Re: Inconsistency when mounting a directory that 'world' cannot access.

[NeilBrown <neilb@suse.de>]

[-- Attachment #1: Type: text/plain, Size: 2646 bytes --]

On Mon, 1 Oct 2012 11:43:10 -0400 "J. Bruce Fields" <bfields@fieldses.org>
wrote:

> On Tue, Sep 18, 2012 at 11:23:29AM +1000, NeilBrown wrote:
> > 
> > Suppose that on an NFS server I have a directory
> >    /foo/bar/baz
> > 
> > which I export, and that /foo/bar does not have world access.  e.g.
> > permissions are '750' and everyone who owns files in there is a member of the
> > group which owns /foo/bar.
> > 
> > Then with NFSv3 I can
> >   mount server:/foo/bar/baz  /somewhere
> > because the lookup of /foo/bar/baz happens as root on the server in mountd.
> > 
> > With NFSv4 using 'sec=sys' I can only do this if I export with
> > "no_root_squash", as the lookup happens on the client as root, and if root
> > were squashed, it wouldn't have access beyond /foo/bar.
> > 
> > But if I use NFSv4 using 'sec=krb5', the lookup happens on the client using a
> > machine credential which gets mapped to 'nobody/nogroup' (or whatever anonuid
> > and anongid are set to for the export).  So I cannot perform the mount at all.
> > 
> > This is - at best - inconsistent and can cause confusion (hey - I was
> > confused for a while there).
> > 
> > Should something be done?  Can anything be done?
> 
> I think nfsd_lookup_dentry() would need a special exception for the
> NFSEXP_V4ROOT case.

I don't think that would help in general.
If I export /foo and want to mount /foo/bar/baz, then for the last lookup at
least, NFSEXP_V4ROOT isn't set anywhere near.

An exception would need to be made for every 'nfs4_lookup_dentry', provided
it found a directory, or nothing (or a symlink...).  Possibly this could only
be done for anonymous credentials (as are used by the nfs4 mount operation).

It would be nice if we could clearly differentiate a mount-time lookup from a
regular lookup, but I don't think the protocol allows for that.

Thanks,
NeilBrown


> 
> Looks like the directory permission check is actually done in
> lookup_one_len(), so we'd need to either call something else or
> temporarily swap credentials?
> 
> --b.
> 
> > 
> > I lean towards thinking that the most restrictive behaviour is most correct
> > (though I have a customer who feels that it is too restrictive).
> > 
> > Should the NFSv4 client always use an anon credential when performing the
> > 'mount'?  Is that even possible for auth_sys?
> > Should rpc.mountd use set_fsuid before doing the path lookup to ensure that
> > everyone has access to the exported directory?
> > 
> > Or is there some way 'mount' lookups for krb5 could be treated as being
> > performed by root?
> > 
> > Any ideas?


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]