From: "bfields@fieldses.org" <bfields@fieldses.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Trond Myklebust <trondmy@hammerspace.com>,
"agruenba@redhat.com" <agruenba@redhat.com>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"rgoldwyn@suse.de" <rgoldwyn@suse.de>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>
Subject: Re: nfs4_acl restricts copy_up in overlayfs
Date: Thu, 31 May 2018 10:06:19 -0400 [thread overview]
Message-ID: <20180531140619.GA1298@fieldses.org> (raw)
In-Reply-To: <CAJfpegsW7CwZYJf_EH80aaYotMMBDk1BjR_RA6dz8e=Y3-ox5w@mail.gmail.com>
On Thu, May 31, 2018 at 03:30:04PM +0200, Miklos Szeredi wrote:
> On Thu, May 31, 2018 at 3:10 PM, Trond Myklebust
> <trondmy@hammerspace.com> wrote:
> > On Thu, 2018-05-31 at 14:55 +0200, Miklos Szeredi wrote:
> >> On Thu, May 31, 2018 at 2:47 PM, Trond Myklebust <trondmy@hammerspace.com> wrote:
> >> > I'm still in strong disagreement with the model you are presenting
> >> > here. It is a client enforced model, which is not ever going to be
> >> > compatible with the NFS model.
> >>
> >> It's the only sane model that overlayfs can do.
> >>
> >> Think of it this way: creating an image file on NFS, formating it to
> >> ext4 and mounting it locally through the loop device is not going to
> >> be compatible with the NFS security model either. Should we care?
> >
> > Yes you should care because you are proposing that the simple act of
> > mounting through overlayfs will change who can access, read and modify
> > existing files from a NFS server.
>
> Only access/read: NFS can only be read-only layer. So it's impossible
> to actually modify a file on NFS through overlayfs.
In addition to being read-only, I assume it's also unchanging? I wonder
why you'd want to use NFS at all for this case--sharing a read-only
ext4-formatted block device would seem more straightforward.
Apologies if we've been through this before too, I've long ago paged out
any previous conversation....
> > The model for overlayfs and all unionfs should be that security is
> > enforced by the underlying filesystem _UNTIL_ the access mode is
> > modified on the top level filesystem.
>
> How?
>
> We've been through this. We can't ask an NFS server exported
> read-only about what the permission to modify the filesystem would
> have been if it were exported read-write. Sure, the protocol could be
> extended, etc, etc... But it's just not a good fit.
>
> >
> > IOW: if the user does a chmod, and that is authorised by the underlying
> > filesystem, then overlayfs is in charge of any further authorisation to
> > that file.
> > Adding richacls to that model means that you can attempt to copy the
> > ACL and allow the user to modify that instead of doing the chmod, but
> > the understanding should be that it's not the same ACL as was been
> > enforced by the server, so the copy up of the ACL should be treated as
> > a modification of the ACL (and should therefore first be subject to
> > authorisation by the server).
>
> If someone adds the interface for access checking in the NFS client
> based on server sercurity model, but without actually having to do the
> request, and it works for read-only exports (which make a LOT of sense
> for the use cases where overlayfs may be used with NFS) then we can
> use that from overlayfs. Last time Bruce looked this issue, he ran
> away screeming, IIRC.
In theory I suppose it's all possible, but I think the only practical
thing to do for now is just ignore NFSv4 ACLs.
--b.
next prev parent reply other threads:[~2018-05-31 14:06 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 20:32 nfs4_acl restricts copy_up in overlayfs Goldwyn Rodrigues
2018-05-29 21:37 ` Trond Myklebust
2018-05-30 1:08 ` Goldwyn Rodrigues
2018-05-30 3:01 ` Trond Myklebust
2018-05-30 10:33 ` Goldwyn Rodrigues
2018-05-31 0:45 ` J. Bruce Fields
2018-05-31 10:00 ` Miklos Szeredi
2018-05-31 12:47 ` Trond Myklebust
2018-05-31 12:55 ` Miklos Szeredi
2018-05-31 13:10 ` Trond Myklebust
2018-05-31 13:30 ` Miklos Szeredi
2018-05-31 14:06 ` bfields [this message]
2018-05-31 14:26 ` Miklos Szeredi
2018-05-31 17:52 ` Trond Myklebust
2018-05-31 21:56 ` Goldwyn Rodrigues
2018-05-31 21:53 ` Goldwyn Rodrigues
2018-06-01 0:49 ` Trond Myklebust
2018-06-01 11:40 ` Goldwyn Rodrigues
2018-06-01 13:16 ` Trond Myklebust
2018-06-01 13:32 ` Miklos Szeredi
2018-06-01 13:50 ` bfields
2018-06-01 14:00 ` Miklos Szeredi
2018-06-01 14:26 ` bfields
2018-06-01 14:43 ` Miklos Szeredi
2018-06-01 16:08 ` bfields
2018-06-01 17:02 ` Miklos Szeredi
2018-06-01 17:43 ` bfields
2018-06-01 19:14 ` Miklos Szeredi
2018-06-02 0:50 ` bfields
2018-06-07 11:50 ` Miklos Szeredi
2018-05-31 18:57 ` J. R. Okajima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180531140619.GA1298@fieldses.org \
--to=bfields@fieldses.org \
--cc=agruenba@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=rgoldwyn@suse.de \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox