NFS access not revoked on kdestroy

Bug #1424727 reported by Bryan Quigley
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Linux | Confirmed | Medium | |
linux (Ubuntu) | Confirmed | Medium | Unassigned |

Bug Description

1) Ubuntu 14.04
2) 3.13 kernel or mainline kernel 3.19.
krb5-user [1.12+dfsg-2ubuntu5.1]
nfs-common [1:1.2.8-6ubuntu1]
3) What should happen:
Start as unprivileged (in a Kerberos sense) user with access to a Kerberos-protected NFS share (in this case it contains home directories)
kinit user1
ls ~user1 #Test user1 permissions, this should always succeed (and does)

kdestroy #should destroy user1 permissions

kinit user2
ls ~user2 # this should succeed!
ls ~user1 # this should fail!

4) What happened instead:
After kinit user2:
ls ~user2 # this FAILS
ls ~user1 # this still WORKS

This appears to be known upstream:
http://www.citi.umich.edu/projects/nfsv4/linux/faq/#krb5_006

Bits and pieces of an earlier attempt at a fix:
http://www.spinics.net/lists/linux-nfs/msg34236.html
nfslogin/logout prototype http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Another bug request: https://fedorahosted.org/gss-proxy/ticket/1 (and linked discussion)

Workarounds:
Unmount/Mount NFS share
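
A post-kdestroy check for the behaviour reported above, as an added example that is not part of the bug report or of nfs-utils. The function names and the `KLIST` override are hypothetical, and it assumes the probed paths are readable only by the logged-out principal, so a hit is an indicator rather than proof.

```shell
#!/bin/sh
# Added example: after kdestroy, flag paths on sec=krb5* NFS mounts that
# are still readable. Function names and the KLIST override are made up here.

# krb5_nfs_mounts [MOUNTS_FILE]: print mount points of NFS file systems
# mounted with sec=krb5, krb5i or krb5p (fields as in /proc/mounts).
krb5_nfs_mounts() {
    awk '($3 == "nfs" || $3 == "nfs4") &&
         $4 ~ /(^|,)sec=krb5[ip]?(,|$)/ { print $2 }' "${1:-/proc/mounts}"
}

# has_valid_ticket: klist -s exits 0 only if the credential cache is
# readable and unexpired. KLIST can point at a stub for dry runs.
has_valid_ticket() {
    "${KLIST:-klist}" -s 2>/dev/null
}

# check_revoked PATH
#   0  access denied (the expected result after kdestroy)
#   1  PATH still readable with no ticket: cached context still honoured
#   2  a valid ticket exists, so the check does not apply yet
check_revoked() {
    if has_valid_ticket; then return 2; fi
    if ls -- "$1" >/dev/null 2>&1; then return 1; fi
    return 0
}

# stale_paths MOUNTS_FILE PATH...: print every PATH that lies under a
# krb5 NFS mount and is still readable although no ticket is held.
stale_paths() {
    mounts_file=$1; shift
    mounts=$(krb5_nfs_mounts "$mounts_file")
    for p in "$@"; do
        for m in $mounts; do
            case "$p/" in
                "$m"/*)
                    rc=0
                    check_revoked "$p" || rc=$?
                    if [ "$rc" -eq 1 ]; then echo "$p"; fi ;;
            esac
        done
    done
    return 0
}
```

Run `stale_paths /proc/mounts ~user1` right after `kdestroy`; any output means the share still needs the unmount/mount workaround before another user logs in.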

tags: added: kernel-bug-exists-upstream
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1424727

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Bryan Quigley (bryanquigley) wrote :

Command didn't work remotely, nothing relevant is in syslog/kern.log.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
description: updated
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.0 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.0-rc1-vivid/

Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key
Bryan Quigley (bryanquigley) wrote :

Just tested with v4.0-rc1, it's still there.

tags: removed: kernel-bug-exists-upstream
tags: added: kernel-bug-exists-upstream
In , bryan.quigley+bugs (bryan.quigley+bugs-linux-kernel-bugs) wrote :

The NFS client caches credentials and doesn't expose a way for kdestroy (or any other tool AFAIK) to clear them.

How to reproduce:
Start as unprivileged (in a Kerberos sense) user with access to a Kerberos-protected NFS share (in this case it contains home directories)
kinit user1
ls ~user1 #Test user1 permissions, this should always succeed (and does)

kdestroy #should destroy user1 permissions

kinit user2
ls ~user2 # this should succeed, but it fails
ls ~user1 # this should fail, but it still works!

This appears to be known upstream:
http://www.citi.umich.edu/projects/nfsv4/linux/faq/#krb5_006

Bits and pieces of an earlier attempt at a fix:
http://www.spinics.net/lists/linux-nfs/msg34236.html
nfslogin/logout prototype http://www.citi.umich.edu/projects/asci/icsi-alpha/nfs-utils-patches/1.0.10-asci-2/nfs-utils-1.0.10-asci-017-add_nfslogin.dif

Another bug request: https://fedorahosted.org/gss-proxy/ticket/1 (and linked discussion)
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1424727

Workarounds:
Unmount/Mount NFS share

In , bryan.quigley+bugs (bryan.quigley+bugs-linux-kernel-bugs) wrote :

If spinics is down use http://linux-nfs.vger.kernel.narkive.com/JHXBEH6t/patch-0-2-rfc-enable-the-use-of-the-keyring-credential-cache

[PATCH 0/2] RFC: enable the use of the KEYRING credential cache

Changed in linux:
importance: Unknown → Medium
status: Unknown → Confirmed
