Add request-key.d/id_resolver.conf to shut up logspam

[donald]

NFS clients of a kernel before 5.15.89.mx64.445 try to use the
id_resolver for sec=mariux mounts when uid or gid file attributes are
transmitted to the server (e.g. when chown or chgrp is done).

The kernel nfs clients makes a user space upcall via /sbin/request-key
for a key of a type id_resolver and a key description like "user:130" or
"group:125".

As keys of the type id_resolver are not configured in
/etc/request-key.conf, this will fail but /sbin/request-key logs
"request-key: Cannot find command to construct key..." to its stdout
which ends up in the syslog.

The nfs clients continues by sending the uid/gid value numerically to
the nfs server, which is what we want.

Configure a (negative) request-key response for keys of the type
id_resolver to avoid logfile spam.

Kernels since 5.15.89.mx64.445 don't need that, because the userspace
upcall is avoided for sec=mariux just the same as it is for sec=sys.

[donald]

buczek@dose:~$ sudo cat /proc/keys|grep id_re
18fc7167 I------     1 perm 1f030000     0     0 keyring   .id_resolver: empty
buczek@dose:~$ ls -l x.x
-rw-rw-r-- 1 buczek buczek 0 Jan 19 13:00 x.x
buczek@dose:~$ chgrp edv x.x
buczek@dose:~$ ls -l x.x
-rw-rw-r-- 1 buczek edv 0 Jan 19 13:00 x.x
buczek@dose:~$ sudo cat /proc/keys|grep id_re
05add641 I--Q-N-     2   4m 3b010000     0     0 id_resolv group:598
18fc7167 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 2
buczek@dose:~$ tail -5 /var/log/messages
2023-01-19T13:02:37+01:00 dose  sudo: pam_unix(sudo:session): session opened for user root by buczek(uid=0)
2023-01-19T13:02:37+01:00 dose  sudo: pam_unix(sudo:session): session closed for user root
2023-01-19T13:02:51+01:00 dose  sudo:   buczek : TTY=pts/2 ; PWD=/home/buczek ; USER=root ; COMMAND=/bin/cat /proc/keys
2023-01-19T13:02:51+01:00 dose  sudo: pam_unix(sudo:session): session opened for user root by buczek(uid=0)
2023-01-19T13:02:51+01:00 dose  sudo: pam_unix(sudo:session): session closed for user root

[pmenzel]

Just a note, that /proc/keys is world readable.

@geniux:~$ ls -l /proc/keys
-r--r--r-- 1 root root 0 Jan  4 12:53 /proc/keys

Or did you want to generate messages for /var/log/messages by using sudo?

[donald]

Just a note, that /proc/keys is world readable.

Yeah, but keyrings(7): "/proc/keys (since Linux 2.6.10) - This file exposes a list of the keys for which the reading thread has view permission...:"

buczek@dose:~$ cat /proc/keys |grep id_resol
buczek@dose:~$ sudo cat /proc/keys |grep id_resol
18fc7167 I------     1 perm 1f030000     0     0 keyring   .id_resolver: 6
1a34f3e2 I--Q-N-     2   4m 3b010000     0     0 id_resolv group:0
1fe1abcf I--Q-N-     2   4m 3b010000     0     0 id_resolv user:0
2d3e95d2 I--Q-N-     2   4m 3b010000     0     0 id_resolv group:598
buczek@dose:~$ 

[pmenzel]

Understood. Thank you for clarifying. Today I learned something. ;-)