Bug #852

secret key shows up in /etc/mtab after mount -o secretfile=/.../key

Added by Alexandre Oliva over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Start date: 03/02/2011
% Done: 0%
Regression: No
Severity: 3 - minor
Description

mount.ceph reads secretfile in and passes mount the actual secret. It becomes <hidden> in /proc/mounts, but /etc/mtab is created by mount and isn't cleaned up by the kernel, so the key remains there visible for anyone to see in its full glory. Oops ;-)
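A check for the exposure described above, as an added example that is not part of the original report or of the Ceph code: it scans a mount table in mtab format for ceph entries whose `secret=` option carries anything other than `<hidden>`, and reports the device and mount point without echoing the key. The sample table, addresses, key string and `key=` value are constructed placeholders.

```shell
#!/bin/sh
# Added example: find ceph mounts whose secret is readable in a mount table.
# Usage: find_exposed_ceph_secrets /etc/mtab   (or pipe a table on stdin)

find_exposed_ceph_secrets() {
    # mtab fields: device mountpoint fstype options dump pass
    awk '
    $3 == "ceph" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            # /proc/mounts masks the value as <hidden>; anything else is a leak.
            if (opts[i] ~ /^secret=/ && opts[i] != "secret=<hidden>") {
                # Report where the key leaks, never the key itself.
                print $1 " " $2
                break
            }
        }
    }' "$@"
}

# Constructed sample table; the secret and key id are made-up placeholders.
sample_mtab() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
10.0.0.1:6789:/ /mnt/ceph ceph rw,name=admin,secret=CONSTRUCTED-PLACEHOLDER-KEY 0 0
10.0.0.2:6789:/ /mnt/ceph2 ceph rw,name=admin,secret=<hidden> 0 0
10.0.0.3:6789:/ /mnt/ceph3 ceph rw,name=admin,key=CONSTRUCTED-ID 0 0
EOF
}

# Demo run against the constructed table.
sample_mtab | find_exposed_ceph_secrets
```

Any mount it reports should be treated as having disclosed its key to every local user who could read the file, so the key needs rotating as well as the mtab entry cleaning up.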

Associated revisions

Revision bee85518 (diff)
Added by Tommi Virtanen over 8 years ago

mount.ceph: Use kernel key management API when possible.

Backwards compatible with older kernels, for now.

Fixes: #852
Signed-off-by: Tommi Virtanen <>

History

#2 Updated by Sage Weil over 8 years ago

  • Assignee set to Anonymous
  • Target version set to 12

Tv, can you see if the kernel key management stuff is appropriate here?

The client key is static.. only needs to be handed off to the kernel during mount. Goals would be
- not in mtab
- reusing infrastructure wherever possible
- work with mount -a

Maybe mount.ceph (which currently just does a dns lookup and the secretfile -> secret translation) should be invoking the keyctl stuff and pass a key=id to the kernel.

#3 Updated by Anonymous over 8 years ago

> Tv, can you see if the kernel key management stuff is appropriate here?

That is what I wanted to do. They already provide just about anything you might ask for.

#4 Updated by Sage Weil over 8 years ago

  • Project changed from Ceph to Linux kernel client
  • Target version deleted (12)

#5 Updated by Sage Weil over 8 years ago

  • Target version set to v2.6.39

#7 Updated by Anonymous over 8 years ago

  • Status changed from New to Resolved

commit bee85518e2885cc93fe8ca634292ad4846515456
Author: Tommi Virtanen <>
Date: 2011-03-29 11:39:26 -0700

mount.ceph: Use kernel key management API when possible.
Backwards compatible with older kernels, for now.
Fixes: #852
Signed-off-by: Tommi Virtanen <>

#8 Updated by Alexandre Oliva over 8 years ago

Thanks! It seems that this fix missed ceph-0.26, even though mount.ceph (that presumably was the bit that needed fixing) is part of it. Is there any particular reason why this is marked for Linux kernel client rather than... whatever component name the mount.ceph program in ceph gets? Is it because the fix requires kernel interface changes?

#9 Updated by Anonymous over 8 years ago

It needs commit 4b2a58abd1e17c0ee53c8dded879e015917cca67 on the kernel side, first included in v2.6.39-rc2.
