/* Usage text; passed to xlog_warn() as a format with progname as its only argument. */
16 char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
/* Bound for the name buffers handed to nfs4_uid_to_name()/nfs4_gid_to_name(). */
19 #define IDMAP_NAMESZ 128
/* Kernel key listing parsed line by line by keyring_clear() and key_revoke(). */
23 #define PROCKEYS "/proc/keys"
/* Keyring acted on by -c and used when keyring_clear() gets no name; may be overridden at build time. */
24 #ifndef DEFAULT_KEYRING
25 #define DEFAULT_KEYRING "id_resolver"
33 * Find either a user or group id based on the name@domain string
/*
 * Resolve name_at_domain to a numeric uid (type == USER) or gid (otherwise)
 * and instantiate key with the decimal string. The lines declaring rc, uid,
 * gid and id, the branch selection and the return paths are not shown in
 * this listing, so only the visible calls are documented here.
 */
35 int id_lookup(char *name_at_domain, key_serial_t key, int type)
/*
 * NOTE(review): name_at_domain is the "value" part of the key description
 * from main(); it can be NULL when the description has no ':'. Whether
 * nfs4_owner_to_uid() tolerates NULL is not visible here — confirm.
 */
43 rc = nfs4_owner_to_uid(name_at_domain, &uid);
/*
 * NOTE(review): id's declaration is not visible. Assuming a 32-bit uid_t,
 * "%u" needs at most 10 digits plus the NUL, so id must be at least 11
 * bytes; an unbounded sprintf() into a smaller buffer is the classic
 * overflow — confirm the elided declaration, or use snprintf(sizeof id).
 */
44 sprintf(id, "%u", uid);
46 rc = nfs4_group_owner_to_gid(name_at_domain, &gid);
47 sprintf(id, "%u", gid);
/* Both branches share one error report, keyed on type. */
50 xlog_err("id_lookup: %s: failed: %m",
51 (type == USER ? "nfs4_owner_to_uid" : "nfs4_group_owner_to_gid"));
/*
 * Payload is strlen(id) + 1 bytes, i.e. it includes the terminating NUL.
 * name_lookup() below instantiates with strlen(name) and no NUL; consumers
 * of these keys have to cope with both conventions.
 */
54 rc = keyctl_instantiate(key, id, strlen(id) + 1, 0);
56 xlog_err("id_lookup: keyctl_instantiate failed: %m");
63 * Find the name@domain string from either a user or group id
/*
 * Map the numeric id (uid when type == USER, gid otherwise) back to a
 * "name@domain" string in the default domain and instantiate key with it.
 * How id is parsed into uid/gid, and the return paths, are on lines not
 * shown in this listing.
 */
65 int name_lookup(char *id, key_serial_t key, int type)
67 char name[IDMAP_NAMESZ];
68 char domain[NFS4_MAX_DOMAIN_LEN];
/* The domain is resolved per call; the buffer bound is passed explicitly. */
73 rc = nfs4_get_default_domain(NULL, domain, NFS4_MAX_DOMAIN_LEN);
76 xlog_err("name_lookup: nfs4_get_default_domain failed: %m");
/* Both conversions are bounded by IDMAP_NAMESZ, the size of name. */
82 rc = nfs4_uid_to_name(uid, domain, name, IDMAP_NAMESZ);
85 rc = nfs4_gid_to_name(gid, domain, name, IDMAP_NAMESZ);
88 xlog_err("name_lookup: %s: failed: %m",
89 (type == USER ? "nfs4_uid_to_name" : "nfs4_gid_to_name"));
/*
 * &name is a char (*)[IDMAP_NAMESZ] with the same address as name, so the
 * call works, but plain `name` would read more clearly. Unlike id_lookup(),
 * the payload length is strlen(name): the NUL is NOT part of the key payload.
 */
92 rc = keyctl_instantiate(key, &name, strlen(name), 0);
94 xlog_err("name_lookup: keyctl_instantiate failed: %m");
100 * Clear all the keys on the given keyring
/*
 * Clear every keyring listed in /proc/keys whose line contains keyring
 * (falls back to DEFAULT_KEYRING). The local declarations, the condition
 * guarding the fallback, the loop's continue/return paths and the fclose()
 * are on lines not shown in this listing.
 */
102 static int keyring_clear(char *keyring)
110 keyring = DEFAULT_KEYRING;
112 if ((fp = fopen(PROCKEYS, "r")) == NULL) {
113 xlog_err("fopen(%s) failed: %m", PROCKEYS);
/* BUFSIZ must be buf's size; buf's declaration is not shown here. */
117 while(fgets(buf, BUFSIZ, fp) != NULL) {
/*
 * Both filters are substring matches on the whole line, not on the type or
 * description column: a keyring whose name merely contains the requested
 * one (e.g. "my_id_resolver" for "id_resolver") matches too. Anchoring on
 * the parsed description field would be stricter.
 */
118 if (strstr(buf, "keyring") == NULL)
120 if (strstr(buf, keyring) == NULL)
/*
 * NOTE(review): fgets() returns a line with no '\n' when it is longer than
 * BUFSIZ-1 bytes or ends at EOF; strchr() then returns NULL and this line
 * writes through a null pointer. Check the result before dereferencing.
 */
123 *(strchr(buf, '\n')) = '\0';
124 xlog_warn("clearing '%s'", buf);
127 * The key is the first argument in the string
/* Same unchecked strchr(): a line without a space would crash here. */
129 *(strchr(buf, ' ')) = '\0';
/* The serial is read as hex (see the 0x%x report below); sscanf's result is not checked. */
130 sscanf(buf, "%x", &key);
131 if (keyctl_clear(key) < 0) {
132 xlog_err("keyctl_clear(0x%x) failed: %m", key);
/* Reached, presumably, when no line matched; the guarding test is not shown. */
139 xlog_err("'%s' keyring was not found.", keyring);
/*
 * Revoke every non-keyring key in /proc/keys whose "uid:" or "gid:" text
 * starts with keystr and whose kind is selected by keymask. The remaining
 * local declarations, the mask assignments, the continue paths and the
 * fclose() are on lines not shown in this listing.
 */
146 static int key_revoke(char *keystr, int keymask)
149 char buf[BUFSIZ], *ptr;
155 if ((fp = fopen(PROCKEYS, "r")) == NULL) {
156 xlog_err("fopen(%s) failed: %m", PROCKEYS);
160 while(fgets(buf, BUFSIZ, fp) != NULL) {
/* Substring match on the whole line, as in keyring_clear(). */
161 if (strstr(buf, "keyring") != NULL)
/* ptr+4 (used below) is the text right after the "uid:" / "gid:" tag. */
165 if ((ptr = strstr(buf, "uid:")) != NULL)
167 else if ((ptr = strstr(buf, "gid:")) != NULL)
/* mask is presumably set on the elided line after each strstr() — not visible here. */
172 if ((keymask & mask) == 0)
/*
 * NOTE(review): strncmp() returns int; comparing it with NULL is a type
 * mismatch that only works because NULL converts to 0 — write `!= 0`.
 * This is also a prefix match: keystr "1" matches "uid:1", "uid:10",
 * "uid:123", ... so -u/-g/-r can revoke more keys than the one named.
 * keystr is dereferenced by strlen() here, so it must not be NULL.
 */
175 if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
/* Unchecked strchr(): an overlong line with no '\n' yields NULL, which is written through. */
179 *(strchr(buf, '\n')) = '\0';
180 xlog_warn("revoking '%s'", buf);
183 * The key is the first argument in the string
/* Unchecked strchr() again: a line without a space would crash here. */
185 *(strchr(buf, ' ')) = '\0';
/* Serial parsed as hex; sscanf's result is not checked. */
186 sscanf(buf, "%x", &key);
188 if (keyctl_revoke(key) < 0) {
189 xlog_err("keyctl_revoke(0x%x) failed: %m", key);
/* Reached, presumably, when nothing matched; the guarding test is not shown. */
200 xlog_err("'%s' key was not found.", keystr);
/*
 * Entry point for the request-key helper. Options select maintenance
 * actions (-c clear the keyring, -u/-g/-r revoke keys, -t timeout,
 * -v verbose); otherwise the two positional arguments are the key serial
 * and the "type:value" description the kernel asked to be resolved.
 * Declarations, the switch cases and the return paths are on lines not
 * shown in this listing.
 */
205 int main(int argc, char **argv)
213 char *progname, *keystr = NULL;
214 int clearing = 0, keymask = 0;
216 /* Set the basename */
217 if ((progname = strrchr(argv[0], '/')) != NULL)
224 while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
/*
 * NOTE(review): none of the three strdup() results for keystr is checked
 * for NULL on the visible lines (arg below is); key_revoke() calls
 * strlen(keystr) unconditionally.
 */
228 keystr = strdup(optarg);
232 keystr = strdup(optarg);
/* -r revokes both uid and gid keys matching the string. */
235 keymask = GIDKEYS|UIDKEYS;
236 keystr = strdup(optarg);
/*
 * atoi() reports no errors: "-t abc" silently becomes 0. strtol() with an
 * end-pointer and errno check would reject bad input instead.
 */
245 timeout = atoi(optarg);
/* usage is a file-level constant, so the non-literal format is safe here. */
248 xlog_warn(usage, progname);
254 rc = key_revoke(keystr, keymask);
258 rc = keyring_clear(DEFAULT_KEYRING);
/* The resolve path needs exactly "<key serial> <type:value>". */
263 if ((argc - optind) != 2) {
264 xlog_err("Bad arg count. Check /etc/request-key.conf");
265 xlog_warn(usage, progname);
270 nfs4_set_debug(verbose, NULL);
/* No endptr/errno check: a non-numeric serial becomes 0 and is used as-is. */
272 key = strtol(argv[optind++], NULL, 10);
274 arg = strdup(argv[optind]);
276 xlog_err("strdup failed: %m");
/*
 * NOTE(review): strtok() returns NULL when the description has no ':', so
 * type and/or value can be NULL. strcmp(type, ...) below is then undefined
 * behaviour, and a NULL value is handed to the lookups. The description
 * arrives from the kernel upcall through /etc/request-key.conf, so it
 * should be validated here (both non-NULL) rather than assumed well-formed.
 */
279 type = strtok(arg, ":");
280 value = strtok(NULL, ":");
283 xlog_warn("key: %ld type: %s value: %s timeout %ld",
284 key, type, value, timeout);
/* Dispatch on the description type; handling of an unknown type is not shown. */
287 if (strcmp(type, "uid") == 0)
288 rc = id_lookup(value, key, USER);
289 else if (strcmp(type, "gid") == 0)
290 rc = id_lookup(value, key, GROUP);
291 else if (strcmp(type, "user") == 0)
292 rc = name_lookup(value, key, USER);
293 else if (strcmp(type, "group") == 0)
294 rc = name_lookup(value, key, GROUP);
296 /* Set timeout to 10 minutes (600 seconds) */
/* The condition guarding this call, and where the default is assigned, are not shown. */
298 keyctl_set_timeout(key, timeout);