:05 ` Olaf Kirch
0 siblings, 2 replies; 7+ messages in thread
From: Lever, Charles @ 2005-11-17 15:38 UTC (permalink / raw)
To: neilb; +Cc: Olaf Kirch, nfs
hi neil-
it looks like you have the most expertise in this area, so you are the
lucky victim today.
our filer sends NLM GRANTED callbacks back to clients using AUTH_NULL
authentication. Linux clients always seem to reject these callbacks.
parsing through fs/lockd and net/sunrpc, i see a comment that indicates
that AUTH_NULL RPC requests are subject to IP access control (a la
/etc/exports). theoretically, if lockd doesn't register the filer in
the ip_map cache, then all the filer's callbacks will be rejected,
right?
- Chuck Lever
--
corporate: <cel at netapp dot com>
personal: <chucklever at bigfoot dot com>
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
* Re: NLM GRANT callback using AUTH_NULL is rejected
2005-11-17 15:38 NLM GRANT callback using AUTH_NULL is rejected Lever, Charles
@ 2005-11-17 16:05 ` J. Bruce Fields
2005-11-17 16:05 ` Olaf Kirch
1 sibling, 0 replies; 7+ messages in thread
From: J. Bruce Fields @ 2005-11-17 16:05 UTC (permalink / raw)
To: Lever, Charles; +Cc: neilb, Olaf Kirch, nfs
On Thu, Nov 17, 2005 at 07:38:22AM -0800, Lever, Charles wrote:
> our filer sends NLM GRANTED callbacks back to clients using AUTH_NULL
> authentication. Linux clients always seem to reject these callbacks.
>
> parsing through fs/lockd and net/sunrpc, i see a comment that indicates
> that AUTH_NULL RPC requests are subject to IP access control (a la
> /etc/exports). theoretically, if lockd doesn't register the filer in
> the ip_map cache, then all the filer's callbacks will be rejected,
> right?
See
http://marc.theaimsgroup.com/?l=linux-nfs&m=110608174305835&w=2
and following messages. These appear to have gone into 2.6 in early
March sometime, so I assume that was about 2.6.12?
--b.
* Re: NLM GRANT callback using AUTH_NULL is rejected
2005-11-17 15:38 NLM GRANT callback using AUTH_NULL is rejected Lever, Charles
2005-11-17 16:05 ` J. Bruce Fields
@ 2005-11-17 16:05 ` Olaf Kirch
1 sibling, 0 replies; 7+ messages in thread
From: Olaf Kirch @ 2005-11-17 16:05 UTC (permalink / raw)
To: Lever, Charles; +Cc: neilb, nfs
On Thu, Nov 17, 2005 at 07:38:22AM -0800, Lever, Charles wrote:
> our filer sends NLM GRANTED callbacks back to clients using AUTH_NULL
> authentication. Linux clients always seem to reject these callbacks.
Isn't this what the pg_authenticate hooks were added for?
At least 2.6.14 has lockd_authenticate which will accept any
type of authentication for callbacks.
I think in SLES9 we have an earlier version of this patch which
does this. What client are you testing against?
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@suse.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
* RE: NLM GRANT callback using AUTH_NULL is rejected
@ 2005-11-17 16:20 Lever, Charles
2005-11-17 16:27 ` J. Bruce Fields
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Lever, Charles @ 2005-11-17 16:20 UTC (permalink / raw)
To: J. Bruce Fields; +Cc: neilb, Olaf Kirch, nfs
> On Thu, Nov 17, 2005 at 07:38:22AM -0800, Lever, Charles wrote:
> > our filer sends NLM GRANTED callbacks back to clients using AUTH_NULL
> > authentication. Linux clients always seem to reject these callbacks.
> >
> > parsing through fs/lockd and net/sunrpc, i see a comment that indicates
> > that AUTH_NULL RPC requests are subject to IP access control (a la
> > /etc/exports). theoretically, if lockd doesn't register the filer in
> > the ip_map cache, then all the filer's callbacks will be rejected,
> > right?
>
> See
>
> http://marc.theaimsgroup.com/?l=linux-nfs&m=110608174305835&w=2
>
> and following messages. These appear to have gone into 2.6 in early
> March sometime, so I assume that was about 2.6.12?
thanks bruce.
ok, these appear not to be in RHEL 4 update 2, which is what our
internal test happens to be using at the moment. i would assume that an
FC4 system running the latest update would already have this series of
patches integrated...?
was it the judgement of the community that no IP address checking for
AUTH_NULL callbacks is better than having at least *some* sanity
checking? seems reasonable to me to register the IP address of the file
server so that not just any joe IP address can grant locks.
(limitations of authentication via IP address notwithstanding).
obtw, did you happen to have a test to see if GRANTED callbacks were
being accepted after your patch is applied? that will save me the
trouble of working up a test myself.
* Re: NLM GRANT callback using AUTH_NULL is rejected
2005-11-17 16:20 Lever, Charles
@ 2005-11-17 16:27 ` J. Bruce Fields
2005-11-17 16:56 ` Trond Myklebust
2005-11-17 19:11 ` Steve Dickson
2 siblings, 0 replies; 7+ messages in thread
From: J. Bruce Fields @ 2005-11-17 16:27 UTC (permalink / raw)
To: Lever, Charles; +Cc: neilb, Olaf Kirch, nfs
On Thu, Nov 17, 2005 at 08:20:48AM -0800, Lever, Charles wrote:
> was it the judgement of the community that no IP address checking for
> AUTH_NULL callbacks is better than having at least *some* sanity
> checking? seems reasonable to me to register the IP address of the file
> server so that not just any joe IP address can grant locks.
My memory of the details is hazy now, but I seem to recall that lockd
does check that somewhere.
> obtw, did you happen to have a test to see if GRANTED callbacks were
> being accepted after your patch is applied? that will save me the
> trouble of working up a test myself.
All I did was run the following on two different machines, and verify
that one got the lock the instant I ^C'd the other.
--b.
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/select.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <err.h>

int main(int argc, char *argv[])
{
	struct flock fl;
	int fd, ret;

	if (argc != 2)
		errx(1, "usage: %s file_to_lock", argv[0]);
	fd = open(argv[1], O_RDWR|O_CREAT, 0666);
	if (fd == -1)
		err(1, "open");
	/* Exclusive lock on whole file: */
	fl.l_type = F_WRLCK;
	fl.l_whence = SEEK_SET;
	fl.l_start = 0;
	fl.l_len = 0;
	/* Blocking request: on NFS the second instance waits for the
	 * server's GRANTED callback before fcntl() returns. */
	ret = fcntl(fd, F_SETLKW, &fl);
	if (ret == -1)
		err(1, "fcntl(fd, F_SETLKW, &fl)");
	printf("got lock; waiting\n");
	/* Hold the lock until interrupted (^C). */
	select(0, NULL, NULL, NULL, NULL);
	exit(0);
}
* RE: NLM GRANT callback using AUTH_NULL is rejected
2005-11-17 16:20 Lever, Charles
2005-11-17 16:27 ` J. Bruce Fields
@ 2005-11-17 16:56 ` Trond Myklebust
2005-11-17 19:11 ` Steve Dickson
2 siblings, 0 replies; 7+ messages in thread
From: Trond Myklebust @ 2005-11-17 16:56 UTC (permalink / raw)
To: Lever, Charles; +Cc: J. Bruce Fields, neilb, Olaf Kirch, nfs
On Thu, 2005-11-17 at 08:20 -0800, Lever, Charles wrote:
> was it the judgement of the community that no IP address checking for
> AUTH_NULL callbacks is better than having at least *some* sanity
> checking? seems reasonable to me to register the IP address of the file
> server so that not just any joe IP address can grant locks.
> (limitations of authentication via IP address notwithstanding).
nlmsvc_grant_callback() checks that both the IP address and the cookie
match a request that was sent by the client.
Cheers,
Trond
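The check described in this reply, where a GRANTED callback is honoured only if both its source address and its cookie match a request the client itself sent, modelled in user space as an added example; it is not part of the original thread and not code from fs/lockd. The table layout, `pending_add`, `grant_callback_ok`, the 32-byte cookie bound and the sample addresses and cookie are all assumptions.

```c
#include <stdint.h>
#include <string.h>
#define COOKIE_MAX  32	/* assumed bound for this model */
#define MAX_PENDING 8
/* Added illustration, not fs/lockd code: blocked lock requests awaiting GRANTED. */
static struct pending_lock {
	uint32_t server_addr;	/* IPv4 address the request was sent to */
	uint8_t  cookie[COOKIE_MAX];
	size_t   cookie_len;	/* 0 marks a free slot */
} pending[MAX_PENDING];

/* Record a blocked request; 0 on success, -1 on bad length or full table. */
int pending_add(uint32_t server_addr, const uint8_t *cookie, size_t len)
{
	if (len == 0 || len > COOKIE_MAX)
		return -1;
	for (int i = 0; i < MAX_PENDING; i++) {
		struct pending_lock *p = &pending[i];
		if (p->cookie_len != 0)
			continue;
		p->server_addr = server_addr;
		p->cookie_len = len;
		memcpy(p->cookie, cookie, len);
		return 0;
	}
	return -1;
}

/* 1 if source address AND cookie match a pending request (consumed), else 0. */
int grant_callback_ok(uint32_t src_addr, const uint8_t *cookie, size_t len)
{
	for (int i = 0; i < MAX_PENDING; i++) {
		struct pending_lock *p = &pending[i];
		if (p->cookie_len == 0 || p->cookie_len != len ||
		    p->server_addr != src_addr || memcmp(p->cookie, cookie, len) != 0)
			continue;
		p->cookie_len = 0;	/* a replayed callback finds nothing to match */
		return 1;
	}
	return 0;
}

int main(void)
{
	const uint8_t ck[] = { 0xde, 0xad, 0xbe, 0xef };	/* constructed cookie */
	pending_add(0xC0000201u, ck, sizeof ck);		/* sent to 192.0.2.1 */
	int spoofed = grant_callback_ok(0xC0000263u, ck, sizeof ck);	/* 192.0.2.99 */
	int genuine = grant_callback_ok(0xC0000201u, ck, sizeof ck);
	return !(spoofed == 0 && genuine == 1);
}
```

Because acceptance depends on a request the client actually has outstanding, the RPC credential flavor on the callback does not enter into this decision.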
* Re: NLM GRANT callback using AUTH_NULL is rejected
2005-11-17 16:20 Lever, Charles
2005-11-17 16:27 ` J. Bruce Fields
2005-11-17 16:56 ` Trond Myklebust
@ 2005-11-17 19:11 ` Steve Dickson
2 siblings, 0 replies; 7+ messages in thread
From: Steve Dickson @ 2005-11-17 19:11 UTC (permalink / raw)
To: nfs
Lever, Charles wrote:
> ok, these appear not to be in RHEL 4 update 2, which is what our
> internal test happens to be using at the moment.
I beg to differ my friend... They seem to be in the
2.6.9-22 kernel I'm looking at...
steved.