Bug 2188797

Summary: default configuration file 99-network-fs-clients.conf allows more than nfs
Product: Fedora
Component: gssproxy
Version: 39
Hardware: x86_64
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Reporter: François Rigault <frigo>
Assignee: Simo Sorce <ssorce>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, gdeschner, ssorce
URL: https://github.com/gssapi/gssproxy/blob/main/examples/99-network-fs-clients.conf.in

Description François Rigault 2023-04-22 11:23:21 UTC
gssproxy (0.9.1-5.fc38) is bundled with a default "99-network-fs-clients.conf" config file.
There is no restriction of "program" in that file, so any program is able to use the gssproxy, not only rpc.gssd.

(Moreover, the program check only looks at the executable's realpath, so having program=/usr/sbin/rpc.gssd can still be bypassed if the user crafts their own LD_PRELOAD or LD_LIBRARY_PATH, I believe.)

I am trying to have gssproxy create tickets for the nfs client, and nothing else.

Reproducible: Always

Steps to Reproduce:
1. configure gssproxy
2. configure ssh server for gssapi authentication
3. GSS_USE_PROXY=yes ssh -K -o PreferredAuthentications=gssapi-with-mic vagrant.test
Actual Results:
ssh connection just works

Expected Results:
ssh connection should fail as we only have configuration for nfs server and client

I am looking for a way to transparently activate krb5p on my NFS volumes, without granting users any extra right.
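
The point the report makes is that a gssproxy service section without a `program =` entry can be requested by any local process, not only rpc.gssd. The following is an added audit script (not gssproxy code and not the reporter's) that parses the ini-like gssproxy.conf syntax, where keys such as `cred_store` may repeat, and lists every `[service/...]` section lacking a `program` restriction, noting when `allow_any_uid = yes` widens it further. The sample configuration embedded below is constructed to resemble the default 99-network-fs-clients.conf and should be replaced by the real files under /etc/gssproxy; the `program` option is the one the reporter names, and, as the reporter also notes, it is a path check rather than a strong boundary, so a section that sets it is reported as restricted only in that limited sense.

```python
"""Audit gssproxy service sections for a missing `program` restriction.

Added example for this bug report; not part of gssproxy itself. Assumes the
gssproxy.conf syntax: `[section]` headers, `key = value` lines, repeated keys
allowed, full-line comments starting with '#' or ';'.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# CONSTRUCTED sample resembling examples/99-network-fs-clients.conf.in:
# no `program` key, so any local process may use the service.
DEFAULT_LIKE = """\
# constructed sample, not the shipped file
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""

# Same section with the path restriction the reporter mentions. Per the
# report this only compares the executable's realpath, so it narrows the
# service rather than making it airtight.
RESTRICTED = DEFAULT_LIKE + "  program = /usr/sbin/rpc.gssd\n"


def parse_gssproxy_conf(text):
    """Return {section_name: {key: [value, ...]}}; repeated keys accumulate."""
    sections = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or full-line comment
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, defaultdict(list))
            continue
        m = KEYVAL_RE.match(raw)
        if m and current is not None:
            sections[current][m.group(1)].append(m.group(2))
    return sections


def find_unrestricted_services(sections):
    """Names of [service/...] sections with no `program` key at all."""
    return sorted(
        name for name, kv in sections.items()
        if name.startswith("service/") and "program" not in kv
    )


def audit(text):
    """List (section, reason) pairs for services any local program can reach."""
    sections = parse_gssproxy_conf(text)
    findings = []
    for name in find_unrestricted_services(sections):
        kv = sections[name]
        reason = "no program= restriction"
        if kv.get("allow_any_uid", [""])[-1].lower() == "yes":
            reason += "; allow_any_uid=yes so any local uid qualifies"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for label, conf in (("default-like", DEFAULT_LIKE), ("restricted", RESTRICTED)):
        print(label, audit(conf) or "no unrestricted services")
```

To run it against a host, read each file in /etc/gssproxy/*.conf and pass its contents to `audit()`; an empty result only means every service names a program, which, given the realpath caveat above, is a necessary rather than sufficient condition for limiting the service to rpc.gssd.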

Comment 1 Fedora Release Engineering 2023-08-16 08:09:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.