From: "bfields@fieldses.org" <bfields@fieldses.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Trond Myklebust <trondmy@hammerspace.com>,
"agruenba@redhat.com" <agruenba@redhat.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Thu, 31 May 2018 10:06:19 -0400 [thread overview]
Message-ID: <20180531140619.GA1298@fieldses.org> (raw)
In-Reply-To: <CAJfpegsW7CwZYJf_EH80aaYotMMBDk1BjR_RA6dz8e=Y3-ox5w@mail.gmail.com>
On Thu, May 31, 2018 at 03:30:04PM +0200, Miklos Szeredi wrote:
> On Thu, May 31, 2018 at 3:10 PM, Trond Myklebust
> <trondmy@hammerspace.com> wrote:
> > On Thu, 2018-05-31 at 14:55 +0200, Miklos Szeredi wrote:
> >> On Thu, May 31, 2018 at 2:47 PM, Trond Myklebust <trondmy@hammerspace.com> wrote:
> >> > I'm still in strong disagreement with the model you are presenting
> >> > here. It is a client enforced model, which is not ever going to be
> >> > compatible with the NFS model.
> >>
> >> It's the only sane model that overlayfs can do.
> >>
> >> Think of it this way: creating an image file on NFS, formating it to
> >> ext4 and mounting it locally through the loop device is not going to
> >> be compatible with the NFS security model either. Should we care?
> >
> > Yes you should care because you are proposing that the simple act of
> > mounting through overlayfs will change who can access, read and modify
> > existing files from a NFS server.
>
> Only access/read: NFS can only be read-only layer. So it's impossible
> to actually modify a file on NFS through overlayfs.
In addition to being read-only, I assume it's also unchanging? I wonder
why you'd want to use NFS at all for this case--sharing a read-only
ext4-formatted block device would seem more straightforward.
Apologies if we've been through this before too, I've long ago paged out
any previous conversation....
> > The model for overlayfs and all unionfs should be that security is
> > enforced by the underlying filesystem _UNTIL_ the access mode is
> > modified on the top level filesystem.
>
> How?
>
> We've been through this. We can't ask an NFS server exported
> read-only about what the permission to modify the filesystem would
> have been if it were exported read-write. Sure, the protocol could be
> extended, etc, etc... But it's just not a good fit.
>
> >
> > IOW: if the user does a chmod, and that is authorised by the underlying
> > filesystem, then overlayfs is in charge of any further authorisation to
> > that file.
> > Adding richacls to that model means that you can attempt to copy the
> > ACL and allow the user to modify that instead of doing the chmod, but
> > the understanding should be that it's not the same ACL as was been
> > enforced by the server, so the copy up of the ACL should be treated as
> > a modification of the ACL (and should therefore first be subject to
> > authorisation by the server).
>
> If someone adds the interface for access checking in the NFS client
> based on server sercurity model, but without actually having to do the
> request, and it works for read-only exports (which make a LOT of sense
> for the use cases where overlayfs may be used with NFS) then we can
> use that from overlayfs. Last time Bruce looked this issue, he ran
> away screeming, IIRC.
In theory I suppose it's all possible, but I think the only practical
thing to do for now is just ignore NFSv4 ACLs.
--b.
next prev parent reply other threads:[~2018-05-31 14:06 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 20:32 nfs4_acl restricts copy_up in overlayfs Goldwyn Rodrigues
2018-05-29 21:37 ` Trond Myklebust
2018-05-29 21:37 ` Trond Myklebust
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 10:33 ` Goldwyn Rodrigues
2018-05-31 0:45 ` J. Bruce Fields
2018-05-31 10:00 ` Miklos Szeredi
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:55 ` Miklos Szeredi
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:30 ` Miklos Szeredi
2018-05-31 14:06 ` bfields [this message]
2018-05-31 14:26 ` Miklos Szeredi
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 21:56 ` Goldwyn Rodrigues
2018-05-31 21:53 ` Goldwyn Rodrigues
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 11:40 ` Goldwyn Rodrigues
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:32 ` Miklos Szeredi
2018-06-01 13:50 ` bfields
2018-06-01 14:00 ` Miklos Szeredi
2018-06-01 14:26 ` bfields
2018-06-01 14:43 ` Miklos Szeredi
2018-06-01 16:08 ` bfields
2018-06-01 17:02 ` Miklos Szeredi
2018-06-01 17:43 ` bfields
2018-06-01 19:14 ` Miklos Szeredi
2018-06-02 0:50 ` bfields
2018-06-07 11:50 ` Miklos Szeredi
2018-05-31 18:57 ` J. R. Okajima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180531140619.GA1298@fieldses.org \
--to=bfields@fieldses.org \
--cc=agruenba@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=rgoldwyn@suse.de \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.