secret key shows up in /etc/mtab after mount -o secretfile=/.../key
mount.ceph reads secretfile in and passes mount the actual secret. It becomes <hidden> in /proc/mounts, but /etc/mtab is created by mount and isn't cleaned up by the kernel, so the key remains there visible for anyone to see in its full glory. Oops ;-)
#1 Updated by Sage Weil over 8 years ago
we should probably be using keyctl?
#2 Updated by Sage Weil over 8 years ago
- Assignee set to Anonymous
- Target version set to 12
Tv, can you see if the kernel key management stuff is appropriate here?
The client key is static. It only needs to be handed off to the kernel during mount. Goals would be
- not in mtab
- reusing infrastructure wherever possible
- work with mount -a
Maybe mount.ceph (which currently just does a dns lookup and the secretfile -> secret translation) should be invoking the keyctl stuff and pass a key=id to the kernel.
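An added check, not part of this tracker thread or of ceph's own code: scan a mount table for a ceph entry whose secret= option still carries the key in the clear (the leak the report describes), accepting only the <hidden> form that /proc/mounts shows. The sample table is constructed; its key= line stands in for the keyring-based option proposed above and is an assumption about the option name.

```shell
#!/bin/sh
# Added example (not from the Ceph tracker or the ceph project): find ceph
# mounts whose "secret=" option exposes the key in a mount table such as
# /etc/mtab. Table format: device mountpoint fstype options dump pass.

# Print each line of mount table $1 that has fstype "ceph" and a
# "secret=" option whose value is anything other than "<hidden>".
find_leaked_secrets() {
    awk '$3 == "ceph" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^secret=/ && opts[i] != "secret=<hidden>") {
                print
                break
            }
        }
    }' "$1" 2>/dev/null
}

# Succeed (exit 0) only if no line of mount table $1 leaks a secret.
mtab_is_clean() {
    [ -z "$(find_leaked_secrets "$1")" ]
}

# Constructed sample mount table so the script runs stand-alone; the
# secret value and the "key=client.admin" form are made up for the demo.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
10.0.0.1:6789:/ /mnt/ceph ceph rw,name=admin,secret=AQDEXAMPLEKEY== 0 0
10.0.0.2:6789:/ /mnt/ceph2 ceph rw,name=admin,secret=<hidden> 0 0
10.0.0.3:6789:/ /mnt/ceph3 ceph rw,name=admin,key=client.admin 0 0
EOF

# Only the first ceph line is reported.
find_leaked_secrets "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against /etc/mtab and /proc/mounts on a host with a ceph mount to compare what each table exposes.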
#7 Updated by Anonymous over 8 years ago
- Status changed from New to Resolved
Author: Tommi Virtanen <email@example.com>
Date: 2011-03-29 11:39:26 -0700
mount.ceph: Use kernel key management API when possible.
Backwards compatible with older kernels, for now.
Signed-off-by: Tommi Virtanen <firstname.lastname@example.org>
#8 Updated by Alexandre Oliva over 8 years ago
Thanks! It seems that this fix missed ceph-0.26, even though mount.ceph (that presumably was the bit that needed fixing) is part of it. Is there any particular reason why this is marked for Linux kernel client rather than... whatever component name the mount.ceph program in ceph gets? Is it because the fix requires kernel interface changes?