-rw-r--r--ChangeLog2
-rw-r--r--configure.in2
-rw-r--r--debian/nfs-kernel-server.default4
-rw-r--r--utils/gssd/gssd_proc.c4
-rw-r--r--utils/idmapd/idmapd.c33
-rw-r--r--utils/svcgssd/Makefile2
-rw-r--r--utils/svcgssd/svcgssd_proc.c30
7 files changed, 31 insertions, 46 deletions
diff --git a/ChangeLog b/ChangeLog
index dd490b1..0c8b592 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@
using a pipe.
* utils/idmapd/idmapd.c: Let libnfsidmapd parse the idmapd.conf
file for the default domain, instead of doing that ourselves.
+ * utils/gssd/gssd_proc.c: Make sure we get an error when a gssd
+ downcall fails.
2004-11-22 NeilBrown <neilb@cse.unsw.edu.au>
diff --git a/configure.in b/configure.in
index 5b10c20..5d683a6 100644
--- a/configure.in
+++ b/configure.in
@@ -118,7 +118,7 @@ AC_CHECK_LIB(nsl, main, [LIBNSL="-lnsl"])
AC_CHECK_LIB(crypt, crypt, [LIBCRYPT="-lcrypt"])
if test "$enable_nfsv4" = yes; then
AC_CHECK_LIB(event, event_dispatch)
- AC_CHECK_LIB(nfsidmap, nfs4_uid_to_name)
+ AC_CHECK_LIB(nfsidmap, nfs4_init_name_mapping)
AC_CHECK_HEADERS(event.h)
AC_CHECK_HEADERS(nfsidmap.h)
fi
diff --git a/debian/nfs-kernel-server.default b/debian/nfs-kernel-server.default
index 4c6110b..d6d237d 100644
--- a/debian/nfs-kernel-server.default
+++ b/debian/nfs-kernel-server.default
@@ -3,3 +3,7 @@ RPCNFSDCOUNT=8
# Options for rpc.mountd
RPCMOUNTDOPTS=
+
+# If you are not running NFS with RPCSEC_GSS security, and wish to
+# disable the gssd server daemon then uncomment the following line
+# NEED_SVCGSSD=no
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 416653b..788ecf1 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -504,6 +504,10 @@ int create_auth_rpc_client(struct clnt_info *clp,
retval = 0;
out_fail:
+ if ((save_uid != -1) && (seteuid(save_uid) != 0)) {
+ printerr(0, "WARNING: Failed to restore euid"
+ " to uid %d (in error path)\n", save_uid);
+ }
if (sec.cred != GSS_C_NO_CREDENTIAL)
gss_release_cred(&min_stat, &sec.cred);
if (rpc_clnt) clnt_destroy(rpc_clnt);
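Review bot: The added seteuid() restore only logs when it fails, and `retval` is left untouched, so create_auth_rpc_client can return success while the process is still running under the effective uid that was switched to earlier; the caller has no way to notice. If a failed restore must not be survivable, set `retval = -1;` inside the new if-block (or treat it as fatal) rather than continuing with only a warning. The message text "(in error path)" is also misleading, because the success path at `retval = 0;` falls straight through into `out_fail:` and runs the same restore. Whether `save_uid` has a signed type that can hold -1 is not visible here; if it is a `uid_t` the `!= -1` comparison relies on unsigned conversion and `%d` does not match it. create_auth_rpc_client begins outside the hunk.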
diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
index a5d4f72..02604df 100644
--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
@@ -132,7 +132,6 @@ void mydaemon(int, int);
void release_parent();
static int verbose = 0;
-static char domain[512];
static char pipefsdir[PATH_MAX];
static char *nobodyuser, *nobodygroup;
static uid_t nobodyuid;
@@ -153,7 +152,6 @@ main(int argc, char **argv)
struct group *gr;
struct stat sb;
char *xpipefsdir = NULL;
- char *xdomain = NULL;
int serverstart = 1, clientstart = 1;
conf_path = _PATH_IDMAPDCONF;
@@ -181,13 +179,11 @@ main(int argc, char **argv)
conf_init();
verbose = conf_get_num("General", "Verbosity", 0);
CONF_SAVE(xpipefsdir, conf_get_str("General", "Pipefs-Directory"));
- CONF_SAVE(xdomain, conf_get_str("General", "Domain"));
if (xpipefsdir != NULL)
strlcpy(pipefsdir, xpipefsdir, sizeof(pipefsdir));
- if (xdomain != NULL)
- strlcpy(domain, xdomain, sizeof(domain));
CONF_SAVE(nobodyuser, conf_get_str("Mapping", "Nobody-User"));
CONF_SAVE(nobodygroup, conf_get_str("Mapping", "Nobody-Group"));
+ nfs4_init_name_mapping(conf_path);
}
while ((opt = getopt(argc, argv, GETOPTSTR)) != -1)
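Review bot: The result of `nfs4_init_name_mapping(conf_path)` is discarded, so a configuration the library cannot load is only noticed later, request by request, inside idtonameres; the explicit start-up failure the old code had for a missing domain (the `errx(1, "Invalid domain; ...")` removed in the `@@ -246,12 +225,6 @@` hunk) no longer exists. Failing early keeps a misconfigured daemon visible rather than silently answering every lookup with an error: `if (nfs4_init_name_mapping(conf_path) != 0) errx(1, "Could not initialise name mapping from %s", conf_path);`, assuming the call reports failure through its return value the way the library's other call in this diff is checked (`res < 0` in svcgssd_proc.c). main continues outside the hunk.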
@@ -221,23 +217,6 @@ main(int argc, char **argv)
strncat(pipefsdir, "/nfs", sizeof(pipefsdir));
- if (domain[0] == '\0') {
- struct hostent *he;
- char hname[64], *c;
-
- if (gethostname(hname, sizeof(hname)) == -1)
- errx(1, "Error getting hostname");
-
- if ((he = gethostbyname(hname)) == NULL)
- errx(1, "Error resolving hostname: %s", hname);
-
- if ((c = strchr(he->h_name, '.')) == NULL || *++c == '\0')
- errx(1, "Error resolving domain, "
- "please use the -d switch");
-
- strlcpy(domain, c, sizeof(domain));
- }
-
if ((pw = getpwnam(nobodyuser)) == NULL)
errx(1, "Could not find user \"%s\"", nobodyuser);
nobodyuid = pw->pw_uid;
@@ -246,12 +225,6 @@ main(int argc, char **argv)
errx(1, "Could not find group \"%s\"", nobodygroup);
nobodygid = gr->gr_gid;
- if (strlen(domain) == 0)
- errx(1, "Invalid domain; please specify with -d switch");
-
- if (verbose > 2)
- warnx("Using domain \"%s\"", domain);
-
if (!fg)
mydaemon(0, 0);
@@ -640,7 +613,7 @@ nfsdopenone(struct idmap_client *ic, short which, char *path)
ic->ic_which = which;
ic->ic_id = "Server";
- strlcpy(ic->ic_clid, domain, sizeof(ic->ic_clid));
+ strlcpy(ic->ic_clid, "Server", strlen("Server"));
if (verbose > 0)
warnx("Opened %s", ic->ic_path);
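Review bot: `strlcpy(ic->ic_clid, "Server", strlen("Server"))` passes the source length as strlcpy's size argument, but that argument is the destination buffer size; strlcpy reserves one byte for the terminator, so ic_clid ends up holding `"Serve"`. The size should be the buffer's, as the removed line had it: `strlcpy(ic->ic_clid, "Server", sizeof(ic->ic_clid));`. nfsdopenone starts outside the hunk.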
@@ -688,8 +661,10 @@ static int write_name(char *dest, char *localname, char *domain, size_t len)
static void
idtonameres(struct idmap_msg *im)
{
+ char domain[NFS4_MAX_DOMAIN_LEN];
int ret = 0;
+ ret = nfs4_get_default_domain(NULL, domain, sizeof(domain));
switch (im->im_type) {
case IDMAP_TYPE_USER:
ret = nfs4_uid_to_name(im->im_id, domain, im->im_name,
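Review bot: The `ret` assigned from `nfs4_get_default_domain(NULL, domain, sizeof(domain))` is overwritten by the first case of the switch without ever being inspected, so when the domain lookup fails `domain` still holds uninitialised stack data and is passed on to `nfs4_uid_to_name`. Check it before the switch and mark the message as failed the way the lookup cases presumably do further down, e.g. `if (ret != 0) { /* report lookup failure as the cases below do */ }`; the rest of idtonameres, including that error handling, is outside the hunk, so the exact label or status field cannot be quoted here.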
diff --git a/utils/svcgssd/Makefile b/utils/svcgssd/Makefile
index ed3fa98..8b330db 100644
--- a/utils/svcgssd/Makefile
+++ b/utils/svcgssd/Makefile
@@ -7,7 +7,7 @@ PREFIX = rpc.
OBJS = svcgssd.o svcgssd_main_loop.o svcgssd_proc.o err_util.o gss_util.o \
gss_oids.o context.o context_heimdal.o cacheio.o svcgssd_mech2file.o
LIBDEPS = $(TOP)support/lib/librpc.a $(TOP)support/lib/libgssapi.a
-LIBS = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB)
+LIBS = -Wl,-rpath=$(KRBDIR)/lib -lrpc -lgssapi -ldl $(KRBLIB) -lnfsidmap
MAN8 = svcgssd
predep ::
diff --git a/utils/svcgssd/svcgssd_proc.c b/utils/svcgssd/svcgssd_proc.c
index a25c229..8faddc1 100644
--- a/utils/svcgssd/svcgssd_proc.c
+++ b/utils/svcgssd/svcgssd_proc.c
@@ -44,6 +44,7 @@
#include <string.h>
#include <fcntl.h>
#include <errno.h>
+#include <nfsidmap.h>
#include "svcgssd.h"
#include "gss_util.h"
@@ -162,15 +163,15 @@ send_response(FILE *f, gss_buffer_desc *in_handle, gss_buffer_desc *in_token,
#define rpcsec_gsserr_ctxproblem 14
static int
-get_ids(gss_name_t client_name, gss_OID *mech, struct svc_cred *cred)
+get_ids(gss_name_t client_name, gss_OID mech, struct svc_cred *cred)
{
u_int32_t maj_stat, min_stat;
gss_buffer_desc name;
char *sname;
int res = -1;
- struct passwd *pw = NULL;
+ uid_t uid, gid;
gss_OID name_type;
- char *c;
+ char *secname;
maj_stat = gss_display_name(&min_stat, client_name, &name, &name_type);
if (maj_stat != GSS_S_COMPLETE)
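Review bot: `uid_t uid, gid;` declares the group id with the user-id type, while nfs4_gss_princ_to_ids (called in the next hunk) takes a `gid_t *` for its last argument; declare them as `uid_t uid; gid_t gid;` so the pointer types match on platforms where the two typedefs differ. get_ids continues in the following hunk.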
@@ -179,18 +180,17 @@ get_ids(gss_name_t client_name, gss_OID *mech, struct svc_cred *cred)
goto out;
memcpy(sname, name.value, name.length);
printerr(1, "sname = %s\n", sname);
- /* XXX: should use same mapping as idmapd? Or something; for now
- * I'm just chopping off the domain. */
- /* XXX: note that idmapd also does this! It doesn't check the domain
- * name. */
- if ((c = strchr(sname, '@')) != NULL)
- *c = '\0';
- /* XXX? mapping unknown users (including machine creds) to nobody: */
- if ( !(pw = getpwnam(sname)) && !(pw = getpwnam("nobody")) )
+
+ res = -EINVAL;
+ if ((secname = mech2file(mech)) == NULL)
+ goto out_free;
+ nfs4_init_name_mapping(NULL); /* XXX: should only do this once */
+ res = nfs4_gss_princ_to_ids(secname, sname, &uid, &gid);
+ if (res < 0)
goto out_free;
- cred->cr_uid = pw->pw_uid;
- cred->cr_gid = pw->pw_gid;
- /* XXX Read password file? Use initgroups? I dunno...*/
+ cred->cr_uid = uid;
+ cred->cr_gid = gid;
+ /*XXX: want add_supplementary_groups(secname, sname, cred)? */
cred->cr_ngroups = 0;
res = 0;
out_free:
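Review bot: `nfs4_init_name_mapping(NULL)` is called on every request and its return value is ignored, so a mapping setup that fails is only seen indirectly as whatever `nfs4_gss_princ_to_ids` then returns; the `XXX` comment already notes it should run once. Checking it, `res = nfs4_init_name_mapping(NULL);` followed by `if (res < 0) goto out_free;`, makes the failure explicit, and moving the call to daemon start-up (outside this hunk) would avoid re-reading the configuration on each NULL request. On the failure path nothing is logged about which principal or mechanism failed to map; a `printerr(0, ...)` naming `secname` and `sname` before the `goto out_free` would let an operator diagnose rejected clients without raising verbosity to the level the earlier `printerr(1, "sname = %s\n", sname)` needs. Dropping the old unconditional fallback to "nobody" is the right direction, since an unmapped principal now fails closed instead of acquiring a valid credential.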
@@ -310,7 +310,7 @@ handle_nullreq(FILE *f) {
&null_token, &null_token);
goto out_err;
}
- if (get_ids(client_name, &mech, &cred)) {
+ if (get_ids(client_name, mech, &cred)) {
printerr(0, "WARNING: handle_nullreq: get_uid failed\n");
send_response(f, &in_handle, &in_tok, GSS_S_BAD_NAME /* XXX? */,
0, &null_token, &null_token);