Re: [PATCH 1/1] SUNRPC: new keyring key_type for gss context destruction at kdestroy


 



On Mon, 2012-12-03 at 22:39 +0000, Adamson, Andy wrote:
> On Dec 3, 2012, at 4:06 PM, "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx>
>  wrote:

> > It seems to me that this code allows me to kill anyone's rpcsec_gss
> > sessions by creating a key with their uid, and then destroying it.
> 
> Yes - just proof of concept code. There is a lot to consider.
> 
> > 
> > One solution is to replace user_instantiate() with something that sets
> > the payload to a value determined by the kernel itself. We'd definitely
> > want to include the uid, but perhaps also add a cookie that is unique to
> > this key (using the idr/ida stuff from include/linux/idr.h ?), and that
> > can be used to distinguish it from keys generated from other processes.
> > If we were to use the same key to label the auth_gss creds, then we
> > could have user_gss_destroy() kill _only_ the auth_gss creds that it
> > spawned.
> 
> Yes, killing only the auth it spawned is indeed what we want.
> 
> > 
> > Ultimately, though, I think we might want to let the user set at least
> > _part_ of the payload to something that might be useful to gssd when it
> > goes looking for credentials. Since the nfslogin and gssd will be
> > shipped as part of the nfs-utils package, it would be nice to allow them
> > to use the gss-ctx key in order to communicate. Interesting information
> > might include the KRB5CCNAME.
> 
> Thanks for the good suggestions.

So, I've got a question: Can we replace some of the stuff in the "RFC
Avoid expired credential keys for buffered writes" patch series with
this?

My thinking is that since the user_gss_destroy() has to sync all files
and then invalidate the rpcsec_gss creds, we're pretty much doing the
same thing as in the above RFC patch series. If nfslogin were to tell
the gss-ctx key how long until the kerberos tgt expires, couldn't we
have a work queue job wake up just before the tgt is about to expire,
and simply call user_gss_destroy by revoking the gss-ctx key?
If, on the other hand, the user renews the tgt using nfslogin, then we
could update the gss-ctx key, and defer the work queue job until the new
expiry time.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
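
An added example, not part of the original message or of the patch under discussion: a userspace C model of the suggestion quoted above, in which the key payload carries a uid plus a unique cookie and destroying a key invalidates only the creds labelled with that cookie. The struct and function names, the uid value 1000 and the counter standing in for an ida allocation are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model, not kernel code; every name below is hypothetical. */
struct gss_key  { uint32_t uid, cookie; };
struct gss_cred { uint32_t uid, cookie; int valid; };
static struct gss_cred creds[8];
static int ncreds;
static uint32_t next_cookie;   /* stands in for an ida allocation */

/* Payload is chosen here, not by the caller: uid plus a unique cookie. */
static struct gss_key key_new(uint32_t uid)
{
    return (struct gss_key){ uid, ++next_cookie };
}

/* Label a new cred with the key that spawned it. */
static void cred_spawn(const struct gss_key *k)
{
    if (ncreds < 8)
        creds[ncreds++] = (struct gss_cred){ k->uid, k->cookie, 1 };
}

/* Invalidate creds matching the key, by cookie or (old rule) by uid alone. */
static int key_destroy(const struct gss_key *k, int by_cookie)
{
    int killed = 0;
    for (int i = 0; i < ncreds; i++) {
        int hit = by_cookie ? creds[i].cookie == k->cookie : creds[i].uid == k->uid;
        if (creds[i].valid && hit) { creds[i].valid = 0; killed++; }
    }
    return killed;
}

/* Constructed scenario: key a spawns two creds, then a second key carrying
 * the same uid (which spawned nothing) is destroyed. Returns a's survivors. */
static int survivors(int by_cookie)
{
    ncreds = 0; next_cookie = 0;
    struct gss_key a = key_new(1000), other = key_new(1000);
    cred_spawn(&a); cred_spawn(&a);
    key_destroy(&other, by_cookie);
    return creds[0].valid + creds[1].valid;
}

int main(void)
{
    printf("uid match: %d left, cookie match: %d left\n", survivors(0), survivors(1));
    return 0;
}
```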