Date: Fri, 20 Dec 2019 22:53:23 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r355966 - stable/12/sys/rpc/rpcsec_gss Message-ID: <201912202253.xBKMrNNx051888@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rmacklem Date: Fri Dec 20 22:53:23 2019 New Revision: 355966 URL: https://svnweb.freebsd.org/changeset/base/355966 Log: MFC: r355157, r355161 Add a cap on credential lifetime for Kerberized NFS. The kernel RPCSEC_GSS code sets the credential (called a client) lifetime to the lifetime of the Kerberos ticket, which is typically several hours. As such, when a user's credentials change such as being added to a new group, it can take several hours for this change to be recognized by the NFS server. This patch adds a sysctl called kern.rpc.gss.lifetime_max which can be set by a sysadmin to put a cap on the time to expire for the credentials, so that a sysadmin can reduce the timeout. It also fixes a bug, where time_uptime is added twice when GSS_C_INDEFINITE is returned for a lifetime. This has no effect in practice, since Kerberos never does this. Modified: stable/12/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c ============================================================================== --- stable/12/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Fri Dec 20 22:12:21 2019 (r355965) +++ stable/12/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c Fri Dec 20 22:53:23 2019 (r355966) @@ -180,6 +180,11 @@ SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_max, CTLFL &svc_rpc_gss_client_max, 0, "Max number of rpc-gss clients"); +static u_int svc_rpc_gss_lifetime_max = 0; +SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, lifetime_max, CTLFLAG_RW, + &svc_rpc_gss_lifetime_max, 0, + "Maximum lifetime (seconds) of rpc-gss clients"); + static u_int svc_rpc_gss_client_count; SYSCTL_UINT(_kern_rpc_gss, OID_AUTO, client_count, CTLFLAG_RD, &svc_rpc_gss_client_count, 0, @@ -950,8 +955,15 @@ svc_rpc_gss_accept_sec_context(struct svc_rpc_gss_clie * that out). */ if (cred_lifetime == GSS_C_INDEFINITE) - cred_lifetime = time_uptime + 24*60*60; + cred_lifetime = 24*60*60; + /* + * Cap cred_lifetime if sysctl kern.rpc.gss.lifetime_max is set. + */ + if (svc_rpc_gss_lifetime_max > 0 && cred_lifetime > + svc_rpc_gss_lifetime_max) + cred_lifetime = svc_rpc_gss_lifetime_max; + client->cl_expiration = time_uptime + cred_lifetime; /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201912202253.xBKMrNNx051888>