On 10/20/21 1:29 PM, Bruce Fields wrote:
On Wed, Oct 20, 2021 at 12:03:46PM -0700, dai.ngo@xxxxxxxxxx wrote:
On 10/20/21 9:33 AM, Olga Kornievskaia wrote:
On Wed, Oct 20, 2021 at 12:00 PM Chuck Lever III <chuck.lever@xxxxxxxxxx> wrote:
2. Security question: with server-to-server copy enabled, you can send
the server a COPY call with any random address, and the server will
mount that address, open a file, and read from it. Is that safe?
The client already has write access to the share on the destination
server, it can write any data to the destination file.
Agreed. Please look back at what I said; I'm not thinking about attacks
on the source server, I'm thinking about attacks on the destination (the
one that receives the COPY).
Sorry for missing you point. If I understand correctly, your concern is
that a malicious client can direct the destination server to mount a
malicious source server that can generate DOS attack to the destination
server.
The attack can come from the replies of the source server or requests
from the source server to the destination server via the back channel.
One of possible attack in the reply is BAD_STATEID which was handled
by the client code as mentioned by Olga.
Here is the list of NFS requests made from the destination to the
source server:
EXCHANGE_ID
CREATE_SESSION
RECLAIM_COMLETE
SEQUENCE
PUTROOTFH
PUTHF
GETFH
GETATTR
READ/READ_PLUS
DESTROY_SESSION
DESTROY_CLIENTID
Do you think we should review all replies from these requests to make
sure error replies do not cause problems for the destination server?
same for the back channel ops:
OP_CB_GETATTR
OP_CB_RECALL
OP_CB_LAYOUTRECALL
OP_CB_NOTIFY
OP_CB_PUSH_DELEG
OP_CB_RECALL_ANY
OP_CB_RECALLABLE_OBJ_AVAIL
OP_CB_RECALL_SLOT
OP_CB_SEQUENCE
OP_CB_WANTS_CANCELLED
OP_CB_NOTIFY_LOCK
OP_CB_NOTIFY_DEVICEID
OP_CB_OFFLOAD
-Dai
--b.
