[OpenAFS] Additonal question about the OpenAFS Security Advisory 2016-003

Dave Botsch botsch@cnf.cornell.edu
Wed, 07 Dec 2016 11:52:29 -0500

It sounds like running the salvagedirs would result in the next increment=
dump being equiv in size to doing a full dump?


David William Botsch

On December 7, 2016 8:57:54 AM Jeffrey Altman <jaltman@auristor.com> wrot=

> On 12/7/2016 8:06 AM, Harald Barth wrote:
>> The security advisory says:
>>> We further recommend that administrators salvage all volumes with the
>>> -salvagedirs option, in order to remove existing leaks.
>> Is moving the volume to another server enough to fix this as well or
>> does the leak move with the volume?
> The leak will move with the volume.
> A bit of background for those that are not steeped in the details of th=
> AFS3 protocol and client and file server access for directories.
> AFS file servers store directory information in a flat file that
> consists of a header, a hash table and a fixed number of directory entr=
> blocks.  When a client reads the contents of a directory, it fetches th=
> directory file in exactly the same way it fetches the contents of norma=
> files and symlinks.  The AFS3 callback mechanism works the same for
> directory files as it does for normal files and symlinks.
> An AFS dump can be thought of as an AFS specific "tar" variant which
> stores AFS Volume metadata and data elements. When a volume dump is
> constructed for a volume move, a volume release, a volume backup, etc.
> the contents of the directory files are copied into the dump stream
> exactly as they are stored on disk by the file server.  When a volserve=
> receives a dump and writes it to disk as part of a AFSVol_VolForward or
> AFSVol_Restore operation, each directory file is written to disk as it
> exists within the dump.
> Backup systems that store full and incremental dump files do so without
> modifying the contents during the backup or restore operations.  As a
> result restoring from a backup will restore any leaked information.
> Backup systems that parse AFS dumps and reconstruct AFS dumps during th=
> restore process might or might not store and restore the leaked
> information.  Contact the provider of your backup system.
> It is worth emphasizing that IBM AFS and OpenAFS volserver operations
> including all backup and restore operations occur in the clear.
> Therefore, all leaked information will be visible to passive viewers on
> the network segments across which volume backups and moves occur.
> What the salvager's "-salvagedirs" option does is force the salvager to
> rewrite every directory object.  This has two benefits when performed b=
> a 1.6.20 or later salvager.
> 1. It will build a directory file that contains no leaked information
>    stored in the original directory file.
> 2. It will compact the directory to reduce fragmentation that could
>    have resulted in directory full errors when attempting to store a
>    filename that required more directory blocks than are available
>    contiguously.
> I hope this information is helpful.
> Jeffrey Altman