On Feb 7, 2013, at 12:03 PM, Chuck Lever <chuck.lever@xxxxxxxxxx> wrote: > > On Feb 7, 2013, at 11:55 AM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote: > >> On Thu, Feb 07, 2013 at 11:26:43AM -0500, Chuck Lever wrote: >>> >>> On Feb 7, 2013, at 11:23 AM, "J. Bruce Fields" <bfields@xxxxxxxxxxxx> wrote: >>> >>>> On Thu, Feb 07, 2013 at 10:58:25AM -0500, Chuck Lever wrote: >>>>> >>>>> On Feb 7, 2013, at 10:02 AM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote: >>>>> >>>>>> On Fri, Feb 01, 2013 at 05:43:44PM -0500, Chuck Lever wrote: >>>>>>> Clean up. This matches a similar API for the client side, and >>>>>>> keeps ULP fingers out the of the GSS mech switch. >>>>>>> >>>>>>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> >>>>>>> Acked-by: J. Bruce Fields <bfields@xxxxxxxxxx> >>>>>>> --- >>>>>>> >>>>>>> Bruce- >>>>>>> >>>>>>> This version of the patch follows the existing logic in >>>>>>> nfsd4_do_encode_secinfo(): If the RPC layer can't find GSS info >>>>>>> that matches an export security flavor, it assumes the flavor is >>>>>>> not a GSS pseudoflavor, and simply puts it on the wire. >>>>>>> >>>>>>> However, if the below XDR encoding logic is given a legitimate GSS >>>>>>> pseudoflavor but the RPC layer says it does not support that >>>>>>> pseudoflavor for some reason, then we leak GSS pseudoflavor numbers >>>>>>> onto the wire. >>>>>>> >>>>>>> I confirmed this happens by blacklisting rpcsec_gss_krb5, then >>>>>>> attempted a client transition from the pseudo-fs to a Kerberos-only >>>>>>> share. The client received a flavor list containing the Kerberos >>>>>>> pseudoflavor numbers, rather than GSS tuples. >>>>>>> >>>>>>> The encoder logic can check that each pseudoflavor is less than >>>>>>> MAXFLAVOR before writing it into the buffer, to prevent this. But >>>>>>> after "nflavs" is written into the XDR buffer, the encoder can't >>>>>>> skip writing flavor information into the buffer when it discovers >>>>>>> the RPC layer doesn't support that flavor. >>>>>>> >>>>>>> Is there some way of writing "nflavs" into the XDR buffer after >>>>>>> the loop that writes the flavor information is complete? >>>>>> >>>>>> Yes, you can save a pointer and then go back and fill that in--see >>>>>> encode_fattr for an example. >>>>> >>>>> Thanks, I will submit an additional patch that describes this issue and fixes it. >>>>> >>>>> I asked David Noveck, as one of the authors of RFC 3530, whether an NFS server should return a zero-length flavor list or an error if SECINFO can't find any flavors a client is allowed to use. His opinion was to return NFS4_OK and a zero-length flavor list. >>>> >>>> Fine with me for this code. >>> >>> OK, will go with that. >>> >>>> (In practice though we should probably be warning somewhere (exportfs?) >>>> if somebody creates an export like that.) >>> >>> The problem can also arise because gssd isn't running or auth_rpcgss.ko or rpcsec_gss_krb5.ko are not loadable for some reason. In other words, an empty flavor list might also be the result of a transient server misconfiguration. >> >> OK. Do you think the kernel could help by providing a once-only warning >> in such a case? (Or in the case when we're not able to find support for >> a security flavor set on the export.) > > I've thought a little about that. There is already a logged warning if a gssd upcall times out. But it's hard to tell inside the kernel why a module doesn't load. These all look pretty much the same to the RPC layer: > > - module is blacklisted or not installed? > - GSS support wasn't built? > - filesystem corruption? > - export specifies a security flavor the RPC client doesn't recognize? > > I suppose I could add something here, but I wonder about the false alarms. How about this: "Warning: export specifies a security flavor that isn't supported" -- Chuck Lever chuck[dot]lever[at]oracle[dot]com -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
