From: Scott Mayhew <smayhew@redhat.com>
To: linux-nfs@vger.kernel.org
Subject: NFSv3 and xprtsec policies
Date: Thu, 2 May 2024 11:54:43 -0400 [thread overview]
Message-ID: <ZjO3Qwf_G87yNXb2@aion> (raw)
Red Hat QE identified an "interesting" issue with NFSv3 and TLS, in that an
NFSv3 client can mount with "xprtsec=none" a filesystem exported with
"xprtsec=tls:mtls" (in the sense that the client gets the filehandle and adds a
mount to its mount table - it can't actually access the mount).
Here's an example using machines from the recent Bakeathon.
Mounting a server with TLS enabled:
# mount -o v4.2,sec=sys,xprtsec=tls oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# umount /mnt
Trying to mount without "xprtsec=tls" shows that the filesystem is not exported with "xprtsec=none":
# mount -o v4.2,sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
mount.nfs: Operation not permitted for oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls on /mnt
Yet a v3 mount without "xprtsec=tls" works:
# mount -o v3,sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# umount /mnt
and a mount with no explicit version and without "xprtsec=tls" falls back to
v3 and also "works":
# mount -o sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# grep ora /proc/mounts
oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt nfs
+rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=100.64.0.49,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=100.64.0.49 0 0
Even though the filesystem is mounted, the client can't do anything with it:
# ls /mnt
ls: cannot open directory '/mnt': Permission denied
When krb5 is used with NFSv3, the server returns a list of pseudoflavors in
mountres3_ok (https://datatracker.ietf.org/doc/html/rfc1813#section-5.2.1).
The client compares that list with its own list of auth flavors parsed from the
mount request and returns -EACCES if no match is found (see
nfs_verify_authflavors()).
Perhaps we should be doing something similar with xprtsec policies? Should
there be an errata to RFC 9289 and a request from IANA for assigned numbers for
pseudo-flavors corresponding to xprtsec policies?
If not, this behavior should at least be documented in the man pages.
-Scott
next reply other threads:[~2024-05-02 15:54 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-02 15:54 Scott Mayhew [this message]
2024-05-02 16:15 ` NFSv3 and xprtsec policies Chuck Lever III
2024-05-02 17:37 ` Scott Mayhew
2024-05-02 17:51 ` Chuck Lever III
2024-05-02 18:51 ` Scott Mayhew
2024-05-02 19:25 ` Jeffrey Layton
2024-05-03 18:44 ` Chuck Lever
2024-05-03 20:53 ` Scott Mayhew
2024-05-03 22:31 ` Rick Macklem
2024-05-06 16:47 ` Scott Mayhew
2024-05-06 22:41 ` Rick Macklem
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZjO3Qwf_G87yNXb2@aion \
--to=smayhew@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.