[Bug 2099914] Re: cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments

Matthew Ruffell 2099914 at bugs.launchpad.net
Wed Apr 2 05:06:42 UTC 2025


Attached is a debdiff for cifs-utils on jammy

** Patch added: "Debdiff for cifs-utils on jammy"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914/+attachment/5868797/+files/lp2099914_jammy.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914

Title:
  cifs.upcall program in cifs-utils package incorrectly makes an upcall
  to different namespace in case of container environments

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Focal:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in cifs-utils source package in Jammy:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in cifs-utils source package in Noble:
  In Progress
Status in linux source package in Noble:
  In Progress
Status in cifs-utils source package in Oracular:
  In Progress
Status in linux source package in Oracular:
  In Progress
Status in cifs-utils source package in Plucky:
  Fix Released
Status in linux source package in Plucky:
  Fix Released

Bug description:
  In some cases, the cifs.upcall program from the cifs-utils package
  makes an upcall to the wrong namespace in containerized environments.

  Consider the following scenario:

  A CIFS/SMB file share is mounted on a host node using Kerberos
  authentication.

  During the session setup phase, the Linux kernel's cifs.ko module
  makes an upcall to user space to retrieve the Kerberos service ticket
  from the credential cache.

  In typical (non-container) environments, this process works correctly,
  but in containerized environments, the upcall may be directed to a
  different namespace than intended, leading to issues. For example:

  a) The file share is mounted on the host node at /mnt/testshare1, meaning the Kerberos credential cache is stored in the host's namespace. 
  b) A Docker container is created, and the file share path /mnt/testshare1 is exported to the container at /sharedpath. 
  c) When the service ticket expires and the SMB connection is lost, before the ticket is refreshed in the credential cache, an application inside the container performs a file operation. This triggers the kernel to attempt a session reconnect.
  d) During the session setup, a Kerberos ticket is needed, so the kernel invokes the cifs.upcall binary using the request_key function. However, cifs.upcall switches to the namespace of the caller (i.e., the container), causing it to attempt to read the credential cache from the container's namespace. But since the original mount happened in the host namespace, the credential cache is located on the host, not in the container. This results in the upcall failing to access the correct credential cache or accessing a credential cache which doesn't belong to the correct user.

  
  It is fixed here:
  https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

  Documentation:
  https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions
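
When triaging the scenario in the bug description, it helps to confirm that the process triggering the reconnect really lives in a different mount namespace from the one where the share was mounted and the credential cache is stored. The following is an added diagnostic example, not code from cifs-utils or from the bug report; the function names are hypothetical and it assumes pid 1 represents the host namespaces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse a /proc/<pid>/ns/<type> link target such as "mnt:[4026531840]".
 * Returns 0 and stores the namespace inode, or -1 on malformed input. */
int parse_ns_link(const char *target, const char *type, unsigned long *ino)
{
    size_t n = strlen(type);
    char *end;
    if (strncmp(target, type, n) != 0 || target[n] != ':' || target[n + 1] != '[')
        return -1;
    *ino = strtoul(target + n + 2, &end, 10);
    return (end != target + n + 2 && strcmp(end, "]") == 0) ? 0 : -1;
}

/* Read one namespace inode of a process (pid 1 normally requires root). */
int read_ns_inode(long pid, const char *type, unsigned long *ino)
{
    char path[64], target[64];
    ssize_t len;
    snprintf(path, sizeof(path), "/proc/%ld/ns/%s", pid, type);
    len = readlink(path, target, sizeof(target) - 1);
    if (len < 0) return -1;
    target[len] = '\0';
    return parse_ns_link(target, type, ino);
}

/* 1 = same namespace, 0 = different, -1 = could not be determined. */
int same_namespace(long pid_a, long pid_b, const char *type)
{
    unsigned long a, b;
    if (read_ns_inode(pid_a, type, &a) != 0 || read_ns_inode(pid_b, type, &b) != 0)
        return -1;
    return a == b;
}

/* Usage: ./nscheck <pid of the containerized application> */
int main(int argc, char **argv)
{
    const char *types[] = { "mnt", "user", "pid", "net" };
    long pid = argc > 1 ? atol(argv[1]) : (long)getpid();
    for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
        int r = same_namespace(1, pid, types[i]);
        printf("%-4s %s\n", types[i], r == 1 ? "same as pid 1" :
               r == 0 ? "differs from pid 1" : "could not be read");
    }
    return 0;
}
```

A "differs from pid 1" result for `mnt` on the application's pid matches the condition in step (d): a credential cache path resolved from that process's namespace is not the host's file.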