Date:      Thu, 21 Nov 2019 07:31:41 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 242132] Wrong GSS credentials cache expiration date for indefinite tickets
Message-ID:  <bug-242132-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242132

            Bug ID: 242132
           Summary: Wrong GSS credentials cache expiration date for
                    indefinite tickets
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: pen@lysator.liu.se

Created attachment 209312
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=209312&action=edit
Patch to fix the cred_lifetime bug and add a kern.rpc.gss.lifetime_max sysctl

This is a bug that probably never happens in real life, or is masked by other
factors, but I think it's a bug anyway...

In /usr/src/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c:svc_rpc_gss_accept_sec_context()
there is a check:

                if (cred_lifetime == GSS_C_INDEFINITE)
                        cred_lifetime = time_uptime + 24*60*60;

                client->cl_expiration = time_uptime + cred_lifetime;

The assignment in the if-statement should be "cred_lifetime = 24*60*60;"
because the current code would set client->cl_expiration to
2*time_uptime+24*60*60 - if it ever was GSS_C_INDEFINITE. At least until year
2106 or so (when the unsigned 32bit cred_lifetime will wrap around)...

Cache entries are invalidated when NFS shares are unmounted and most Kerberos
tickets do have a lifetime (10 hours typically) so this probably almost never
happens in real life but anyway...

I'd also like to propose adding a sysctl() where one can cap the cred_lifetime
to a lower value than the default (which is the ticket lifetime - about 10
hours on a "typical" system). With the current code a user being added to a new
group will not be "visible" for NFS until after the GSS cache entry expires (if
the user has something NFS-mounted from that server). It might be a good idea
to be able to force a lower timeout (like 1 hour or so).

-- 
You are receiving this mail because:
You are the assignee for the bug.
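The expiration arithmetic from this report, modelled in user-space C as an added illustration (not code from the FreeBSD tree or from the attached patch): the quoted buggy computation next to the proposed fix, with an optional cap standing in for the proposed kern.rpc.gss.lifetime_max sysctl. GSS_C_INDEFINITE's value follows the GSS-API convention; the 32-bit cred_lifetime type and the lifetime_max parameter name are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* GSS-API convention: "indefinite" lifetime is all bits set. The 32-bit
 * width of cred_lifetime mirrors the wrap-around the report mentions. */
typedef uint32_t OM_uint32;
#define GSS_C_INDEFINITE ((OM_uint32)0xffffffffUL)
#define INDEFINITE_DEFAULT_SECS (24 * 60 * 60)

/* The check as quoted in the report: time_uptime is added twice. */
static uint64_t expiration_buggy(uint64_t time_uptime, OM_uint32 cred_lifetime)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		/* bug: uptime folded into the lifetime (and truncated to 32 bits) */
		cred_lifetime = (OM_uint32)(time_uptime + INDEFINITE_DEFAULT_SECS);

	return (time_uptime + cred_lifetime);	/* ...and added again here */
}

/* The proposed fix, plus a cap in the spirit of the proposed sysctl.
 * lifetime_max == 0 means "no cap" (assumed semantics, not the patch's). */
static uint64_t expiration_fixed(uint64_t time_uptime, OM_uint32 cred_lifetime,
    OM_uint32 lifetime_max)
{
	if (cred_lifetime == GSS_C_INDEFINITE)
		cred_lifetime = INDEFINITE_DEFAULT_SECS;
	if (lifetime_max != 0 && cred_lifetime > lifetime_max)
		cred_lifetime = lifetime_max;

	return (time_uptime + cred_lifetime);
}

int main(void)
{
	/* constructed inputs: 1000 s of uptime, an indefinite ticket and a
	 * typical 10-hour ticket, and a 1-hour cap */
	uint64_t up = 1000;

	printf("indefinite, buggy: %" PRIu64 "\n",
	    expiration_buggy(up, GSS_C_INDEFINITE));	/* 88400 */
	printf("indefinite, fixed: %" PRIu64 "\n",
	    expiration_fixed(up, GSS_C_INDEFINITE, 0));	/* 87400 */
	printf("10h ticket, capped: %" PRIu64 "\n",
	    expiration_fixed(up, 10 * 60 * 60, 60 * 60));	/* 4600 */
	return (0);
}
```

With 2^32 seconds of uptime the truncation in the buggy path happens to cancel the double addition, which is the "wrap around" the report alludes to.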


