2008-11-04 15:43:32

by Brian J. Murrell

[permalink] [raw]
Subject: gssapi and nfs4

Hi all,

So, as I stated previously, I've migrated a few of my mounts to nfs4
with gssapi to solve the limit of 16 supplemental groups issue with the
SYS security model.

I have taken notice of the gssapi export specification:

/mnt/data gss/krb5i(<export_options>)

So with gssapi, gone is the concept of limiting exports to ip/netmasks
as well as exporting to different machines (as identified by
ip/netmasks) with different export options. Is that correct?

How do those concepts map to gssapi then?

I realize that being a newbie to this gssapi use of nfs, this is all
probably pretty basic for most everyone here. Is there some documents
that you could suggest for a person familiar with the SYS/nfs3 security
model to read in understanding the concepts of GSS/nfs4. Or if you are
willing to entertain my newbie questions, let me know and I will ask
away, but I don't want to presume.

Thanx,
b.




2008-11-04 18:10:27

by Andy Adamson

[permalink] [raw]
Subject: Re: gssapi and nfs4

Hi

On Tue, Nov 4, 2008 at 10:43 AM, Brian J. Murrell <[email protected]> wrote:
> Hi all,
>
> So, as I stated previously, I've migrated a few of my mounts to nfs4
> with gssapi to solve the limit of 16 supplemental groups issue with the
> SYS security model.
>
> I have taken notice of the gssapi export specification:
>
> /mnt/data gss/krb5i(<export_options>)

In general, the instructions at the CITI web site will be useful.

>From http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html:

Mounting and exporting krb5

To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.

To export a filesystem using krb5, add the export option "sec=krb5".
(Note: if your kernel is older than 2.6.23, or nfs-utils older than
1.1.1, you will instead need to export to a special client named
"gss/krb5".)

>
> So with gssapi, gone is the concept of limiting exports to ip/netmasks
> as well as exporting to different machines (as identified by
> ip/netmasks) with different export options. Is that correct?

So instead of using the old "gss/krb5" which indeed did replace the
ip/netmasks list, you can now specify the use of gssapi with an export
option, and still set ip/netmasks.


-->Andy

> How do those concepts map to gssapi then?
>
> I realize that being a newbie to this gssapi use of nfs, this is all
> probably pretty basic for most everyone here. Is there some documents
> that you could suggest for a person familiar with the SYS/nfs3 security
> model to read in understanding the concepts of GSS/nfs4. Or if you are
> willing to entertain my newbie questions, let me know and I will ask
> away, but I don't want to presume.
>
> Thanx,
> b.
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

2008-11-04 18:53:20

by Brian J. Murrell

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Tue, 2008-11-04 at 13:00 -0500, William A. (Andy) Adamson wrote:
> Hi

Hello,

> In general, the instructions at the CITI web site will be useful.
>
> From http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html:
>
> Mounting and exporting krb5
>
> To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.

Indeed.

> To export a filesystem using krb5, add the export option "sec=krb5".
> (Note: if your kernel is older than 2.6.23, or nfs-utils older than
> 1.1.1, you will instead need to export to a special client named
> "gss/krb5".)

Ahhh. This, I did not know.

> So instead of using the old "gss/krb5" which indeed did replace the
> ip/netmasks list, you can now specify the use of gssapi with an export
> option, and still set ip/netmasks.

Cool. I think it's still useful to be able to provide some exports as
ro (i.e. forced ro by the server) to some machines (and rw to others)
even with gssapi, yes?

I did notice the bit of text about the single pseudo filesystem. Given
that on my server, I exported a number of filesystems, including / to
privileged (I'm in a very small and trusted environment) clients, it
seemed natural to just set / to fsid 0. I also exported the few other
exports I wanted some nfs4 clients to mount as such:

/ gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
/home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
/mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
/mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)

where those are all on different filesystems on the server. I'm
starting to feel like this is not how it's supposed to be done.

b.



2008-11-04 22:48:19

by J. Bruce Fields

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Tue, Nov 04, 2008 at 01:53:17PM -0500, Brian J. Murrell wrote:
> On Tue, 2008-11-04 at 13:00 -0500, William A. (Andy) Adamson wrote:
> > Hi
>
> Hello,
>
> > In general, the instructions at the CITI web site will be useful.
> >
> > From http://www.citi.umich.edu/projects/nfsv4/linux/using-nfsv4.html:
> >
> > Mounting and exporting krb5
> >
> > To mount a filesystem using krb5, provide the "-osec=krb5" option to mount.
>
> Indeed.
>
> > To export a filesystem using krb5, add the export option "sec=krb5".
> > (Note: if your kernel is older than 2.6.23, or nfs-utils older than
> > 1.1.1, you will instead need to export to a special client named
> > "gss/krb5".)
>
> Ahhh. This, I did not know.
>
> > So instead of using the old "gss/krb5" which indeed did replace the
> > ip/netmasks list, you can now specify the use of gssapi with an export
> > option, and still set ip/netmasks.
>
> Cool. I think it's still useful to be able to provide some exports as
> ro (i.e. forced ro by the server) to some machines (and rw to others)
> even with gssapi, yes?

You can still vary ro/rw based on machine or security flavor; e.g.

/home foo(sec=krb5,ro)
/home bar(sec=krb5,rw)

or

/home foo(ro,sec=krb5,rw)

(readable by all users, writeable only by krb5 users). This should all
be documented by "man exports".

> I did notice the bit of text about the single pseudo filesystem. Given
> that on my server, I exported a number of filesystems, including / to
> privileged (I'm in a very small and trusted environment) clients, it
> seemed natural to just set / to fsid 0. I also exported the few other
> exports I wanted some nfs4 clients to mount as such:
>
> / gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
> /home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
> /mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
> /mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)
>
> where those are all on different filesystems on the server. I'm
> starting to feel like this is not how it's supposed to be done.

That'll work--but do you really want "/" to be accessible (writeable,
even!) over nfs?

--b.

2008-11-05 05:25:40

by Brian J. Murrell

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Tue, 2008-11-04 at 17:48 -0500, J. Bruce Fields wrote:
>
> You can still vary ro/rw based on machine or security flavor; e.g.
>
> /home foo(sec=krb5,ro)
> /home bar(sec=krb5,rw)

Excellent.

> or
>
> /home foo(ro,sec=krb5,rw)
>
> (readable by all users, writeable only by krb5 users).

Ahhh. Very interesting.

> This should all
> be documented by "man exports".

Yes, it appears to be. My use of gss/krb5(...) was from some "howto"s
that I found on the web. Seems they are tad dated.


> > I did notice the bit of text about the single pseudo filesystem. Given
> > that on my server, I exported a number of filesystems, including / to
> > privileged (I'm in a very small and trusted environment) clients, it
> > seemed natural to just set / to fsid 0. I also exported the few other
> > exports I wanted some nfs4 clients to mount as such:
> >
> > / gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
> > /home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
> > /mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
> > /mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)
> >
> > where those are all on different filesystems on the server. I'm
> > starting to feel like this is not how it's supposed to be done.
>
> That'll work--but do you really want "/" to be accessible (writeable,
> even!) over nfs?

Writable, probably not, not for most anyway. A very select few,
perhaps. But still, probably not even readable for most. So how to
solve? Not export / as the pseudo filesystem? Or use an ip/netmask
that makes it impossible to match, or as the one bit of text I read
offered, bind mount everything you want to export into your "export"
tree? This last option seems a bit cumbersome given that everything I
want to export is already mounted and available under /.

Is there any way to limit/match on krb5 principals rather than IPs?

So in the situation of exporting / as fsid 0 (but this would be equally
applicable to an "/export" configuration that bind mounted a filesystem
under /export and then bind mounted a filesystem under that) given that
I have other filesystems mounted under / that I want to export as well,
(i.e. /usr) it's seemed necessary to use the "crossmnt" option on the
fsid 0 export. Is this correct?

So if I do export / as fsid=0,ro my guess is that I have to also export
any subdirs that I want to make "rw" separately, and mount them
separately on the client. i.e.

/ 10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
/home 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
/d 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
/d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)

and on the clinet:

pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
pc # mount -t nfs4 -o sec=krb5 server:/d /d
pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub

To have /home rw under /mnt/server. It would be there but ro without
the second mount, yes?

It also appears that for the above case of /d and /d/sub I need the
crossmnt option on /d or I don't see anything in /d/sub even though I've
exported and mounted it individually. Does this seem like the expected
behaviour or a bug? It's important to be able to do because I might
want to be able to export /d to certain hosts without giving them access
to mountpoints within /d as I have done above with /d/sub and pc. If I
use crossmnt which my experience is showing I need, then /d/sub is
exposed to all of 10.75.22.0/24 which is not what I want.

Thanx,
b.




Attachments:
signature.asc (197.00 B)
This is a digitally signed message part

2008-11-05 19:02:37

by J. Bruce Fields

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Wed, Nov 05, 2008 at 12:25:29AM -0500, Brian J. Murrell wrote:
> On Tue, 2008-11-04 at 17:48 -0500, J. Bruce Fields wrote:
> >
> > You can still vary ro/rw based on machine or security flavor; e.g.
> >
> > /home foo(sec=krb5,ro)
> > /home bar(sec=krb5,rw)
>
> Excellent.
>
> > or
> >
> > /home foo(ro,sec=krb5,rw)
> >
> > (readable by all users, writeable only by krb5 users).
>
> Ahhh. Very interesting.
>
> > This should all
> > be documented by "man exports".
>
> Yes, it appears to be. My use of gss/krb5(...) was from some "howto"s
> that I found on the web. Seems they are tad dated.
>
>
> > > I did notice the bit of text about the single pseudo filesystem. Given
> > > that on my server, I exported a number of filesystems, including / to
> > > privileged (I'm in a very small and trusted environment) clients, it
> > > seemed natural to just set / to fsid 0. I also exported the few other
> > > exports I wanted some nfs4 clients to mount as such:
> > >
> > > / gss/krb5i(rw,insecure,sync,wdelay,no_subtree_check,no_root_squash,fsid=0,crossmnt,anonuid=65534,anongid=65534)
> > > /home gss/krb5i(rw,no_root_squash,sync,subtree_check,anonuid=65534,anongid=65534)
> > > /mnt/data gss/krb5i(rw,sync,subtree_check,crossmnt,anonuid=65534,anongid=65534)
> > > /mnt/data/photos gss/krb5i(rw,sync,subtree_check,anonuid=65534,anongid=65534)
> > >
> > > where those are all on different filesystems on the server. I'm
> > > starting to feel like this is not how it's supposed to be done.
> >
> > That'll work--but do you really want "/" to be accessible (writeable,
> > even!) over nfs?
>
> Writable, probably not, not for most anyway. A very select few,
> perhaps. But still, probably not even readable for most. So how to
> solve? Not export / as the pseudo filesystem? Or use an ip/netmask
> that makes it impossible to match, or as the one bit of text I read
> offered, bind mount everything you want to export into your "export"
> tree? This last option seems a bit cumbersome given that everything I
> want to export is already mounted and available under /.

Unfortunately that last option's the only practical approach right now.
We're working to simplify this.

> Is there any way to limit/match on krb5 principals rather than IPs?

No. You can use ordinary file permissions on the exported files and
directories, assuming the principal names are of the form
local-user-name@REALM.

> So in the situation of exporting / as fsid 0 (but this would be equally
> applicable to an "/export" configuration that bind mounted a filesystem
> under /export and then bind mounted a filesystem under that) given that
> I have other filesystems mounted under / that I want to export as well,
> (i.e. /usr) it's seemed necessary to use the "crossmnt" option on the
> fsid 0 export. Is this correct?

Yes.

> So if I do export / as fsid=0,ro my guess is that I have to also export
> any subdirs that I want to make "rw" separately,

Right.

> and mount them separately on the client. i.e.

If you want to. If you want to just mount the whole of / at one point
in the client filesystem, you can also do that, and the client will
automatically mount the filesystems underneath as it traverses into
them.

>
> / 10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
> /home 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
> /d 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
> /d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
>
> and on the clinet:
>
> pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
> pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
> pc # mount -t nfs4 -o sec=krb5 server:/d /d
> pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub
>
> To have /home rw under /mnt/server. It would be there but ro without
> the second mount, yes?
>
> It also appears that for the above case of /d and /d/sub I need the
> crossmnt option on /d or I don't see anything in /d/sub even though I've
> exported and mounted it individually. Does this seem like the expected
> behaviour or a bug?

That's expected.

> It's important to be able to do because I might
> want to be able to export /d to certain hosts without giving them access
> to mountpoints within /d as I have done above with /d/sub and pc. If I
> use crossmnt which my experience is showing I need, then /d/sub is
> exposed to all of 10.75.22.0/24 which is not what I want.

If you add a separate export for /d/sub, I think it should override that
behavior. I haven't looked at that recently.

--b.

2008-11-05 19:19:03

by Brian J. Murrell

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Wed, 2008-11-05 at 14:02 -0500, J. Bruce Fields wrote:

> Unfortunately that last option's the only practical approach right now.

Other than exporting / of course.

> We're working to simplify this.

Great.

> If you want to. If you want to just mount the whole of / at one point
> in the client filesystem, you can also do that, and the client will
> automatically mount the filesystems underneath as it traverses into
> them.

That is cool.

> > / 10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
> > /home 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
> > /d 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
> > /d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
> >
> > and on the clinet:
> >
> > pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
> > pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
> > pc # mount -t nfs4 -o sec=krb5 server:/d /d
> > pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub
> >
> > To have /home rw under /mnt/server. It would be there but ro without
> > the second mount, yes?
> >
> > It also appears that for the above case of /d and /d/sub I need the
> > crossmnt option on /d or I don't see anything in /d/sub even though I've
> > exported and mounted it individually. Does this seem like the expected
> > behaviour or a bug?
>
> That's expected.

But causes a problem as below...

> > It's important to be able to do because I might
> > want to be able to export /d to certain hosts without giving them access
> > to mountpoints within /d as I have done above with /d/sub and pc. If I
> > use crossmnt which my experience is showing I need, then /d/sub is
> > exposed to all of 10.75.22.0/24 which is not what I want.
>
> If you add a separate export for /d/sub, I think it should override that
> behavior.

That's what I did and still, I have to use crossmnt on /d and that
exposes /d/sub it to everyone who gets access to /d where my intention
is to only expose /d/sub to the match/limit I put on /d/sub, which is
the single host "pc" in my above scneario.

Let me thank you for all of your great answers.

b.


Attachments:
signature.asc (197.00 B)
This is a digitally signed message part

2008-11-05 19:40:27

by Andy Adamson

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Wed, Nov 5, 2008 at 2:18 PM, Brian J. Murrell <[email protected]> wrote:
> On Wed, 2008-11-05 at 14:02 -0500, J. Bruce Fields wrote:
>
>> Unfortunately that last option's the only practical approach right now.
>
> Other than exporting / of course.
>
>> We're working to simplify this.
>
> Great.
>
>> If you want to. If you want to just mount the whole of / at one point
>> in the client filesystem, you can also do that, and the client will
>> automatically mount the filesystems underneath as it traverses into
>> them.
>
> That is cool.
>
>> > / 10.75.22.0/24(sec=krb5,ro,insecure,sync,wdelay,no_subtree_check,root_squash,fsid=0,crossmnt)
>> > /home 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
>> > /d 10.75.22.0/24(sec=krb5,rw,no_root_squash,sync,no_subtree_check,crossmnt)
>> > /d/sub pc(sec=krb5,rw,no_root_squash,sync,no_subtree_check)
>> >
>> > and on the clinet:
>> >
>> > pc # mount -t nfs4 -o sec=krb5 server:/ /mnt/server
>> > pc # mount -t nfs4 -o sec=krb5 server:/home /mnt/server/home
>> > pc # mount -t nfs4 -o sec=krb5 server:/d /d
>> > pc # mount -t nfs4 -o sec=krb5 server:/d/sub /d/sub
>> >
>> > To have /home rw under /mnt/server. It would be there but ro without
>> > the second mount, yes?
>> >
>> > It also appears that for the above case of /d and /d/sub I need the
>> > crossmnt option on /d or I don't see anything in /d/sub even though I've
>> > exported and mounted it individually. Does this seem like the expected
>> > behaviour or a bug?
>>
>> That's expected.
>
> But causes a problem as below...
>
>> > It's important to be able to do because I might
>> > want to be able to export /d to certain hosts without giving them access
>> > to mountpoints within /d as I have done above with /d/sub and pc. If I
>> > use crossmnt which my experience is showing I need, then /d/sub is
>> > exposed to all of 10.75.22.0/24 which is not what I want.
>>
>> If you add a separate export for /d/sub, I think it should override that
>> behavior.
>
> That's what I did and still, I have to use crossmnt on /d and that
> exposes /d/sub it to everyone who gets access to /d where my intention
> is to only expose /d/sub to the match/limit I put on /d/sub, which is
> the single host "pc" in my above scneario.
>

A better way to limit access is to use ACL's on the directory, which
actually make a difference when running kerberos. :)

-->Andy


> Let me thank you for all of your great answers.
>
> b.
>
>

2008-11-05 19:52:00

by Brian J. Murrell

[permalink] [raw]
Subject: Re: gssapi and nfs4

On Wed, 2008-11-05 at 14:40 -0500, William A. (Andy) Adamson wrote:
>
> A better way to limit access is to use ACL's on the directory,

Yes, indeed. I have been holding off as long as I can on using ACLs
given the lack of integration into the GUI (i.e. gnome) environment thus
far. For example, so far as I know, nautilus does not have any ACL
inspection/modification in it yet. Maybe that's not such a big deal.
Just another layer I guess.

> which
> actually make a difference when running kerberos. :)

Yeah.

FWIU, ACLs would solve the other of the 2 problems that I went to nfs4
with gssapi for anyway and that's being able to more easily allow others
access to files. Unix groups work fine for this as long as you can
control the umask/permission bits a particular application sets on the
files it creates.

While I can create inheritance rules for ownerships in the SYS security
model I can't create (inheritable) umask/permissions rules and have to
rely on either the users' global umask or the application giving, say,
group write permissions to a file. Setting the users' global umask for
that is of course unacceptable and that only leaves attacking the
problem on an application-by-application basis. Yuck.

b.


Attachments:
signature.asc (197.00 B)
This is a digitally signed message part