lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <FF31002F-003E-4C43-8FC7-E2250788F516@hammerspace.com>
Date:   Tue, 28 Mar 2023 15:02:13 +0000
From:   Trond Myklebust <trondmy@...merspace.com>
To:     Charles Edward Lever <chuck.lever@...cle.com>
CC:     Geert Uytterhoeven <geert+renesas@...der.be>,
        Trond Myklebust <trondmy@...merspace.com>,
        Anna Schumaker <anna@...nel.org>,
        Linux NFS Mailing List <linux-nfs@...r.kernel.org>,
        "linux-renesas-soc@...r.kernel.org" 
        <linux-renesas-soc@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        kernel test robot <lkp@...el.com>,
        Niklas Söderlund 
        <niklas.soderlund@...natech.se>
Subject: Re: [PATCH] NFSv4: Fix NFS_V4 select RPCSEC_GSS_KRB5



> On Mar 28, 2023, at 09:40, Chuck Lever III <chuck.lever@...cle.com> wrote:
> 
> 
> 
>> On Mar 28, 2023, at 3:25 AM, Geert Uytterhoeven <geert+renesas@...der.be> wrote:
>> 
>> If CONFIG_CRYPTO=n (e.g. arm/shmobile_defconfig):
>> 
>>   WARNING: unmet direct dependencies detected for RPCSEC_GSS_KRB5
>>     Depends on [n]: NETWORK_FILESYSTEMS [=y] && SUNRPC [=y] && CRYPTO [=n]
>>     Selected by [y]:
>>     - NFS_V4 [=y] && NETWORK_FILESYSTEMS [=y] && NFS_FS [=y]
>> 
>> As NFSv4 can work without crypto enabled, fix this by making the
>> selection of RPCSEC_GSS_KRB5 conditional on CRYPTO.
>> 
>> Fixes: e57d065277387980 ("NFS & NFSD: Update GSS dependencies")
>> Reported-by: kernel test robot <lkp@...el.com>
>> Link: https://lore.kernel.org/oe-kbuild-all/202303241307.f6NeW9gZ-lkp@intel.com/
>> Reported-by: Niklas Söderlund <niklas.soderlund@...natech.se>
>> Link: https://lore.kernel.org/r/ZCG6tIoz0VN6d+oy@sleipner.dyn.berto.se
>> Signed-off-by: Geert Uytterhoeven <geert+renesas@...der.be>
>> ---
>> Nfsroot ("root=/dev/nfs rw nfsroot=aaa.bbb.ccc.ddd:/path/to/fs,tcp,v4")
>> works fine without CRYPTO and RPCSEC_GSS_KRB5.
>> CONFIG_NFSD_V4 selects CRYPTO, so was not affected by the similar change.
> 
> Makes sense to me.
> 
> I can quickly take this through nfsd-fixes if the NFS maintainers
> can send me an Acked-by.
> 
> 
>> ---
>> fs/nfs/Kconfig | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index 450d6c3bc05e27dd..f05c13ce0155bd69 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -75,7 +75,7 @@ config NFS_V3_ACL
>> config NFS_V4
>> tristate "NFS client support for NFS version 4"
>> depends on NFS_FS
>> - select RPCSEC_GSS_KRB5
>> + select RPCSEC_GSS_KRB5 if CRYPTO
>> select KEYS
>> help
>>   This option enables support for version 4 of the NFS protocol
>> -- 
>> 2.34.1
>> 

Hmm… Perhaps it is time to just remove the above RPCSEC_GSS_KRB5 dependency altogether? It is possible to use the NFSv4.1 client with just AUTH_SYS, and in fact there are plenty of people out there using only that. The fact that RFC5661 gets its knickers in a twist about RPCSEC_GSS support is largely irrelevant to those people.

The other issue is that ’select’ enforces the strict dependency that if the NFS client is compiled into the kernel, then the RPCSEC_GSS and kerberos code needs to be compiled in as well: they cannot exist as modules.

_________________________________
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@...merspace.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ