Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1679264pxb; Wed, 20 Oct 2021 09:39:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzOeGjw4raRsaov2WLtI3imjQcBx9kCtlgXDOOGboTeC1mJolYJYBdf16lnDl/UYUKKTiiX X-Received: by 2002:a17:902:7d8b:b0:13f:7f35:674d with SMTP id a11-20020a1709027d8b00b0013f7f35674dmr176606plm.70.1634747988106; Wed, 20 Oct 2021 09:39:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634747988; cv=none; d=google.com; s=arc-20160816; b=sRFF+mQEMCoSxBP5IZ8m3LnPJayxDFFK1NMI6ECRsbpZVY4x6xGtegd3fSF4RYiHC0 r64c22dl1XjE0b5CgiORcbVEnSYay8pqb3adib/n8NcsdDjmbsPhGwXONLkQa8RUBYu5 LhGXje8T06fzFJxYpeccADgx3WMQWDrh0QDYZ75Pe6WhK7toubd1HBflkH22pL1OY66t DnaC+NvH2ykPOzYb2SCilkaKKUOBUI/xOayLGL+kVGeTIs7hCWABPw/yK3gCaj7U+To3 vXNXi+ih7ce6RDSQu9ZnuaYyyrEIDg4B+mMlSWS44tDvi4ikE903t/ya8Drt/UswXD7M 28Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=zQ9AaBcF3Owlwwsa14pA64T4lvNly106zJ1l9eYbveM=; b=IHqKtgU4l/1s0YpQCEp2pdRhv/bFnxWIX8OAuki9pnPlRd5EHYhOyKWZE95/6CV9aS KHKjP+hDzGQkLshe+VpjMsh7dhGvgcoMNNYM+61Mr4LesAf9D9SbR6Azwt++jnNxYLrk fSOsT/DVoL25yDn2j/FH+5ath9dpwJX7HddMzT+wS0VlTBvceM/lzNcKhyGconiSueM5 ABOzOefFahJUILa7ACBrYZnr7Xz990e9pF1G1siVGmrzReIpbxpw8QIOhInT88KX10Ot Djdrhe5W+s2pP2TREKcEKjIn/WbB9bPmQVEoSa6IZD8Xhy876ZHckY8loTiXHAg2+mQf srSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=N1cb7MJ2; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l4si3488555pgh.628.2021.10.20.09.39.23; Wed, 20 Oct 2021 09:39:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=N1cb7MJ2; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230076AbhJTQjo (ORCPT + 99 others); Wed, 20 Oct 2021 12:39:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53314 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230219AbhJTQjn (ORCPT ); Wed, 20 Oct 2021 12:39:43 -0400 Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9BCAC06161C for ; Wed, 20 Oct 2021 09:37:25 -0700 (PDT) Received: by mail-ed1-x52f.google.com with SMTP id g10so27606648edj.1 for ; Wed, 20 Oct 2021 09:37:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zQ9AaBcF3Owlwwsa14pA64T4lvNly106zJ1l9eYbveM=; b=N1cb7MJ28VsYbBO6bEBPOu2UjditeIzwreOE3qlk2B1cVHNLgwPDVObmjaPjGPg5z/ xf9pqiRklPUptpIfuYcpP+IB9WMbLX0uGOi3ojLIOZXtlTpfIbw7SnVdWFOygQZ1WiiC iyMifpwhNT0mWqg+ROgA7hABTup179o7LKRXHp+CtOe6milXzvGpp6oeB1+ifHEZ/yhx yZoCy8sDAEcbgKoZDdhKQgBLSjuLQJcNpbEj/GNgi0GtLppgOvd93FzZZ/t3Qc/90I2h 3m9Qj7bzNBHeenyBuE8jra0/hGlnaCcnbUXh7xo+gnmaqCFwpSHVLlriWPGCFNB4IDFy yDBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zQ9AaBcF3Owlwwsa14pA64T4lvNly106zJ1l9eYbveM=; b=XumstNIcq6tIToJNzz6ZavmbhoE9Hg6VxSfe7Y1axDi1WvEdvDT2bEuLrYwULDNtuO 2ezNsDDwpC3iooyRkhNFDShHRRvzfDYeerUzcsiByPeEfXcmuYiN5VwSdyhKYxH+voWB 4girsp4VmnU6rs5tqY4Tkf6Vgt+f7EHpshowVlqpuO+7EAevgnXaInazGa4K0+G/6kXk B0teXQlfBOC5oMR24WAfzXfNUKU+gL9QhCtWEO+3+D8Qbyg+ezarJxF09jAd5ai1AT4O 760l6JDe/VqnQTKsDI4uTBBBjVpzj7J/Dg3qu8rr5BNLPtEsnrjs0A9m/XIzD/J5F/gf CAYw== X-Gm-Message-State: AOAM531dUQijuuf3X2CpN3WVp6EsTIvBKqds1KnxwNhsSIik7iGyhPaP QJyu0RzziTpiy5kkf2oXV2nkGYMJmqVzsPHkjwI= X-Received: by 2002:a05:6402:510c:: with SMTP id m12mr5893edd.33.1634747839956; Wed, 20 Oct 2021 09:37:19 -0700 (PDT) MIME-Version: 1.0 References: <20211020155421.GC597@fieldses.org> In-Reply-To: <20211020155421.GC597@fieldses.org> From: Olga Kornievskaia Date: Wed, 20 Oct 2021 12:37:08 -0400 Message-ID: Subject: Re: server-to-server copy by default To: "J. Bruce Fields" Cc: linux-nfs , Dai Ngo , Steve Dickson , Chuck Lever Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, Oct 20, 2021 at 11:54 AM J. Bruce Fields wrote: > > knfsd has supported server-to-server copy for a couple years (since > 5.5). You have set a module parameter to enable it. I'm getting asked > when we could turn that parameter on by default. > > I've got a couple vague criteria: one just general maturity, the other a > security question: > > 1. General maturity: the only reports I recall seeing are from testers. > Is anyone using this? Does it work for them? Do they find a benefit? > Maybe we could turn it on by default in one distro (Fedora?) and promote > it a little and see what that turns up? > > 2. Security question: with server-to-server copy enabled, you can send > the server a COPY call with any random address, and the server will > mount that address, open a file, and read from it. Is that safe? How about adding a piece then on the server (a policy) that would only control that? The concept behind the server-to-server was that servers might have a private/fast network between them that they would want to utilize. A more restrictive policy could be to only allow predefined network space to do the COPY? I know that more work. But sound like perhaps it might be something that provides more control to the server. But as Chuck pointed out perhaps the kerberos piece would make this concern irrelevant. > Normally we only mount servers that were chosen by root. Here we'll > mount any random server that some client told us to. What's the worst > that random server can do? Do we trust our xdr decoding? Can it DOS us > by throwing the client's state recovery code into some loop with weird > error returns? Etc. Client code has been modified to know about special copy stateids that if the client gets BAD_STATEID it knows not to try to do recovery and instead it errors back to the "application", it being nfsd. > Maybe it's fine. I'm OK with some level of risk. I just want to make > sure somebody's thought this through. > > There's also interest in allowing unprivileged NFS mounts, but I don't > think we've turned that on yet, partly for similar reasons. This is a > subset of that problem. > > --b.