mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 11:18:45 +07:00
c69f22f25f
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200621133552.46371-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net>
95 lines
3.7 KiB
ReStructuredText
95 lines
3.7 KiB
ReStructuredText
=========================================
|
|
rpcsec_gss support for kernel RPC servers
|
|
=========================================
|
|
|
|
This document gives references to the standards and protocols used to
|
|
implement RPCGSS authentication in kernel RPC servers such as the NFS
|
|
server and the NFS client's NFSv4.0 callback server. (But note that
|
|
NFSv4.1 and higher don't require the client to act as a server for the
|
|
purposes of authentication.)
|
|
|
|
RPCGSS is specified in a few IETF documents:
|
|
|
|
- RFC2203 v1: https://tools.ietf.org/rfc/rfc2203.txt
|
|
- RFC5403 v2: https://tools.ietf.org/rfc/rfc5403.txt
|
|
|
|
and there is a 3rd version being proposed:
|
|
|
|
- https://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt
|
|
(At draft n. 02 at the time of writing)
|
|
|
|
Background
|
|
==========
|
|
|
|
The RPCGSS Authentication method describes a way to perform GSSAPI
|
|
Authentication for NFS. Although GSSAPI is itself completely mechanism
|
|
agnostic, in many cases only the KRB5 mechanism is supported by NFS
|
|
implementations.
|
|
|
|
The Linux kernel, at the moment, supports only the KRB5 mechanism, and
|
|
depends on GSSAPI extensions that are KRB5 specific.
|
|
|
|
GSSAPI is a complex library, and implementing it completely in kernel is
|
|
unwarranted. However GSSAPI operations are fundementally separable in 2
|
|
parts:
|
|
|
|
- initial context establishment
|
|
- integrity/privacy protection (signing and encrypting of individual
|
|
packets)
|
|
|
|
The former is more complex and policy-independent, but less
|
|
performance-sensitive. The latter is simpler and needs to be very fast.
|
|
|
|
Therefore, we perform per-packet integrity and privacy protection in the
|
|
kernel, but leave the initial context establishment to userspace. We
|
|
need upcalls to request userspace to perform context establishment.
|
|
|
|
NFS Server Legacy Upcall Mechanism
|
|
==================================
|
|
|
|
The classic upcall mechanism uses a custom text based upcall mechanism
|
|
to talk to a custom daemon called rpc.svcgssd that is provide by the
|
|
nfs-utils package.
|
|
|
|
This upcall mechanism has 2 limitations:
|
|
|
|
A) It can handle tokens that are no bigger than 2KiB
|
|
|
|
In some Kerberos deployment GSSAPI tokens can be quite big, up and
|
|
beyond 64KiB in size due to various authorization extensions attacked to
|
|
the Kerberos tickets, that needs to be sent through the GSS layer in
|
|
order to perform context establishment.
|
|
|
|
B) It does not properly handle creds where the user is member of more
|
|
than a few thousand groups (the current hard limit in the kernel is 65K
|
|
groups) due to limitation on the size of the buffer that can be send
|
|
back to the kernel (4KiB).
|
|
|
|
NFS Server New RPC Upcall Mechanism
|
|
===================================
|
|
|
|
The newer upcall mechanism uses RPC over a unix socket to a daemon
|
|
called gss-proxy, implemented by a userspace program called Gssproxy.
|
|
|
|
The gss_proxy RPC protocol is currently documented `here
|
|
<https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation>`_.
|
|
|
|
This upcall mechanism uses the kernel rpc client and connects to the gssproxy
|
|
userspace program over a regular unix socket. The gssproxy protocol does not
|
|
suffer from the size limitations of the legacy protocol.
|
|
|
|
Negotiating Upcall Mechanisms
|
|
=============================
|
|
|
|
To provide backward compatibility, the kernel defaults to using the
|
|
legacy mechanism. To switch to the new mechanism, gss-proxy must bind
|
|
to /var/run/gssproxy.sock and then write "1" to
|
|
/proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both
|
|
steps.
|
|
|
|
Once the upcall mechanism is chosen, it cannot be changed. To prevent
|
|
locking into the legacy mechanisms, the above steps must be performed
|
|
before starting nfsd. Whoever starts nfsd can guarantee this by reading
|
|
from /proc/net/rpc/use-gss-proxy and checking that it contains a
|
|
"1"--the read will block until gss-proxy has done its write to the file.
|