From: Weston Andros Adamson <dros@netapp.com>
To: <steved@redhat.com>
Cc: <linux-nfs@vger.kernel.org>, Weston Andros Adamson <dros@netapp.com>
Subject: [PATCH] gssd: validate cred in gssd_acquire_user_cred
Date: Fri, 25 Oct 2013 13:09:34 -0400
Message-ID: <1382720974-2746-1-git-send-email-dros@netapp.com>

Call gss_inquire_cred after gssd_acquire_krb5_cred check for expired
credentials.

This fixes a recent regression (since 302de786930a2c533068f9d8909a817b40f07c32)
that causes the user's ticket cache to grow unbounded with expired service
tickets when the user's credentials expire.

To reproduce this issue:

 - mount kerberos nfs export
 - kinit for a short lifetime (i.e. "kinit -l 1m")
 - run a job that opens a file and writes for more than the lifetime
 - run klist a few times after expiry and see the list grow, i.e.:

Ticket cache: DIR::/run/user/1749600001/krb5cc/tktYmpGlX
Default principal: dros@APIKIA.FAKE

Valid starting       Expires              Service principal
10/21/2013 15:39:38  10/21/2013 15:40:35  krbtgt/APIKIA.FAKE@APIKIA.FAKE
10/21/2013 15:39:40  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:35  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:36  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:37  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:37  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:38  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:38  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:39  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:39  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:39  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:39  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:40  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:40  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:41  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:41  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:42  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:42  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:42  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE

Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

---

Version 2 of the patch - version 1 had compiler warnings I completely missed!
I wonder how it worked before... but this now compiles cleanly and I verified
that it fixes the growing tkt cache problem.

Thanks,
  -dros


 utils/gssd/krb5_util.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index c6e52fd..697d1d2 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -1405,6 +1405,13 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
 
 	ret = gssd_acquire_krb5_cred(name, gss_cred);
 
+	/* force validation of cred to check for expiry */
+	if (ret == 0) {
+		if (gss_inquire_cred(&min_stat, *gss_cred, NULL, NULL,
+				     NULL, NULL) != GSS_S_COMPLETE)
+			ret = -1;
+	}
+
 	maj_stat = gss_release_name(&min_stat, &name);
 	return ret;
 }
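Review bot: the failure branch at `ret = -1;` leaks the credential that gssd_acquire_krb5_cred has just stored in `*gss_cred`: once gss_inquire_cred returns anything other than GSS_S_COMPLETE the function reports an error, so the caller has no reason to release the handle. Release it on that path, e.g. `gss_release_cred(&min_stat, gss_cred);` followed by `*gss_cred = GSS_C_NO_CREDENTIAL;`, so a caller that inspects the out parameter cannot reuse the expired handle. The major status from gss_inquire_cred is also discarded; storing it in the existing `maj_stat` and logging it would let an operator distinguish an expired credential (GSS_S_CREDENTIALS_EXPIRED) from a defective one when diagnosing the ticket-cache growth this patch is meant to stop.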
-- 
1.8.3.1 (Apple Git-46)
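A check for the symptom described in the commit message, added here as an example and not part of the patch or of nfs-utils: it parses klist output in the format shown above and counts service tickets that were already at or past their expiry when issued, which is what the runaway cache looks like. The embedded sample is a constructed, abbreviated copy of the listing in the commit message.

```python
"""Detect the runaway-ticket-cache symptom in klist output."""
from collections import Counter
from datetime import datetime

# Constructed sample, abbreviated from the klist listing in the commit message.
KLIST_OUTPUT = """\
Ticket cache: DIR::/run/user/1749600001/krb5cc/tktYmpGlX
Default principal: dros@APIKIA.FAKE

Valid starting       Expires              Service principal
10/21/2013 15:39:38  10/21/2013 15:40:35  krbtgt/APIKIA.FAKE@APIKIA.FAKE
10/21/2013 15:39:40  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:35  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:36  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
10/21/2013 15:40:37  10/21/2013 15:40:35  nfs/zero.apikia.fake@APIKIA.FAKE
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist's default timestamp layout


def parse_klist(text):
    """Return (valid_from, expires, service_principal) tuples from klist output.

    Header lines and the cache/principal banner are skipped because their
    fields do not parse as timestamps.
    """
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            start = datetime.strptime(parts[0] + " " + parts[1], TIME_FMT)
            end = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
        except ValueError:
            continue  # column header, not a ticket row
        tickets.append((start, end, parts[4]))
    return tickets


def stale_service_tickets(tickets):
    """Count, per service principal, tickets issued at or after their own expiry.

    A healthy cache never contains such entries; gssd re-acquiring service
    tickets with an already-expired TGT produces one per retry, as in the
    commit message's listing. The TGT itself is excluded from the count.
    """
    stale = Counter()
    for start, end, service in tickets:
        if not service.startswith("krbtgt/") and end <= start:
            stale[service] += 1
    return stale


def cache_is_runaway(text, threshold=2):
    """True when any service principal has at least `threshold` stale tickets."""
    stale = stale_service_tickets(parse_klist(text))
    return any(count >= threshold for count in stale.values())
```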