Re: gssd: set $HOME to prevent recursion when home dirs are on kerberized NFS mount revisted

Steve Dickson <SteveD@xxxxxxxxxx> · Mon, 7 Dec 2020 13:06:58 -0500

Hello,

Sorry for the delayed response... Trying to burn up some PTO.

On 11/23/20 1:17 PM, Jacob Shivers wrote:
> Commit 2f682f25c642fcfe7c511d04bc9d67e732282348 changed existing
> behavior to avoid a deadlock for users using Kerberized NFS home dirs.
> 
> However, this also prevents users leveraging their own k5identity
> files under their home directory and instead rpc.gssd uses a
> system-wide /.k5identity file. For users expecting to use their own
> k5identity file this is certainly unexpected.
So how is the deadlock not happening when ~/.k5identity is on a NFS
home directory? What am I missing?

> 
> Below is some pseudo code that was proposed and would just add a flag
> allowing for the behavior prior to
> 2f682f25c642fcfe7c511d04bc9d67e732282348:
> 
> /* psudo code snippet starts here */
>         /*
>          * Some krb5 routines try to scrape info out of files in the user's
>          * home directory. This can easily deadlock when that homedir is on a
> -        * kerberized NFS mount. By setting $HOME unconditionally to "/", we
> +        * kerberized NFS mount. Some users may not have $HOME on NFS.
> +        * By default setting $HOME unconditionally to "/", we
>          * prevent this behavior in routines that use $HOME in preference to
>          * the results of getpw*.
> +        * Users who have $HOME on krb5-NFS should set
> `--home-not-kerberized` in argv
> +        * Users who have $HOME on krb5-NFS but want to use their
> $HOME anyway should set NFS_HOME_ACCESSIBLE=TRUE
>          */
> +       if (argv == '--home-not-kerberized') ||
> (getenv("NFS_HOME_ACCESSIBLE") == 'TRUE') {
> +               log.debug('Not masking $HOME, this breaks on Kerberized $HOME');
> +       }
> +       else {
> +               log.debug('Assuming $HOME requires Kerberos, use
> `--home-not-kerberized` to change this behavior');
>         if (setenv("HOME", "/", 1)) {
>                 printerr(1, "Unable to set $HOME: %s\n", strerror(errn));
>                 exit(1);
>         }
> +       }
> /* psudo code snippet ends here */
In general I'm pretty reluctant to add flags but what is needed
to do so is a company single letter flag '-H' and a man page 
entry describing the flag. 

> 
> While acknowledging the use of this flag for Kerberized NFS home dirs
> is undesirable and would cause a deadlock, there should be no issue
> for users not using Kerberized NFS home dirs.
What apps are you using that is seeing this problem?

steved.