Feature #42451
mds: add root_squash
Description
Allow a root squash mode via the MDS capability. The purpose here is not so much to prevent a true adversary (the client always sends a request as the appropriate uid/gid), but instead to prevent an accidental command like, say, rm -r $PTAH/ (where $PATH is presumably something real but $PTAH is not).
"CERN was asking for something even simpler: allow hosts to mount and interact as any user, except prevent root. The specific use-case is to avoid an accidental 'sudo rm -rf ...'.
I think this would take the form of a flag on the normal grant object where root_squash=true. Requests with any uid != 0 would be permitted, but uid == 0 denied. Obviously a malicious user could simply delete each file as the uid the file is owned by, but the purpose of the flag is avoiding user error, not security."
History
#1 Updated by Patrick Donnelly about 1 year ago
- Assignee set to Ramana Raja
#2 Updated by Patrick Donnelly 12 months ago
- Target version deleted (v15.0.0)
#3 Updated by Patrick Donnelly 7 months ago
- Category set to Administration/Usability
- Priority changed from High to Urgent
- Target version set to v16.0.0
- Backport set to octopus
#4 Updated by Ramana Raja 6 months ago
- Status changed from New to Need More Info
Would the following syntax in the MDS caps work?
[mds] allow rw root_squash=true, allow r path=/foo
The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0. In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?
#5 Updated by Patrick Donnelly 6 months ago
Ramana Raja wrote:
Would the following syntax in the MDS caps work?
[mds] allow rw root_squash=true, allow r path=/foo
The client mounting using the cephx auth ID having the above caps will have no read or write access to the file systems when its uid=0.
Keep in mind that caps are ORed. So, this would prevent uid=0 access to the file system except under /path. Under /path, user has r rights even if uid=0.
In NFS, enabling root_squash converts uid=0 to anonymous uid, whose default value can be changed. Is this something we want to implement later or now?
I think it's simpler to just forbid write access as uid=0.
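The cap semantics discussed in this thread, modelled as an added example (not Ceph's MDSAuthCaps code): grants are parsed from the proposed syntax, ORed together as comment #5 notes, and root_squash follows the simplification in that comment, denying only write operations when uid == 0. The parser, the Grant type and the prefix-based path match are assumptions of this model, not the project's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Grant:
    write: bool            # 'w' present in the permission string
    path: Optional[str]    # None means the whole file system
    root_squash: bool      # deny writes from uid 0 for this grant


def parse_caps(caps: str) -> List[Grant]:
    """Parse e.g. 'allow rw root_squash=true, allow r path=/foo' into grants."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow":
            raise ValueError(f"bad cap clause: {clause!r}")
        perms, opts = tokens[1], tokens[2:]
        if not perms or not set(perms) <= {"r", "w"}:
            raise ValueError(f"bad permission string: {perms!r}")
        grant = Grant(write="w" in perms, path=None, root_squash=False)
        for opt in opts:
            key, _, val = opt.partition("=")
            if key == "path":
                grant.path = val.rstrip("/") or "/"
            elif key == "root_squash":
                grant.root_squash = val.lower() == "true"
            else:
                raise ValueError(f"unknown cap option: {opt!r}")
        grants.append(grant)
    return grants


def grant_permits(grant: Grant, uid: int, path: str, want_write: bool) -> bool:
    """A single grant's verdict; a request needs only one grant to say yes."""
    if grant.path not in (None, "/"):
        if path != grant.path and not path.startswith(grant.path + "/"):
            return False          # request lies outside this grant's subtree
    if want_write and not grant.write:
        return False
    if want_write and grant.root_squash and uid == 0:
        return False              # root_squash: root may read but not write
    return True


def is_allowed(caps: str, uid: int, path: str, want_write: bool) -> bool:
    """Grants are ORed: the request passes if any grant permits it."""
    return any(grant_permits(g, uid, path, want_write) for g in parse_caps(caps))
```

With "allow rw root_squash=true, allow rw path=/scratch", root is still able to write under /scratch because the second grant matches, which is the ORing caveat raised above.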
#6 Updated by Ramana Raja 6 months ago
- Status changed from Need More Info to In Progress
#7 Updated by Ramana Raja 6 months ago
- Pull request ID set to 36457
#8 Updated by Patrick Donnelly 6 months ago
- Status changed from In Progress to Fix Under Review
#9 Updated by Patrick Donnelly 4 months ago
- Status changed from Fix Under Review to Resolved
- Backport deleted (octopus)