https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-3866 Lustre <p>We have two kinds of missing permission checks in HSM. I'll call them "bad" and "less-bad."</p> <p>Here are the bad ones: By guessing its FID an unprivileged user can archive and restore an arbitrary file, even one which is otherwise inaccessible. An unprivileged user can also cancel running HSM actions on an arbitrary file, and send a remove command.</p> <p>If write permission for other is set on the file then an unprivileged user can get about 1/2 through HSM release, failing at the call to mo_xattr_set() on the orphan, just before layout_swap.</p> <p>The less-bad ones involve the rights to perform various HSM operations on a file owned by the user. In this case there is some disagreement about what should be allowed (some discussion on <a href="https://jira.whamcloud.com/browse/LU-3811" title="non-root users cannot archive files, root cannot archive non-root users&#39; files" class="issue-link" data-issue-key="LU-3811"><del>LU-3811</del></a>).</p> <p>Some questions: Which less-bad operations should be permitted by default? How should additional permissions be granted? (/proc tunable, setuid() binary, policy tool?) Should explicit restore be treated differently from implicit restore?</p> <p>I propose that by default all explicit HSM actions require root or CAP_SYS_ADMIN. The next level can be enabled via /proc and allows explicit archive, release, and restore to the file owner.</p> LU-3866

missing permission checks on HSM operations

Technical task LU-3647 Blocker Resolved Fixed John Hammond John Hammond HSM Fri, 30 Aug 2013 17:00:37 +0000 Tue, 8 Oct 2013 16:38:03 +0000 Tue, 8 Oct 2013 16:38:03 +0000 Lustre 2.5.0 Lustre 2.5.0 0 12 <p>Bruno</p> <p>Could you please look into this one?</p> <p>Thanks</p> <p>Peter</p> <p>Also the CT ioctls LL_IOC_HSM_CT_START, LL_IOC_HSM_PROGRESS, LL_IOC_HSM_COPY_START, LL_IOC_HSM_COPY_END are completely unrestricted. A non-root user with access to a lustre mount point can register as a copytool. And the same user running on the same node as a CT, with access to any lustre mount point on that node can unregister the CT by crafting a KUC with the CT's PID and group KUC_GRP_HSM.</p> <p>I would suggest a restrictive set of permissions for all operations except restore. I make an exception for restore, as anyone with read privileges on a file should reasonably expect to be able to access the file, even if it has been released. It’s implied in the nature of the restore operation (whether invoked explicitly or implicitly).</p> <p>Other commands could be left as super-user commands, with sudo or equivalent providing the necessary privilege escalation, at least as a stop-gap. If we documented this adequately, it would provide a reasonable implementation.</p> <p>I agree with you that the copytools must only be managed by the super-user.</p> <p>I’ve included some other notes:</p> <p><em><b>Archive Files</b></em></p> <ul> <li>Super-user can archive files</li> <li>Owner can archive files</li> <li>? Group members with write access can archive files?</li> <li>Other users cannot archive files</li> </ul> <p><em><b>Release files</b></em></p> <ul> <li>Super-user can release files</li> <li>Other users, whether file owners, group members or other, cannot release files</li> </ul> <p><em><b>Restore Files</b></em></p> <ul> <li>Any user with read permission can restore a file (implicit restore effectively mandates this behaviour)</li> <li>Restore requests cannot change ownership, permissions or other metadata</li> </ul> <p><em><b>Remove files</b></em></p> <ul> <li>Super-user can remove files from the archive</li> <li>Owner can remove files from archive</li> <li>? Group members with write access can remove files from archive?</li> <li>Other users cannot remove files from archive</li> </ul> <p><em><b>Cancel</b></em></p> <ul> <li>Super-user can cancel all requests</li> <li>Requester can cancel their own requests</li> <li>Users cannot cancel requests made by other users</li> </ul> <p><em><b>Questions</b></em></p> <ul> <li>Apply ACLs to allow alternative uses? For example "group_write_can_archive" – group members can archive files when the group write bit is set. Could effectively allow privilege escalation based on ACLs for files. So, very restrictive by default, but users can modify permissions to allow further options</li> <li>Create an MDT parameter to assign "super-user" privilege or otherwise delegate operations for HSM command set? <ul> <li>sudo could cover this, which means we could leave the commands as requiring super-user privileges, then demonstrate how one could use Sudo to delegate privileges to admin users</li> </ul> </li> <li>MDT could potentially provide finer-grained access control but would need to weigh cost/benefit against alternatives</li> </ul> <p>I think we must have a simple tunnable (through CDT policy flags =&gt; managed by CDT?) like control on/off. Many sites will not care of who is doing what.</p> <ul class="alternate" type="square"> <li>"Requester can cancel their own requests": today we do not memorize the request owner in llog. Do we replace this by file owner or who is able to read file ?</li> <li>"Users cannot cancel requests made by other users": even on their file ?</li> </ul> <p>Malcolm, thanks for the list that we can use as a start point for the "high-level" control for this task. I already see that we need to also add notes about the eXecution right/bit, do we allow for explicit/implicit restore when execution bit is set ?</p> <p>John, J-C, what do you think if, we start with implementation of 3 modes, no-control/root-only/enhanced ?</p> <p>Also and as very 1st step, for root-only mode, what do you think would be the best/simplest way to implement it, in ll_xx_ioctl() with just a tunable/proc to set the mode ?</p> <p>I started a patch on for this that would do the following.</p> <ol> <li>Make LL_IOC_HSM_CT_START require CAP_SYS_ADMIN (the client side handler modifies the KUC table).</li> <li>Add MUTABOR to the handler flags for all MDS_HSM opcodes except MDS_HSM_STATE_GET.</li> <li>Require CAP_SYS_ADMIN for MDS_HSM_PROGRESS, MDS_HSM_CT_REGISTER, and MDS_HSM_CT_UNREGISTER.</li> <li>Require CAP_SYS_ADMIN in mdt_hsm_state_set() for setting flags not in HSM_USER_MASK.</li> <li>Add bit masks <tt>hsm_user_request_mask,hsm_group_request_mask,hsm_other_request_mask</tt> to control who<br/> can perform what HSM actions on file. For example, we check<br/> <tt>hsm_user_request_mask &amp; (1 &lt;&lt; HSMA_RELEASE)</tt> to see if the file owner<br/> <tt>(uc-&gt;uc_fsuid == la-&gt;la_uid)</tt> can release the file. By default, I set each mask to <tt>1 &lt;&lt; HSMA_RESTORE</tt>. Having CAP_SYS_ADMIN will override<br/> these masks of course.</li> <li>Add <tt>/proc/fs/lustre/mdt/*/hsm/hsm_user,group,other_request_mask</tt> to set and set these bits.</li> </ol> <p>This patch will not distinguish between implicit restore and explicit restore.</p> <p>Begin the flames.</p> <p>Thank you Malcolm for this work of listing all actions and the related permissions.</p> <p>However, some of these permissions doesn't look appropriate for a production system,<br/> so I think they should be tunable:</p> <blockquote> <p><b>Archive</b><br/> Owner can archive files</p></blockquote> <p>This should be a tunable, basically if we want to prevent users from archiving their files after each modification<br/> and let the PolicyEngine schedule the copy to control/leverage the data flow to the archive.</p> <blockquote> <p><b>Release</b><br/> Other users, whether file owners, group members or other, cannot release files</p></blockquote> <p>This should be a tunable, this can be a way for the user to give an hint to the system<br/> that he doesn't plan to read the file in a near future, so we can free space in Lustre for other 'hot' data.</p> <blockquote> <p><b>Remove files</b><br/> Owner can remove files from archive</p></blockquote> <p>This sounds dangerous. I don't want users to be able to invalidate copies in the backend an uncontrolled way.</p> <p>Add the following case:</p> <ul> <li>Only root can hsm_remove fids that no longer exist. The main use case is the garbage collection of orphan entries in the HSM (for removed entries in Lustre).<br/> BTW, I think this case is not currently tested in sanity-hsm as lfs doesn't support it (this can only be done by directly calling the llapi).</li> </ul> <p>Thomas</p> <p>Hi Thomas,</p> <p>I agree with your comments: archive and release should be tuneable and remove should be a privileged operation (users can make mistakes after all). My original thought was just to make sure that these operations should be protected such that the owner of a file does not get any unwelcome surprises. I support your amendments.</p> <p>Please see <a href="http://review.whamcloud.com/7565" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/7565</a>.</p> <p>All,<br/> Can we get an agreement to limit the scope of this ticket to the critical/minimum permission checks that we want to be integrated in 2.5, and which I strongly feel are already in John's patch ??</p> <p>I'm OK with John's proposal. I think Gerrit #7565 will be fine for a first round.</p> <p>Landed for 2.5</p> Related LU-3811 Development Rank 1|hzvzqn: Rank (Obsolete) 10032