lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zwbfmf3L5XphaiGs@tissot.1015granger.net>
Date: Wed, 9 Oct 2024 15:55:05 -0400
From: Chuck Lever <chuck.lever@...cle.com>
To: NeilBrown <neilb@...e.de>
Cc: Pali Rohár <pali@...nel.org>,
        Jeff Layton <jlayton@...nel.org>,
        Olga Kornievskaia <okorniev@...hat.com>, Dai Ngo <dai.ngo@...cle.com>,
        Tom Talpey <tom@...pey.com>,
        "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] nfsd: Fix NFSD_MAY_BYPASS_GSS and
 NFSD_MAY_BYPASS_GSS_ON_ROOT

On Tue, Oct 08, 2024 at 05:47:55PM -0400, NeilBrown wrote:
> And NFSD_MAY_LOCK should be discarded, and nlm_fopen() should set
> NFSD_MAY_BYPASS_SEC.

366         /*                                                                      
367          * pseudoflavor restrictions are not enforced on NLM,                   

Wrt the mention of "NLM", nfsd4_lock() also sets NFSD_MAY_LOCK.

368          * which clients virtually always use auth_sys for,                     
369          * even while using RPCSEC_GSS for NFS.                                 
370          */                                                                     
371         if (access & NFSD_MAY_LOCK)                                             
372                 goto skip_pseudoflavor_check;                                   
373         if (access & NFSD_MAY_BYPASS_GSS)                                       
374                 may_bypass_gss = true;
375         /*                                                                      
376          * Clients may expect to be able to use auth_sys during mount,          
377          * even if they use gss for everything else; see section 2.3.2          
378          * of rfc 2623.                                                         
379          */                                                                     
380         if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT                                
381                         && exp->ex_path.dentry == dentry)                       
382                 may_bypass_gss = true;                                          
383                                                                                 
384         error = check_nfsd_access(exp, rqstp, may_bypass_gss);                  
385         if (error)                                                              
386                 goto out;                                                       
387                                                                                 
388 skip_pseudoflavor_check:                                                        
389         /* Finally, check access permissions. */                                
390         error = nfsd_permission(cred, exp, dentry, access);     

MAY_LOCK is checked in nfsd_permission() and __fh_verify().

But MAY_BYPASS_GSS is set in loads of places that use those two
functions. How can we be certain that the two flags are equivalent? 

Though I agree, simplifying this hot path would both help
performance scalability and reduce reader headaches. It might be a
little nicer to pass the NFSD_MAY flags directly to
check_nfsd_access(), for example.


-- 
Chuck Lever

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ