nfs-utils.git - NFS utils related patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	Use newly added keytab functions	Kevin Coffman	2007-03-31	1	-3/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Use the new functions added in the previous patch. Obtain machine credentials in a pre-determined order Look for appropriate machine credentials in the following order: root/<fqdn>@REALM nfs/<fqdn>@REALM host/<fqdn>@REALM root/<any-name>@REALM nfs/<any-name>@REALM host/<any-name>@REALM The first matching credential will be used. Also, the machine credentials to be used are now determined "on-demand" rather than at gssd startup. This allows keytab additions to be noticed and used without requiring a restart of gssd. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
*	Add missing newlines	Kevin Coffman	2007-03-31	1	-6/+6
\| \| \| \| \| \| \|	Add missing newlines to error messages. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
*	Create two separate paths for pipefs_dir and pipefs_nfsdir.	Kevin Coffman	2007-03-19	1	-11/+11
\| \| \| \| \| \| \| \| \|	Future work needs access to the base pipefs directory rather than the nfs subdirectory. Create two separate paths called pipefs_dir and pipefs_nfsdir with the name of each. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
*	Add option to allow root to use credentials other than machine credentials	Kevin Coffman	2007-03-19	1	-39/+43
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Add a new option ("-n") to rpc.gssd to indicate that accesses as root (uid 0) should not use machine credentials, but should instead use "normal" Kerberos credentials obtained by root. This change was prompted by a suggestion and patch from Daniel Muntz <Dan.Muntz@netapp.com>. That patch suggested trying "normal" credentials first and falling back to using machine creds for uid 0 if normal creds failed. This opens up the case where root may have credentials as "foo@REALM" and begins accessing files. Then the context using those credentials expires and must be renewed. If the credentials are now expired, then root's new context would fall back and be created with the machine credentials. Instead, this patch insists that the administrator choose to use either machine credentials for accesses by uid 0 (the default behavior, as it was before) or "normal" credentials. In the latter case, arrangements must be made to obtain credentials before attempting a mount. There should be no doubts which credentials are used for uid 0. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de>
*	Fix misc warning messages	Kevin Coffman	2006-10-17	1	-0/+1
\| \| \| \| \| \|	Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Clean up a few warning messages.
*	Use setfsuid() rather than seteuid() while creating contexts	kwc@citi.umich.edu	2006-07-04	1	-7/+7
\| \| \| \| \| \| \| \| \| \|	Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> As suggested by Olaf Kirch <okir@suse.de>, use setfsuid() rather than seteuid() when creating a gss context. This prevents users from using credentials that do not belong to them, while also preventing them from doing things like killing, renicing, or changing the priority of the gssd process while it is processing the context creation.
*	2006-04-10 NeilBrown <neilb@suse.de>	neilbrown	2006-04-10	1	-4/+4
\| \| \| \| \| \| \| \| \| \| \| \| \|	Various paranoia checks: gssd_proc.c: pass max_field sizes to sscanf to avoid buffer overflow svcgssd_proc.c: range_check name.length, to ensure name.length+1 doesn't wrap idmapd.c(nfsdcb): make sure at least one byte is read before zeroing the last byte that was read, otherwise memory corruption is possible. Found by SuSE security audit.
*	2006-04-10 kwc@citi.umich.edu	neilbrown	2006-04-09	1	-33/+47
\| \| \| \| \| \| \|	Fix memory leak of the AUTH structure on context negotiations Free AUTH structure after completing context negotiation and sending context information to the kernel.
*	Don't close and reopen all pipes on every DNOTIFY signal.	neilbrown	2006-03-28	1	-36/+87
\| \| \| \| \| \| \| \| \| \|	From: Vince Busam <vbusam@google.com> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Don't unnecessarily close and re-open all pipes after every DNOTIFY signal. These unnecessary closes were triggering a kernel Oops. Original patch modified to correct segfault when unmounting last NFSv4 mount.
*	Update krb5 code to use glue routine lucid context functions	neilbrown	2006-03-28	1	-2/+2
\| \| \| \| \| \| \| \| \| \| \|	The gssd code should not know about the glue layer's context structure. A previous patch added gss_export_lucid_sec_context() and gss_free_lucid_sec_context() functions to the gssapi glue layer. Use these functions rather than calling directly to the Kerberos gssapi code (which requires the Kerberos context handle rather than the glue's context handle). (really this time)
*	utils/gssd/gssd_proc.c(create_auth_rpc_client): Use service	neilbrown	2005-12-19	1	-2/+17
\| \| \| \|	portion of clp->servicename rather than hard-coding "nfs".
*	Updates from Kevin Coffman at UMich	neilbrown	2005-12-16	1	-9/+87
\|
*	* empty log message *	neilbrown	2004-11-22	1	-0/+4
\|
*	* empty log message *	neilbrown	2004-11-22	1	-12/+17
\|
*	Add gss support from citi @ umich	neilbrown	2004-10-19	1	-0/+661