> On Oct 20, 2021, at 2:15 PM, Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
>
> On Wed, Oct 20, 2021 at 05:45:58PM +0000, Chuck Lever III wrote:
>>> On Oct 20, 2021, at 12:37 PM, Olga Kornievskaia <olga.kornievskaia@xxxxxxxxx> wrote:
>>>
>>> On Wed, Oct 20, 2021 at 11:54 AM J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
>>>>
>>>> knfsd has supported server-to-server copy for a couple years (since
>>>> 5.5). You have to set a module parameter to enable it. I'm getting asked
>>>> when we could turn that parameter on by default.
>>>>
>>>> I've got a couple vague criteria: one just general maturity, the other a
>>>> security question:
>>>>
>>>> 1. General maturity: the only reports I recall seeing are from testers.
>>>> Is anyone using this? Does it work for them? Do they find a benefit?
>>>> Maybe we could turn it on by default in one distro (Fedora?) and promote
>>>> it a little and see what that turns up?
>>>>
>>>> 2. Security question: with server-to-server copy enabled, you can send
>>>> the server a COPY call with any random address, and the server will
>>>> mount that address, open a file, and read from it. Is that safe?
>>>
>>> How about adding a piece then on the server (a policy) that would only
>>> control that? The concept behind the server-to-server was that servers
>>> might have a private/fast network between them that they would want to
>>> utilize. A more restrictive policy could be to only allow a predefined
>>> network space to do the COPY? I know that's more work. But it sounds like
>>> perhaps it might be something that provides more control to the
>>> server.
>>>
>>> But as Chuck pointed out, perhaps the kerberos piece would make this
>>> concern irrelevant.
>>
>> I like the idea of having a server-side policy setting that
>> controls whether s2sc is permitted, and maybe establishes a
>> range of IP addresses allowed to be destination servers.
>
> Maybe, but:
>
> 1) Couldn't you get something awfully close to that with
> firewall configuration?

Not if the s2sc policy setting is on each export.

> 2) I'm getting asked why server-side copy isn't on by default.

And your answer to that was "we haven't figured out how to guarantee
security when it's enabled".

> So I guess the requirement to set inter_copy_offload_enable is
> too much. How does requiring more complicated configuration
> answer that concern?

It answers the concern by letting local administrators choose to
enable or disable s2sc based on their own security needs.

> 3) There's interest in allowing unprivileged NFS mounts. That's
> more of a security risk than this. What's the client
> maintainers' judgement about unprivileged NFS mounts? Do they
> think that would be safe to allow by default in distros? If so,
> then we're certainly fine here.

Unprivileged mounting seems like a different question to me.
Related, possibly, but not the same. I'd rather leave that
discussion to another thread.

--
Chuck Lever