Re: [PATCH] cifs: handle termination of cifs oplockd kernel thread

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Steve French <smfrench@austin.rr.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	hch@infradead.org, 7eggert@gmx.de, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] cifs: handle termination of cifs oplockd kernel thread
Date: Sat, 30 Apr 2005 09:50:14 -0500	[thread overview]
Message-ID: <42739B26.8080005@austin.rr.com> (raw)
In-Reply-To: <20050430145306.GA22276@fieldses.org>

J. Bruce Fields wrote:

>On Sat, Apr 30, 2005 at 08:28:27AM -0500, Steve French wrote:
>  
>
>>Miklos Szeredi wrote:
>>
>>    
>>
>>>>>- network/userspace filesystems should be fine aswell
>>>>>    
>>>>>
>>>>>          
>>>>>
>>>>They should, but again I wonder if NFS with all it's complexity is
>>>>being careful enough with what it accepts from the server.
>>>>  
>>>>        
>>>>
>>it is possible for the client to validate that the
>>server is who it says it is, and both NFSv4 (actually the newer NFS
>>RPC) and CIFS of course allow packet signing which helps, not sure if
>>AFS allows packet signing.
>>    
>>
>
>None of this helps in the situation Miklos is considering, where the
>attacker is a user on the client doing the mount.  So presumably the
>user gets to choose a server under his/her control, and all the
>authentication does is prove to the user that s/he got the right server,
>which doesn't protect the kernel at all.
>
>The only defense is auditing the client code's handling of data it
>receives from the server
>  
>
I agree that periodic auditing of returned data, and testing with 
intentionally corrupted server responses
is necessary and should continue.

But you bring up an interesting point about security policy.    For the 
case of evil user trying to mount
to evil server (e.g. one under evil user's control), in one sense it is 
no different than allowing a user to
mount an evil cdrom or usb storage device with evil contens - a device 
which may contain specially
crafted data (file and directory contents and metadata) designed to 
crash the system, but there is
a difference - for network filesystems the server also can delay the 
responses, throw away
the responses or corrupt the frame headers (this can just as often 
happen due to buggy network
hardware and routers too).  Obviously we need to continue to audit for 
both cases - but it would
not hurt to optionally verify that the server can prove its identity and 
prove that it has been properly
added to a security domain that you trust - ie allow an NFSv4 mount and 
the CIFS mount helper
to be configured/built so that users could only mount to servers that are:
    1) In the clients security domain (ie kerberos realm)
    2) In a trusted domain (realm)
IIRC this is already done for the case of some services such as winbind, 
and I vaguely remember
IBM OS/2 doing this (verifying the server's identity during mount) when 
using Kerberized SMB back in
the early 1990s in the Directory and Security server product.

next prev parent reply	other threads:[~2005-04-30 15:53 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <3YLdQ-4vS-15@gated-at.bofh.it>
2005-04-29 23:18 ` [PATCH] cifs: handle termination of cifs oplockd kernel thread Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
2005-04-30  7:32   ` Christoph Hellwig
2005-04-30  8:14     ` Miklos Szeredi
2005-04-30  8:29       ` Christoph Hellwig
2005-04-30  9:22         ` Miklos Szeredi
2005-04-30 10:57           ` Miklos Szeredi
2005-04-30 13:28             ` Steve French
2005-04-30 14:53               ` J. Bruce Fields
2005-04-30 14:50                 ` Steve French [this message]
2005-04-30 17:23                   ` Miklos Szeredi
2005-04-30 16:16               ` Miklos Szeredi
2005-04-30 15:27                 ` Steve French
2005-05-01  0:10               ` Bodo Eggert
2005-05-11  8:59           ` Christoph Hellwig
2005-04-30 12:52         ` Steve French
2005-04-29 21:09 Steve French
2005-04-29 21:31 ` Christoph Hellwig
2005-04-29 22:20   ` Steve French
2005-05-11  8:56     ` Christoph Hellwig
2005-05-11 18:19       ` Steve French
2005-05-16  9:34         ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=42739B26.8080005@austin.rr.com \
    --to=smfrench@austin.rr.com \
    --cc=7eggert@gmx.de \
    --cc=bfields@fieldses.org \
    --cc=hch@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox