* Any way to allow setuid daemon to access krb5 automounted nfs directories?
From: Orion Poplawski @ 2012-09-25 16:44 UTC
To: linux-nfs@vger.kernel.org
Is there any way to allow setuid daemon to access krb5 automounted nfs
directories? Specifically I'm looking to run spamassassin's spamd on a remote
server and access user's home directories via krb5 nfs4. spamd changes user
to the user receiving the email being processed and needs to modify files in
the user's home directory. Is there any reasonably secure way to give this
daemon the ability to do this? Any way to tell rpc.gssd to use a specific
credential cache for this type of access rather than the default for that
effective uid?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
* Re: Any way to allow setuid daemon to access krb5 automounted nfs directories?
From: Jim Rees @ 2012-09-25 17:50 UTC
To: Orion Poplawski; +Cc: linux-nfs@vger.kernel.org
Orion Poplawski wrote:

  Is there any way to allow setuid daemon to access krb5 automounted
  nfs directories? Specifically I'm looking to run spamassassin's
  spamd on a remote server and access user's home directories via krb5
  nfs4. spamd changes user to the user receiving the email being
  processed and needs to modify files in the user's home directory.
  Is there any reasonably secure way to give this daemon the ability
  to do this? Any way to tell rpc.gssd to use a specific credential
  cache for this type of access rather than the default for that
  effective uid?

You don't want to give spamd the user's credentials. You want to acl the
user's files so that spamd can do what it wants. Spamd will need its own
krb5 principal.
But I hope you're not planning to deliver mail over nfs. I think that would
be a mistake.
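
Added example, not part of the original thread: a dry-run shell script for the setup Jim Rees describes above, in which spamd gets its own Kerberos principal and the user's files are ACL'd for it. The account name, principal, keytab path, idmap domain, the /tmp/krb5cc_<uid> cache location and the choice of ~/.spamassassin as the only writable directory are assumptions; the script prints the kinit and nfs4_setfacl commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Every name below is an assumption.
SVC_USER=spamd                                    # account spamd runs as
SVC_PRINC=spamd/scanner.example.com@EXAMPLE.COM   # constructed principal
KEYTAB=/etc/spamd.keytab                          # hypothetical keytab path
IDMAP_DOMAIN=example.com                          # NFSv4 idmap domain

# One NFSv4 allow ACE in nfs4_setfacl syntax: type:flags:who:permissions
ace() { printf 'A:%s:%s@%s:%s' "$1" "$SVC_USER" "$IDMAP_DOMAIN" "$2"; }

# Home directory: traverse only (x) plus read-attrs/read-ACL/sync.
home_ace()  { ace '' xtcy; }
# State directory: read/write, inherited by new files (f) and subdirs (d).
state_ace() { ace fd rwaDxtTnNcy; }

# Ticket for the service itself, from its keytab, into a cache owned by
# the service uid. Run as $SVC_USER; assumes rpc.gssd searches /tmp.
plan_ticket() {
  printf "kinit -k -t '%s' -c '/tmp/krb5cc_%s' '%s'\n" "$KEYTAB" "$1" "$SVC_PRINC"
}

# ACL changes for one user's home; the owner's own credentials never move.
plan_home() {
  case $1 in
    /*) ;;
    *) echo "refusing non-absolute path: $1" >&2; return 1 ;;
  esac
  printf "nfs4_setfacl -a '%s' '%s'\n" "$(home_ace)" "$1"
  printf "nfs4_setfacl -a '%s' '%s/.spamassassin'\n" "$(state_ace)" "$1"
}

# Constructed sample input: service uid 987, one automounted home.
plan_ticket 987
plan_home /home/alice
```

The NFS server must map the service principal to the same spamd account named in the ACEs, and the ticket has to be renewed from the keytab before it expires.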
* Re: Any way to allow setuid daemon to access krb5 automounted nfs directories?
From: Orion Poplawski @ 2012-09-25 20:11 UTC
To: Jim Rees; +Cc: linux-nfs@vger.kernel.org
On 09/25/2012 11:50 AM, Jim Rees wrote:
> Orion Poplawski wrote:
>
> Is there any way to allow setuid daemon to access krb5 automounted
> nfs directories? Specifically I'm looking to run spamassassin's
> spamd on a remote server and access user's home directories via krb5
> nfs4. spamd changes user to the user receiving the email being
> processed and needs to modify files in the user's home directory.
> Is there any reasonably secure way to give this daemon the ability
> to do this? Any way to tell rpc.gssd to use a specific credential
> cache for this type of access rather than the default for that
> effective uid?
>
> You don't want to give spamd the user's credentials. You want to acl the
> user's files so that spamd can do what it wants. Spamd will need its own
> krb5 principal.
Hmm, okay, I may be able to run spamd in non-setuid mode and get it to work.
Thanks.
> But I hope you're not planning to deliver mail over nfs. I think that would
> be a mistake.
>
Oh no, but my mail host at the moment is woefully under-powered so I've moved
spam scanning off of it.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
* RE: Any way to allow setuid daemon to access krb5 automounted nfs directories?
From: Myklebust, Trond @ 2012-09-25 20:52 UTC
To: Jim Rees, Orion Poplawski; +Cc: linux-nfs@vger.kernel.org
> -----Original Message-----
> From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
> owner@vger.kernel.org] On Behalf Of Jim Rees
> Sent: Tuesday, September 25, 2012 1:50 PM
> To: Orion Poplawski
> Cc: linux-nfs@vger.kernel.org
> Subject: Re: Any way to allow setuid daemon to access krb5 automounted
> nfs directories?
>
> But I hope you're not planning to deliver mail over nfs. I think that would be a
> mistake.
What's wrong with that? Delivering and serving up email is a fairly common use-case for NFS.
Trond
* Re: Any way to allow setuid daemon to access krb5 automounted nfs directories?
From: Jim Rees @ 2012-09-26 11:45 UTC
To: Myklebust, Trond; +Cc: Orion Poplawski, linux-nfs@vger.kernel.org
Myklebust, Trond wrote:

  > -----Original Message-----
  > From: linux-nfs-owner@vger.kernel.org [mailto:linux-nfs-
  > owner@vger.kernel.org] On Behalf Of Jim Rees
  > Sent: Tuesday, September 25, 2012 1:50 PM
  > To: Orion Poplawski
  > Cc: linux-nfs@vger.kernel.org
  > Subject: Re: Any way to allow setuid daemon to access krb5 automounted
  > nfs directories?
  >
  > But I hope you're not planning to deliver mail over nfs. I think that would be a
  > mistake.

  What's wrong with that? Delivering and serving up email is a fairly common
  use-case for NFS.

Nothing against spamd or NFS in particular. It's just that some mailers
assume the file system is a local disk and are not prepared for the kinds of
failures you can get over a network.