[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOi1vP9CgJnw4ewtewBOb-mjAGvCP+6upW8J61GixQD=junV0Q@mail.gmail.com>
Date: Wed, 11 Sep 2024 23:03:19 +0200
From: Ilya Dryomov <idryomov@...il.com>
To: Max Kellermann <max.kellermann@...os.com>
Cc: Patrick Donnelly <pdonnell@...hat.com>, xiubli@...hat.com, ceph-devel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fs/ceph/quota: ignore quota with CAP_SYS_RESOURCE
On Wed, Sep 11, 2024 at 9:21 PM Max Kellermann <max.kellermann@...os.com> wrote:
>
> On Wed, Sep 11, 2024 at 8:04 PM Patrick Donnelly <pdonnell@...hat.com> wrote:
> > CephFS has many components that are cooperatively maintained by the
> > MDS **and** the clients; i.e. the clients are trusted to follow the
> > protocols and restrictions in the file system. For example,
> > capabilities grant a client read/write permissions on an inode but a
> > client could easily just open any file and write to it at will. There
> > is no barrier preventing that misbehavior.
>
> To me, that sounds like you confirm my assumption on how Ceph works -
> both file permissions and quotas. As a superuser (CAP_DAC_OVERRIDE), I
> can write arbitrary files, and just as well CAP_SYS_RESOURCE should
> allow me to exceed quotas - that's how both capabilities are
> documented.
Hi Max,
I think Patrick is actually saying the reverse: having root or other
_local_ user privileges on a particular node shouldn't subvert the
CephFS caps system because there might be many other users involved.
If you have a CephFS client that hasn't been tampered with, coming in
with CAP_DAC_OVERRIDE wouldn't allow you to write to an arbitrary file
directly or even buffer data for that file in memory unless the MDS
grants the cap/permission.
However a rigged CephFS client could absolutely do that. It could
ignore those parts of the MDS protocol or bypass the MDS entirely and
interact only with OSDs. The only thing that could stand in the way of
a client like that is CephX, which is where I believe the suggestion to
implement the quota override as a new CephX cap is coming from. If
a particular user is to be allowed to go loose, the system needs to
have a record of that.
Thanks,
Ilya
Powered by blists - more mailing lists