Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pnfsmanager: avoid leaking whether or not file exists #6567

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

paulmillar
Copy link
Member

Motivation:

The WebDAV door (among other doors) queries pnfsmanager to discover the
PNFS-ID of a target. Within pnfsmanager, the NameSpaceProvider plugin is
used to discover information about the target.

When looking up the inode from a path, the Chimera plugin
(ChimeraNameSpaceProvider) checks whether the user can 'cd' into the
target's parent directory. To do this, it looks up the inode
information for the target and all it's parents.

Currently, if the target does not exist then this immediately throws
FileNotFoundChimeraFsException. This is true even if the user does not
have permission to 'cd' into a parent directory. Therefore, the user
can discover whether a file exists within a directory that user cannot
enter.

Modification:

Update ChimeraNameSpaceProvider so that, after discovering the target
does not exist, it next checks whether the user can 'cd' into the
deepest parent directory that exists. If the user does not have
permission to 'cd' into this deepest parent directory then the
FileNotFoundChimeraFsException is replaced with a
PermissionDeniedCacheException.

Result:

Doors no longer allow a user to discover whether or not a file or
directory exists within directories they cannot access.

Target: master
Request: 8.0
Request: 7.2
Request: 7.1
Request: 7.0
Request: 6.2
Requires-notes: yes
Requires-book: no

Motivation:

The WebDAV door (among other doors) queries pnfsmanager to discover the
PNFS-ID of a target. Within pnfsmanager, the NameSpaceProvider plugin is
used to discover information about the target.

When looking up the inode from a path, the Chimera plugin
(ChimeraNameSpaceProvider) checks whether the user can 'cd' into the
target's parent directory.  To do this, it looks up the inode
information for the target and all it's parents.

Currently, if the target does not exist then this immediately throws
FileNotFoundChimeraFsException.  This is true even if the user does not
have permission to 'cd' into a parent directory.  Therefore, the user
can discover whether a file exists within a directory that user cannot
enter.

Modification:

Update ChimeraNameSpaceProvider so that, after discovering the target
does not exist, it next checks whether the user can 'cd' into the
deepest parent directory that exists.  If the user does not have
permission to 'cd' into this deepest parent directory then the
FileNotFoundChimeraFsException is replaced with a
PermissionDeniedCacheException.

Result:

Doors no longer allow a user to discover whether or not a file or
directory exists within directories they cannot access.

Target: master
Request: 8.0
Request: 7.2
Request: 7.1
Request: 7.0
Request: 6.2
Requires-notes: yes
Requires-book: no
@paulmillar paulmillar marked this pull request as draft March 28, 2022 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant