2021-03-17 19:02:06

by Charles Hedrick

Subject: group changes don't take effect on NFS

According to the web page, this mailing list is the official place to report bugs in nfs-utils. This one is fairly serious for us.

The problem described in https://linux-nfs.vger.kernel.narkive.com/dgTL2KiI/svcgssd-allow-administrators-to-specify-timeout-for-the-cached-context is still present. The patch described there needs to be applied.

To reproduce:

On a file system mounted sec=krb5, log in as user xxx. cd to user yyy's directory.
Add users xxx and yyy to group ggg.
As user yyy, create directory ddd, chgrp ggg ddd
As user xxx, try to view ddd. This will fail.

The problem is that the NFS context for xxx was established when they accessed the file system. When they were added to the group, the context didn't have it. In theory the context will be refreshed when the Kerberos ticket expires, but 1) that's typically a day, which is too long a delay, and 2) it doesn't actually happen.

The patch allows you to tell the server to expire contexts after some finite period. We're using 30 minutes. I'm also using a slightly different version of the patch.

Instead of just ctx_endtime = now + 1800 (I've hardcoded the time to minimize the patch) I'm using

+ /* timeout in 30 min or ticket expiration, whichever is sooner */
+ {// so we can use a local variable //
+ time_t now = time(0);
+
+ if ((now + 1800) < ctx_endtime) {
+ ctx_endtime = now + 1800;
+ }
+
+ }
+
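Review bot: the cap is skipped whenever ctx_endtime is already at or before now + 1800, including the case where it is still 0 (unset) when this block runs, so if the caller can reach here with an unset endtime the context keeps whatever lifetime it gets later and the 30-minute limit never applies; guard that case explicitly (e.g. `if (ctx_endtime == 0 || (now + 1800) < ctx_endtime)`) or place the block after the point where ctx_endtime is known to be set. Two smaller points: the 1800 is hard-coded where the referenced patch makes the timeout an administrator option, so a named constant or the existing option value would be preferable to the bare literal; and the `{// so we can use a local variable //` bare block plus `time(0)` is hard to read, so declare `time_t now` with the function's other locals and use `time(NULL)` as the rest of the code base does.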

This is technically a security problem. If a user wants to remove access from someone, it can take an arbitrarily long period to take effect. The original bug noted this as a security problem, and others involved in the discussion agreed.

There was a patch to limit the context lifetime to the ticket lifetime. It appears that it works but isn’t useful. If the user renews their ticket, the context continues. We do that automatically as long as the user stays logged in. Even if the patch worked, 24 hours is too long to wait for changes to take effect.