Bug #852

closed

secret key shows up in /etc/mtab after mount -o secretfile=/.../key

Added by Alexandre Oliva about 13 years ago. Updated almost 13 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
% Done: 0%


Description

mount.ceph reads secretfile in and passes mount the actual secret. It becomes <hidden> in /proc/mounts, but /etc/mtab is created by mount and isn't cleaned up by the kernel, so the key remains there visible for anyone to see in its full glory. Oops ;-)
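
A check for the exposure described in this report, as an added example that is not part of the original report or of Ceph's own code: it scans an mtab-format file for ceph entries carrying a literal `secret=` option and reports the mount point without printing the key. The sample entries, addresses, key value and option layout are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): find ceph mounts whose mtab-format
# entry carries a literal secret. Prints "<mountpoint> <source>" per finding
# and never echoes the secret itself.
# Exit status: 0 = nothing exposed, 1 = exposed secret found, 2 = unreadable.
find_exposed_ceph_secrets() {
    table="${1:-/etc/mtab}"
    [ -r "$table" ] || { echo "cannot read $table" >&2; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $3 == "ceph" {                     # field 3 is the filesystem type
            n = split($4, opt, ",")        # field 4 is the option list
            for (i = 1; i <= n; i++) {
                # "secret=<hidden>" is the masked form seen in /proc/mounts
                if (opt[i] ~ /^secret=/ && opt[i] != "secret=<hidden>") {
                    print $2, $1
                    found = 1
                    break
                }
            }
        }
        END { exit found + 0 }
    ' "$table"
}

# Constructed sample in mtab format; the key is a placeholder, not a real one.
sample_mtab() {
    cat <<'EOF'
192.0.2.10:6789:/ /mnt/ceph-a ceph rw,name=admin,secret=CONSTRUCTEDPLACEHOLDERKEY== 0 0
192.0.2.11:6789:/ /mnt/ceph-b ceph rw,name=admin,secret=<hidden> 0 0
192.0.2.12:6789:/ /mnt/ceph-c ceph rw,name=admin,key=client.admin 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}
```

Run it as `find_exposed_ceph_secrets /etc/mtab`; any mount it reports has a key that should be treated as disclosed to every local user able to read that file.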

Actions #2

Updated by Sage Weil about 13 years ago

  • Assignee set to Anonymous
  • Target version set to 12

Tv, can you see if the kernel key management stuff is appropriate here?

The client key is static; it only needs to be handed off to the kernel during mount. Goals would be:
- not in mtab
- reusing infrastructure wherever possible
- work with mount -a

Maybe mount.ceph (which currently just does a DNS lookup and the secretfile -> secret translation) should be invoking the keyctl stuff and pass a key=id to the kernel.

Actions #3

Updated by Anonymous about 13 years ago

> Tv, can you see if the kernel key management stuff is appropriate here?

That is what I wanted to do. They already provide just about anything you might ask for.

Actions #4

Updated by Sage Weil about 13 years ago

  • Project changed from Ceph to Linux kernel client
  • Target version deleted (12)
Actions #5

Updated by Sage Weil about 13 years ago

  • Target version set to v2.6.39
Actions #7

Updated by Anonymous about 13 years ago

  • Status changed from New to Resolved

commit bee85518e2885cc93fe8ca634292ad4846515456
Author: Tommi Virtanen <>
Date: 2011-03-29 11:39:26 -0700

mount.ceph: Use kernel key management API when possible.
Backwards compatible with older kernels, for now.
Fixes: #852
Signed-off-by: Tommi Virtanen <>
Actions #8

Updated by Alexandre Oliva about 13 years ago

Thanks! It seems that this fix missed ceph-0.26, even though mount.ceph (that presumably was the bit that needed fixing) is part of it. Is there any particular reason why this is marked for Linux kernel client rather than... whatever component name the mount.ceph program in ceph gets? Is it because the fix requires kernel interface changes?

Actions #9

Updated by Anonymous about 13 years ago

It needs commit 4b2a58abd1e17c0ee53c8dded879e015917cca67 on the kernel side, first included in v2.6.39-rc2.
