Re: Zombie / Orphan open files

On Tue, Jan 31, 2023 at 5:26 PM Andrew J. Romero <romero@xxxxxxxx> wrote:
>
> Hi Olga
>
> This is great info!
>
> Can you make sure that the host principal is not granted any
> read or write access (via ACL entry, owner, group or Everyone access)
> to the actual directory and file being opened?
>
> If, by spec or well-established convention, the client host principal just needs to submit the "close request"
> to the NFS server but needs no access to the actual directory tree or files, then
> my NAS vendor will need to take action.
>
> If I need to grant directory / file access to all host principals on-site
> I will probably get serious computer-security opposition.

Closing a file has nothing to do with having access to the file. As
per spec, doing state operations should be allowed by the machine
principal.

Here's the paragraph of the spec stating that things like CLOSE must be allowed:

In cases where the server's security policies on a portion of its
namespace require RPCSEC_GSS authentication, a client may have to use
an RPCSEC_GSS credential to remove per-file state (e.g., LOCKU, CLOSE,
etc.). The server may require that the principal that removes the
state match certain criteria (e.g., the principal might have to be the
same as the one that acquired the state). However, the client might
not have an RPCSEC_GSS context for such a principal, and might not be
able to create such a context (perhaps because the user has logged
off). When the client establishes SP4_MACH_CRED or SP4_SSV protection,
it can specify a list of operations that the server MUST allow using
the machine credential (if SP4_MACH_CRED is used) or the SSV
credential (if SP4_SSV is used).

If the NAS vendor is disallowing it then they are in the wrong.

>
> Thanks!
>
> Andy
>
> >
> > What you describe --- having different views of state on the client
> > and server --- is not a known common behaviour.
> >
> > I have tried it on my Kerberos setup.
> > Got a 5min ticket.
> > As a user, opened a file in a process that went to sleep.
> > My user credentials expired (after 5mins). I verified that by
> > doing an "ls" on a mounted filesystem, which resulted in a permission
> > denied error.
> > Then I killed the application that had an open file. This resulted
> > in an NFS CLOSE being sent to the server using the machine's gss
> > context (which is the default behaviour of the Linux client regardless
> > of whether or not the user's credentials are valid).
> >
> > Basically, as far as I can tell, a Linux client can handle cleaning up
> > state when the user's credentials have expired.
> > >
> > >
> > >
> > > Andy
> > >
> > >
> > >
> > >
> > >
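
The distinction drawn in this thread, between removing per-file state with the machine credential and having access to the file itself, as a simplified Python model. This is an added example, not code from any poster, the Linux client or an NFS server; the principal names, path, ACL layout and the `authorize` helper are constructed for illustration, and only the operation numbers and the SP4_MACH_CRED must-allow idea come from the NFSv4.1 protocol.

```python
from dataclasses import dataclass
from enum import IntEnum

class Op(IntEnum):                 # NFSv4 operation numbers
    CLOSE = 4
    LOCKU = 14
    READ = 25
    WRITE = 38

STATE_REMOVAL = {Op.CLOSE, Op.LOCKU}
ACL_BIT = {Op.READ: "r", Op.WRITE: "w"}

@dataclass(frozen=True)
class ClientId:
    machine_principal: str
    protection: str                # "SP4_NONE" or "SP4_MACH_CRED"
    must_allow: frozenset          # ops the client listed when it set up protection

@dataclass(frozen=True)
class OpenState:
    path: str
    opener: str                    # principal that acquired the state
    client: ClientId

def authorize(op, principal, state, acl):
    """Return (allowed, reason) for one operation against one open state."""
    if op in STATE_REMOVAL:
        # Server policy modelled here: normally only the opener may remove state.
        if principal == state.opener:
            return True, "state owner"
        c = state.client
        if (c.protection == "SP4_MACH_CRED"
                and principal == c.machine_principal and op in c.must_allow):
            return True, "machine credential, op in must-allow list"
        return False, "principal may not remove this state"
    # Data access is a separate decision, made from the file's ACL only.
    if ACL_BIT[op] in acl.get(state.path, {}).get(principal, ""):
        return True, "ACL"
    return False, "no ACL entry grants access"

# Constructed sample data: the host principal has no ACL entry at all.
HOST = "nfs/client1.example.org@EXAMPLE.ORG"
USER = "alice@EXAMPLE.ORG"
PATH = "/export/data/report.txt"
ACL = {PATH: {USER: "rw"}}
PROTECTED = ClientId(HOST, "SP4_MACH_CRED", frozenset({Op.CLOSE, Op.LOCKU}))
UNPROTECTED = ClientId(HOST, "SP4_NONE", frozenset())
```

With `PROTECTED`, the host principal can CLOSE the user's open file while READ and WRITE by the same principal are still refused, which is the separation a NAS ACL review should expect.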


