Bug 242132 - fix wrong GSS credentials cache expiration date for indefinite tickets
Summary: fix wrong GSS credentials cache expiration date for indefinite tickets
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 12.1-RELEASE
Hardware: Any Any
: --- Affects Some People
Assignee: Rick Macklem
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-11-21 07:31 UTC by Peter Eriksson
Modified: 2019-12-20 23:11 UTC (History)
1 user (show)

See Also:
rmacklem: mfc-stable12+
rmacklem: mfc-stable11+


Attachments
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl (1.57 KB, text/plain)
2019-11-21 07:31 UTC, Peter Eriksson
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Eriksson 2019-11-21 07:31:41 UTC
Created attachment 209312 [details]
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl

This is a bug that probably never happens in real life, or is masked by other factors, but I think it's a bug anyway...

In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context() there is a check:

             if (cred_lifetime == GSS_C_INDEFINITE)
                        cred_lifetime = time_uptime + 24*60*60;

                client->cl_expiration = time_uptime + cred_lifetime;

The assignment in the if-statement should be "cred_lifetime = 24*60*60;" because the current code would set client->cl_expiration to 2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. Atleast until year 2106 or so (when the unsigned 32bit cred_lifetime will wrap around)... 

Cache entries are invalidated when NFS shares are unmounted and most Kerberos tickets do have a lifetime (10 hours typically) so this probably almost never happens in real life but anyway...

I'd also like to propose adding a sysctl() where one can cap the cred_lifetime to a lower value than the default (which is the ticket lifetime - about 10 hours on a "typical" system). With the current code a user being added to a new group will not be "visible" for NFS until after the GSS cache entry expires (if the user have something NFS-mounted from that server). It might be a good idea to be able to force a lower timeout (like 1 hour or so).
Comment 1 Rick Macklem freebsd_committer freebsd_triage 2019-11-28 01:49:38 UTC
Take this PR and commit the patch to head.
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-11-28 02:06:12 UTC
A commit references this bug:

Author: rmacklem
Date: Thu Nov 28 02:05:31 UTC 2019
New revision: 355157
URL: https://svnweb.freebsd.org/changeset/base/355157

Log:
  Add a cap on credential lifetime for Kerberized NFS.

  The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
  to the lifetime of the Kerberos ticket, which is typically several hours.
  As such, when a user's credentials change such as being added to a new group,
  it can take several hours for this change to be recognized by the NFS server.
  This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
  by a sysadmin to put a cap on the time to expire for the credentials, so that
  a sysadmin can reduce the timeout.
  It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
  is returned for a lifetime. This has no effect in practice, sine Kerberos
  never does this.

  Tested by:	pen@lysator.liu.se
  PR:		242132
  Submitted by:	pen@lysator.liu.se
  MFC after:	2 weeks

Changes:
  head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-12-20 23:08:46 UTC
A commit references this bug:

Author: rmacklem
Date: Fri Dec 20 23:08:10 UTC 2019
New revision: 355967
URL: https://svnweb.freebsd.org/changeset/base/355967

Log:
  MFC: r355157, r355161
  Add a cap on credential lifetime for Kerberized NFS.

  The kernel RPCSEC_GSS code sets the credential (called a client) lifetime
  to the lifetime of the Kerberos ticket, which is typically several hours.
  As such, when a user's credentials change such as being added to a new group,
  it can take several hours for this change to be recognized by the NFS server.
  This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set
  by a sysadmin to put a cap on the time to expire for the credentials, so that
  a sysadmin can reduce the timeout.
  It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE
  is returned for a lifetime. This has no effect in practice, since Kerberos
  never does this.

  PR:		242132

Changes:
_U  stable/11/
  stable/11/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
Comment 4 Rick Macklem freebsd_committer freebsd_triage 2019-12-20 23:11:25 UTC
Patch has been committed and MFC'd.