Bug 2188797 - default configuration file 99-network-fs-clients.conf allows more than nfs
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: gssproxy
Version: 39
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/gssapi/gssproxy/bl...
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-22 11:23 UTC by François Rigault
Modified: 2023-08-16 08:09 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description François Rigault 2023-04-22 11:23:21 UTC
gssproxy (0.9.1-5.fc38) is bundled with a default "99-network-fs-clients.conf" config file.
There is no restriction of "program" in that file, so any program is able to use the gssproxy, not only rpc.gssd.

(Moreover, the program only checks for the executable realpath, so having program=/usr/sbin/rpc.gssd can still be bypassed if the user crafts their own LD_PRELOAD or LD_LIBRARY_PATH, I believe.)

I am trying to have gssproxy create tickets for nfs client, and nothing else.



Reproducible: Always

Steps to Reproduce:
1. configure gssproxy
2. configure ssh server for gssapi authentication
3. GSS_USE_PROXY=yes ssh -K -o PreferredAuthentications=gssapi-with-mic vagrant.test
Actual Results:  
ssh connection just works

Expected Results:  
ssh connection should fail as we only have configuration for nfs server and client

I am looking for a way to transparently activate krb5p on my NFS volumes, without granting users any extra right.
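
An added example, not part of the original report or of gssproxy itself: a small audit that lists the `service/*` sections in a gssproxy configuration that have no `program` key, which is the condition the description points at. The sample configuration is constructed for illustration (it is not the shipped file), the function names are hypothetical, and the check covers only the presence of `program`, not how gssproxy enforces it.

```python
import re

# Constructed sample: one service section without a "program" key and one
# hypothetical variant that sets it. Not the contents of the packaged file.
SAMPLE_CONF = """\
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/example_ccache_%U
  cred_usage = initiate
  euid = 0

[service/nfs-client-restricted]
  mechs = krb5
  cred_usage = initiate
  euid = 0
  program = /usr/sbin/rpc.gssd
"""

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION = re.compile(r"^(?P<key>[A-Za-z_ ]+?)\s*=\s*(?P<value>.*)$")

def parse_services(text):
    """Return {section: {key: [values]}}; keys such as cred_store may repeat."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            current = services.setdefault(m.group("name"), {})
            continue
        m = OPTION.match(line)
        if m and current is not None:
            current.setdefault(m.group("key").lower(), []).append(m.group("value").strip())
    return services

def unrestricted_services(text):
    """Names of service/* sections that carry no 'program' restriction."""
    return [name for name, opts in parse_services(text).items()
            if name.startswith("service/") and not opts.get("program")]

if __name__ == "__main__":
    for name in unrestricted_services(SAMPLE_CONF):
        print(f"{name}: no program restriction")
```
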

Comment 1 Fedora Release Engineering 2023-08-16 08:09:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

