Coda File System

Re: Coda-client-setup 0.5 released

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Fri, 11 Mar 2005 12:53:10 -0500
On Fri, Mar 11, 2005 at 03:47:34PM +0100, Ivan Popov wrote:
> On Fri, Mar 11, 2005 at 09:16:16AM -0500, Greg Troxel wrote:
> > One could use the SHA-1 hashes to avoid refetching the file, if the
> > issue is just authenticity.
> 
> Very good points!
> 
> Essentially venus should not let a user access a cached
> object unless it has verified the hash over this user's connection.

The problem is that we don't necessarily always have a hash from the
server we can rely on.

First of all the sha1 checksums aren't persistently cached on the
servers, so they are recalculated on almost every GetAttr, which was
causing some problems for our old servers when slocate started running
from ~15 clients at exactly 4 in the morning. So I actually have sha1
checksums disabled on most servers (allow_sha in server.conf).

Second, if the file was locally modified, there is no way to validate
it's authenticity until it has been sent back to the server even if the
local user had 'tokens' we don't know if those tokens are valid until
the server actually accepts the operation.

> If we explicitely disallow application of System:Anyuser rights
> when an uid does not have cached access rights, it will be safe.

That is already the case, even with expired tokens we don't fall back on
system:anyuser (ofcourse there are always exceptions, in this case we
fall back on system:anyuser permissions if we're disconnected). 

> If we'd implement another change I was pleading for
> (e.g. http://www.coda.cs.cmu.edu/maillists/codalist/codalist-2004/6811.html)
> to avoid expiration of the cached rights at token expiry,
> then it will be convenient as well as safe!

I am still very much against this change and don't believe it is safe.
We already avoid expiration for as long as possible, only when the
server actually tells us that the token is really a useless blob of bits
do we expire the cached rights. If we don't expire then, then we would
allow operations to complete that we know cannot be reintegrated and
which would lead to a reintegration conflict.

The question is when is the most appropriate time to flush cached
rights.
Whenever the server rejects some operation? That will mostly be after
the fact, we already let the operation complete locally, why else would
we be caching rights.
When a new token is obtained? That would give the same problem we have
right now when I know I'm going to be connected for only a short period
of time, but need to get that one file. The servers will reject my
token, but I might need to reauthenticate to get access to the file.

But let's say we keep the cached rights around for as long as possible.
That opens the door to unauthorized access problems, let's say I'm
fixing something on a user's desktop with my system:administrator token.
Once I'm done, he regains his token, but he would have cached rights for
the stuff I worked on so he can change those files all he wants.
Ofcourse the server won't accept any of these changes since he doesn't
have admin rights. Unless he tricks me by creating some other problem in
another location, I come in, authenticate and poof all the unauthorized
changes just got committed on the servers.

But to validate that there aren't any unwanted operations waiting to be
reintegrated I would have to first check the CMLs for all volumes. And
since most of the problems that need admin intervention are either
repair or reintegration related it isn't useful to automatically purge
CMLs whenever I run cunlog or clog from a normal user to one with admin
rights.

Jan
Received on 2005-03-11 12:54:09