| Date: | Thu, 27 Sep 2012 10:49:52 -0500 |
| Subject: | kdb5_util dump race can leave policy refcounts incorrect |
| From: | Nico Williams <nico@cryptonector.com> |
| To: | krb5-bugs@mit.edu |
kdb5_util does not lock the KDB across both record iteration
operations that it does (principals and policies) unless the dump
format requested is an iprop dump format. I don't understand why the
utility locks the whole KDB in the iprop case but not in the non-iprop
cases. A change to any principal's policy assignment that sneaks in
between the iteration of principals and the iteration of policies,
will result in the dump having incorrect policy refcounts. If such a
dump is propagated to a slave that then gets promoted to master then
the incorrect policy refcount will matter.
operations that it does (principals and policies) unless the dump
format requested is an iprop dump format. I don't understand why the
utility locks the whole KDB in the iprop case but not in the non-iprop
cases. A change to any principal's policy assignment that sneaks in
between the iteration of principals and the iteration of policies,
will result in the dump having incorrect policy refcounts. If such a
dump is propagated to a slave that then gets promoted to master then
the incorrect policy refcount will matter.