From: Jeff Layton <jlayton@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: Simo Sorce <ssorce@redhat.com>,
steved@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 2/2] gssd: switch real uid instead of just fsuid when looking for user creds
Date: Mon, 7 Oct 2013 06:00:05 -0400 [thread overview]
Message-ID: <20131007060005.0d07e3fa@tlielax.poochiereds.net> (raw)
In-Reply-To: <20131005180403.12301e80@corrin.poochiereds.net>
On Sat, 5 Oct 2013 18:04:03 -0400
Jeff Layton <jlayton@redhat.com> wrote:
> On Fri, 4 Oct 2013 15:46:42 -0400 (EDT)
> Simo Sorce <ssorce@redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > The part of process_krb5_upcall that handles non-machine user creds
> > > first tries to query GSSAPI for credentials. If that fails, it then
> > > falls back to trawling through likely credcache locations to find them
> > > and then points $KRB5CCNAME at it before proceeding. There are a number
> > > of bugs in this code that this patch attempts to address.
> > >
> > > The code that queries GSSAPI for credentials does it as root and that
> > > almost universally fails to do anything useful unless we happen to be
> > > looking for non-machine root creds. Because of this, gssd almost always
> > > falls back to having to search for credcaches "manually" and then set
> > > $KRB5CCNAME if and when they are found. The code that handles credential
> > > switching is in create_auth_rpc_client, so it's too late to be of any
> > > use here.
> > >
> > > Worse yet, the GSSAPI code that handles finding credcaches does it based
> > > on the return from getuid(), so just switching the fsuid or even euid is
> > > insufficient. You must switch the real uid.
> >
> > In what case does it do this ?
> > If it is unconditional this is a bug in GSSAPI and we should fix it there.
> >
>
> As far as I can tell (primarily from stracing and experimenting) it
> always does this. Additionally it looks like KEYRING: support might
> also depend on this.
>
I took a closer look at this this morning and I think I see the
problem. The issue is in libkrb5 and the default definitions of the
credcache locations. For instance:
default_ccache_name = KEYRING:persistent:%{uid}
%{uid} expands to the real uid, not the effective one. If you change
that to:
default_ccache_name = KEYRING:persistent:%{euid}
...then it all works just by swapping the euid.
So, not a bug in libkrb5 or libgssapi per-se, but I think we're sort of
stuck with switching the real uid due to this.
The fact that the first patch in this series makes the daemon fork
before doing this should help mitigate any damage that an unprivileged
user can do.
--
Jeff Layton <jlayton@redhat.com>
prev parent reply other threads:[~2013-10-07 10:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-03 19:49 [PATCH v2 0/2] gssd: allow it to work with KEYRING: credcaches Jeff Layton
2013-10-03 19:49 ` [PATCH v2 1/2] gssd: have process_krb5_upcall fork before handling upcall Jeff Layton
2013-10-03 19:49 ` [PATCH v2 2/2] gssd: switch real uid instead of just fsuid when looking for user creds Jeff Layton
2013-10-04 19:46 ` Simo Sorce
2013-10-05 22:04 ` Jeff Layton
2013-10-07 10:00 ` Jeff Layton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131007060005.0d07e3fa@tlielax.poochiereds.net \
--to=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=ssorce@redhat.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).