Bug #852
Status: Closed
secret key shows up in /etc/mtab after mount -o secretfile=/.../key
Description
mount.ceph reads secretfile in and passes mount the actual secret. It becomes <hidden> in /proc/mounts, but /etc/mtab is created by mount and isn't cleaned up by the kernel, so the key remains there visible for anyone to see in its full glory. Oops ;-)
Updated by Sage Weil about 13 years ago
we should probably be using keyctl?
http://www.ibm.com/developerworks/linux/library/l-key-retention.html
Updated by Sage Weil about 13 years ago
- Assignee set to Anonymous
- Target version set to 12
Tv, can you see if the kernel key management stuff is appropriate here?
The client key is static; it only needs to be handed off to the kernel during mount. Goals would be:
- not in mtab
- reusing infrastructure wherever possible
- work with mount -a
Maybe mount.ceph (which currently just does a DNS lookup and the secretfile -> secret translation) should be invoking the keyctl stuff and pass a key=id to the kernel.
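The handoff proposed above, written out as an added example (this is not mount.ceph's own code nor the commit that later closed this bug): read the secretfile, base64-decode it, try to park the key in the kernel keyring with add_key(2) on the process keyring, and only fall back to a secret= mount option when the kernel refuses. The key type name "ceph", the "client.<name>" key description, the base64 encoding of the secretfile and the name=/key=/secret= option spellings are this example's assumptions, not facts taken from the page. The options_leak_secret() helper is the check the bug report is really about: mount(8) writes the option string verbatim to /etc/mtab, so whatever build_mount_options() returns is what a local user gets to read.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define KEY_SPEC_PROCESS_KEYRING (-2)   /* same value as in linux/keyctl.h */

/* Decode base64 text into out; returns the byte count, or -1 on a character
 * outside the alphabet or when out is too small. Stops at '=' padding and
 * ignores line breaks, so a secretfile saved with a trailing newline works. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
	static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	unsigned int acc = 0;
	int bits = 0;
	size_t n = 0;
	for (; *in && *in != '='; in++) {
		const char *p;
		if (*in == '\n' || *in == '\r') continue;
		if (!(p = strchr(tbl, *in))) return -1;
		acc = (acc << 6) | (unsigned int)(p - tbl);
		bits += 6;
		if (bits < 8) continue;
		if (n >= outlen) return -1;
		bits -= 8;
		out[n++] = (acc >> bits) & 0xff;
	}
	return (int)n;
}

/* First line of secretfile (the base64 secret), newline stripped. */
static int read_secretfile(const char *path, char *buf, size_t buflen)
{
	FILE *f = fopen(path, "r");
	int ok = f && fgets(buf, (int)buflen, f);
	if (f) fclose(f);
	if (ok) buf[strcspn(buf, "\r\n")] = '\0';
	return ok ? 0 : -1;
}

/* Hand the decoded secret to the kernel key retention service under the
 * (assumed) "ceph" key type, on the process keyring so the mount(2) call this
 * process makes next can find it. Returns 0 or -errno; -ENOSYS (no key
 * syscalls) and -ENODEV (no such key type) mean the kernel is too old. */
static int add_ceph_key(const char *name, const unsigned char *payload, size_t len)
{
#ifdef __NR_add_key
	char desc[64];
	long serial;
	snprintf(desc, sizeof desc, "client.%s", name);   /* assumed description form */
	serial = syscall(__NR_add_key, "ceph", desc, payload, len, KEY_SPEC_PROCESS_KEYRING);
	return serial == -1 ? -errno : 0;
#else
	(void)name; (void)payload; (void)len; return -ENOSYS;
#endif
}

/* The option string handed to mount(2). mount(8) copies it verbatim into
 * /etc/mtab, so with a keyring key only the key description goes in;
 * secret= is the legacy fallback that leaks. Returns the length or -1. */
static int build_mount_options(const char *name, const char *secret_b64,
			       int key_in_kernel, char *out, size_t outlen)
{
	int n = key_in_kernel
		? snprintf(out, outlen, "name=%s,key=client.%s", name, name)
		: snprintf(out, outlen, "name=%s,secret=%s", name, secret_b64);
	return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* The check behind the bug report: would this string expose the secret? */
static int options_leak_secret(const char *opts, const char *secret_b64)
{
	return strstr(opts, secret_b64) != NULL;
}

int main(int argc, char **argv)
{
	char secret[256], opts[512];
	unsigned char payload[192];
	int plen, rc;
	if (argc != 3 || read_secretfile(argv[2], secret, sizeof secret) < 0) {
		fprintf(stderr, "usage: %s <client-name> <secretfile>\n", argv[0]);
		return 2;
	}
	if ((plen = b64_decode(secret, payload, sizeof payload)) < 0) {
		fprintf(stderr, "secret is not valid base64\n");
		return 1;
	}
	rc = add_ceph_key(argv[1], payload, (size_t)plen);
	if (rc && rc != -ENODEV && rc != -ENOSYS) {
		fprintf(stderr, "add_key: %s\n", strerror(-rc));
		return 1;
	}
	if (build_mount_options(argv[1], secret, rc == 0, opts, sizeof opts) < 0) return 1;
	printf("%s: %s\n", rc ? "fallback (secret will land in /etc/mtab)" : "keyring", opts);
	return 0;
}
```

Run it as `./a.out admin /path/to/secretfile`: on a kernel with the key type registered the printed option string carries only key=client.admin, which is harmless in /etc/mtab and survives mount -a; on an older kernel add_key(2) fails with ENODEV or ENOSYS and the program prints the legacy secret= string so the leak is visible rather than silent. The key lives on the process keyring on purpose: it is reachable by the mount(2) that follows in the same process and disappears with it, which is the least-privilege fit for a static key that only needs to cross into the kernel once.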
Updated by Anonymous about 13 years ago
Tv, can you see if the kernel key management stuff is appropriate here?
That is what I wanted to do. They already provide just about anything you might ask for.
Updated by Sage Weil about 13 years ago
- Project changed from Ceph to Linux kernel client
- Target version deleted (12)
Updated by Sage Weil about 13 years ago
- Position set to 532
Updated by Anonymous about 13 years ago
- Status changed from New to Resolved
commit bee85518e2885cc93fe8ca634292ad4846515456
Author: Tommi Virtanen <tommi.virtanen@dreamhost.com>
Date: 2011-03-29 11:39:26 -0700
mount.ceph: Use kernel key management API when possible.
Backwards compatible with older kernels, for now.
Fixes: #852
Signed-off-by: Tommi Virtanen <tommi.virtanen@dreamhost.com>
Updated by Alexandre Oliva about 13 years ago
Thanks! It seems that this fix missed ceph-0.26, even though mount.ceph (that presumably was the bit that needed fixing) is part of it. Is there any particular reason why this is marked for Linux kernel client rather than... whatever component name the mount.ceph program in ceph gets? Is it because the fix requires kernel interface changes?
Updated by Anonymous about 13 years ago
It needs commit 4b2a58abd1e17c0ee53c8dded879e015917cca67 on the kernel side, first included in v2.6.39-rc2.
Updated by Sage Weil almost 13 years ago
- Story points set to 3
- Position deleted (538)
- Position set to 538