From: "J. Bruce Fields" <bfields@redhat.com>
To: Olga Kornievskaia <kolga@netapp.com>
Cc: Christoph Hellwig <hch@infradead.org>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v8 0/9] NFSD support for async COPY
Date: Tue, 17 Apr 2018 11:41:06 -0400 [thread overview]
Message-ID: <20180417154106.GG10291@parsley.fieldses.org> (raw)
In-Reply-To: <23541B87-1142-4B59-BD57-F572FB8C1C4A@netapp.com>
On Tue, Apr 17, 2018 at 11:17:03AM -0400, Olga Kornievskaia wrote:
>
>
> > On Apr 17, 2018, at 11:00 AM, J. Bruce Fields <bfields@redhat.com>
> > wrote:
> >
> > On Mon, Apr 16, 2018 at 11:52:03PM -0700, Christoph Hellwig wrote:
> >> Also even if we have a good reason to add it I absolutely want a
> >> config option for the feature - it is a lot code adding potential
> >> attack vectors, so we should not just enabled it by default.
> >
> > By the way, am I forgetting some mitigation or can a client provide
> > any address it wants as the source server to copy from?
> >
> > That opens up the server to a lot of the same risks you'd see from
> > unprivileged NFS mounts--a malicious client could copy from a server
> > under it's control that's modified to exploit bugs in the server's
> > NFS client code.
>
> There is nothing in the specification that can protects from a
> malicious user to initiate a copy. There is GSSv3 that were added to
> prevent unprivileged server from accessing information from the source
> server without the user’s knowledge. I don’t see how copy offload is
> the same as unprivileged NFS mount. What copy offload feature offers
> is ability to READ a very specific file.
I can't remember how much more protocol you need besides READ.... If
you support 4.1+ as the copy protocol then you probably also need to do
EXCHANGE_ID and CREATE_SESSION? Fair enough, I agree that you're not
exposing as much of the client code as an unprivileged mount would, but
it's still a lot of opportunities for something to go wrong.
> We do have in the pipe line GSSv3 implementation as well as the COPY
> piece that uses it. It was implemented by Andy and inherited by Anna.
> However, before we could submit that we need the copy offload to go
> in.
A malicious client can give the server credentials that a server under
its control will accept. GSSv3 lets the source server authenticate the
read requests, but I don't think it helps here.
--b.
next prev parent reply other threads:[~2018-04-17 15:41 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-13 17:01 [PATCH v8 0/9] NFSD support for async COPY Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 1/9] NFSD CB_OFFLOAD xdr Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 2/9] NFSD OFFLOAD_STATUS xdr Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 3/9] NFSD OFFLOAD_CANCEL xdr Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 4/9] NFSD xdr callback stateid in async COPY reply Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 5/9] NFSD introduce async copy feature Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 6/9] NFSD create new stateid for async copy Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 7/9] NFSD handle OFFLOAD_CANCEL op Olga Kornievskaia
2018-04-17 18:06 ` Anna Schumaker
2018-04-17 18:08 ` Olga Kornievskaia
2018-04-17 18:10 ` Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 8/9] NFSD support OFFLOAD_STATUS Olga Kornievskaia
2018-04-13 17:01 ` [PATCH v8 9/9] NFSD stop ongoing async copies on client shutdown Olga Kornievskaia
2018-04-14 7:22 ` [PATCH v8 0/9] NFSD support for async COPY Christoph Hellwig
2018-04-14 12:32 ` Olga Kornievskaia
2018-04-18 7:05 ` Christoph Hellwig
2018-04-16 21:45 ` J. Bruce Fields
2018-04-17 6:52 ` Christoph Hellwig
2018-04-17 13:22 ` Olga Kornievskaia
2018-04-17 13:41 ` J. Bruce Fields
2018-04-17 13:45 ` Olga Kornievskaia
[not found] ` <FE7DF381-A335-4827-94AB-1DEBF5FCEB05@netapp.com>
2018-04-17 13:57 ` J. Bruce Fields
2018-04-17 14:04 ` J. Bruce Fields
2018-04-17 14:08 ` Olga Kornievskaia
2018-04-17 14:13 ` Olga Kornievskaia
2018-04-17 14:50 ` Anna Schumaker
2018-04-17 14:41 ` Steve Dickson
[not found] ` <1E0C45FE-2214-41FB-8634-1005CC13AD9E@netapp.com>
2018-04-18 7:08 ` Christoph Hellwig
2018-04-24 20:29 ` Olga Kornievskaia
2018-04-27 16:03 ` J. Bruce Fields
2018-04-27 23:11 ` Olga Kornievskaia
2018-05-22 21:05 ` Olga Kornievskaia
2018-05-22 22:01 ` J. Bruce Fields
2018-04-17 13:42 ` J. Bruce Fields
2018-04-17 15:00 ` J. Bruce Fields
2018-04-17 15:17 ` Olga Kornievskaia
2018-04-17 15:41 ` J. Bruce Fields [this message]
2018-04-17 15:58 ` J. Bruce Fields
2018-04-17 17:41 ` J. Bruce Fields
2018-04-17 16:15 ` Olga Kornievskaia
2018-04-17 17:39 ` J. Bruce Fields
2018-04-18 7:07 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180417154106.GG10291@parsley.fieldses.org \
--to=bfields@redhat.com \
--cc=hch@infradead.org \
--cc=kolga@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).