Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

Robert Wehn robert.wehn at rz.uni-augsburg.de
Fri Mar 13 09:55:00 EDT 2015


Hello,

We mount Linux home directories from an NFSv4 server
authenticated/authorized via MIT Kerberos/OpenLDAP. The underlying file
system (GPFS) is NFSv4 ACL aware.

Now we would like to expose the data to the user for home use/syncing
using WebDAV or other Web-based protocols.
To do so we plan to use OwnCloud with Apache, as OwnCloud allows writing
authentication and datastore backend plugins.

The idea was:
-> OwnCloud process gets username/password
-> gets TGT using kinit for this user and its process
-> access the user's home directory via NFS, so obtain NFS service ticket
-> if the user logs out, kdestroy should do the job and destroy TGT and
   service ticket.

We tried, and a major issue is: access to the user's data over NFS is
still possible after the kdestroy...

The problem is:
A user cannot switch or get rid of its security context concerning the
existing NFS connection, which means:
- mount NFS as root (keytab of the server)
- su localuser (has local user-ID 1001)
- kinit alice@REALM
  -> get TGT for alice@REALM
  -> localuser with id 1001 can access alice's
     files (depending on ACL) on the NFS server
     by automatically getting a nfs/ser@REALM
     service ticket
- kdestroy
  -> localuser can still access alice's files!!!
- klist
  -> no TGT or service ticket there
- kinit jane@REALM
  -> get TGT for jane@REALM
- klist
  -> TGT for jane@REALM
BUT!
  -> localuser can still access alice's files
  -> localuser can never access jane's files
  -> no new NFS service ticket fetched or needed till the end
     of the ticket lifetime

What doesn't help:
- logout and login as localuser
- restart gssd

What helps:
- Unmount NFS, remount.

The NFS client part of the Linux kernel seems to cache the NFS service
tickets used for every combination of local UID and mounted filesystem.

From a security point of view we were surprised to see it's not possible
to get rid of the Kerberos/NFS security context using kdestroy.

There is a bug report/suggested patch which seems to make it possible
but never seemed to get into the kernel:
http://www.spinics.net/lists/linux-nfs/msg34236.html

What is your opinion on this behavior?
Do you think this is reasonable from a Kerberos point of view, or do you
also think this needs to be changed?

Any comment is appreciated.

Robert.

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
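
The behaviour reported in the message above, replayed as a small Python model; this is an added example, not part of the original post and not kernel code. The class and method names, the "/home" mount and the lifetime value are assumptions chosen for illustration.

```python
# Toy model (not kernel code) of the reported behaviour: the NFS client keeps
# one security context per (local UID, mount), separate from the credential
# cache that kinit/kdestroy manage.
from dataclasses import dataclass, field


@dataclass
class NfsClientModel:
    ticket_lifetime: int = 36000                  # seconds; constructed value
    now: int = 0                                  # model clock, in seconds
    ccache: dict = field(default_factory=dict)    # uid -> principal
    contexts: dict = field(default_factory=dict)  # (uid, mount) -> (principal, expiry)

    def kinit(self, uid, principal):
        self.ccache[uid] = principal

    def kdestroy(self, uid):
        # Only the credential cache is cleared; cached contexts are untouched.
        self.ccache.pop(uid, None)

    def remount(self, mount):
        # Unmounting drops every context tied to that mount.
        self.contexts = {k: v for k, v in self.contexts.items() if k[1] != mount}

    def access(self, uid, mount):
        """Return the principal the server sees for this request, or None."""
        ctx = self.contexts.get((uid, mount))
        if ctx and ctx[1] > self.now:
            return ctx[0]                  # cached context wins, ccache ignored
        self.contexts.pop((uid, mount), None)
        principal = self.ccache.get(uid)   # a new context needs a ticket
        if principal is None:
            return None
        self.contexts[(uid, mount)] = (principal, self.now + self.ticket_lifetime)
        return principal


def replay_report():
    """Replay the steps from the message; identity seen after each step."""
    m, uid, mnt = NfsClientModel(), 1001, "/home"
    steps = [
        lambda: m.kinit(uid, "alice@REALM"),
        lambda: m.kdestroy(uid),
        lambda: m.kinit(uid, "jane@REALM"),
        lambda: m.remount(mnt),
    ]
    seen = []
    for step in steps:
        step()
        seen.append(m.access(uid, mnt))
    return seen
```

In the model, as in the report, only a remount or the end of the ticket lifetime makes the client pick up the current credential cache.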
