Ubuntu
keyutils package

Merge ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-bionic into ubuntu/+source/keyutils:ubuntu/bionic-devel

  1. Git
  2. lp:~utkarsh/ubuntu/+source/keyutils
  3. apply-default-ttl-to-records-bionic
  4. Merge into ubuntu/bionic-devel
Proposed by Utkarsh Gupta
Status: Merged
Merged at revision: ba67e1b244162f1bf824b2f6554f0705571d930c
Proposed branch: ~utkarsh/ubuntu/+source/keyutils:apply-default-ttl-to-records-bionic
Merge into: ubuntu/+source/keyutils:ubuntu/bionic-devel
Diff against target: 81 lines (+59/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/apply-default-ttl-to-records.patch (+50/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Miriam España Acebal (community) Needs Information
Robie Basak Needs Information
Chris Newcomer Pending
Canonical Server packageset reviewers Pending
Canonical Server Pending
git-ubuntu import Pending
Review via email: mp+416514@code.launchpad.net

Description of the change

Hiya,

This is a minimalistic patch of what we uploaded to Focal and Impish (and also, Jammy).

Below are the MPs of what I had uploaded to Focal and Impish, which are in the SRU queue, so that you can see how much we've stripped down and also verify that the stripping is indeed correct or not.

MP for Focal: https://code.launchpad.net/~utkarsh/ubuntu/+source/keyutils/+git/keyutils/+merge/416132

MP for Impish: https://code.launchpad.net/~utkarsh/ubuntu/+source/keyutils/+git/keyutils/+merge/416129

To post a comment you must log in.
Revision history for this message
Robie Basak (racb) wrote :

This goes a bit further I think. The upstream patch used the TTL from an SRV record or "afsdb" (not sure what that is), and falls back to 5. But your backport will use 5 all the time? Is this intentional?

The use of global variables means I'm not clear when it is reset for a subsequent query, but I assume the upstream code is correct there.

review: Needs Information
Revision history for this message
Miriam España Acebal (mirespace) wrote :

Hi Utkarsh,

congratulations on landing this MP!

The code, at first glance, looks correct. I have been able to build the package locally.

What I am struggling with is the verification of the fix. I have not been able to reproduce the good case.

Also, the test plan has an oversight in the ss command: it has to be ``` ss -K dport = :445 ```. I'm not sure if it's a reconnect or something (admittedly, after running that, I still see the file that the samba server is sharing)... but when it says "after a reboot of the client machine to make sure the kernel keys are refreshed "the behaviour is the same.

Maybe I'm missing things in the configuration to check the cases. What I did:

a) Samba server

  vim /etc/netplan10-lxc.yaml <-- duplicate the ens entry with different number to
  have 2 ifaces
  netplan try
  apt install samba
  vim /etc/samba/smb.conf <-- edit path on [sambashare] section
  mkdir <path_on_the_step_before> an create an archive there (a .txt for example)
  create user and register it in samba : adduser <user> ; smbpasswd -a <user>
  vim /etc/hosts <-- put here the 2 ips with a name (sambaserver.example.com),
  comment one line

b) Client

  apt install keyutils
  apt install cifs-utils dnsutils
  mkdir <path_local_share_folder>
  vim /etc/hosts <-- add the no comment line from a)
  nslookup sambaserver
  mount -t cifs -o user=<user> //sambaserver/sambashare <path_local_share_folder>
  ls <path_local_share_folder> <-- check you can see the files
  ss dport = :445

c) Use the commented line for the IP in both server and client

d) Client
  ss -K dport = :445

Maybe the problem for me is using the /etc/hosts, so systemd-resolv is doing nothing ... what do you think? What would the step there instead of using /etc/hosts? At least, I hope I have given you some more detailed steps to reproduce.

review: Needs Information

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 5dfbb4c..ab8a167 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+keyutils (1.5.9-9.2ubuntu2.1) bionic; urgency=medium
7+
8+ * d/p/apply-default-ttl-to-records.patch: Add patch
9+ to apply default TTL to records obtained from
10+ getaddrinfo(). (LP: #1962453)
11+
12+ -- Utkarsh Gupta <utkarsh@ubuntu.com> Tue, 08 Mar 2022 13:26:12 +0530
13+
14 keyutils (1.5.9-9.2ubuntu2) bionic; urgency=medium
15
16 * debian/patches/endianness-and-PIE.patch: fix regexp match against
17diff --git a/debian/patches/apply-default-ttl-to-records.patch b/debian/patches/apply-default-ttl-to-records.patch
18new file mode 100644
19index 0000000..5a049ac
20--- /dev/null
21+++ b/debian/patches/apply-default-ttl-to-records.patch
22@@ -0,0 +1,50 @@
23+From 75e7568dc516db698093b33ea273e1b4a30b70be Mon Sep 17 00:00:00 2001
24+From: David Howells <dhowells@redhat.com>
25+Date: Tue, 14 Apr 2020 16:07:26 +0100
26+Subject: dns: Apply a default TTL to records obtained from getaddrinfo()
27+ Address records obtained from getaddrinfo() don't come with any TTL
28+ information, even if they're obtained from the DNS, with the result that
29+ key.dns_resolver upcall program doesn't set an expiry time on dns_resolver
30+ records unless they include a component obtained directly from the DNS,
31+ such as an SRV or AFSDB record.
32+ .
33+ Fix this to apply a default TTL of 10mins in the event that we haven't got
34+ one. This can be configured in /etc/keyutils/key.dns_resolver.conf by
35+ adding the line:
36+ .
37+ default_ttl = <number-of-seconds>
38+ .
39+ to the file.
40+ .
41+ Signed-off-by: David Howells <dhowells@redhat.com>
42+ Reviewed-by: Ben Boeckel <me@benboeckel.net>
43+ Reviewed-by: Jeff Layton <jlayton@kernel.org>
44+Description: The upstream patch doesn't apply when cherry-picked, as-is,
45+ so we've manually stripped down the configuration bits and only taken
46+ the hunk which actually addresses the problem, that is, setting the
47+ timeout.
48+Co-author: Utkarsh Gupta <utkarsh.gupta@canonical.com>
49+Origin: upstream, https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/commit/?id=75e7568dc516db698093b33ea273e1b4a30b70be
50+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/keyutils/+bug/1962453
51+Last-Updated: 2022-02-28
52+
53+--- a/key.dns_resolver.c
54++++ b/key.dns_resolver.c
55+@@ -67,6 +67,7 @@
56+ static key_serial_t key;
57+ static int verbose;
58+ static int debug_mode;
59++unsigned int key_expiry = 5;
60+
61+
62+ #define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */
63+@@ -584,6 +585,9 @@
64+
65+ /* load the key with data key */
66+ if (!debug_mode) {
67++ ret = keyctl_set_timeout(key, key_expiry);
68++ if (ret == -1)
69++ error("%s: keyctl_set_timeout: %m", __func__);
70+ ret = keyctl_instantiate_iov(key, payload, payload_index, 0);
71+ if (ret == -1)
72+ error("%s: keyctl_instantiate: %m", __func__);
73diff --git a/debian/patches/series b/debian/patches/series
74index 6af5e5b..f370345 100644
75--- a/debian/patches/series
76+++ b/debian/patches/series
77@@ -17,3 +17,4 @@ Make-build-reproducible.patch
78 Drop-tests-requiring-CONFIG_BIG_KEYS.patch
79 Adjust-tests-for-3.18-kernel-change.patch
80 endianness-and-PIE.patch
81+apply-default-ttl-to-records.patch

Subscribers

People subscribed via source and target branches