2021-02-25 06:06:07

by NeilBrown

Subject: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access

When NFSv3 is used mountd provides logs of successful and failed mount
attempts which can be used for auditing.
When NFSv4 is used there are no such logs as NFSv4 does not have a
distinct "mount" request.

However mountd still knows about which filesystems are being accessed
from which clients, and can actually provide more reliable logs than it
currently does, though they must be more verbose - with periodic "is
being accessed" message replacing a single "was mounted" message.

This series adds support for that logging, and adds some related
improvements to make the logs as useful as possible.

NeilBrown

---

NeilBrown (5):
mountd: reject unknown client IP when !use_ipaddr.
mountd: Don't proactively add export info when fh info is requested.
mountd: add logging for authentication results for accesses.
mountd: add --cache-use-ipaddr option to force use_ipaddr
mountd: make default ttl settable by option


support/export/auth.c | 4 +++
support/export/cache.c | 32 +++++++++++------
support/export/v4root.c | 3 +-
support/include/exportfs.h | 3 +-
support/nfs/exports.c | 4 ++-
utils/mountd/mountd.c | 29 +++++++++++++++-
utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++
7 files changed, 130 insertions(+), 15 deletions(-)

--
Signature


2021-02-25 06:06:32

by NeilBrown

Subject: [PATCH 4/5] mountd: add --cache-use-ipaddr option to force use_ipaddr

From: NeilBrown <[email protected]>

When logging authentication requests, it can be easier to read the logs
if clients are always identified by IP address, not intermediate names
like netgroups or subnets.

To allow this, add --cache-use-ipaddr or -i, which tells mountd to always
enable use_ipaddr.

Signed-off-by: NeilBrown <[email protected]>
---
support/export/auth.c | 4 ++++
utils/mountd/mountd.c | 8 +++++++-
utils/mountd/mountd.man | 18 ++++++++++++++++++
3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/support/export/auth.c b/support/export/auth.c
index 0bfa77d18469..cea376300d01 100644
--- a/support/export/auth.c
+++ b/support/export/auth.c
@@ -66,6 +66,10 @@ check_useipaddr(void)
int old_use_ipaddr = use_ipaddr;
unsigned int len = 0;

+ if (use_ipaddr > 1)
+ /* fixed - don't check */
+ return;
+
/* add length of m_hostname + 1 for the comma */
for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next)
len += (strlen(clp->m_hostname) + 1);
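Review bot: `use_ipaddr` becomes a three-valued variable here (0, 1, and the new "forced" value 2) but nothing next to its declaration says so; define the forced value once as a named constant beside the declaration of `use_ipaddr` and use it in the two places in mountd.c that assign 2, so the `> 1` test in `check_useipaddr()` reads as intent rather than a magic number. Every other test of `use_ipaddr` must also treat it as truthy rather than comparing against 1, which is worth a grep before merging.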
diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
index 59eddf79fd2e..dafcc35ca9c2 100644
--- a/utils/mountd/mountd.c
+++ b/utils/mountd/mountd.c
@@ -75,9 +75,10 @@ static struct option longopts[] =
{ "manage-gids", 0, 0, 'g' },
{ "no-udp", 0, 0, 'u' },
{ "log-auth", 0, 0, 'l'},
+ { "cache-use-ipaddr", 0, 0, 'i'},
{ NULL, 0, 0, 0 }
};
-static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gl";
+static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gli";

#define NFSVERSBIT(vers) (0x1 << (vers - 1))
#define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4))
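Review bot: the option table and `shortopts` gain `i`, but the diffstat for mountd.c (8 lines, all accounted for by this file's three hunks) shows no change to the usage/help text, so `-i`/`--cache-use-ipaddr` will be missing from the message mountd prints on a bad option; add it alongside `-l`. Nit: the new entry copies the missing space before `}` from the `log-auth` line above it, while the older entries are written `, 'g' }`.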
@@ -681,6 +682,8 @@ read_mountd_conf(char **argv)
num_threads = conf_get_num("mountd", "threads", num_threads);
reverse_resolve = conf_get_bool("mountd", "reverse-lookup", reverse_resolve);
ha_callout_prog = conf_get_str("mountd", "ha-callout");
+ if (conf_get_bool("mountd", "cache-use-ipaddr", 0))
+ use_ipaddr = 2;

s = conf_get_str("mountd", "state-directory-path");
if (s && !state_setup_basedir(argv[0], s))
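Review bot: this introduces a new `[mountd]` nfs.conf key, `cache-use-ipaddr`, but the series touches only mountd.man, so nfs.conf(5) is not updated to list it or its boolean syntax; add it there as well. Note also that the setting is one-way: a true value forces `use_ipaddr = 2`, a false value leaves whatever was set before, and neither the key nor the `-i` option can turn forcing off again once either has set it. That is fine if intended, but deserves a sentence in the man page.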
@@ -803,6 +806,9 @@ main(int argc, char **argv)
case 'l':
xlog_sconfig("auth", 1);
break;
+ case 'i':
+ use_ipaddr = 2;
+ break;
case 0:
break;
case '?':
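Review bot: `case 'i'` assigns the literal 2 a second time; with `read_mountd_conf()` doing the same and auth.c testing `> 1`, the meaning of the value now lives in three places. A single named constant shared by all three keeps them in step if a further state is ever added. The case itself is correct.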
diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
index df4e5356cb05..44d237e56110 100644
--- a/utils/mountd/mountd.man
+++ b/utils/mountd/mountd.man
@@ -118,6 +118,23 @@ section.
will always log authentication responses to MOUNT requests when NFSv3 is
used, but to get similar logs for NFSv4, this option is required.
.TP
+.BR \-i " or " \-\-cache\-use\-ipaddr
+Normally each client IP address is matched against each host identifier
+(name, wildcard, netgroup etc) found in
+.B /etc/exports
+and a combined identity is formed from all matching identifiers.
+Often many clients will map to the same combined identity so performing
+this mapping reduces the number of distinct access details that the
+kernel needs to store.
+Specifying the
+.B \-i
+option suppresses this mapping so that access to each filesystem is
+requested and cached separately for each client IP address. Doing this
+can increase the burden of updating the cache slightly, but can make the
+log messages produced by the
+.B -l
+option easier to read.
+.TP
.B \-F " or " \-\-foreground
Run in foreground (do not daemonize)
.TP
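Review bot: the line `.B -l` in the new text uses an unescaped hyphen while every other option in the hunk is written with `\-` (`.B \-i`, `\-\-cache\-use\-ipaddr`); groff renders `-` as a hyphen and `\-` as a minus sign, so this one option will look different from the others in rendered output and will not be found when searching the page for the escaped form. Change it to `.B \-l`. The description could also say that the same setting is available as `cache-use-ipaddr` in the `[mountd]` section of nfs.conf, since the later hunk adds it to that list.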
@@ -248,6 +265,7 @@ Values recognized in the
.B [mountd]
section include
.BR manage-gids ,
+.BR cache\-use\-ipaddr ,
.BR descriptors ,
.BR port ,
.BR threads ,
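Review bot: adding `cache\-use\-ipaddr` to the list of recognized `[mountd]` keys is the right place, but that list carries no per-key description, so a reader cannot tell it takes a boolean or that it is the equivalent of `-i`; a short sentence to that effect, here or in the `-i` entry above, would close the gap. The list is not alphabetical (manage-gids, descriptors, port, threads), so the position is fine.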


2021-02-25 06:06:32

by NeilBrown

Subject: [PATCH 2/5] mountd: Don't proactively add export info when fh info is requested.

From: NeilBrown <[email protected]>

When an "nfsd.fh" request is received from the kernel, we map the
file-handle prefix to a path name and report that (as required) and then
also add "nfsd.export" information with export flags applicable to that
path.

This is not necessary and was added as a perceived optimisation.
When updating data already in the kernel, it is unlikely to help as the
kernel can be expected to ask for both details at much the same time.
With NFSv3, new information is normally added by a MOUNT rpc request, so
this is irrelevant.
With NFSv4, the kernel requests the "nfsd.export" information when
walking down from ROOT, *before* requesting the nfsd.fh information, so
this "optimisation" causes unnecessary work.

A future patch will add logging of authentication requests, and this
double-handling would result in extra unnecessary log messages.

As this "optimisation" appears to have no practical value and some
(small) cost, let's remove it.

Signed-off-by: NeilBrown <[email protected]>
---
support/export/cache.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/support/export/cache.c b/support/export/cache.c
index 156ebfd4087c..49a761749ec6 100644
--- a/support/export/cache.c
+++ b/support/export/cache.c
@@ -96,7 +96,6 @@ static bool path_lookup_error(int err)
* Record is terminated with newline.
*
*/
-static int cache_export_ent(char *buf, int buflen, char *domain, struct exportent *exp, char *path);

#define INITIAL_MANAGED_GROUPS 100

@@ -870,18 +869,13 @@ static void nfsd_fh(int f)
!is_mountpoint(found->e_mountpoint[0]?
found->e_mountpoint:
found->e_path)) {
- /* Cannot export this yet
+ /* Cannot export this yet
* should log a warning, but need to rate limit
xlog(L_WARNING, "%s not exported as %d not a mountpoint",
found->e_path, found->e_mountpoint);
*/
/* FIXME we need to make sure we re-visit this later */
goto out;
- } else if (cache_export_ent(buf, sizeof(buf), dom, found, found_path) < 0) {
- if (!path_lookup_error(errno))
- goto out;
- /* The kernel is saying the path is unexportable */
- found = NULL;
}

bp = buf; blen = sizeof(buf);
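Review bot: removing the `else if` branch changes what `nfsd_fh()` does when the export lookup would fail: previously a non-path-lookup error from `cache_export_ent` skipped the reply (`goto out`) and a path-lookup error cleared `found` before the reply was built, whereas now the found path is always reported and the decision is deferred to the later nfsd.export request, which the commit message argues the kernel issues anyway. State that behavioural change explicitly in the commit message rather than only "no practical value". Two smaller points: `path_lookup_error` is `static` (see the hunk header above), so if this was its last caller the compiler will warn about an unused function; and the `/* Cannot export this yet` line changes only in whitespace, an unrelated cleanup better kept out of a functional patch.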


2021-03-04 07:50:00

by Steve Dickson

Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access

Hey!

A couple comments...

On 2/24/21 9:42 PM, NeilBrown wrote:
> When NFSv3 is used mountd provides logs of successful and failed mount
> attempts which can be used for auditing.
> When NFSv4 is used there are no such logs as NFSv4 does not have a
> distinct "mount" request.
>
> However mountd still knows about which filesystems are being accessed
> from which clients, and can actually provide more reliable logs than it
> currently does, though they must be more verbose - with periodic "is
> being accessed" message replacing a single "was mounted" message.
>
> This series adds support for that logging, and adds some related
> improvements to make the logs as useful as possible.
>
> NeilBrown
>
> ---
>
> NeilBrown (5):
> mountd: reject unknown client IP when !use_ipaddr.
> mountd: Don't proactively add export info when fh info is requested.
> mountd: add logging for authentication results for accesses.
I wonder if we should mention setting "debug=auth" enables
this logging in the mountd manpage

> mountd: add --cache-use-ipaddr option to force use_ipaddr
> mountd: make default ttl settable by option
These two probably need to be put into the nfs.conf file
and the nfs.conf man page since the conf_get_num()
and conf_get_bool() calls were added.

Finally, I'll add this to my plate, but I'm thinking
the new log-auth and ttl flags probably should be
introduced into nfsv4.exported.

I didn't port over the use-ipaddr flag to exportd,
since I thought it was only used in the v3 mount path
but maybe that was an oversight on my part.

Thoughts?

steved.
>
>
> support/export/auth.c | 4 +++
> support/export/cache.c | 32 +++++++++++------
> support/export/v4root.c | 3 +-
> support/include/exportfs.h | 3 +-
> support/nfs/exports.c | 4 ++-
> utils/mountd/mountd.c | 29 +++++++++++++++-
> utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++
> 7 files changed, 130 insertions(+), 15 deletions(-)
>
> --
> Signature
>

2021-03-04 14:03:11

by NeilBrown

Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access

On Tue, Mar 02 2021, Steve Dickson wrote:

> Hey!
>
> A couple comments...
>
> On 2/24/21 9:42 PM, NeilBrown wrote:
>> When NFSv3 is used mountd provides logs of successful and failed mount
>> attempts which can be used for auditing.
>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>> distinct "mount" request.
>>
>> However mountd still knows about which filesystems are being accessed
>> from which clients, and can actually provide more reliable logs than it
>> currently does, though they must be more verbose - with periodic "is
>> being accessed" message replacing a single "was mounted" message.
>>
>> This series adds support for that logging, and adds some related
>> improvements to make the logs as useful as possible.
>>
>> NeilBrown
>>
>> ---
>>
>> NeilBrown (5):
>> mountd: reject unknown client IP when !use_ipaddr.
>> mountd: Don't proactively add export info when fh info is requested.
>> mountd: add logging for authentication results for accesses.
> I wonder if we should mention setting "debug=auth" enables
> this logging in the mountd manpage

That is already in the mountd man page :-)

>
>> mountd: add --cache-use-ipaddr option to force use_ipaddr
>> mountd: make default ttl settable by option
> These two probably need to be put into the nfs.conf file
> and the nfs.conf man page since the conf_get_num()
> and conf_get_bool() calls were added.

That's done now too.

>
> Finally, I'll add this to my plate, but I'm thinking
> the new log-auth and ttl flags probably should be
> introduced into nfsv4.exported.
>

I'll add that to my patches before resubmitting.

> I didn't port over the use-ipaddr flag to exportd,
> since I thought it was only used in the v3 mount path
> but maybe that was an oversight on my part.

use-ipaddr is not at all v3 specific.
It was originally introduced to handle the fact that a single host could
be in a large number of netgroups, and concatenating the names of all
those netgroups could produce a "domain" name that is too long.
The new option to force it on is useful for access logging, particularly
with NFSv4.

I'll add that to my patches too.

Thanks,
NeilBrown


>
> Thoughts?
>
> steved.
>>
>>
>> support/export/auth.c | 4 +++
>> support/export/cache.c | 32 +++++++++++------
>> support/export/v4root.c | 3 +-
>> support/include/exportfs.h | 3 +-
>> support/nfs/exports.c | 4 ++-
>> utils/mountd/mountd.c | 29 +++++++++++++++-
>> utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++
>> 7 files changed, 130 insertions(+), 15 deletions(-)
>>
>> --
>> Signature
>>
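The client-identity mapping that the `-i`/`--cache-use-ipaddr` man text in PATCH 4/5 and NeilBrown's netgroup explanation above describe, as an added illustration that is not nfs-utils code: each client IP is matched against every host identifier on the export line and the matching identifiers are joined into one combined identity (the "domain" name that can grow too long when a host is in many netgroups), whereas forced use_ipaddr makes the IP itself the identity, so each client is cached and logged separately. The host names, netgroup membership, export identifiers and the matching rules (`fnmatch` for wildcards, CIDR containment for subnets, a name-set lookup for netgroups) are constructed simplifications for this example, not mountd's real client-matching code, and a client matching nothing is reported as None.

```python
import fnmatch
import ipaddress

# Constructed sample data (not from any real /etc/exports or NIS map):
# reverse-DNS names for client IPs, netgroup membership, and the host
# identifiers found on one export line, in file order.
HOSTNAMES = {
    "10.1.0.5": "build1.example.net",
    "10.1.0.6": "build2.example.net",
    "10.2.0.9": "lab.example.net",
    "192.0.2.7": "outsider.example.org",
}
NETGROUPS = {
    "@builders": {"build1.example.net", "build2.example.net"},
    "@trusted": {"build1.example.net", "build2.example.net", "lab.example.net"},
}
EXPORT_IDS = ["*.example.net", "10.1.0.0/24", "@builders", "@trusted"]


def matches(identifier, ip):
    """Does one export host identifier match a client IP?

    Simplified stand-in (assumption) for mountd's client matching: names
    are resolved through the constructed HOSTNAMES table.
    """
    name = HOSTNAMES.get(ip)
    if identifier.startswith("@"):                      # netgroup
        return name in NETGROUPS.get(identifier, set())
    if "/" in identifier:                               # subnet
        return ipaddress.ip_address(ip) in ipaddress.ip_network(identifier, strict=False)
    if any(c in identifier for c in "*?["):             # wildcard on the name
        return name is not None and fnmatch.fnmatchcase(name, identifier)
    return identifier == ip or identifier == name       # exact host


def client_identity(ip, use_ipaddr):
    """Identity under which access for this client is requested and cached.

    With use_ipaddr forced, the IP address itself is the identity.
    Otherwise it is the comma-joined list of every matching identifier,
    as the man page text describes; None means no identifier matched
    (the "unknown client" case that PATCH 1/5 rejects).
    """
    if use_ipaddr:
        return ip
    matched = [ident for ident in EXPORT_IDS if matches(ident, ip)]
    return ",".join(matched) if matched else None


def identity_table(ips, use_ipaddr):
    """Map each client IP to its identity; shows how many distinct
    entries the kernel cache (and the auth log) would carry."""
    return {ip: client_identity(ip, use_ipaddr) for ip in ips}


if __name__ == "__main__":
    for forced in (False, True):
        print("use_ipaddr forced" if forced else "combined identities")
        for ip, ident in identity_table(list(HOSTNAMES), forced).items():
            print(f"  {ip:<12} -> {ident}")
```

With the combined mapping the two build hosts collapse onto one identity string, the lab host gets a second one, and the outsider matches nothing; with forcing on, every client appears under its own address, which is what makes the per-access log lines easy to attribute.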



2021-03-04 17:27:06

by Steve Dickson

Subject: Re: [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access



On 3/3/21 5:28 PM, NeilBrown wrote:
> On Tue, Mar 02 2021, Steve Dickson wrote:
>
>> Hey!
>>
>> A couple comments...
>>
>> On 2/24/21 9:42 PM, NeilBrown wrote:
>>> When NFSv3 is used mountd provides logs of successful and failed mount
>>> attempts which can be used for auditing.
>>> When NFSv4 is used there are no such logs as NFSv4 does not have a
>>> distinct "mount" request.
>>>
>>> However mountd still knows about which filesystems are being accessed
>>> from which clients, and can actually provide more reliable logs than it
>>> currently does, though they must be more verbose - with periodic "is
>>> being accessed" message replacing a single "was mounted" message.
>>>
>>> This series adds support for that logging, and adds some related
>>> improvements to make the logs as useful as possible.
>>>
>>> NeilBrown
>>>
>>> ---
>>>
>>> NeilBrown (5):
>>> mountd: reject unknown client IP when !use_ipaddr.
>>> mountd: Don't proactively add export info when fh info is requested.
>>> mountd: add logging for authentication results for accesses.
>> I wonder if we should mention setting "debug=auth" enables
>> this logging in the mountd manpage
>
> That is already in the mountd man page :-)
Sorry I must have missed it...

>
>>
>>> mountd: add --cache-use-ipaddr option to force use_ipaddr
>>> mountd: make default ttl settable by option
>> These two probably need to be put into the nfs.conf file
>> and the nfs.conf man page since the conf_get_num()
>> and conf_get_bool() calls were added.
>
> That's done now too.
Thank you!

>
>>
>> Finally, I'll add this to my plate, but I'm thinking
>> the new log-auth and ttl flags probably should be
>> introduced into nfsv4.exported.
>>
>
> I'll add that to my patches before resubmitting.
Thank you again!

>
>> I didn't port over the use-ipaddr flag to exportd,
>> since I thought it was only used in the v3 mount path
>> but maybe that was an oversight on my part.
>
> use-ipaddr is not at all v3 specific.
> It was originally introduced to handle the fact that a single host could
> be in a large number of netgroups, and concatenating the names of all
> those netgroups could produce a "domain" name that is too long.
> The new option to force it on is useful for access logging, particularly
> with NFSv4.
>
> I'll add that to my patches too.
Perfect!

steved.
>
> Thanks,
> NeilBrown
>
>
>>
>> Thoughts?
>>
>> steved.
>>>
>>>
>>> support/export/auth.c | 4 +++
>>> support/export/cache.c | 32 +++++++++++------
>>> support/export/v4root.c | 3 +-
>>> support/include/exportfs.h | 3 +-
>>> support/nfs/exports.c | 4 ++-
>>> utils/mountd/mountd.c | 29 +++++++++++++++-
>>> utils/mountd/mountd.man | 70 ++++++++++++++++++++++++++++++++++++++
>>> 7 files changed, 130 insertions(+), 15 deletions(-)
>>>
>>> --
>>> Signature
>>>