Re: server-to-server copy by default

public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed

From: dai.ngo@oracle.com
To: Bruce Fields <bfields@fieldses.org>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Steve Dickson <steved@redhat.com>,
	Olga Kornievskaia <olga.kornievskaia@gmail.com>,
	Chuck Lever <chuck.lever@oracle.com>
Subject: Re: server-to-server copy by default
Date: Wed, 20 Oct 2021 22:00:41 -0700	[thread overview]
Message-ID: <a009cbf3-cb83-b7c8-aa86-2eee06962b68@oracle.com> (raw)
In-Reply-To: <20211020202907.GF597@fieldses.org>

On 10/20/21 1:29 PM, Bruce Fields wrote:

> On Wed, Oct 20, 2021 at 12:03:46PM -0700, dai.ngo@oracle.com wrote:
>> On 10/20/21 9:33 AM, Olga Kornievskaia wrote:
>>> On Wed, Oct 20, 2021 at 12:00 PM Chuck Lever III <chuck.lever@oracle.com> wrote:
>>>>> 2. Security question: with server-to-server copy enabled, you can send
>>>>> the server a COPY call with any random address, and the server will
>>>>> mount that address, open a file, and read from it.  Is that safe?
>> The client already has write access to the share on the destination
>> server, it can write any data to the destination file.
> Agreed.  Please look back at what I said; I'm not thinking about attacks
> on the source server, I'm thinking about attacks on the destination (the
> one that receives the COPY).

Sorry for missing you point. If I understand correctly, your concern is
that a malicious client can direct the destination server to mount a
malicious source server that can generate DOS attack to the destination
server.

The attack can come from the replies of the source server or requests
from the source server to the destination server via the back channel.
One of possible attack in the reply is BAD_STATEID which was handled
by the client code as mentioned by Olga.

Here is the list of NFS requests made from the destination to the
source server:

         EXCHANGE_ID
         CREATE_SESSION
         RECLAIM_COMLETE
         SEQUENCE
         PUTROOTFH
         PUTHF
         GETFH
         GETATTR
         READ/READ_PLUS
         DESTROY_SESSION
         DESTROY_CLIENTID

Do you think we should review all replies from these requests to make
sure error replies do not cause problems for the destination server?

same for the back channel ops:

         OP_CB_GETATTR
         OP_CB_RECALL
         OP_CB_LAYOUTRECALL
         OP_CB_NOTIFY
         OP_CB_PUSH_DELEG
         OP_CB_RECALL_ANY
         OP_CB_RECALLABLE_OBJ_AVAIL
         OP_CB_RECALL_SLOT
         OP_CB_SEQUENCE
         OP_CB_WANTS_CANCELLED
         OP_CB_NOTIFY_LOCK
         OP_CB_NOTIFY_DEVICEID
         OP_CB_OFFLOAD

-Dai

> --b.

next prev parent reply	other threads:[~2021-10-21  5:00 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-20 15:54 server-to-server copy by default J. Bruce Fields
2021-10-20 16:00 ` Chuck Lever III
2021-10-20 16:33   ` Olga Kornievskaia
2021-10-20 19:03     ` dai.ngo
2021-10-20 20:29       ` Bruce Fields
2021-10-21  5:00         ` dai.ngo [this message]
2021-10-21 14:02           ` Bruce Fields
2021-10-22  6:34             ` dai.ngo
2021-10-22 12:58               ` Bruce Fields
2021-11-01 17:37               ` dai.ngo
2021-11-01 19:33                 ` Bruce Fields
2021-11-01 19:55                   ` dai.ngo
2021-10-20 17:24   ` Steve Dickson
2021-10-20 17:51     ` Chuck Lever III
2021-10-20 16:37 ` Olga Kornievskaia
2021-10-20 17:45   ` Chuck Lever III
2021-10-20 18:15     ` Bruce Fields
2021-10-20 19:04       ` Chuck Lever III
2021-10-21 13:43         ` Steve Dickson
2021-10-21 13:56         ` Bruce Fields
2021-10-21 14:13         ` Bruce Fields
2021-10-21 14:22           ` Trond Myklebust
2021-10-21 14:38             ` bfields
2021-10-20 18:00   ` J. Bruce Fields
2021-11-01 18:22 ` Charles Hedrick
2021-11-01 19:25   ` Steve Dickson
2021-11-01 19:44     ` Charles Hedrick

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a009cbf3-cb83-b7c8-aa86-2eee06962b68@oracle.com \
    --to=dai.ngo@oracle.com \
    --cc=bfields@fieldses.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=olga.kornievskaia@gmail.com \
    --cc=steved@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox