Is there any way to allow setuid daemon to access krb5 automounted nfs
directories? Specifically I'm looking to run spamassassin's spamd on a remote
server and access user's home directories via krb5 nfs4. spamd changes user
to the user receiving the email being processes and needs to modify files in
the user's home directory. Is there any reasonably secure way to give this
daemon the ability to do this? Any way to tell rpc.gssd to use a specific
credential cache for this type of access rather than the default for that
effective uid?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
Myklebust, Trond wrote:
> -----Original Message-----
> From: [email protected] [mailto:linux-nfs-
> [email protected]] On Behalf Of Jim Rees
> Sent: Tuesday, September 25, 2012 1:50 PM
> To: Orion Poplawski
> Cc: [email protected]
> Subject: Re: Any way to allow setuid daemon to access krb5 automounted
> nfs directories?
>
> But I hope you're not planning to deliver mail over nfs. I think that would be a
> mistake.
What's wrong with that? Delivering and serving up email is a fairly common
use-case for NFS.
Nothing against spamd or NFS in particular. It's just that some mailers
assume the file system is a local disk and are not prepared for the kinds of
failures you can get over a network.
Orion Poplawski wrote:
Is there any way to allow setuid daemon to access krb5 automounted
nfs directories? Specifically I'm looking to run spamassassin's
spamd on a remote server and access user's home directories via krb5
nfs4. spamd changes user to the user receiving the email being
processes and needs to modify files in the user's home directory.
Is there any reasonably secure way to give this daemon the ability
to do this? Any way to tell rpc.gssd to use a specific credential
cache for this type of access rather than the default for that
effective uid?
You don't want to give spamd the user's credentials. You want to acl the
user's files so that spamd can do what it wants. Spamd will need its own
krb5 principal.
But I hope you're not planning to deliver mail over nfs. I think that would
be a mistake.
On 09/25/2012 11:50 AM, Jim Rees wrote:
> Orion Poplawski wrote:
>
> Is there any way to allow setuid daemon to access krb5 automounted
> nfs directories? Specifically I'm looking to run spamassassin's
> spamd on a remote server and access user's home directories via krb5
> nfs4. spamd changes user to the user receiving the email being
> processes and needs to modify files in the user's home directory.
> Is there any reasonably secure way to give this daemon the ability
> to do this? Any way to tell rpc.gssd to use a specific credential
> cache for this type of access rather than the default for that
> effective uid?
>
> You don't want to give spamd the user's credentials. You want to acl the
> user's files so that spamd can do what it wants. Spamd will need its own
> krb5 principal.
Hmm, okay, I may be able to run spamd in non-setuid mode and get it to work.
Thanks.
> But I hope you're not planning to deliver mail over nfs. I think that would
> be a mistake.
>
Oh no, but my mail host at the moment is woefully under-powered so I've moved
spam scanning off of it.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
> -----Original Message-----
> From: [email protected] [mailto:linux-nfs-
> [email protected]] On Behalf Of Jim Rees
> Sent: Tuesday, September 25, 2012 1:50 PM
> To: Orion Poplawski
> Cc: [email protected]
> Subject: Re: Any way to allow setuid daemon to access krb5 automounted
> nfs directories?
>
> But I hope you're not planning to deliver mail over nfs. I think that would be a
> mistake.
What's wrong with that? Delivering and serving up email is a fairly common use-case for NFS.
Trond