From owner-freebsd-bugs@freebsd.org Thu Nov 21 07:31:42 2019
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 242132] Wrong GSS credentials cache expiration date for indefinite tickets
Date: Thu, 21 Nov 2019 07:31:41 +0000
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242132

            Bug ID: 242132
           Summary: Wrong GSS credentials cache expiration date for
                    indefinite tickets
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: pen@lysator.liu.se

Created attachment 209312
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=209312&action=edit
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl

This is a bug that probably never happens in real life, or is masked by other
factors, but I think it's a bug anyway...

In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context()
there is a check:

    if (cred_lifetime == GSS_C_INDEFINITE)
        cred_lifetime = time_uptime + 24*60*60;
    client->cl_expiration = time_uptime + cred_lifetime;

The assignment in the if-statement should be "cred_lifetime = 24*60*60;"
because the current code would set client->cl_expiration to
2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. At least until year
2106 or so (when the unsigned 32-bit cred_lifetime will wrap around)...

Cache entries are invalidated when NFS shares are unmounted and most Kerberos
tickets do have a lifetime (10 hours typically), so this probably almost never
happens in real life but anyway...

I'd also like to propose adding a sysctl() where one can cap the cred_lifetime
to a lower value than the default (which is the ticket lifetime - about 10
hours on a "typical" system). With the current code a user being added to a
new group will not be "visible" for NFS until after the GSS cache entry expires
(if the user has something NFS-mounted from that server). It might be a good
idea to be able to force a lower timeout (like 1 hour or so).

-- 
You are receiving this mail because:
You are the assignee for the bug.
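A stand-alone C model of the expiration arithmetic the report describes, added here as an example; it is not code from the bug report, the attached patch or the FreeBSD kernel. The lifetime_max parameter stands in for the proposed kern.rpc.gss.lifetime_max sysctl, and treating 0 as "no cap" is an assumption of this example.

```c
/* Stand-alone model of the cl_expiration arithmetic from
 * svc_rpc_gss_accept_sec_context(); constructed example, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef uint32_t OM_uint32;
#define GSS_C_INDEFINITE 0xffffffffUL	/* GSS-API value for "no expiry" */

/* The computation as quoted in the report: for an indefinite credential
 * time_uptime is added twice, so the entry expires at 2*uptime + 24h. */
static time_t
expiration_buggy(time_t time_uptime, OM_uint32 cred_lifetime)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		cred_lifetime = time_uptime + 24*60*60;
	return time_uptime + cred_lifetime;
}

/* Corrected computation plus the proposed cap. lifetime_max models the
 * suggested kern.rpc.gss.lifetime_max sysctl; 0 meaning "no cap" is an
 * assumption of this example, not something the report specifies. */
static time_t
expiration_fixed(time_t time_uptime, OM_uint32 cred_lifetime,
    OM_uint32 lifetime_max)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		cred_lifetime = 24*60*60;
	if (lifetime_max != 0 && cred_lifetime > lifetime_max)
		cred_lifetime = lifetime_max;
	return time_uptime + cred_lifetime;
}

int
main(void)
{
	time_t uptime = 30 * 24 * 60 * 60;	/* server up for 30 days */

	/* Buggy: ~61 days after boot; fixed: 31 days after boot. */
	printf("indefinite, buggy: expires %lld s after boot\n",
	    (long long)expiration_buggy(uptime, GSS_C_INDEFINITE));
	printf("indefinite, fixed: expires %lld s after boot\n",
	    (long long)expiration_fixed(uptime, GSS_C_INDEFINITE, 0));
	/* A 10 h ticket under a 1 h cap refreshes group membership sooner. */
	printf("10h ticket, 1h cap: expires %lld s after boot\n",
	    (long long)expiration_fixed(uptime, 10*60*60, 60*60));
	return 0;
}
```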