From: Scott Mayhew <smayhew@redhat.com>
To: linux-nfs@vger.kernel.org
Subject: NFSv3 and xprtsec policies
Date: Thu, 2 May 2024 11:54:43 -0400
Message-ID: <ZjO3Qwf_G87yNXb2@aion>
Red Hat QE identified an "interesting" issue with NFSv3 and TLS, in that an
NFSv3 client can mount with "xprtsec=none" a filesystem exported with
"xprtsec=tls:mtls" (in the sense that the client gets the filehandle and adds a
mount to its mount table - it can't actually access the mount).
Here's an example using machines from the recent Bakeathon.
Mounting a server with TLS enabled:
# mount -o v4.2,sec=sys,xprtsec=tls oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# umount /mnt
Trying to mount without "xprtsec=tls" shows that the filesystem is not exported with "xprtsec=none":
# mount -o v4.2,sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
mount.nfs: Operation not permitted for oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls on /mnt
Yet a v3 mount without "xprtsec=tls" works:
# mount -o v3,sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# umount /mnt
and a mount with no explicit version and without "xprtsec=tls" falls back to
v3 and also "works":
# mount -o sec=sys oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt
# grep ora /proc/mounts
oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt nfs rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=100.64.0.49,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=100.64.0.49 0 0
Even though the filesystem is mounted, the client can't do anything with it:
# ls /mnt
ls: cannot open directory '/mnt': Permission denied
When krb5 is used with NFSv3, the server returns a list of pseudoflavors in
mountres3_ok (https://datatracker.ietf.org/doc/html/rfc1813#section-5.2.1).
The client compares that list with its own list of auth flavors parsed from the
mount request and returns -EACCES if no match is found (see
nfs_verify_authflavors()).
Perhaps we should be doing something similar with xprtsec policies? Should
there be an errata to RFC 9289 and a request from IANA for assigned numbers for
pseudo-flavors corresponding to xprtsec policies?
If not, this behavior should at least be documented in the man pages.
-Scott
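Until the client enforces something like the pseudoflavor check for xprtsec policies, the silent v3 fallback described above is only visible in the mount table. The following is an added audit script, not part of Scott's mail or the kernel, that reads lines in /proc/mounts format and reports NFS mounts whose transport is not protected by xprtsec=tls or xprtsec=mtls. It assumes recent kernels list the xprtsec policy as an "xprtsec=" option in /proc/mounts and that a mount with no such option is running with xprtsec=none. The sample mount table is constructed: the first line is the v3 fallback mount from the mail, the second a hypothetical v4.2 mount made with xprtsec=tls.

```shell
#!/bin/sh
# Added example (not from the original email): audit a mount table in
# /proc/mounts format and report NFS mounts that are not TLS-protected.

# Constructed sample table: a v3 fallback mount (no xprtsec option, so the
# transport policy is "none"), a hypothetical v4.2 mount with xprtsec=tls,
# and a non-NFS filesystem that must be ignored.
SAMPLE_MOUNTS='oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt nfs rw,relatime,vers=3,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=100.64.0.49,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=100.64.0.49 0 0
oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt2 nfs4 rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,xprtsec=tls,clientaddr=100.64.0.10,local_lock=none,addr=100.64.0.49 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Read mount-table lines from stdin and print one line per NFS mount whose
# xprtsec policy is neither tls nor mtls, as:
#   <mountpoint> <source> vers=<version> xprtsec=<policy>
# Assumption: the kernel exports the policy as an "xprtsec=" mount option;
# a mount without that option is treated as xprtsec=none.
unprotected_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        n = split($4, opts, ",")
        xprtsec = "none"; vers = "?"
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^xprtsec=/) xprtsec = substr(opts[i], 9)
            if (opts[i] ~ /^vers=/)    vers = substr(opts[i], 6)
        }
        if (xprtsec != "tls" && xprtsec != "mtls")
            printf "%s %s vers=%s xprtsec=%s\n", $2, $1, vers, xprtsec
    }'
}

# Run against the constructed sample; on a live system use:
#   unprotected_nfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | unprotected_nfs_mounts
```

On the sample table the script reports only /mnt, the v3 mount that fell back to an unprotected transport, and stays silent for the xprtsec=tls mount and the ext4 root. Because an NFSv3 client cannot learn the server's xprtsec policy from MOUNT, the script cannot tell a legitimately unprotected export from the case in the mail; it flags every unprotected NFS mount so the administrator can compare against the exports that are known to require TLS.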
2024-05-02 15:54 Scott Mayhew [this message]
2024-05-02 16:15 ` NFSv3 and xprtsec policies Chuck Lever III
2024-05-02 17:37 ` Scott Mayhew
2024-05-02 17:51 ` Chuck Lever III
2024-05-02 18:51 ` Scott Mayhew
2024-05-02 19:25 ` Jeffrey Layton
2024-05-03 18:44 ` Chuck Lever
2024-05-03 20:53 ` Scott Mayhew
2024-05-03 22:31 ` Rick Macklem
2024-05-06 16:47 ` Scott Mayhew
2024-05-06 22:41 ` Rick Macklem