From: "J. Bruce Fields" <bfields@fieldses.org>
To: Neil Brown <neilb@suse.de>
Cc: Christoph Hellwig <hch@lst.de>,
Frank van Maarseveen <frankvm@frankvm.com>,
Linux NFS mailing list <linux-nfs@vger.kernel.org>
Subject: Re: reconnect_path() breaks NFS server causing occasional EACCES
Date: Tue, 29 Apr 2008 12:35:54 -0400 [thread overview]
Message-ID: <20080429163554.GE20420@fieldses.org> (raw)
In-Reply-To: <18454.45086.254692.412079-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
On Tue, Apr 29, 2008 at 03:20:30PM +1000, Neil Brown wrote:
> On Wednesday April 9, hch@lst.de wrote:
> > On Mon, Apr 07, 2008 at 02:43:46PM -0400, J. Bruce Fields wrote:
> > > Anyone who depends on the "x" bit to control access to objects in an
> > > nfs-exported filesystem is already in trouble. We could do so for
> > > directories (at the expense of non-posix-like behavior such as what
> > > you've seen), but we probably can't for files. So I'm inclined to think
> > > this is the right thing to do.
> > >
> > > The "DON'T USE THIS FUNCTION EVER, thanks." suggests we should at least
> > > consult the person who added that comment (cc'd) before adding a call to
> > > lookup_one_noperm(). (And if we decide to do this, we should make a
> > > note of this in that comment.)
> >
> > That function really shouldn't be used and we should obey the x bit.
> > And yes, due to NFSs staleless file handles this will lead to non-posix
> > behaviour which is expected. The same will happen with other nfs
> > servers aswell.
>
> For the record, I disagree. I think it is perfectly appropriate to
> use this function. I think that obeying the 'x' bit is wrong.
>
> Why?
>
> What we are doing here is reconstructing the dcache to correctly
> reflect the filesystem. The reason that we need to do this (rather
> than just leaving the dentry disconnected as we sometimes do with
> files) is so that lock_rename can find valid d_parent pointers and can
> guard against certain directory rename races that might create
> disconnected loops.
>
> i.e. the look_one_* is not being done on behalf of the owner of the
> file, or of the group-owner of the file, or of anyone else. It is
> being done on behalf of the filesystem to ensure future filesystem
> consistency.
> So none of the 'x' bits (owner, group-owner, world) is appropriate to
> validate this lookup.
Just to make sure I understand--you're not claiming that there's an
actual threat of corrupting the on-disk filesystem or in-core data
structures, right?
I understand the "this isn't being done as any particular user"
argument.
It also seems to me that the actual security value of these checks is
very low, given that all they're likely to do is raise the cost of a
filehandle-guessing attack slightly, without really eliminating it.
And from the point of a user the current behavior seems likely to lead
to difficult-to-analyse behavior.
So I don't understand Christoph's objection yet either.
It might also help if we could confirm or deny Christoph's assertion
about the behavior of other nfs servers. It shouldn't be hard to run
the original test case
http://marc.info/?l=linux-nfs&m=120730475719642&w=2
against another server or two.
---b.
next prev parent reply other threads:[~2008-04-29 16:35 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-04 10:24 reconnect_path() breaks NFS server causing occasional EACCES Frank van Maarseveen
2008-04-07 18:43 ` J. Bruce Fields
2008-04-07 19:55 ` Frank van Maarseveen
2008-04-09 13:36 ` Christoph Hellwig
2008-04-09 14:11 ` Frank van Maarseveen
2008-04-09 16:24 ` J. Bruce Fields
2008-04-29 5:20 ` Neil Brown
[not found] ` <18454.45086.254692.412079-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2008-04-29 16:35 ` J. Bruce Fields [this message]
2008-04-29 17:40 ` Frank van Maarseveen
2008-04-30 17:47 ` J. Bruce Fields
2008-05-02 15:16 ` [PATCH] exportfs: fix incorrect EACCES in reconnect_path() Frank van Maarseveen
2008-05-02 15:34 ` Christoph Hellwig
2008-05-02 15:56 ` J. Bruce Fields
2008-05-02 16:04 ` Trond Myklebust
[not found] ` <1209744293.8294.19.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2008-05-02 22:12 ` J. Bruce Fields
2008-05-04 23:22 ` Neil Brown
[not found] ` <18462.17737.353976.999538-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2008-05-05 17:47 ` J. Bruce Fields
2008-05-06 0:35 ` Neil Brown
[not found] ` <18463.42978.531115.344884-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2008-05-06 19:50 ` J. Bruce Fields
2008-05-08 3:03 ` Neil Brown
[not found] ` <18466.28013.258338.485948-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2008-05-09 4:34 ` J. Bruce Fields
2008-05-09 10:11 ` Frank van Maarseveen
2008-06-29 19:27 ` J. Bruce Fields
2008-05-03 8:52 ` Frank van Maarseveen
2008-04-30 23:29 ` reconnect_path() breaks NFS server causing occasional EACCES Neil Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080429163554.GE20420@fieldses.org \
--to=bfields@fieldses.org \
--cc=frankvm@frankvm.com \
--cc=hch@lst.de \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox