Re: [PATCH] nfsd: permit unauthenticated stat of export root

[Peter Staubach <staubach@redhat.com>]

J. Bruce Fields wrote:
> On Thu, Aug 07, 2008 at 03:39:45PM -0400, Peter Staubach wrote:
>   
>> J. Bruce Fields wrote:
>>     
>>> On Thu, Aug 07, 2008 at 02:23:40PM -0400, Peter Staubach wrote:
>>>   
>>>       
>>>> J. Bruce Fields wrote:
>>>>     
>>>>         
>>>>> From: J. Bruce Fields <bfields@citi.umich.edu>
>>>>>
>>>>> RFC 2623 section 2.3.2 permits the server to bypass gss authentication
>>>>> checks for certain operations that a client may perform when mounting.
>>>>> In the case of a client that doesn't have some form of credentials
>>>>> available to it on boot, this allows it to perform the mount unattended.
>>>>> (Presumably real file access won't be needed until a user with
>>>>> credentials logs in.)
>>>>>
>>>>> Being slightly more lenient allows lots of old clients to access
>>>>> krb5-only exports, with the only loss being a small amount of
>>>>> information leaked about the root directory of the export.
>>>>>
>>>>> This affects on v2 and v3; v4 still requires authentication for all
>>>>> access.
>>>>>
>>>>> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
>>>>> ---
>>>>>  fs/nfsd/nfs3proc.c        |    5 +++--
>>>>>  fs/nfsd/nfsfh.c           |   30 ++++++++++++++++++++----------
>>>>>  fs/nfsd/nfsproc.c         |    6 ++++--
>>>>>  fs/nfsd/vfs.c             |    4 ++--
>>>>>  include/linux/nfsd/nfsd.h |    3 ++-
>>>>>  5 files changed, 31 insertions(+), 17 deletions(-)
>>>>>
>>>>> I intend to submit this for 2.6.28
>>>>>
>>>>> diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
>>>>> index 4d617ea..1419142 100644
>>>>> --- a/fs/nfsd/nfs3proc.c
>>>>> +++ b/fs/nfsd/nfs3proc.c
>>>>> @@ -530,7 +530,7 @@ nfsd3_proc_fsstat(struct svc_rqst * rqstp, struct nfsd_fhandle    *argp,
>>>>>  	dprintk("nfsd: FSSTAT(3)   %s\n",
>>>>>  				SVCFH_fmt(&argp->fh));
>>>>>  -	nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats);
>>>>> +	nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats, 0);
>>>>>  	fh_put(&argp->fh);
>>>>>  	RETURN_STATUS(nfserr);
>>>>>  }
>>>>> @@ -558,7 +558,8 @@ nfsd3_proc_fsinfo(struct svc_rqst * rqstp, struct nfsd_fhandle    *argp,
>>>>>  	resp->f_maxfilesize = ~(u32) 0;
>>>>>  	resp->f_properties = NFS3_FSF_DEFAULT;
>>>>>  -	nfserr = fh_verify(rqstp, &argp->fh, 0, NFSD_MAY_NOP);
>>>>> +	nfserr = fh_verify(rqstp, &argp->fh, 0,
>>>>> +			NFSD_MAY_NOP | NFSD_MAY_BYPASS_GSS_ON_ROOT);
>>>>>   	/* Check special features of the file system. May request
>>>>>  	 * different read/write sizes for file systems known to have
>>>>>         
>>>>>           
>>>> I would think that you might want to have nfsd3_proc_getattr()
>>>> in this list too.  Some clients may need to generate a GETATTR
>>>> if they need the attributes for the root node.
>>>>     
>>>>         
>>> Do you know of any? rfc 2623 makes it sound like those clients are out
>>> of luck.  And testing confirms that this patch is sufficient for the
>>> linux client, at least.
>>>       
>> I believe that the Solaris client may.  I think that it may
>> use the attributes returned from the FSINFO call, if there
>> are any, to prevent the additional GETATTR, but this should
>> be tested.  It might also be interesting to test out a
>> readonly failover mount on the Solaris client to see what
>> behavior that that exhibits.
>>     
>
> OK, could be.  Volunteers to test that welcomed--for now I think I'll
> stick to the list in the RFC.

I think that RFC2623 doesn't quite completely describe the entire
situation.  I believe that Mike Eisler probably looked to see what
traffic that a client, like Solaris, generated, using some network
analysis tool such as snoop or wireshark, when mounting a file
system from a NetApp filer or a Solaris server.

These servers return post_op_attributes with the FSINFO response.
Thus, the client does not need to generate a GETATTR call in order
to retrieve the initial attributes, or more precisely, to retrieve
the file type.

The Linux NFS server does not return post_op_attributes with the
FSINFO response.  Thus, the client is forced to generate a
subsequent GETATTR call to retrieve the attributes.

A better description of the set of operations which should be
allowed and which ones are not should include a discussion on
the contents of the response to the FSINFO request.  If the
server returns attributes in the FSINFO response, then it does
not need to allow unauthenticated GETATTR requests.  If it does
not return attributes in the FSINFO response, then it must allow
unauthenticated GETATTR requests because this is required in
order to allow clients to successfully mount file systems using
strong authentication.

       ps