lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240912211106.2osqf5voyyjlran7@pali>
Date: Thu, 12 Sep 2024 23:11:06 +0200
From: Pali Rohár <pali@...nel.org>
To: Anna Schumaker <anna.schumaker@...cle.com>
Cc: Trond Myklebust <trondmy@...nel.org>, Anna Schumaker <anna@...nel.org>,
	linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

On Thursday 12 September 2024 17:06:07 Anna Schumaker wrote:
> Hi Pali,
> 
> On 9/12/24 9:02 AM, Pali Rohár wrote:
> > Linux NFS3 kernel client currently has broken support for NFS3
> > AUTH_NULL-only exports and also broken mount option -o sec=none
> > (which explicitly specifies that mount should use AUTH_NULL).
> > 
> > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > export with AUTH_UNIX authentication which results in unusable mount
> > point (any operation on it fails with error because server rejects
> > AUTH_UNIX authentication).
> > 
> > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > server does not announce it even when the export has the only AUTH_NULL
> > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > 
> > Main problem on the client side is that mount option -o sec=none for
> > NFS3 client is not processed and Linux NFS kernel client always skips
> > AUTH_NULL (even when server announce it, and also even when user
> > specifies -o sec=none on mount command line).
> > 
> > This patch series address these issues in NFS3 client code.
> > 
> > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > by trying AUTH_NULL authentication as an absolutely last chance when
> > everything else fails. And honors user choice of AUTH_NULL if user
> > explicitly specified -o sec=none as mount option.
> 
> Why fix this on the client instead of fixing the server to announce AUTH_NULL
> if this is what the user has configured?

This can be a next step. Without this client workaround it is not
possible to connect with Linux client to existing/running servers.

> Anna
> 
> > 
> > AUTH_NULL authentication is useful for read-only exports, including
> > public exports. As authentication for these types of exports do not have
> > to be required.
> > 
> > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > server to properly return AUTH_NULL support in response list.
> > 
> > Patch series is based on the latest upstream tag v6.11-rc7.
> > 
> > Pali Rohár (5):
> >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> >     server
> >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> >   nfs: Fix -o sec=none output in /proc/mounts
> >   nfs: Remove duplicate debug message 'using auth flavor'
> > 
> >  fs/nfs/client.c | 14 ++++++++++-
> >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> >  2 files changed, 65 insertions(+), 13 deletions(-)
> > 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ