From: Chuck Lever <chuck.lever@oracle.com>
To: NeilBrown <neil@brown.name>
Cc: Jeff Layton <jlayton@kernel.org>,
Steve Dickson <steved@redhat.com>, Tom Haynes <loghyr@gmail.com>,
linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Thu, 15 May 2025 08:01:41 -0400 [thread overview]
Message-ID: <500d0c27-c332-41b3-803d-488b8f5ca92c@oracle.com> (raw)
In-Reply-To: <174725922736.62796.10035875212639959992@noble.neil.brown.name>
On 5/14/25 5:47 PM, NeilBrown wrote:
> On Wed, 14 May 2025, Chuck Lever wrote:
>> On 5/14/25 7:43 AM, NeilBrown wrote:
>>> On Wed, 14 May 2025, Jeff Layton wrote:
>>>> On Wed, 2025-05-14 at 12:28 +1000, NeilBrown wrote:
>>
>>>> True. Anyone relying on this "protection" is fooling themselves though.
>>>
>>> As above: in some circumstances with physically secure networks
>>> (entirely in a locked room, or entire in a virtualisation host, or a
>>> VPN) it makes perfect sense.
>>
>> On a physically secure network where all the hosts are also known to be
>> secure, source port checking is wholly superfluous. It makes no sense
>> there.
>
> No, that is the only place that it makes sense.
>
> If you have a secure network of secure machines running a secure
> configuration of secure software managed by secure administrators, then
> you can trust that a low port number comes from secure software and,
> in particular, that the UID in the AUTH_SYS credential is reliable.
>
> If you don't have that security, then you cannot trust the port number
> or the uid and should not be accepting AUTH_SYS at all.
>
> If you *Do* have that security, then we can discuss if the "secure" or
> "insecure" flag is appropriate. If you know that all processes running
> on all nodes in the network are secure, and will only do what the admins
> let them do, then there is no need for "secure" with its restrictions,
> and "insecure" is perfectly fine. However if you allow lower-privileged
> processes - maybe you have a login server, or you let people upload their
> own cgi scripts to the web server - then "secure" is important to ensure
> users only access file that their uid has access to.
>
>>
>>
>>>>>> I don't see any really motivation for this change. Could you provide it
>>>>>> please?
>>>>>
>>>>> Or to put it another way: who benefits?
>>>>>
>>>>
>>>> Anyone running NFS clients behind NAT?
>>>
>>> Maybe that should have been in the commit message?
>>
>> Agreed, the commit message should have more beef (sorry, vegetarians).
>>
>> The commit message should also mention that NFS clients frequently
>> exhaust their privileged source port range, causing new mount
>> operations to fail sporadically. This is a well-documented problem
>> and the main reason we started moving Kerberized mounts to ephemeral
>> ports.
>>
>> Generally that's a situation that is sticky for a couple of minutes
>> while TCP sockets proceed through TIME_WAIT until the source port can
>> be re-used by another connection.
>>
>>
>>>> The main discussion came about when we were testing against a
>>>> hammerspace deployment. They were using knfsd as their DS's, and had
>>>> forgotten to add "insecure" to the export options. When the (NAT'ed)
>>>> client tried to talk to the DS's, it got back NFSERR3_PERM because of
>>>> this. It took a little while to ascertain the cause.
>>>
>>> "Change default to fix configuration problem"....???
>>> The default must always be the more secure. "fail safe".
>>
>> Sure, but this option, although it's name is "secure", offers very
>> little real security. So we are actively promoting a mythological level
>> of security here, and that is a Bad Thing (tm).
>
> "very little" is not zero. "mythological" is unfair. There is real
> security is certain specific situations.
We can argue about "mythological", but it is totally fair to say that
calling this mechanism "secure", and its inverse "insecure" is an
overreach and a gross misrepresentation. It is relevant only for
AUTH_UNIX and only then when there are other active forms of security
in place.
So I think our fundamental point is that the balance has changed. These
days, in most situations, source port checking is not relevant and is
actively inconvenient for many common usage scenarios.
Before changing the default behavior of NFSD, we can survey other common
network storage protocol implementations (iSCSI, NVMe, SMB) to see if
those protocols also use this form of authorizing access.
In the meantime, do you object to moving forward with the other two
suggestions I made:
- Updating the description of the "secure" export option in exports(5)
- Adding a warning to exportfs when an export has neither "secure" or
"insecure" set and allows access via sec=sys ?
--
Chuck Lever
next prev parent reply other threads:[~2025-05-15 12:02 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35 ` Jeff Layton
2025-05-13 16:11 ` Chuck Lever
2025-06-04 17:12 ` Cedric Blancher
2025-06-04 18:20 ` Chuck Lever
2025-05-14 2:16 ` NeilBrown
2025-05-14 2:28 ` NeilBrown
2025-05-14 11:17 ` Jeff Layton
2025-05-14 11:43 ` NeilBrown
2025-05-14 12:02 ` Jeff Layton
2025-05-14 21:58 ` NeilBrown
2025-05-14 12:56 ` Chuck Lever
2025-05-14 21:47 ` NeilBrown
2025-05-15 12:01 ` Chuck Lever [this message]
2025-05-15 21:44 ` NeilBrown
2025-05-16 12:09 ` Chuck Lever
2025-05-19 6:02 ` NeilBrown
2025-05-19 11:39 ` Jeff Layton
2025-05-19 14:16 ` Chuck Lever
[not found] ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51 ` Chuck Lever
2025-05-20 1:44 ` Rick Macklem
2025-05-20 13:20 ` Chuck Lever
2025-05-25 17:29 ` Chuck Lever
2025-05-26 0:09 ` NeilBrown
2025-05-26 1:47 ` Rick Macklem
2025-05-26 1:52 ` Rick Macklem
2025-05-26 2:29 ` NeilBrown
2025-05-28 0:57 ` Rick Macklem
2025-05-27 13:28 ` Chuck Lever
2025-05-27 15:05 ` Chuck Lever
2025-05-27 15:58 ` Rick Macklem
2025-05-27 16:29 ` Rick Macklem
2025-05-27 16:58 ` Chuck Lever
2025-05-28 1:06 ` Rick Macklem
2025-05-27 19:18 ` Benjamin Coddington
2025-05-27 19:41 ` Chuck Lever
2025-05-27 20:25 ` Benjamin Coddington
2025-05-28 14:07 ` Chuck Lever
2025-05-28 1:24 ` NeilBrown
2025-05-28 2:48 ` Rick Macklem
2025-05-14 11:46 ` Chuck Lever
2025-05-14 12:28 ` Thomas Haynes
2025-05-14 21:49 ` NeilBrown
2025-05-14 2:38 ` NeilBrown
2025-05-14 11:20 ` Jeff Layton
2025-05-15 1:32 ` Christopher Bii
2025-05-21 9:06 ` Sebastian Feld
2025-05-21 12:25 ` Jeff Layton
2025-05-21 13:14 ` Chuck Lever
2025-05-21 13:43 ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45 ` Cedric Blancher
2025-06-04 19:17 ` Jeff Layton
2025-06-04 19:53 ` Steve Dickson
2025-06-05 16:48 ` Trond Myklebust
2025-06-05 18:09 ` Chuck Lever
2025-06-05 8:20 ` Cedric Blancher
2025-06-05 13:54 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=500d0c27-c332-41b3-803d-488b8f5ca92c@oracle.com \
--to=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=loghyr@gmail.com \
--cc=neil@brown.name \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox