Re: NFS: Treat NFS4ERR_CLID_INUSE as a fatal error

Linux NFS development
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	David Noveck <david.noveck@emc.com>
Subject: Re: NFS: Treat NFS4ERR_CLID_INUSE as a fatal error
Date: Fri, 10 Aug 2012 16:39:30 -0400	[thread overview]
Message-ID: <20120810203930.GC17985@fieldses.org> (raw)
In-Reply-To: <12DB2C80-31EB-4317-B1E7-96620A8F7374@oracle.com>

On Fri, Aug 10, 2012 at 04:33:46PM -0400, Chuck Lever wrote:
> OK, I didn't notice that you were unmounting between the tests.  3.5 and before did update the boot verifier after the last mount of a server goes away, but that's also not desirable behavior.  So I guess 3.6 also has my patch which makes the NFS client use the same boot verifier until it reboots, as God and the authors of 3530 intended?

I don't know.  (Why is that the right thing to do?  Telling the server
when you're not using the client any more seems reasonable to me.)

> I think we agree that, whether the Linux server is compliant with what's currently in 3530bis or not, it's the NFS client changes in 3.6 that "introduced the regression" and should be fixed.  If you change the client to add the flavor and pseudoflavor name to the nfs_client_id4.id string, does that fix the regression satisfactorily?

I haven't tested it, but yes, that should do the job.

(Though note that's not just a revert, since previously only the flavor
(not the pseudoflavor) was factored into the clientid string.)

--b.

> 
> Maybe we should just revert those two and try again in 3.7.
> 
> > --b.
> > 
> >> 
> >>> 
> >>>>> If the intention is to ensure that a clientid can't be "hijacked" by
> >>>>> someone malicious, then you don't want to allow a krb5 setclientid to
> >>>>> blow away a clientid established with krb5i.  (If sending the
> >>>>> setclientid with krb5i indicates the client wants protection against
> >>>>> attacks which replace the body of the rpc, then a later krb5 setclientid
> >>>>> should be rejected, since it could be the product of such an attack.)
> >>>> 
> >>>> If the client wants to avoid hijacking, it should start out with krb5i, as is recommended in the Security Considerations section of 3530(bis).
> >>>> 
> >>>> The intention of 3530(bis) is that one client instance uses just one nfs_client_id4.id string.  A client that attempts to change flavors on its SETCLIENTID/RENEW operations in mid-journey, on purpose, seems a little schizophrenic.  I can't think of a good reason it should do this.
> >>> 
> >>> You don't know it's the same client any more.  The attack is:
> >>> 
> >>> 	client sends setclientid with krb5i.
> >>> 
> >>> 	client later sends some other rpc with krb5.
> >>> 
> >>> 	attacker intercepts that operation, takes the rpc header, strips
> >>> 	out the body, and replaces the body by a setclientid operation
> >>> 	destroying the client's state.
> >>> 
> >>> Since krb5 only protects the header, the server can't tell that's what's
> >>> happened.
> >> 
> >> -- 
> >> Chuck Lever
> >> chuck[dot]lever[at]oracle[dot]com
> >> 
> >> 
> >> 
> >> 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> -- 
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
> 
> 
> 
>

next prev parent reply	other threads:[~2012-08-10 20:39 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-09 18:35 NFS: Treat NFS4ERR_CLID_INUSE as a fatal error J. Bruce Fields
2012-08-09 19:06 ` Chuck Lever
2012-08-09 19:37   ` J. Bruce Fields
2012-08-09 20:38     ` J. Bruce Fields
2012-08-09 20:46       ` Chuck Lever
2012-08-09 20:52         ` Chuck Lever
2012-08-09 21:13           ` J. Bruce Fields
2012-08-09 21:29             ` Chuck Lever
2012-08-09 21:38               ` J. Bruce Fields
2012-08-10 19:38                 ` Chuck Lever
2012-08-10 20:13                   ` J. Bruce Fields
2012-08-10 20:33                     ` Chuck Lever
2012-08-10 20:39                       ` J. Bruce Fields [this message]
2012-08-10 20:53                         ` J. Bruce Fields
2012-08-10 21:22                         ` Chuck Lever
2012-08-21 18:24                           ` J. Bruce Fields
2012-08-21 18:57                             ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120810203930.GC17985@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=chuck.lever@oracle.com \
    --cc=david.noveck@emc.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox