From: Christoph Hellwig <hch@infradead.org>
To: NeilBrown <neilb@suse.de>
Cc: Mike Snitzer <snitzer@kernel.org>,
Jeff Layton <jlayton@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Anna Schumaker <anna@kernel.org>,
Trond Myklebust <trondmy@hammerspace.com>,
Christoph Hellwig <hch@infradead.org>,
linux-nfs@vger.kernel.org
Subject: Re: Security issue in NFS localio
Date: Wed, 3 Jul 2024 22:45:45 -0700 [thread overview]
Message-ID: <ZoY3CYlNebkh4K6S@infradead.org> (raw)
In-Reply-To: <172004548435.16071.5145237815071160040@noble.neil.brown.name>
On Thu, Jul 04, 2024 at 08:24:44AM +1000, NeilBrown wrote:
> 3/ The current code uses the 'struct cred' of the application to look up
> the file in the server code. When a request goes over the wire the
> credential is translated to uid/gid (or krb identity) and this is
> mapped back to a credential on the server which might be in a
> different uid name space (might it? Does that even work for nfsd?)
>
> I think that if rootsquash or allsquash is in effect the correct
> server-side credential is used but otherwise the client-side
> credential is used. That is likely correct in many cases but I'd
> like to be convinced that it is correct in all case. Maybe it is
> time to get a deeper understanding of uid name spaces.
>
> Have I missed anything? Any other thoughts?
Still getting up to speed with the code (and only the current one
posted by Mike, I haven't looked at your series yet), and the
fundamental underlying problem seems to be that while the code to
open the file resides in the nfsd code, it is called from client
context. If opening the file was done in normal nfsd context with
all the usual limitations and then handed out it would work exactly
like FD passing and avoid almost all possibility of privilege
escalation. I'm not sure how to best archive that, though.
next prev parent reply other threads:[~2024-07-04 5:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-03 22:24 Security issue in NFS localio NeilBrown
2024-07-03 23:35 ` Jeff Layton
2024-07-04 4:31 ` Mike Snitzer
2024-07-05 21:39 ` NeilBrown
2024-07-04 5:45 ` Christoph Hellwig [this message]
2024-07-04 19:00 ` Chuck Lever III
2024-07-04 23:25 ` Dave Chinner
2024-07-05 1:42 ` Mike Snitzer
2024-07-05 21:51 ` NeilBrown
2024-07-05 13:45 ` Christoph Hellwig
2024-07-05 13:50 ` Chuck Lever III
2024-07-05 21:56 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZoY3CYlNebkh4K6S@infradead.org \
--to=hch@infradead.org \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=snitzer@kernel.org \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox