Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37203C38142 for ; Tue, 31 Jan 2023 22:47:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232046AbjAaWrr (ORCPT ); Tue, 31 Jan 2023 17:47:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40414 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232051AbjAaWrq (ORCPT ); Tue, 31 Jan 2023 17:47:46 -0500 Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 98D3054210 for ; Tue, 31 Jan 2023 14:47:36 -0800 (PST) Received: by mail-pj1-x1036.google.com with SMTP id l4-20020a17090a850400b0023013402671so128537pjn.5 for ; Tue, 31 Jan 2023 14:47:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Zu+UveQQ7/6hjal8Wp4useyLiFQ+PWTQ0D0Hw2Wr6Q0=; b=kd83u5/62K15p6FEvIFb03qG4AyZtkCRpl1vlmFbQOzqGQJx4j+Xk20/M4L9NV8tIo wfpJl3a19+w5jXxJVNAYiA5lU0hN7aeSevF3+GCf0GFi00iEMc+P9WVPElmr/rq8xw41 H/f/UFBefS+IS5MEHp0TnnGo8CjTkQkvGCQ0Efx6IrbVxm9bVpn5KT1zp3aBW85RbkYT pB4fWByGzBmo+WBmUj0NDRtAYyvrBIUU/8tZgnPLnt0brgEfG2nzd2LyR9lmwyw9EMfo 60QM6xYC1UNbWF7qIlm8vQY3qYfmh7LFJGZu7hp0nj2vrvldriRVubIj11M1e9jOf+QZ LByw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Zu+UveQQ7/6hjal8Wp4useyLiFQ+PWTQ0D0Hw2Wr6Q0=; b=RldwJ+n5vEK7CsQW45Q6cOrU0Okd8ygzAQrNramU7u4N1364UttWazgNbYqbWumJWp 22jQPpmb1U15kYGuLl8Qi3/TPr9D0L4MteTekurvVqpn+NJGMJ4uzkB5AYpVpzsWXmV3 Lw/wCEFqFVl1GlmTKQ1c8Zs3RrXaCe9cSmdEbvQDokwwQqtgT5r1tfUQJ1Lqt9tngV/2 z9lnT3eK0ehKy3wZbHv5Sn0g4+GoMsJhBtW/WLdZNYBZxuUPViyZ6lZzcKoXu44tp9Sg jFwLpjCmelfR/sQx3vm7crYgGv/RLovkFhFvRcTGqBKMtluRz1yE6/m2TStIjY4v/UKq /7ew== X-Gm-Message-State: AO0yUKVPViRkJDSe0IlzXjV5KNIaITgqxBkLS9daLWLpk9kSdFU7utWE txF2lnT8TmgfduR0GmNP3TAFcIpxLvXrriKS5zQ= X-Google-Smtp-Source: AK7set+Eq9g3Z8g8MH21q9wyecgusDEu/44L8FtOEAa4Jv3GtUQKzqttnV64xKlyNBgw5hTospDgO7tmL+7VBDf/J/Y= X-Received: by 2002:a17:902:e74f:b0:196:1c5a:55cf with SMTP id p15-20020a170902e74f00b001961c5a55cfmr124033plf.15.1675205256031; Tue, 31 Jan 2023 14:47:36 -0800 (PST) MIME-Version: 1.0 References: <654e3b7d15992d191b2b2338483f29aec8b10ee1.camel@kernel.org> <3c02bd2df703a68093db057c51086bbf767ffeb1.camel@kernel.org> <936efa478e786be19cb9715eba1941ebc4f94a1b.camel@kernel.org> <2bc328a4a292eb02681f8fc6ea626e83f7a3ae85.camel@kernel.org> <0BBE155A-CE56-40F7-A729-85D67A9C0CC3@oracle.com> In-Reply-To: From: Olga Kornievskaia Date: Tue, 31 Jan 2023 17:47:24 -0500 Message-ID: Subject: Re: Zombie / Orphan open files To: "Andrew J. Romero" Cc: Chuck Lever III , Jeff Layton , Linux NFS Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Tue, Jan 31, 2023 at 5:26 PM Andrew J. Romero wrote: > > Hi Olga > > This is great info ! > > Can you make sure that the host principal is not granted any > read or write access ( via ACL entry, owner, group or Everyone access) > to the actual directory and file being opened. > > If, by spec or well established convention, the client host principal just needs to submit the "close request" > to the NFS server ; but, needs no access to the actual directory tree or files, then > my NAS vendor will need to take action. > > If I need to grant directory / file access to all host principals on-site > I will probably get serious computer-security opposition. Closing a file has nothing to do with having access to the file. As per spec, doing state operations should be allowed by the machine principal. Here's the paragraph of the spec stating that things like CLOSE must be allowed: In cases where the server's security policies on a portion of its namespace require RPCSEC_GSS authentication, a client may have to use an RPCSEC_GSS credential to remove per-file state (e.g., LOCKU, CLOSE, etc.). The server may require that the principal that removes the state match certain criteria (e.g., the principal might have to be the same as the one that acquired the state). However, the client might not have an RPCSEC_GSS context for such a principal, and might not be able to create such a context (perhaps because the user has logged off). When the client establishes SP4_MACH_CRED or SP4_SSV protection, it can specify a list of operations that the server MUST allow using the machine credential (if SP4_MACH_CRED is used) or the SSV credential (if SP4_SSV is used). If the NAS vendor is disallowing it then they are in the wrong. > > Thanks ! > > Andy > > > > > What you describe --- having different views of state on the client > > and server -- is not a known common behaviour. > > > > I have tried it on my Kerberos setup. > > Gotten a 5min ticket. > > As a user opened a file in a process that went to sleep. > > My user credentials have expired (after 5mins). I verified that by > > doing an "ls" on a mounted filesystem which resulted in permission > > denied error. > > Then I killed the application that had an opened file. This resulted > > in a NFS CLOSE being sent to the server using the machine's gss > > context (which is a default behaviour of the linux client regardless > > of whether or not user's credentials are valid). > > > > Basically as far as I can tell, a linux client can handle cleaning up > > state when user's credentials have expired. > > > > > > > > > > > > Andy > > > > > > > > > > > > > > >