2 * Copyright 2009 Oracle. All rights reserved.
4 * This file is part of nfs-utils.
6 * nfs-utils is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * nfs-utils is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with nfs-utils. If not, see <http://www.gnu.org/licenses/>.
23 * Callback information and NSM state is stored in files, usually
24 * under /var/lib/nfs. A database of information contained in local
25 * files stores NLM callback data and what remote peers to notify of
28 * For each monitored remote peer, a text file is created under the
29 * directory specified by NSM_MONITOR_DIR. The name of the file
30 * is a valid DNS hostname. The hostname string must be a valid
31 * ASCII DNS name, and must not contain slash characters, white space,
32 * or '\0' (i.e. anything that might have some special meaning in a
35 * The contents of each file include seven blank-separated fields of
36 * text, finished with '\n'. The first field contains the network
37 * address of the NLM service to call back. The current implementation
38 * supports using only IPv4 addresses, so the only contents of this
39 * field are a network order IPv4 address expressed in 8 hexadecimal
42 * The next four fields are text strings of hexadecimal characters,
45 * 2. A 4 byte RPC program number of the NLM service to call back
46 * 3. A 4 byte RPC version number of the NLM service to call back
47 * 4. A 4 byte RPC procedure number of the NLM service to call back
48 * 5. A 16 byte opaque cookie that the NLM service uses to identify
51 * The sixth field is the monitored host's mon_name, passed to statd
52 * via an SM_MON request.
54 * The seventh field is the my_name for this peer, which is the
55 * hostname of the local NLM (currently on Linux, the result of
56 * `uname -n`). This can be used as the source address/hostname
57 * when sending SM_NOTIFY requests.
59 * The NSM protocol does not limit the contents of these strings
60 * in any way except that they must fit into 1024 bytes. Our
61 * implementation requires that these strings not contain
62 * white space or '\0'.
69 #include <sys/types.h>
70 #ifdef HAVE_SYS_CAPABILITY_H
71 #include <sys/capability.h>
73 #include <sys/prctl.h>
/*
 * On-disk record layout constants.  RPCARGSLEN covers the four
 * "%08x " fields (callback address, RPC program, version, procedure)
 * that nsm_create_monitor_record() writes; LINELEN adds the
 * SM_PRIV_SIZE-byte cookie as hex (two characters per byte) plus one
 * more character.  NOTE(review): the record buffers below are sized
 * LINELEN + 1 + SM_MAXSTRLEN + 2, presumably to leave room for the two
 * name fields, the '\n' and the terminating '\0' - confirm.
 */
92 #define RPCARGSLEN (4 * (8 + 1))
93 #define LINELEN (RPCARGSLEN + SM_PRIV_SIZE * 2 + 1)
/* Text sysctl through which nsm_update_kernel_state() posts the local
 * NSM state number to the kernel. */
95 #define NSM_KERNEL_STATE_FILE "/proc/sys/fs/nfs/nsm_local_state"
98 * Some distributions place statd's files in a subdirectory
100 #define NSM_PATH_EXTENSION
101 /* #define NSM_PATH_EXTENSION "/statd" */
103 #define NSM_DEFAULT_STATEDIR NFS_STATEDIR NSM_PATH_EXTENSION
/* Active state directory.  Starts as the built-in default and is
 * overwritten by nsm_setup_pathnames() when a parent directory is
 * supplied; every pathname built in this file is rooted here, and
 * nsm_drop_privileges() takes the unprivileged uid/gid from its owner. */
105 static char nsm_base_dirname[PATH_MAX] = NSM_DEFAULT_STATEDIR;
/* Subdirectories/files under nsm_base_dirname: hosts currently
 * monitored, hosts to notify after a reboot, and the NSM state number. */
107 #define NSM_MONITOR_DIR "sm"
108 #define NSM_NOTIFY_DIR "sm.bak"
109 #define NSM_STATE_FILE "state"
/*
 * True when an snprintf()-style result is unusable: a negative
 * (error) return, or a length that would not fit in @buflen together
 * with the terminating '\0'.  The snprintf() calls below all route
 * their return value through here, so truncation is always an error,
 * never silently accepted.
 */
113 error_check(const int len, const size_t buflen)
115 return (len < 0) || ((size_t)len >= buflen);
/*
 * True when a read(2)/write(2) result is not exactly @buflen bytes.
 * Callers treat a short transfer as a failure rather than retrying,
 * which keeps every record update all-or-nothing.
 */
119 exact_error_check(const ssize_t len, const size_t buflen)
121 return (len < 0) || ((size_t)len != buflen);
125 * Returns a dynamically allocated, '\0'-terminated buffer
126 * containing an appropriate pathname, or NULL if an error
127 * occurs. Caller must free the returned result with free(3).
 *
 * Builds "<nsm_base_dirname>/<directory>/<hostname>".  @hostname may
 * originate from a remote peer (see the SM_MON discussion in the file
 * header), so it is treated as untrusted and filtered before it is
 * spliced into a path.
129 __attribute__((__malloc__))
131 nsm_make_record_pathname(const char *directory, const char *hostname)
139 * Block hostnames that contain characters that have
140 * meaning to the file system (like '/'), or that can
141 * be confusing on visual inspection (like ' ').
 *
 * NOTE(review): only '/' and white space are rejected here; a name
 * such as "." or ".." passes this filter, so callers are presumably
 * expected to have validated the hostname already - confirm.
 * NOTE(review): isspace() is given a plain (possibly signed) char; a
 * byte >= 0x80 would be passed as a negative value, which <ctype.h>
 * does not define.  (unsigned char)*c is the portable form.
143 for (c = hostname; *c != '\0'; c++)
144 if (*c == '/' || isspace((int)*c) != 0) {
145 xlog(D_GENERAL, "Hostname contains invalid characters");
/* +3: the two '/' separators and the terminating '\0'. */
149 size = strlen(nsm_base_dirname) + strlen(directory) + strlen(hostname) + 3;
150 if (size > PATH_MAX) {
151 xlog(D_GENERAL, "Hostname results in pathname that is too long");
157 xlog(D_GENERAL, "Failed to allocate memory for pathname");
/* error_check() cannot fire if the size computation above is right;
 * it is kept as a belt-and-braces guard against truncation. */
161 len = snprintf(path, size, "%s/%s/%s",
162 nsm_base_dirname, directory, hostname);
163 if (error_check(len, size)) {
164 xlog(D_GENERAL, "Pathname did not fit in specified buffer");
173 * Returns a dynamically allocated, '\0'-terminated buffer
174 * containing an appropriate pathname, or NULL if an error
175 * occurs. Caller must free the returned result with free(3).
 *
 * Builds "<nsm_base_dirname>/<directory>".  The visible callers pass
 * only the fixed NSM_*_DIR / NSM_STATE_FILE names, which is why no
 * character filtering is applied here (contrast
 * nsm_make_record_pathname(), which handles peer-supplied names).
177 __attribute__((__malloc__))
179 nsm_make_pathname(const char *directory)
/* +2: the '/' separator and the terminating '\0'. */
185 size = strlen(nsm_base_dirname) + strlen(directory) + 2;
193 len = snprintf(path, size, "%s/%s", nsm_base_dirname, directory);
194 if (error_check(len, size)) {
203 * Returns a dynamically allocated, '\0'-terminated buffer
204 * containing an appropriate pathname, or NULL if an error
205 * occurs. Caller must free the returned result with free(3).
 *
 * Builds "<pathname>.new", the scratch file that nsm_atomic_write()
 * fills and then rename(2)s over @pathname.
207 __attribute__((__malloc__))
209 nsm_make_temp_pathname(const char *pathname)
/* sizeof(".new") already counts a '\0', so the +2 over-allocates by
 * two bytes; harmless, and error_check() below still guards the
 * format. */
215 size = strlen(pathname) + sizeof(".new") + 2;
223 len = snprintf(path, size, "%s.new", pathname);
224 if (error_check(len, size)) {
233 * Use "mktemp, write, rename" to update the contents of a file atomically.
235 * Returns true if completely successful, or false if some error occurred.
 *
 * @path: destination file
 * @buf, @buflen: the exact bytes the new file is to contain
 *
 * "mktemp" here is a fixed "<path>.new" name (nsm_make_temp_pathname()),
 * not mktemp(3).  The data is written to that file with O_SYNC so it
 * is on stable storage before rename(2) makes it visible under @path;
 * a reader therefore sees either the complete old file or the
 * complete new one, never a partial write.  Whether a failed attempt
 * removes the temporary is not visible in this excerpt.
 *
 * NOTE(review): the temporary is created 0644 (modulo umask), whereas
 * nsm_insert_monitored_host() creates record files S_IRUSR|S_IWUSR; a
 * record file's mode therefore changes the first time it is rewritten
 * through this path.  Consider using one mode in both places.
238 nsm_atomic_write(const char *path, const void *buf, const size_t buflen)
240 _Bool result = false;
245 temp = nsm_make_temp_pathname(path);
247 xlog(L_ERROR, "Failed to create new path for %s", path);
/* O_TRUNC clobbers any stale "<path>.new"; O_SYNC makes write(2)
 * return only once the data is durable. */
251 fd = open(temp, O_CREAT | O_TRUNC | O_SYNC | O_WRONLY, 0644);
253 xlog(L_ERROR, "Failed to create %s: %m", temp);
/* A short write is a failure: the file must be all-or-nothing. */
257 len = write(fd, buf, buflen);
258 if (exact_error_check(len, buflen)) {
259 xlog(L_ERROR, "Failed to write %s: %m", temp);
/* close(2) can report deferred I/O errors; they count as failure. */
265 if (close(fd) == -1) {
266 xlog(L_ERROR, "Failed to close %s: %m", temp);
/* The rename is the atomic commit point. */
271 if (rename(temp, path) == -1) {
272 xlog(L_ERROR, "Failed to rename %s -> %s: %m",
278 /* Ostensibly, a sync(2) is not needed here because
279 * open(O_CREAT), write(O_SYNC), and rename(2) are
280 * already synchronous with persistent storage, for
281 * any file system we care about. */
291 * nsm_setup_pathnames - set up pathname
292 * @progname: C string containing name of program, for error messages
293 * @parentdir: C string containing pathname to on-disk state, or NULL
295 * This runs before logging is set up, so error messages are directed
298 * Returns true and sets up our pathnames, if @parentdir was valid
299 * and usable; otherwise false is returned.
 *
 * Side effect: on success nsm_base_dirname is overwritten, so every
 * pathname built afterwards - and the uid/gid nsm_drop_privileges()
 * switches to - comes from @parentdir.
302 nsm_setup_pathnames(const char *progname, const char *parentdir)
304 static char buf[PATH_MAX];
/* lstat(2) rejects an over-long pathname (ENAMETOOLONG), so a
 * successful call bounds strlen(parentdir) to fit a PATH_MAX buffer;
 * the two strncpy() calls below rely on that for '\0'-termination,
 * which is presumably what "test length" means here.
 * NOTE(review): that dependency is implicit and easy to break;
 * snprintf(buf, sizeof(buf), "%s", parentdir) plus error_check()
 * would make the bound explicit and local.  The fprintf() messages
 * also lack a trailing '\n'. */
308 /* First: test length of name and whether it exists */
309 if (lstat(parentdir, &st) == -1) {
310 (void)fprintf(stderr, "%s: Failed to stat %s: %s",
311 progname, parentdir, strerror(errno));
315 /* Ensure we have a clean directory pathname */
316 strncpy(buf, parentdir, sizeof(buf));
319 (void)fprintf(stderr, "%s: Unusable directory %s",
320 progname, parentdir);
324 xlog(D_CALL, "Using %s as the state directory", parentdir);
/* Commit: from here on all paths are built relative to @parentdir. */
325 strncpy(nsm_base_dirname, parentdir, sizeof(nsm_base_dirname));
330 * nsm_is_default_parentdir - check if parent directory is default
332 * Returns true if the active statd parent directory, set by
333 * nsm_setup_pathnames(), is the same as the built-in default
334 * parent directory; otherwise false is returned.
 *
 * This is a plain string comparison: a different spelling of the
 * same directory (trailing '/', symlink, relative path) compares as
 * not-default.
337 nsm_is_default_parentdir(void)
339 return strcmp(nsm_base_dirname, NSM_DEFAULT_STATEDIR) == 0;
343 * Clear all capabilities but CAP_NET_BIND_SERVICE. This permits
344 * callers to acquire privileged source ports, but all other root
345 * capabilities are disallowed.
347 * Returns true if successful, or false if some error occurred.
 *
 * The text "cap_net_bind_service=ep" raises that one capability in
 * the effective and permitted sets only; the inheritable set and
 * every other capability are left clear.  Called last from
 * nsm_drop_privileges(), after the uid/gid switch, which is why that
 * function raises PR_SET_KEEPCAPS first.  What happens when libcap
 * support is compiled out (no HAVE_SYS_CAPABILITY_H) is not visible
 * in this excerpt - presumably the call just succeeds; confirm.
350 nsm_clear_capabilities(void)
352 #ifdef HAVE_SYS_CAPABILITY_H
355 caps = cap_from_text("cap_net_bind_service=ep");
357 xlog(L_ERROR, "Failed to allocate capability: %m");
/* Apply to this process; on failure the cap_t is still released. */
361 if (cap_set_proc(caps) == -1) {
362 xlog(L_ERROR, "Failed to set capability flags: %m");
363 (void)cap_free(caps);
367 (void)cap_free(caps);
373 * nsm_drop_privileges - drop root privileges
374 * @pidfd: file descriptor of a pid file
376 * Returns true if successful, or false if some error occurred.
378 * Set our effective UID and GID to that of our on-disk database.
 *
 * The owner of nsm_base_dirname selects the unprivileged identity.
 * Order matters:
 *   1. umask, so nothing created from here on is world-accessible;
 *   2. lstat()/chdir() the state directory (errors are logged and,
 *      presumably, fail the call);
 *   3. a root-owned directory means there is nothing to drop to -
 *      only a warning is issued (see the XXX note);
 *   4. chown the pidfile so it stays writable after the switch;
 *   5. PR_SET_KEEPCAPS, so the uid change does not empty the
 *      permitted set before nsm_clear_capabilities() can retain
 *      CAP_NET_BIND_SERVICE;
 *   6. setgroups() while still root, then setgid() before setuid().
381 nsm_drop_privileges(const int pidfd)
/* Deny "other" entirely for anything created from here on. */
385 (void)umask(S_IRWXO);
388 * XXX: If we can't stat dirname, or if dirname is owned by
389 * root, we should use "statduser" instead, which is set up
390 * by configure.ac. Nothing in nfs-utils seems to use
391 * "statduser," though.
393 if (lstat(nsm_base_dirname, &st) == -1) {
394 xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
398 if (chdir(nsm_base_dirname) == -1) {
399 xlog(L_ERROR, "Failed to change working directory to %s: %m",
/* NOTE(review): with a root-owned state directory no privileges are
 * dropped and this warning is the only signal the operator gets. */
404 if (st.st_uid == 0) {
405 xlog_warn("Running as root. "
406 "chown %s to choose different user", nsm_base_dirname);
411 * If the pidfile happens to reside on NFS, dropping privileges
412 * will probably cause us to lose access, even though we are
413 * holding it open. Chown it to prevent this.
/* Best effort: a failed chown only warns. */
416 if (fchown(pidfd, st.st_uid, st.st_gid) == -1)
417 xlog_warn("Failed to change owner of pidfile: %m");
420 * Don't clear capabilities when dropping root.
/* Without KEEPCAPS, setuid() away from 0 clears the permitted set and
 * nsm_clear_capabilities() below could not keep net_bind_service. */
422 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
423 xlog(L_ERROR, "prctl(PR_SET_KEEPCAPS) failed: %m");
/* Supplementary groups must go while we still have the privilege to
 * change them; forgetting this is a classic privilege-drop bug. */
427 if (setgroups(0, NULL) == -1) {
428 xlog(L_ERROR, "Failed to drop supplementary groups: %m");
435 * setgid(2) first, as setuid(2) may remove privileges needed
436 * to set the group id.
438 if (setgid(st.st_gid) == -1 || setuid(st.st_uid) == -1) {
439 xlog(L_ERROR, "Failed to drop privileges: %m");
443 xlog(D_CALL, "Effective UID, GID: %u, %u", st.st_uid, st.st_gid);
/* Finally shrink the retained capability set to the one we need. */
445 return nsm_clear_capabilities();
449 * nsm_get_state - retrieve on-disk NSM state number
451 * Returns an odd NSM state number read from disk, or an initial
452 * state number. Zero is returned if some error occurs.
 *
 * @update: the exact handling of this flag is not visible in this
 * excerpt - confirm against the full source.
 *
 * The "state" file holds a raw host-endian integer of sizeof(state)
 * bytes, not text.  A missing file (ENOENT) or a short/failed read is
 * treated as "no state yet" and a fresh number is initialized.  The
 * contract above requires an odd value, hence the (state & 1) test.
 * A new value is persisted with nsm_atomic_write() so the number
 * survives a crash.
455 nsm_get_state(_Bool update)
461 path = nsm_make_pathname(NSM_STATE_FILE);
463 xlog(L_ERROR, "Failed to allocate path for " NSM_STATE_FILE);
467 fd = open(path, O_RDONLY);
/* ENOENT is the normal first-boot case, not an error. */
469 if (errno != ENOENT) {
470 xlog(L_ERROR, "Failed to open %s: %m", path);
474 xlog(L_NOTICE, "Initializing NSM state");
/* Binary read of exactly sizeof(state) bytes; anything else is
 * treated as a corrupt/absent state file. */
480 result = read(fd, &state, sizeof(state));
481 if (exact_error_check(result, sizeof(state))) {
482 xlog_warn("Failed to read %s: %m", path);
484 xlog(L_NOTICE, "Initializing NSM state");
/* Even values are not valid states; the fix-up is off-screen. */
490 if ((state & 1) == 0)
498 if (!nsm_atomic_write(path, &state, sizeof(state)))
508 * nsm_update_kernel_state - attempt to post new NSM state to kernel
509 * @state: NSM state number
 *
 * Best effort: @state is written as decimal text to
 * NSM_KERNEL_STATE_FILE.  Failures are only logged; an unopenable
 * file is just a D_GENERAL debug message (presumably because the
 * sysctl is optional), while a failed write or close is warned about.
 * No return value is visible in this excerpt.
513 nsm_update_kernel_state(const int state)
519 fd = open(NSM_KERNEL_STATE_FILE, O_WRONLY);
521 xlog(D_GENERAL, "Failed to open " NSM_KERNEL_STATE_FILE ": %m");
525 len = snprintf(buf, sizeof(buf), "%d", state);
526 if (error_check(len, sizeof(buf))) {
527 xlog_warn("Failed to form NSM state number string");
/* Written without the '\0'; the sysctl expects plain digits. */
531 result = write(fd, buf, strlen(buf));
532 if (exact_error_check(result, strlen(buf)))
533 xlog_warn("Failed to write NSM state number: %m");
/* For a sysctl, close(2) is where a rejected value may surface. */
536 xlog(L_ERROR, "Failed to close NSM state file "
537 NSM_KERNEL_STATE_FILE ": %m");
541 * nsm_retire_monitored_hosts - back up all hosts from "sm/" to "sm.bak/"
543 * Returns the count of host records that were moved.
545 * Note that if any error occurs during this process, some monitor
546 * records may be left in the "sm" directory.
 *
 * Directory entries are re-validated with lstat(2) rather than trusted
 * from d_type, and only regular files are moved; dot-entries
 * (including "." and "..") are skipped.  Every name also passes
 * through nsm_make_record_pathname(), so an entry that is not a valid
 * record name is skipped rather than renamed.
549 nsm_retire_monitored_hosts(void)
551 unsigned int count = 0;
556 path = nsm_make_pathname(NSM_MONITOR_DIR);
558 xlog(L_ERROR, "Failed to allocate path for " NSM_MONITOR_DIR);
565 xlog_warn("Failed to open " NSM_MONITOR_DIR ": %m");
569 while ((de = readdir(dir)) != NULL) {
/* Skips ".", ".." and any hidden file. */
573 if (de->d_name[0] == '.')
576 src = nsm_make_record_pathname(NSM_MONITOR_DIR, de->d_name);
578 xlog_warn("Bad monitor file name, skipping");
582 /* NB: not all file systems fill in d_type correctly */
583 if (lstat(src, &stb) == -1) {
584 xlog_warn("Bad monitor file %s, skipping: %m",
/* lstat(), not stat(): a symlink is not followed and is skipped here
 * as non-regular. */
589 if (!S_ISREG(stb.st_mode)) {
590 xlog(D_GENERAL, "Skipping non-regular file %s",
596 dst = nsm_make_record_pathname(NSM_NOTIFY_DIR, de->d_name);
599 xlog_warn("Bad notify file name, skipping");
/* Both paths are under nsm_base_dirname, so this is a rename within
 * one file system: no copy, and the move itself is atomic.  A failed
 * rename leaves the record in "sm/" (see the note above). */
603 if (rename(src, dst) == -1)
604 xlog_warn("Failed to rename %s -> %s: %m",
607 xlog(D_GENERAL, "Retired record for mon_name %s",
621 * nsm_priv_to_hex - convert a NSM private cookie to a hex string.
623 * @priv: buffer holding the binary NSM private cookie
624 * @buf: output buffer for NULL terminated hex string
625 * @buflen: size of output buffer
627 * Returns the length of the resulting string or 0 on error
 *
 * Emits each of the SM_PRIV_SIZE bytes as two lowercase hex digits,
 * presumably advancing @buf alongside @remaining (that step is not
 * visible here).  @buflen must include room for the '\0' that
 * snprintf() writes after the last pair; error_check() refuses a
 * buffer that would truncate.
630 nsm_priv_to_hex(const char *priv, char *buf, const size_t buflen)
633 size_t remaining = buflen;
635 for (i = 0; i < SM_PRIV_SIZE; i++) {
/* priv is char, which may be signed: the 0xff mask keeps the value
 * in 0..255 so "%02x" never prints a sign-extended byte. */
636 len = snprintf(buf, remaining, "%02x",
637 (unsigned int)(0xff & priv[i]));
638 if (error_check(len, remaining))
641 remaining -= (size_t)len;
/* Characters written, excluding the '\0'. */
644 return buflen - remaining;
648 * Returns the length in bytes of the created record.
 *
 * nsm_create_monitor_record - format one on-disk monitor record
 * @buf, @buflen: output buffer; @buflen must include the '\0'
 * @sap: NLM callback address; only AF_INET is handled - the cast
 *       below assumes a struct sockaddr_in (see the file header)
 * @m: SM_MON arguments to serialize
 *
 * Layout, as described in the file header: four "%08x " fields (the
 * IPv4 address as stored, i.e. network byte order, then RPC program,
 * version and procedure), the hex cookie, then " <mon_name> <my_name>\n".
 * This is the inverse of nsm_parse_line().  A record that does not fit
 * is refused (the early returns are not visible in this excerpt;
 * nsm_insert_monitored_host() treats the result as "record too long").
650 __attribute__((__noinline__))
652 nsm_create_monitor_record(char *buf, const size_t buflen,
653 const struct sockaddr *sap, const struct mon *m)
655 const struct sockaddr_in *sin = (const struct sockaddr_in *)sap;
656 size_t hexlen, remaining = buflen;
/* s_addr is printed as the raw 32-bit value, so the hex digits come
 * out in network byte order on every host. */
659 len = snprintf(buf, remaining, "%08x %08x %08x %08x ",
660 (unsigned int)sin->sin_addr.s_addr,
661 (unsigned int)m->mon_id.my_id.my_prog,
662 (unsigned int)m->mon_id.my_id.my_vers,
663 (unsigned int)m->mon_id.my_id.my_proc);
664 if (error_check(len, remaining))
667 remaining -= (size_t)len;
/* nsm_priv_to_hex() reports 0 when the cookie does not fit. */
669 hexlen = nsm_priv_to_hex(m->priv, buf, remaining);
/* The names are written verbatim: the file header requires them to be
 * free of white space and '\0', which is what keeps this parseable. */
675 len = snprintf(buf, remaining, " %s %s\n",
676 m->mon_id.mon_name, m->mon_id.my_id.my_name);
677 if (error_check(len, remaining))
679 remaining -= (size_t)len;
681 return buflen - remaining;
/*
 * nsm_append_monitored_host - add one record line to an existing file
 * @path: record file to extend
 * @line: fully formatted record (from nsm_create_monitor_record())
 *
 * Returns true on success.  Reads the whole existing file into memory,
 * appends @line, and rewrites the file through nsm_atomic_write(), so
 * the update is all-or-nothing even though it is a read-modify-write.
 * The size comes from stat(2) and the read must return exactly that
 * many bytes; a short read is an error, never silently accepted.
 */
685 nsm_append_monitored_host(const char *path, const char *line)
687 _Bool result = false;
694 if (stat(path, &stb) == -1) {
695 xlog(L_ERROR, "Failed to insert: "
696 "could not stat original file %s: %m", path);
/* Old contents plus the new line; the +1 below and the memset keep
 * the buffer '\0'-terminated so it can double as a C string. */
699 buflen = (size_t)stb.st_size + strlen(line);
701 buf = malloc(buflen + 1);
703 xlog(L_ERROR, "Failed to insert: no memory");
706 memset(buf, 0, buflen + 1);
708 fd = open(path, O_RDONLY);
710 xlog(L_ERROR, "Failed to insert: "
711 "could not open original file %s: %m", path);
715 len = read(fd, buf, (size_t)stb.st_size);
716 if (exact_error_check(len, (size_t)stb.st_size)) {
717 xlog(L_ERROR, "Failed to insert: "
718 "could not read original file %s: %m", path);
/* Old data followed by @line is committed as one atomic replace. */
726 if (nsm_atomic_write(path, buf, buflen))
735 * nsm_insert_monitored_host - write callback data for one host to disk
736 * @hostname: C string containing a hostname
737 * @sap: sockaddr containing NLM callback address
738 * @mon: SM_MON arguments to save
740 * Returns true if successful, otherwise false if some error occurs.
 *
 * The record file is created with O_CREAT|O_EXCL and mode 0600; if it
 * already exists (EEXIST) the line is instead appended through
 * nsm_append_monitored_host(), so several registrations for the same
 * host accumulate in one file.  @hostname is validated by
 * nsm_make_record_pathname() before it touches the file system.
 *
 * NOTE(review): buf is a static buffer, so this function is not
 * reentrant - fine for a single-threaded statd, worth remembering if
 * it is ever called concurrently.
743 nsm_insert_monitored_host(const char *hostname, const struct sockaddr *sap,
746 static char buf[LINELEN + 1 + SM_MAXSTRLEN + 2];
748 _Bool result = false;
753 path = nsm_make_record_pathname(NSM_MONITOR_DIR, hostname);
/* NOTE(review): the rejected hostname is logged verbatim; rejection
 * means it contains '/' or white space (possibly a newline), so the
 * log line could be split - consider escaping or truncating it. */
755 xlog(L_ERROR, "Failed to insert: bad monitor hostname '%s'",
/* A record too long for buf is refused, never truncated. */
760 size = nsm_create_monitor_record(buf, sizeof(buf), sap, m);
762 xlog(L_ERROR, "Failed to insert: record too long");
767 * If exclusive create fails, we're adding a new line to an
/* O_EXCL distinguishes "new host" from "existing host" without a
 * separate stat(); O_SYNC makes the initial write durable. */
770 fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_SYNC, S_IRUSR | S_IWUSR);
772 if (errno != EEXIST) {
773 xlog(L_ERROR, "Failed to insert: creating %s: %m", path);
777 result = nsm_append_monitored_host(path, buf);
/* Fresh file: write exactly the record, then verify the close. */
782 len = write(fd, buf, size);
783 if (exact_error_check(len, size)) {
784 xlog_warn("Failed to insert: writing %s: %m", path);
789 if (close(fd) == -1) {
790 xlog(L_ERROR, "Failed to insert: closing %s: %m", path);
/*
 * nsm_parse_line - split one on-disk record into @sin and @m
 * @line: record text, modified in place; the name fields of @m point
 *        into it (see the "destroys the contents" note in
 *        nsm_delete_host()), so @line must outlive @m
 * @sin: receives the callback address (the family is set by the caller)
 * @m: receives program/version/procedure, the cookie and both names
 *
 * Inverse of nsm_create_monitor_record().  Presumably returns true on
 * success and false on a malformed line; the return statements are
 * not visible in this excerpt.
 */
800 __attribute__((__noinline__))
802 nsm_parse_line(char *line, struct sockaddr_in *sin, struct mon *m)
/* Locate the trailing '\n' so my_name does not carry it. */
808 c = strchr(line, '\n');
/* "%8x" reads at most eight hex digits per field, matching "%08x" on
 * the write side.  NOTE(review): the casts assume each target field
 * has unsigned int's size and alignment - verify against the struct
 * definitions; scanning into an unsigned int temporary and assigning
 * would avoid the assumption. */
812 count = sscanf(line, "%8x %8x %8x %8x ",
813 (unsigned int *)&sin->sin_addr.s_addr,
814 (unsigned int *)&m->mon_id.my_id.my_prog,
815 (unsigned int *)&m->mon_id.my_id.my_vers,
816 (unsigned int *)&m->mon_id.my_id.my_proc);
/* The numeric prefix has a fixed width, so the cookie starts at a
 * known offset. */
820 c = line + RPCARGSLEN;
821 for (i = 0; i < SM_PRIV_SIZE; i++) {
/* Each hex pair is decoded into an int and narrowed back to a byte. */
822 if (sscanf(c, "%2x", &tmp) != 1)
824 m->priv[i] = (char)tmp;
/* Names are not copied: they alias the caller's line buffer and are
 * delimited by the blank that follows them. */
829 m->mon_id.mon_name = c;
830 while (*c != '\0' && *c != ' ')
836 m->mon_id.my_id.my_name = c;
842 * Stuff a 'struct mon' with callback data, and call @func.
844 * Returns the count of in-core records created.
 *
 * @hostname: name of the record file this line came from
 * @timestamp: the record file's mtime, passed through to @func
 * @line: one record; parsed in place, so it must stay valid while
 *        @func runs
 * @func: caller's populate callback; its return value is passed back
 *
 * Only AF_INET is handled: the address is built as a sockaddr_in.  A
 * line that fails to parse produces no record (presumably returns 0;
 * the early return is not visible here).
847 nsm_read_line(const char *hostname, const time_t timestamp, char *line,
850 struct sockaddr_in sin = {
851 .sin_family = AF_INET,
855 if (!nsm_parse_line(line, &sin, &m))
/* The intermediate (char *) cast sidesteps a strict-aliasing warning
 * when handing a sockaddr_in over as a generic sockaddr. */
858 return func(hostname, (struct sockaddr *)(char *)&sin, &m, timestamp);
862 * Given a filename, reads data from a file under "directory"
863 * and invokes @func so caller can populate their in-core
864 * database with this data.
 *
 * @directory: NSM_MONITOR_DIR or NSM_NOTIFY_DIR
 * @filename: directory entry name; doubles as the hostname handed to
 *            nsm_read_line() and is validated by
 *            nsm_make_record_pathname() first
 * @func: populate callback
 *
 * Returns the number of records @func created for this file.
 * Symlinks and other non-regular entries are skipped (lstat, S_ISREG).
867 nsm_load_host(const char *directory, const char *filename, nsm_populate_t func)
/* Sized like the write-side buffer in nsm_insert_monitored_host(). */
869 char buf[LINELEN + 1 + SM_MAXSTRLEN + 2];
870 unsigned int result = 0;
875 path = nsm_make_record_pathname(directory, filename);
879 if (lstat(path, &stb) == -1) {
880 xlog(L_ERROR, "Failed to stat %s: %m", path);
/* Sanity filter only: lstat() and the fopen() below are separate
 * calls on the same path, so S_ISREG is advisory, not a guarantee. */
883 if (!S_ISREG(stb.st_mode)) {
884 xlog(D_GENERAL, "Skipping non-regular file %s",
889 f = fopen(path, "r");
891 xlog(L_ERROR, "Failed to open %s: %m", path);
/* One record per line.  fgets() already '\0'-terminates, so the
 * explicit termination is belt-and-braces.  A line longer than buf is
 * split across iterations; the remainder presumably fails to parse. */
895 while (fgets(buf, (int)sizeof(buf), f) != NULL) {
896 buf[sizeof(buf) - 1] = '\0';
897 result += nsm_read_line(filename, stb.st_mtime, buf, func);
900 xlog(L_ERROR, "Failed to read monitor data from %s", path);
/*
 * nsm_load_dir - run nsm_load_host() over every entry of a state directory
 * @directory: NSM_MONITOR_DIR or NSM_NOTIFY_DIR
 * @func: populate callback handed through to nsm_load_host()
 *
 * Returns the total number of records created.  Dot-entries (".",
 * ".." and hidden files) are skipped here; every other entry is
 * validated by nsm_load_host() itself.
 */
911 nsm_load_dir(const char *directory, nsm_populate_t func)
913 unsigned int count = 0;
918 path = nsm_make_pathname(directory);
920 xlog(L_ERROR, "Failed to allocate path for directory %s",
928 xlog(L_ERROR, "Failed to open directory %s: %m",
933 while ((de = readdir(dir)) != NULL) {
934 if (de->d_name[0] == '.')
937 count += nsm_load_host(directory, de->d_name, func);
945 * nsm_load_monitor_list - load list of hosts to monitor
946 * @func: callback function to create entry for one host
948 * Returns the count of hosts that were found in the directory.
 *
 * Thin wrapper: walks "sm/" (the hosts currently being monitored)
 * via nsm_load_dir().
951 nsm_load_monitor_list(nsm_populate_t func)
953 return nsm_load_dir(NSM_MONITOR_DIR, func);
957 * nsm_load_notify_list - load list of hosts to notify
958 * @func: callback function to create entry for one host
960 * Returns the count of hosts that were found in the directory.
 *
 * Thin wrapper: walks "sm.bak/" (records moved there by
 * nsm_retire_monitored_hosts()) via nsm_load_dir().
963 nsm_load_notify_list(nsm_populate_t func)
965 return nsm_load_dir(NSM_NOTIFY_DIR, func);
/*
 * nsm_delete_host - remove matching records from one host's file
 * @directory: NSM_MONITOR_DIR or NSM_NOTIFY_DIR
 * @hostname: record file name (validated by nsm_make_record_pathname())
 * @mon_name, @my_name: a record is dropped only when both match exactly
 *
 * Read-filter-rewrite: every line is parsed, the non-matching ones are
 * re-serialized into outbuf, and the file is then either replaced
 * atomically or unlinked when nothing survived.  Errors are logged;
 * the visible callers ignore any result.
 */
969 nsm_delete_host(const char *directory, const char *hostname,
970 const char *mon_name, const char *my_name)
972 char line[LINELEN + 1 + SM_MAXSTRLEN + 2];
979 path = nsm_make_record_pathname(directory, hostname);
981 xlog(L_ERROR, "Bad filename, not deleting");
985 if (stat(path, &stb) == -1) {
986 xlog(L_ERROR, "Failed to delete: "
987 "could not stat original file %s: %m", path);
/* Output is sized to the input (+1 for the '\0'): records are only
 * dropped, never added.  That assumes a re-serialized record is no
 * longer than its original - true for files this code wrote itself;
 * for anything else, nsm_create_monitor_record() is handed
 * @remaining and refuses to overflow, so a mismatch fails rather
 * than corrupts. */
990 remaining = (size_t)stb.st_size + 1;
992 outbuf = malloc(remaining);
993 if (outbuf == NULL) {
994 xlog(L_ERROR, "Failed to delete: no memory");
998 f = fopen(path, "r");
1000 xlog(L_ERROR, "Failed to delete: "
1001 "could not open original file %s: %m", path);
1006 * Walk the records in the file, and copy the non-matching
1007 * ones to our output buffer.
1010 while (fgets(line, (int)sizeof(line), f) != NULL) {
1011 struct sockaddr_in sin;
/* A corrupt line fails the delete: the file is not rewritten from a
 * partial parse. */
1015 if (!nsm_parse_line(line, &sin, &m)) {
1016 xlog(L_ERROR, "Failed to delete: "
1017 "could not parse original file %s", path);
/* Exact, case-sensitive match on both names drops the record. */
1022 if (strcmp(mon_name, m.mon_id.mon_name) == 0 &&
1023 strcmp(my_name, m.mon_id.my_id.my_name) == 0)
1026 /* nsm_parse_line destroys the contents of line[], so
1027 * reconstruct the copy in our output buffer. */
1028 len = nsm_create_monitor_record(next, remaining,
1029 (struct sockaddr *)(char *)&sin, &m);
1031 xlog(L_ERROR, "Failed to delete: "
1032 "could not construct output record");
1043 * If nothing was copied when we're done, then unlink the file.
1044 * Otherwise, atomically update the contents of the file.
/* strlen(outbuf) relies on the '\0' that snprintf() leaves after the
 * last record written by nsm_create_monitor_record(). */
1046 if (next != outbuf) {
1047 if (!nsm_atomic_write(path, outbuf, strlen(outbuf)))
1048 xlog(L_ERROR, "Failed to delete: "
1049 "could not write new file %s: %m", path);
1051 if (unlink(path) == -1)
1052 xlog(L_ERROR, "Failed to delete: "
1053 "could not unlink file %s: %m", path);
1062 * nsm_delete_monitored_host - delete on-disk record for monitored host
1063 * @hostname: '\0'-terminated C string containing hostname of record to delete
1064 * @mon_name: '\0'-terminated C string containing monname of record to delete
1065 * @my_name: '\0'-terminated C string containing myname of record to delete
 *
 * Thin wrapper over nsm_delete_host() for the "sm/" directory; see
 * that function for the matching rules and error behaviour.
1069 nsm_delete_monitored_host(const char *hostname, const char *mon_name,
1070 const char *my_name)
1072 nsm_delete_host(NSM_MONITOR_DIR, hostname, mon_name, my_name);
1076 * nsm_delete_notified_host - delete on-disk host record after notification
1077 * @hostname: '\0'-terminated C string containing hostname of record to delete
1078 * @mon_name: '\0'-terminated C string containing monname of record to delete
1079 * @my_name: '\0'-terminated C string containing myname of record to delete
 *
 * Thin wrapper over nsm_delete_host() for the "sm.bak/" directory,
 * used once a retired host has been sent its SM_NOTIFY.
1083 nsm_delete_notified_host(const char *hostname, const char *mon_name,
1084 const char *my_name)
1086 nsm_delete_host(NSM_NOTIFY_DIR, hostname, mon_name, my_name);