Feature #42451: mds: add root_squash
Status: Closed
Description
Allow a root squash mode via the MDS capability. The purpose here is not so much to prevent a true adversary (the client always sends a request as the appropriate uid/gid), but instead to prevent an accidental command like, say, rm -r $PTAH/ (where $PATH is presumably something real but $PTAH is not).
"CERN was asking for something even simpler: allow hosts to mount and interact as any user, except prevent root. The specific use-case is to avoid an accidental 'sudo rm -rf ...'.
I think this would take the form of a flag on the normal grant object where root_squash=true. Requests with any uid != 0 would be permitted, but uid == 0 denied. Obviously a malicious user could simply delete each file as the uid the file is owned by, but the purpose of the flag is avoiding user error, not security."
Updated by Patrick Donnelly almost 4 years ago
- Category set to Administration/Usability
- Priority changed from High to Urgent
- Target version set to v16.0.0
- Backport set to octopus
Updated by Ramana Raja almost 4 years ago
- Status changed from New to Need More Info
Would the following syntax in the MDS caps work?
[mds] allow rw root_squash=true, allow r path=/foo
The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0. In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?
Updated by Patrick Donnelly almost 4 years ago
Ramana Raja wrote:
Would the following syntax in the MDS caps work?
[mds] allow rw root_squash=true, allow r path=/foo
The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0.
Keep in mind that caps are ORed. So, this would prevent uid=0 access to the file system except under /path. Under /path, user has r rights even if uid=0.
In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?
I think it's simpler to just forbid write access as uid=0.
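As an added illustration of the cap semantics debated in this thread (this is not Ceph's code; it assumes the `root_squash=true` syntax Ramana proposed and models caps as ORed grants the way Patrick describes), a small Python evaluator showing why uid=0 keeps read access under /foo while losing everything else:

```python
import re
from dataclasses import dataclass

# Constructed model of the MDS cap grammar discussed here; not Ceph's real parser.
@dataclass
class Grant:
    perms: str                 # e.g. "r" or "rw"
    path: str = "/"            # subtree the grant applies to
    root_squash: bool = False  # if set, this grant never applies to uid 0

GRANT_RE = re.compile(r"allow\s+(?P<perms>[rwp]+)(?P<opts>(?:\s+\w+=\S+)*)")

def parse_caps(caps: str) -> list:
    """Parse 'allow rw root_squash=true, allow r path=/foo' into Grant objects."""
    grants = []
    for clause in caps.split(","):
        m = GRANT_RE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"bad cap clause: {clause!r}")
        opts = dict(kv.split("=", 1) for kv in m.group("opts").split())
        grants.append(Grant(
            perms=m.group("perms"),
            path=opts.get("path", "/"),
            root_squash=opts.get("root_squash", "false").lower() == "true",
        ))
    return grants

def grant_allows(g: Grant, uid: int, path: str, op: str) -> bool:
    """One grant permits the request only if uid, path and op all fit it."""
    if g.root_squash and uid == 0:
        return False
    base = g.path.rstrip("/") + "/"
    if not (path == g.path or path.startswith(base)):
        return False
    return op in g.perms

def allowed(grants: list, uid: int, path: str, op: str) -> bool:
    """Caps are ORed: any single grant that permits the request suffices."""
    return any(grant_allows(g, uid, path, op) for g in grants)

# The exact cap string from the thread.
CAPS = "allow rw root_squash=true, allow r path=/foo"

def check(uid: int, path: str, op: str) -> bool:
    return allowed(parse_caps(CAPS), uid, path, op)
```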
Updated by Ramana Raja over 3 years ago
- Status changed from Need More Info to In Progress
Updated by Patrick Donnelly over 3 years ago
- Status changed from In Progress to Fix Under Review
Updated by Patrick Donnelly over 3 years ago
- Status changed from Fix Under Review to Resolved
- Backport deleted (octopus)
Updated by Patrick Donnelly almost 2 years ago
- Related to Bug #56067: Cephfs data loss with root_squash enabled added