From: Roman Shtylman <shtylman@athenacr.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: question about nfs4 with krb5 behavior
Date: Mon, 10 Jan 2011 15:45:21 -0500 [thread overview]
Message-ID: <201101101545.21890.shtylman@athenacr.com> (raw)
In-Reply-To: <20110110153504.0379874a@tlielax.poochiereds.net>
On Monday, January 10, 2011 03:35:04 pm Jeff Layton wrote:
> On Mon, 10 Jan 2011 14:55:30 -0500
>
> Roman Shtylman <shtylman@athenacr.com> wrote:
> > I have setup nfs4 with krb5 server and successfully mounted a client. Two
> > people can log into the client box and both access their respective
> > shares and not each other's. However, when one user (who lets say has
> > root privs) uses root to become the second user (using su) then that
> > user can now access the info of the user he became.
> >
> > I was under the impression that this should not be possible as the
> > tickets for access should still be tied to the first user they logged in
> > as. Is this true? Or do I have an error in my setup?
> >
> > Process:
> > Login as user A
> > (User B logs into the machine from another terminal)
> > sudo su B (to become user B on the machine)
> > <can now edit files which belong to B>
>
> That's correct, or is at least in accordance with the design. The
> credcache is (usually) a file in /tmp. The kernel has to upcall to
> userspace for that information. To do that, it passes along the uid of
> the owner of the credcache. I think this is governed by the fsuid.
>
> When you "su" to another user, all of the uid's associated with the
> process are changed (real, effective, fs and saved). So, the uid passed to
> the upcall in this case is B's and not A's.
>
> This could potentially be "fixable" by moving the krb5 credcache into
> the per-session keyring and then teach nfs to do keys API upcalls to get
> the right blob. Not a trivial project, but it's doable. This is
> something that would be nice for CIFS and maybe AFS too.
AFS does not have this behavior.
What is a best practice for handling this situation? Prevent "untrusted"
machines from connecting to the nfs server? Basically any machine where a
normal user can become root would be a potential problem?
Thanks for the quick response.
cheers,
~Roman
>
> > If User B does not login before user A becomes user B, user A is not able
> > to edit user B's files even after he becomes user B.
>
> I suspect that that's just a negative cache entry that will eventually
> time out.
next prev parent reply other threads:[~2011-01-10 20:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-10 19:55 question about nfs4 with krb5 behavior Roman Shtylman
2011-01-10 20:35 ` Jeff Layton
2011-01-10 20:45 ` Roman Shtylman [this message]
2011-01-10 20:54 ` Kevin Coffman
2011-01-10 20:56 ` Trond Myklebust
2011-01-11 0:38 ` Daniel.Muntz
2011-01-10 20:48 ` Kevin Coffman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201101101545.21890.shtylman@athenacr.com \
--to=shtylman@athenacr.com \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).