group changes don't show up in kerberized mounts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nfs-utils (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The problem described in https:/
To reproduce:
On a file system mounted with sec=krb5, log in as user xxx. cd to user yyy's directory.
Add users xxx and yyy to group ggg.
As user yyy, create directory ddd, then chgrp ggg ddd.
As user xxx, try to view ddd. This will fail.
The problem is that the nfs context for xxx was established when they accessed the file system. When they were added to the group, the context didn't have it. In theory the context will be refreshed when the Kerberos ticket expires. 1) That's typically a day, which is too long a delay; 2) it doesn't actually happen.
The patch allows you to tell the server to expire contexts after some finite period. We're using 30 minutes. I'm also using a slightly different version of the patch.
Instead of just ctx_endtime = now + 1800 (I've hardcoded the time to minimize the patch) I'm using
+ /* timeout in 30 min or ticket expiration, whichever is sooner */
+ {// so we can use a local variable //
+ time_t now = time(0);
+
+ if ((now + 1800) < ctx_endtime) {
+ ctx_endtime = now + 1800;
+ }
+
+ }
+
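Review bot: the 30-minute timeout is a bare literal (1800) in both the comparison and the assignment, so it is easy for the two to drift apart; the description says the original patch lets the server be told the expiry period, so this should at least be a named constant (or the configurable value) rather than a magic number. The `{// so we can use a local variable //` line mixes a block opener with a `//` comment in an unusual way; a plain `/* ... */` comment above the block, matching the style of the preceding comment line, would be clearer. Also, the fragment carries no file or `@@` hunk header, so it is not visible which function in nfs-utils it is meant to land in.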
This is technically a security problem. If a user wants to remove access from someone, it can take an arbitrarily long period to take effect. The original bug noted this as a security problem, and others involved in the discussion agreed.
I have no idea why this patch never got applied upstream.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: nfs-common 1:1.3.4-
Uname: Linux 5.4.0-65-generic x86_64
ApportVersion: 2.20.11-
Architecture: amd64
Date: Tue Mar 9 12:34:03 2021
InstallationDate: Installed on 2020-03-25 (348 days ago)
InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
ProcEnviron:
TERM=vt100
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/tcsh
SourcePackage: nfs-utils
UpgradeStatus: Upgraded to focal on 2020-12-21 (77 days ago)
On our systems, user credentials are automatically renewed about halfway through their lifetime, as long as the user is still logged in. I wonder if this means that the expiration at the end of the ticket lifetime never triggers, so the fix in eb3a145789b9eedd39b56e1d76f412435abaa747 doesn't actually do anything.
I added myself to a group, logged out and logged in (so I'd show up in the group on the client), cd'd to the file system, but was never able to see a file owned by another user protected by that group. Even after a weekend, which is well beyond the original ticket lifetime.