-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Objections to Section 4.3.2 of integration-measurement-06 #6
Comments
From RFC 5661: 5.5. Set-Only and Get-Only Attributes
15.1.6.1. NFS4ERR_ACCESS (Error Code 13)
15.1.6.2. NFS4ERR_PERM (Error Code 1)
15.1.6.3. NFS4ERR_WRONGSEC (Error Code 10016)
The SETATTR operation is permitted to return: NFS4ERR_ACCESS, NFS4ERR_ADMIN_REVOKED, NFS4ERR_ATTRNOTSUPP, NFS4ERR_BADCHAR, NFS4ERR_BADOWNER, NFS4ERR_BADXDR, NFS4ERR_BAD_STATEID, NFS4ERR_DEADSESSION, NFS4ERR_DELAY, NFS4ERR_DELEG_REVOKED, NFS4ERR_DQUOT, NFS4ERR_EXPIRED, NFS4ERR_FBIG, NFS4ERR_FHEXPIRED, NFS4ERR_GRACE, NFS4ERR_INVAL, NFS4ERR_IO, NFS4ERR_LOCKED, NFS4ERR_MOVED, NFS4ERR_NOFILEHANDLE, NFS4ERR_NOSPC, NFS4ERR_OLD_STATEID, NFS4ERR_OPENMODE, NFS4ERR_OP_NOT_IN_SESSION, NFS4ERR_PERM, NFS4ERR_REP_TOO_BIG, NFS4ERR_REP_TOO_BIG_TO_CACHE, NFS4ERR_REQ_TOO_BIG, NFS4ERR_RETRY_UNCACHED_REP, NFS4ERR_ROFS, NFS4ERR_SERVERFAULT, NFS4ERR_STALE, NFS4ERR_TOO_MANY_OPS, NFS4ERR_UNKNOWN_LAYOUTTYPE, NFS4ERR_WRONG_TYPE INVAL, ACCESS, and PERM are all permitted status codes, but WRONGSEC is not. In this case, I think allowing IMA metadata updates when the file content is writable, without any further adornment, is an adequate baseline. |
Possible alternative approach:
|
That's true but it is very difficult to do when there is no definition of "appropriately authorized agents"
First of all no reason is given as to why this is so. Note that:
Perhaps so, but without information about such security policies, this isn't all that helpful.
I don't agree. If the client tries to do an operation and is not allowed to do it, then you have an instance of inter-non-operability :-( Also, if the client has no indication of why this failed (wrong user, wrong client, wrong something else) there is no way to decide how to work around the failure.
It has to be recognized that server flexibility is not an unalloyed good, and that in granting such a large degree of fleixibility (almost unbounded) to the server, you basicallly undercut the value of defining a protocol, to provide interoperability.
If these are not normative requirements, then there are no normatve requirements and I don't see how you can get by saying essentially that the server is free to accept or reject requests as it chooses.
Also, although the word "recommendations" is used, ther are no actual recommendations to make any particular choice as better than another. As to "implementation guidance" what is the implemenation being guided to do?
The use of the word "include" suggests that other ways are allowed/recommended or part of what you are guiding the server to do. These include some silly ones (e.g. do not allow the change of ima metadata in a month that does not include an "r") and some that are not silly at all (e.g. do not allow the change of IMA metdata when done by an unauthenticated client using AUTH_SYS).
If applied to an AUTH_SYS client, this constitutes a glaring security hole. I think this would be Ok, for non-auth-sys as long as NFS4ERR_WRONGSEC is returned if AUTH_SYS is used.
Since the source IP addresses can be spoofed, the value of this is limited.
I think this would be OK, as long NFS4ERR_PERM is returned when the owner is wrong.
If a server is not allowing SETATTR of this attribute, it is really treating this as a get-only attribute, in which case NFS4ERR_INVAL would be the appropriate error to return.
Since each of the above clearly has ann existing constituency, making intra-community comporomise difficult to achieve, let me try to articulate my bottom line:
The text was updated successfully, but these errors were encountered: