Bug 242132

Summary: fix wrong GSS credentials cache expiration date for indefinite tickets
Product: Base System
Reporter: Peter Eriksson <pen>
Component: kern
Assignee: Rick Macklem <rmacklem>
Status: Closed FIXED
Severity: Affects Some People
CC: rmacklem
Priority: ---
Keywords: patch
Version: 12.1-RELEASE
Flags: rmacklem: mfc-stable12+, rmacklem: mfc-stable11+
Hardware: Any
OS: Any
Attachments:
  Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl (flags: none)

Description Peter Eriksson 2019-11-21 07:31:41 UTC
Created attachment 209312
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl

This is a bug that probably never happens in real life, or is masked by other factors, but I think it's a bug anyway...

In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context() there is a check:

    if (cred_lifetime == GSS_C_INDEFINITE)
            cred_lifetime = time_uptime + 24*60*60;

    client->cl_expiration = time_uptime + cred_lifetime;

The assignment in the if-statement should be "cred_lifetime = 24*60*60;" because the current code would set client->cl_expiration to 2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. At least until year 2106 or so (when the unsigned 32-bit cred_lifetime will wrap around)... 

Cache entries are invalidated when NFS shares are unmounted and most Kerberos tickets do have a lifetime (10 hours typically) so this probably almost never happens in real life but anyway...

I'd also like to propose adding a sysctl() where one can cap the cred_lifetime to a lower value than the default (which is the ticket lifetime - about 10 hours on a "typical" system). With the current code a user being added to a new group will not be "visible" for NFS until after the GSS cache entry expires (if the user has something NFS-mounted from that server). It might be a good idea to be able to force a lower timeout (like 1 hour or so).
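To make the arithmetic in the report concrete, here is an added C example (not code from the FreeBSD tree or from the attached patch) that computes the cache expiration the way the quoted kernel code does, the way the report says it should, and with the proposed kern.rpc.gss.lifetime_max cap applied. The parameter name lifetime_max, the sample uptime and ticket values, and the cast that models the kernel's implicit 64-to-32-bit truncation are assumptions; the page does not show the kernel's own variable name for the sysctl.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* GSS-API "no expiry" sentinel: all bits set in an OM_uint32. */
typedef uint32_t OM_uint32;
#define GSS_C_INDEFINITE ((OM_uint32)0xffffffffu)

/*
 * Expiration as computed by the code quoted in the report: when the
 * ticket lifetime is indefinite, time_uptime is folded into cred_lifetime
 * and then added a second time when cl_expiration is set.  cred_lifetime
 * is a 32-bit OM_uint32 in the kernel, so the first sum is truncated
 * (the cast below makes that implicit conversion explicit).
 */
static int64_t expiration_buggy(int64_t time_uptime, OM_uint32 cred_lifetime)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		cred_lifetime = (OM_uint32)(time_uptime + 24*60*60);
	return time_uptime + cred_lifetime;
}

/*
 * Corrected form: an indefinite lifetime becomes a flat 24 hours, and an
 * optional cap (assumed to model kern.rpc.gss.lifetime_max; 0 = no cap)
 * shortens long ticket lifetimes so group changes are picked up sooner.
 */
static int64_t expiration_fixed(int64_t time_uptime, OM_uint32 cred_lifetime,
    OM_uint32 lifetime_max)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		cred_lifetime = 24*60*60;
	if (lifetime_max != 0 && cred_lifetime > lifetime_max)
		cred_lifetime = lifetime_max;
	return time_uptime + cred_lifetime;
}

int main(void)
{
	/* Constructed sample: host up for 1,000,000 s, a 10-hour ticket. */
	const int64_t uptime = 1000000;
	const OM_uint32 ten_hours = 10*60*60;

	printf("indefinite, buggy : %lld\n",
	    (long long)expiration_buggy(uptime, GSS_C_INDEFINITE));
	printf("indefinite, fixed : %lld\n",
	    (long long)expiration_fixed(uptime, GSS_C_INDEFINITE, 0));
	printf("10h ticket, no cap: %lld\n",
	    (long long)expiration_fixed(uptime, ten_hours, 0));
	printf("10h ticket, 1h cap: %lld\n",
	    (long long)expiration_fixed(uptime, ten_hours, 60*60));
	return 0;
}
```

For the indefinite case the buggy version yields 2*uptime + 86400 while the fixed version yields uptime + 86400; for a normal 10-hour ticket both agree unless the cap is set, in which case the entry expires after the capped interval instead.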
Comment 1 Rick Macklem 2019-11-28 01:49:38 UTC
Take this PR and commit the patch to head.
Comment 2 commit-hook 2019-11-28 02:06:12 UTC
A commit references this bug:

Author: rmacklem
Date: Thu Nov 28 02:05:31 UTC 2019
New revision: 355157
URL: https://svnweb.freebsd.org/changeset/base/355157

Log:
  Add a cap on credential lifetime for Kerberized NFS.

  The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
  to the lifetime of the Kerberos ticket, which is typically several hours.
  As such, when a user's credentials change such as being added to a new group,
  it can take several hours for this change to be recognized by the NFS server.
  This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
  by a sysadmin to put a cap on the time to expire for the credentials, so that
  a sysadmin can reduce the timeout.
  It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
  is returned for a lifetime. This has no effect in practice, since Kerberos
  never does this.

  Tested by:	pen@lysator.liu.se
  PR:		242132
  Submitted by:	pen@lysator.liu.se
  MFC after:	2 weeks

Changes:
  head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
Comment 3 commit-hook 2019-12-20 23:08:46 UTC
A commit references this bug:

Author: rmacklem
Date: Fri Dec 20 23:08:10 UTC 2019
New revision: 355967
URL: https://svnweb.freebsd.org/changeset/base/355967

Log:
  MFC: r355157, r355161
  Add a cap on credential lifetime for Kerberized NFS.

  The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
  to the lifetime of the Kerberos ticket, which is typically several hours.
  As such, when a user's credentials change such as being added to a new group,
  it can take several hours for this change to be recognized by the NFS server.
  This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
  by a sysadmin to put a cap on the time to expire for the credentials, so that
  a sysadmin can reduce the timeout.
  It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
  is returned for a lifetime. This has no effect in practice, since Kerberos
  never does this.

  PR:		242132

Changes:
_U  stable/11/
  stable/11/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
Comment 4 Rick Macklem 2019-12-20 23:11:25 UTC
Patch has been committed and MFC'd.