From: ebiederm@xmission.com (Eric W. Biederman)
To: Trond Myklebust <trondmy@primarydata.com>
Cc: "seth.forshee\@canonical.com" <seth.forshee@canonical.com>,
"bfields\@fieldses.org" <bfields@fieldses.org>,
"anna.schumaker\@netapp.com" <anna.schumaker@netapp.com>,
"linux-nfs\@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] sunrpc: Use current_real_cred() when looking up rpc credentials
Date: Wed, 25 Jan 2017 12:56:31 +1300 [thread overview]
Message-ID: <87y3y0ko5s.fsf@xmission.com> (raw)
In-Reply-To: <1485301593.36478.2.camel@primarydata.com> (Trond Myklebust's message of "Tue, 24 Jan 2017 23:46:35 +0000")
Trond Myklebust <trondmy@primarydata.com> writes:
> On Wed, 2017-01-25 at 12:28 +1300, Eric W. Biederman wrote:
>> With respect to nfs and automounts.
>>
>> Does NFS have different automount behavior based on the user
>> performing the automount?
>>
>> If NFS does not have different automount behavior depending on the
>> user
>> we just use the creds of the original mounter of NFS?
>>
>> If NFS does have different automount behavior depending on the user
>> (ouch!) we need to go through the call path and see where it makes
>> sense to over ride things and where it does not.
>
> The reason why the NFS client creates a mountpoint is because on
> entering a directory, it detects that there is either a similar
> mountpoint on the server, or there is a referral (which acts sort of
> like a symlink, except it points to a path on one or more different NFS
> servers).
> Without that mountpoint, most things would work, but the user would end
> up seeing nasty non-posix features like duplicate inode numbers.
>
> We do not want to use any creds other than user creds here, because as
> far as the security model is concerned, the process is just crossing
> into an existing directory.
But sget needs different creds.
Because the user who authorizes the mounting of the filesystem is
different than the user who is crossing into the new filesystem.
The local system now cares about that distinction even if the nfs server
does not.
>> Seth the fundamental problem with your patch was that you were
>> patching
>> a location that is used for more just mounts.
>>
>> I am strongly wishing that we could just change follow_automount
>> from:
>>
>>
>> old_cred = override_creds(&init_cred);
>> mnt = path->dentry->d_op->d_automount(path);
>> revert_creds(old_cred);
>>
>> to:
>>
>> old_cred = override_creds(path->mnt->mnt_sb->s_cred);
>> mnt = path->dentry->d_op->d_automount(path);
>> revert_creds(old_cred);
>>
>> And all will be well with nfs. That does remain possible.
>
> No. That would break permissions checking. See above.
Then we need to look much harder at the permission checking
model of d_automount because we need to permission check against
both sets of creds.
>> But looking at the code path you touched it seems to lookup the cred
>> based purely on the local uid, gid, and groups. Which suggests to
>> me that even the original mounters creds may not be enough :(
>>
>> At which point I am not certain of the solution. But I fear that
>> like
>> autofs NFS actually cares which user is transition the magic
>> mountpoint,
>> and may return different data depending on who transitions the
>> mountpoint first. Ick! Nasty Nasty Ick!
>>
>
> The security model is the same as that of an ordinary directory. The
> only difference is that we create a new superblock. Why is that "Ick"?
The Ick is if the superblock that is created depends on the user
crossing the mountpoint.
AKA Do we get a different mountpoint if user A triggers the automount
vs user B triggering the automount?
If the problem is just root squash and not letting root trigger the
automount it is much less ick. Weird but not ick.
Eric
next prev parent reply other threads:[~2017-01-25 0:00 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-15 17:13 [PATCH] sunrpc: Use current_real_cred() when looking up rpc credentials Seth Forshee
2016-12-15 23:01 ` Trond Myklebust
2016-12-16 13:06 ` Seth Forshee
2017-01-10 14:55 ` Seth Forshee
2017-01-11 0:21 ` Eric W. Biederman
2017-01-24 15:17 ` Seth Forshee
2017-01-24 22:55 ` Eric W. Biederman
2017-01-24 23:28 ` Eric W. Biederman
2017-01-24 23:46 ` Trond Myklebust
2017-01-24 23:56 ` Eric W. Biederman [this message]
2017-01-25 0:14 ` Trond Myklebust
2017-01-25 14:52 ` Seth Forshee
2017-01-25 15:51 ` Trond Myklebust
2017-01-25 16:28 ` Seth Forshee
2017-02-01 6:36 ` Eric W. Biederman
2017-02-01 6:38 ` [REVIEW][PATCH] fs: Better permission checking for submounts Eric W. Biederman
2017-02-01 13:28 ` Trond Myklebust
2017-02-01 13:38 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y3y0ko5s.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=anna.schumaker@netapp.com \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=seth.forshee@canonical.com \
--cc=trondmy@primarydata.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).