Return-Path: Received: from mail-ot0-f170.google.com ([74.125.82.170]:37390 "EHLO mail-ot0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750850AbeFAOAX (ORCPT ); Fri, 1 Jun 2018 10:00:23 -0400 Received: by mail-ot0-f170.google.com with SMTP id 101-v6so6900778oth.4 for ; Fri, 01 Jun 2018 07:00:23 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20180601135033.GA10666@fieldses.org> References: <128c74cb1507d7eab36ac8d32182dbbc7d3f9f88.camel@hammerspace.com> <95e00ce46fe1f5fed50fe24947eee0dda51e0140.camel@hammerspace.com> <828f320cde910a45983d91bddb6477d21c5cae33.camel@hammerspace.com> <20180601135033.GA10666@fieldses.org> From: Miklos Szeredi Date: Fri, 1 Jun 2018 16:00:22 +0200 Message-ID: Subject: Re: nfs4_acl restricts copy_up in overlayfs To: "bfields@fieldses.org" Cc: Trond Myklebust , "rgoldwyn@suse.de" , "agruenba@redhat.com" , "linux-nfs@vger.kernel.org" , "linux-unionfs@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Sender: linux-nfs-owner@vger.kernel.org List-ID: On Fri, Jun 1, 2018 at 3:50 PM, bfields@fieldses.org wrote: > On Fri, Jun 01, 2018 at 03:32:59PM +0200, Miklos Szeredi wrote: >> How do you define "safely"? >> >> Is it safe for root to do >> >> cp -a /nfs/remotedir /tmp/localdir >> >> ? >> >> That's essentially what an overlayfs mount with an NFS layer does with >> respect to access permissions: >> >> - remote files are not modifiable to anyone, unless server allows >> >> - remote files *readable to root* will provide access based on local DAC check. >> >> Does that need to be made clear in the docs? Surely. But it does NOT >> mean it's dangerous or that it's not useful with an arbitrary NFS >> server > > We should definitely have clear documentation, but despite that, in > practice lots of people *will* be surprised when permissions are > enforced differently after copy-up, and those surprises may well have > unpleasant implications. Permissions are enforced exactly the same before and after copy-up. That's one of the good points in doing the permission checks locally. That "cp -a /nfs/remotedir /tmp/localdir" example is almost exactly equivalent to: mount -t overlay -olowerdir=/nfs/remotedir,upperdir=/tmp/upper,... /tmp/localdir except the copy is delayed until modification. Thanks, Miklos