Return-Path: Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (Postfix) with ESMTP id F08753EB73; Thu, 27 Sep 2012 12:11:17 -0400 (EDT) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q8RGBHbj013650; Thu, 27 Sep 2012 12:11:17 -0400 Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q8RFnsVa009823 for ; Thu, 27 Sep 2012 11:49:54 -0400 Received: from dmz-mailsec-scanner-6.mit.edu (DMZ-MAILSEC-SCANNER-6.MIT.EDU [18.7.68.35]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id q8RFl9GF023129 for ; Thu, 27 Sep 2012 11:49:54 -0400 X-Auditid: 12074423-b7fab6d0000008f9-1e-506475a17cdf Authentication-Results: symauth.service.identifier Received: from homiemail-a16.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 9E.AB.02297.1A574605; Thu, 27 Sep 2012 11:49:54 -0400 (EDT) Received: from homiemail-a16.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTP id DCA3250807B for ; Thu, 27 Sep 2012 08:49:52 -0700 (PDT) Dkim-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:date:message-id:subject:from:to:content-type; s= cryptonector.com; bh=ncD1blw1W/jgHQmlb8Zx6r8APOM=; b=A61K0ZPI7UJ iInSvlxBvmAoJUfja/n9kS35aXh3vf4g2maUay8gTEjRq20ug7ibn6asxwynt5Hs ZUQ4lFD7/tqemQ/TvzXnDemQlQKTBudDZAOYNzXgIPKKINSFGvp6leZmSVHQmraT qU9CWi0lEIGxdJBgZJZHPtdVoxeKaJrQ= Received: from mail-pb0-f49.google.com (mail-pb0-f49.google.com [209.85.160.49]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTPSA id C7471508072 for ; Thu, 27 Sep 2012 08:49:52 -0700 (PDT) Received: by pbcxa7 with SMTP id xa7so2656609pbc.36 for ; Thu, 27 Sep 2012 08:49:52 -0700 (PDT) MIME-Version: 1.0 Received: by 10.68.220.104 with SMTP id pv8mr12546630pbc.119.1348760992269; Thu, 27 Sep 2012 08:49:52 -0700 (PDT) Received: by 10.68.20.194 with HTTP; Thu, 27 Sep 2012 08:49:52 -0700 (PDT) Date: Thu, 27 Sep 2012 10:49:52 -0500 Message-ID: Subject: kdb5_util dump race can leave policy refcounts incorrect From: Nico Williams To: krb5-bugs@mit.edu Content-Type: text/plain; charset=UTF-8 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLKsWRWlGSWpSXmKPExsVyIbFlou6i0pQAg6Y3zBYND4+zOzB6NJ05 yhzAGMVlk5Kak1mWWqRvl8CV8XPla/aCyywV8zavYmpgfMrcxcjJISFgItHff5gRxGYUMJLY fe4VK0RcTOLCvfVsXYxcHEICjxklFuz7yAjhnGGUaN7xlR3EYRF4zyRx988aqMxDJoltU9+x gfQLCVRLdK2fBTaLV0BQ4uTMJywQ8WKJVZ0LGSFsL4n//+eD1bMIqErcf/OcEaI+QOLgii52 EFtYwFHiX+c6oDgHB5uAtsTmbYogYREBUYmXf4+xgISZBdQl1s8TmsAoOAvJslkImQWMTKsY ZVNyq3RzEzNzilOTdYuTE/PyUot0zfRyM0v0UlNKNzECQ1KI3UV5B+Ofg0qHGAU4GJV4eD/Y JgcIsSaWFVfmHmKU5GBSEuXNzE4JEOJLyk+pzEgszogvKs1JLT7EKMHBrCTCG6UKlONNSays Si3Kh0lJc7AoifNeS7npLySQnliSmp2aWpBaBJNl4mA/xCjDwaEkwbu7BKhbsCg1PbUiLTOn BFkNJ4jgAlnDA7RmH0ghb3FBYm5xZjpE0SlGY46PJxc8YOS49HHxA0Yhlrz8vFQpcd4FIKUC IKUZpXlwI2Gp5hKjrJQwLyMDA4MQD9BNwKBAlX/FKA4MBmHeLSBTeDLzSuD2vQI6hQnolKWb kkBOKUlESEk1MOYmfPwbluDx/mnl2uKW5de3iy0++v7r7f72GQvO6a5M0Z3d//ndCpcWBbml 8mHr9c1npO0L/Xyn+GZiK7tJpNBX0ahrs9/eKl10/dnx57XL1jw8GOy5vE36ZNg6h688Xsu8 X+p+O3RtXtSipCXFM5X+nmNyKgiO3JBpuMKYTyNgWg6LWni19V0lluKMREMt5qLiRADrawi1 MAMAAA== X-Mailman-Approved-At: Thu, 27 Sep 2012 12:11:16 -0400 X-Beenthere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu Content-Length: 586 kdb5_util does not lock the KDB across both record iteration operations that it does (principals and policies) unless the dump format requested is an iprop dump format. I don't understand why the utility locks the whole KDB in the iprop case but not in the non-iprop cases. A change to any principal's policy assignment that sneaks in between the iteration of principals and the iteration of policies, will result in the dump having incorrect policy refcounts. If such a dump is propagated to a slave that then gets promoted to master then the incorrect policy refcount will matter.