[36844] in Kerberos
Re: Switching identity using kinit/kdestroy for NFSv4 mounts doesn't
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Mar 13 11:54:02 2015
Date: Fri, 13 Mar 2015 11:53:44 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Robert Wehn <robert.wehn@rz.uni-augsburg.de>
In-Reply-To: <5502EC34.3020004@rz.uni-augsburg.de>
Message-ID: <alpine.GSO.1.10.1503131151580.3953@multics.mit.edu>
MIME-Version: 1.0
Cc: CFS Team <cfs@rz.uni-augsburg.de>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 13 Mar 2015, Robert Wehn wrote:
> - klist
> -> TGT for jane@REALM
> BUT!
> -> localuser can still access alice's files
> -> localuser can never access jane's files
> -> no new NFS service ticket fetched or needed till the end
> of the ticket lifetime
>
> What doesn't help:
> - logout and login as localuser
> - restart gssd
>
> What helps:
> - Unmount NFS, remount.
>
> The NFS client part of the linux-kernel seems to cache the NFS service
> tickets used for every combination of local UID and mounted filesystem.
I don't actually run any NFSv4 myself, but my understanding from
IRC/mailing lists is that the caching has a TTL of roughly a couple hours.
See Brandon's response as well, but from a security perspective, the
kernel NFS implementation is wrong to cache things for so long, especially
without providing a way to invalidate a cached entry.
-Ben Kaduk
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
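Added reproduction and check script for the behaviour Robert reports and Ben comments on (the per-UID, per-mount GSS context the kernel keeps using after kdestroy/kinit). This is not code from the original thread. Assumed, not from the post: the mount point in MNT, a private file $MNT/<user>/secret on the server readable only by that user, and principals alice@REALM and jane@REALM. The parser relies on the "Default principal:" line that MIT klist prints; the sample klist output in the block is constructed.

```shell
#!/bin/sh
# Assumed layout (hypothetical, adjust to your site):
#   $MNT/alice/secret  mode 0600, owned by alice on the server
#   $MNT/jane/secret   mode 0600, owned by jane on the server
MNT="${MNT:-/mnt/nfs}"
REALM="${REALM:-REALM}"

# Constructed sample of MIT klist output, used by demo_parse for an
# offline check of the parser; a real run pipes klist directly.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jane@REALM

Valid starting     Expires            Service principal
03/13/15 11:00:00  03/13/15 21:00:00  krbtgt/REALM@REALM'

# Print the default principal from klist output on stdin; empty if none
# (klist reports a missing cache on stderr, so stdout stays empty).
principal_from_klist() {
    sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# jane@REALM -> jane (the local account the principal maps to).
principal_user() {
    printf '%s\n' "${1%%@*}"
}

# Which server-side identity is the kernel really using for this UID on
# this mount?  Try each user's private file; prints alice, jane or none.
observed_identity() {
    mnt="$1"
    for u in alice jane; do
        if cat "$mnt/$u/secret" >/dev/null 2>&1; then
            printf '%s\n' "$u"
            return 0
        fi
    done
    printf 'none\n'
}

# Compare the credential cache with what NFS actually did:
#   consistent     NFS identity matches the current ticket
#   stale-context  kernel still uses an older GSS context for UID+mount
#                  (also the case after kdestroy, ticket_user = none)
#   no-access      nothing readable at all
classify_state() {
    ticket_user="$1"; observed="$2"
    if [ "$observed" = "none" ]; then
        echo "no-access"
    elif [ "$observed" = "$ticket_user" ]; then
        echo "consistent"
    else
        echo "stale-context"
    fi
}

# One measurement: klist view vs. NFS view for the calling UID.
check_once() {
    ticket="$(klist 2>/dev/null | principal_from_klist)"
    observed="$(observed_identity "$MNT")"
    state="$(classify_state "$(principal_user "${ticket:-none}")" "$observed")"
    printf 'klist: %-20s nfs-sees: %-6s state: %s\n' \
        "${ticket:-<none>}" "$observed" "$state"
}

# The sequence from the report.  Needs a real KDC and the NFSv4 mount;
# call it explicitly, it is not run when this file is sourced.
run_experiment() {
    kinit "alice@$REALM" && check_once     # expect: consistent (alice)
    kdestroy;               check_once     # expect: stale-context, still alice
    kinit "jane@$REALM"  && check_once     # expect: stale-context, still alice
    # Remount flushes the cached context; restarting gssd does not.
    umount "$MNT" && mount "$MNT" && check_once   # expect: consistent (jane)
}

# Offline check of the parser against the constructed sample.
demo_parse() {
    printf '%s\n' "$SAMPLE_KLIST" | principal_from_klist
}
```

Source the file and call run_experiment as the local user (with permission to umount/mount the share) to reproduce the report; a "stale-context" line after kinit jane is the cached-context behaviour the thread describes, and it should turn into "consistent" only after the remount or once the cached context ages out.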