Feature #42451

closed

mds: add root_squash

Added by Patrick Donnelly over 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
Administration/Usability
Target version:
% Done:

0%

Source:
Community (user)
Tags:
Backport:
Reviewed:
Affected Versions:
Component(FS):
Common/Protocol
Labels (FS):
Pull request ID:

Description

Allow a root squash mode via the MDS capability. The purpose here is not so much to prevent a true adversary (the client always sends a request as the appropriate uid/gid), but instead to prevent an accidental command like, say, rm -r $PTAH/ (where $PATH is presumably something real but $PTAH is not).

"CERN was asking for something even simpler: allow hosts to mount and interact as any user, except prevent root. The specific use-case is to avoid an accidental 'sudo rm -rf ...'.

I think this would take the form of a flag on the normal grant object where root_squash=true. Requests with any uid != 0 would be permitted, but uid == 0 denied. Obviously a malicious user could simply delete each file as the uid the file is owned by, but the purpose of the flag is avoiding user error, not security."


Related issues: 1 (1 open, 0 closed)

Related to CephFS - Bug #56067: Cephfs data loss with root_squash enabled (New)

Actions #1

Updated by Patrick Donnelly over 4 years ago

  • Assignee set to Ramana Raja
Actions #2

Updated by Patrick Donnelly about 4 years ago

  • Target version deleted (v15.0.0)
Actions #3

Updated by Patrick Donnelly almost 4 years ago

  • Category set to Administration/Usability
  • Priority changed from High to Urgent
  • Target version set to v16.0.0
  • Backport set to octopus
Actions #4

Updated by Ramana Raja almost 4 years ago

  • Status changed from New to Need More Info

Would the following syntax in the MDS caps work?

[mds] allow rw root_squash=true, allow r path=/foo

The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0. In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?

Actions #5

Updated by Patrick Donnelly almost 4 years ago

Ramana Raja wrote:

> Would the following syntax in the MDS caps work?
>
> [mds] allow rw root_squash=true, allow r path=/foo
>
> The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0.

Keep in mind that caps are ORed. So, this would prevent uid=0 access to the file system except under /path. Under /path, user has r rights even if uid=0.

> In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?

I think it's simpler to just forbid write access as uid=0.

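To make the ORed-caps point concrete, here is a small model of how the MDS would evaluate the proposed cap string against a request. This is an added illustration, not Ceph's MDS code: the names Grant, parse_mds_caps and is_allowed are assumed, and the squash_denies parameter lets you compare Ramana's proposal (uid 0 loses r and w under a root_squash grant) with Patrick's "forbid write access as uid=0" variant.

```python
from dataclasses import dataclass


@dataclass
class Grant:
    """One 'allow ...' clause of an MDS cap (model only, not Ceph's parser)."""
    perms: str                  # "r" or "rw"
    path: str = "/"             # subtree the grant applies to
    root_squash: bool = False   # proposed flag from the ticket


def parse_mds_caps(caps: str) -> list:
    """Parse e.g. 'allow rw root_squash=true, allow r path=/foo' into grants.
    A bare 'root_squash' token (no '=true') is also accepted as enabling it."""
    grants = []
    for clause in caps.split(","):
        toks = clause.split()
        if len(toks) < 2 or toks[0] != "allow":
            raise ValueError(f"bad clause: {clause!r}")
        g = Grant(perms=toks[1])
        for kv in toks[2:]:
            key, _, val = kv.partition("=")
            if key == "path":
                g.path = val.rstrip("/") or "/"
            elif key == "root_squash":
                g.root_squash = val.lower() in ("", "true", "1")
            else:
                raise ValueError(f"unknown cap option: {key!r}")
        grants.append(g)
    return grants


def grant_covers(g: Grant, path: str) -> bool:
    """True when 'path' lies inside the grant's subtree."""
    return g.path == "/" or path == g.path or path.startswith(g.path + "/")


def is_allowed(grants, uid: int, path: str, want: str, squash_denies="w") -> bool:
    """Caps are ORed: the request succeeds if ANY grant permits it on its own.
    squash_denies: perms a root_squash grant withholds from uid 0
    ("rw" = Ramana's proposal, "w" = Patrick's 'forbid write as uid=0')."""
    for g in grants:
        if not grant_covers(g, path) or want not in g.perms:
            continue
        if g.root_squash and uid == 0 and want in squash_denies:
            continue            # this grant squashes root; try the next one
        return True
    return False


# The cap string under discussion in the ticket.
CAPS = "allow rw root_squash=true, allow r path=/foo"
```

With squash_denies="rw", uid 0 cannot read /bar but can still read /foo through the second grant, which is exactly the OR effect Patrick points out; with squash_denies="w", uid 0 keeps read access everywhere and only loses writes.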
Actions #6

Updated by Ramana Raja over 3 years ago

  • Status changed from Need More Info to In Progress
Actions #7

Updated by Ramana Raja over 3 years ago

  • Pull request ID set to 36457
Actions #8

Updated by Patrick Donnelly over 3 years ago

  • Status changed from In Progress to Fix Under Review
Actions #9

Updated by Patrick Donnelly over 3 years ago

  • Status changed from Fix Under Review to Resolved
  • Backport deleted (octopus)
Actions #10

Updated by Patrick Donnelly almost 2 years ago

  • Related to Bug #56067: Cephfs data loss with root_squash enabled added