From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.de>
Cc: "Myklebust, Trond" <Trond.Myklebust@netapp.com>,
NFS <linux-nfs@vger.kernel.org>
Subject: Re: Inconsistency when mounting a directory that 'world' cannot access.
Date: Mon, 8 Oct 2012 08:19:20 -0400 [thread overview]
Message-ID: <20121008121920.GA25231@fieldses.org> (raw)
In-Reply-To: <20121008170304.37dc6ae9@notabene.brown>
On Mon, Oct 08, 2012 at 05:03:04PM +1100, NeilBrown wrote:
> On Thu, 4 Oct 2012 12:07:39 -0400 "J. Bruce Fields" <bfields@fieldses.org>
> wrote:
> > It's not the nfsd behavior that bothers me--there's nothing we can do
> > about the fact that access by filehandle can bypass directory
> > permissions.
> >
> > What bothers is that mountd will apparently allow anyone to do a lookup
> > anywhere in an exported filesystem.
>
> Not anyone - it requires a privileged source port from a known host.
> So it is only "anyone who can get 'root'".
As you know, that's not necessarily a good asumption. And if somebody's
using sec=krb5, they're explicitly saying that they don't trust that
assumption.
> > Getting all the id->name mappings for a 100-entry directory is going to
> > require a 100 serialized upcalls to idmapd (and then possibly ldap), and
> > by default it looks like the idmapd cache will go cold after 10
> > minutes.... Not hard to imagine that could be a problem.
> >
> > Running multiple idmapd process would be easy and might help? Though
> > not if the client's just giving us the getattrs one at a time.
> >
> > Or maybe the problem's somewhere else entirely, but that's a real bug if
> > we aren't giving good performance on /home.
>
> I did some experimenting..
> On both 'client' and 'server':
> for i in `seq 2000 3000`; do echo u$i:x:$i:1000::/nohome:/bin/false; done
> >> /etc/passwd
>
> On server in suitable directory
>
> for i in `seq 2000 3000`; do mkdir $i ; chown u$i $i ; done
>
> Mount that directory onto the client with NFSv3 and "time ls -l" takes a
> little under 4 seconds.
> Mount with NFSv4 and it takes about the same. However:
OK, that's interesting. I wonder what the problem is, then? I can't
think of what else would make /home different.
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2974
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2975
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2976
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2977
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2978
> drwxr-xr-x 2 u2979 root 4096 Oct 8 16:19 2979
> drwxr-xr-x 2 u2980 root 4096 Oct 8 16:19 2980
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2981
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2982
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2983
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2984
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2985
> drwxr-xr-x 2 4294967294 root 4096 Oct 8 16:19 2986
> ....
Oops.
> tcpdump shows the server is returning the write stuff, but something if going
> wrong on the client. I've tried unmounting/remounting and killing/restarting
> rpc.idmapd.
> I had some config problems previously .. is there any chance that these
> unknown entries are in a cache? Any easy way to view or flush the cache?
Not that I know of.
What client version is this, and is it using the new (nfsidmap) or old
(idmapd) idmapper?
--b.
next prev parent reply other threads:[~2012-10-08 12:19 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-18 1:23 Inconsistency when mounting a directory that 'world' cannot access NeilBrown
2012-10-01 15:43 ` J. Bruce Fields
2012-10-02 2:38 ` NeilBrown
2012-10-02 14:33 ` J. Bruce Fields
2012-10-03 3:46 ` NeilBrown
2012-10-03 15:13 ` J. Bruce Fields
2012-10-03 15:48 ` Myklebust, Trond
2012-10-03 16:27 ` J. Bruce Fields
2012-10-03 22:46 ` NeilBrown
2012-10-04 16:07 ` J. Bruce Fields
2012-10-08 6:03 ` NeilBrown
2012-10-08 11:42 ` Steve Dickson
2012-10-08 12:20 ` J. Bruce Fields
2012-10-09 0:30 ` NeilBrown
2012-10-08 12:19 ` J. Bruce Fields [this message]
2012-10-08 13:54 ` Malahal Naineni
2012-10-08 14:18 ` J. Bruce Fields
2012-10-08 15:26 ` Malahal Naineni
2012-10-09 0:33 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121008121920.GA25231@fieldses.org \
--to=bfields@fieldses.org \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.