Created attachment 209312
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl
This is a bug that probably never happens in real life, or is masked by other factors, but I think it's a bug anyway...
In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context() there is a check:
    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = time_uptime + 24*60*60;
    client->cl_expiration = time_uptime + cred_lifetime;
The assignment in the if-statement should be "cred_lifetime = 24*60*60;" because the current code would set client->cl_expiration to 2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. At least until year 2106 or so (when the unsigned 32-bit cred_lifetime will wrap around)...
Cache entries are invalidated when NFS shares are unmounted and most Kerberos tickets do have a lifetime (10 hours typically) so this probably almost never happens in real life but anyway...
I'd also like to propose adding a sysctl() where one can cap the cred_lifetime to a lower value than the default (which is the ticket lifetime - about 10 hours on a "typical" system). With the current code a user being added to a new group will not be "visible" for NFS until after the GSS cache entry expires (if the user has something NFS-mounted from that server). It might be a good idea to be able to force a lower timeout (like 1 hour or so).
Take this PR and commit the patch to head.
A commit references this bug:
Date: Thu Nov 28 02:05:31 UTC 2019
New revision: 355157
Add a cap on credential lifetime for Kerberized NFS.
The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
to the lifetime of the Kerberos ticket, which is typically several hours.
As such, when a user's credentials change such as being added to a new group,
it can take several hours for this change to be recognized by the NFS server.
This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
by a sysadmin to put a cap on the time to expire for the credentials, so that
a sysadmin can reduce the timeout.
It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
is returned for a lifetime. This has no effect in practice, since Kerberos
never does this.
Tested by: email@example.com
Submitted by: firstname.lastname@example.org
MFC after: 2 weeks
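
A userland model of the expiration arithmetic discussed in the report and the commit message, added here as an illustration; it is not the committed patch or code from the FreeBSD tree. The function names, the sample uptime, and the convention that a lifetime_max of 0 means "no cap" are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Names below are local to this example, not kernel symbols. */
#define GSS_C_INDEFINITE 0xffffffffu    /* value defined by RFC 2744 */
#define DAY (24u * 60u * 60u)

/* Logic as quoted in the report: uptime is folded into the 32-bit
 * lifetime, then added a second time when the expiration is computed. */
static int64_t expiry_before(int64_t time_uptime, uint32_t cred_lifetime)
{
    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = (uint32_t)(time_uptime + DAY);
    return time_uptime + cred_lifetime;
}

/* Corrected logic plus a cap. lifetime_max == 0 disables the cap
 * (an assumption of this model). */
static int64_t expiry_after(int64_t time_uptime, uint32_t cred_lifetime,
                            uint32_t lifetime_max)
{
    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = DAY;            /* relative lifetime, not absolute */
    if (lifetime_max > 0 && cred_lifetime > lifetime_max)
        cred_lifetime = lifetime_max;   /* bound how long stale groups persist */
    return time_uptime + cred_lifetime;
}

int main(void)
{
    int64_t up = 1000000;               /* constructed uptime, about 11.5 days */
    uint32_t ticket = 10u * 60u * 60u;  /* constructed 10 hour ticket lifetime */

    printf("indefinite, before fix: %lld\n",
           (long long)expiry_before(up, GSS_C_INDEFINITE));
    printf("indefinite, after fix:  %lld\n",
           (long long)expiry_after(up, GSS_C_INDEFINITE, 0));
    printf("10h ticket, no cap:     %lld\n",
           (long long)expiry_after(up, ticket, 0));
    printf("10h ticket, 1h cap:     %lld\n",
           (long long)expiry_after(up, ticket, 3600));
    return 0;
}
```

With a one hour cap the cached entry for a ten hour ticket expires 3600 seconds after it is created, so a group membership change becomes visible to the NFS server within that window instead of after the ticket lifetime.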