no_entry,
not_exported,
illegal_port,
- faked_hostent,
- no_forward_dns,
success
};
static void auth_fixpath(char *path);
-static nfs_export* auth_authenticate_internal
- (char *what, struct sockaddr_in *caller, char *path,
- struct hostent **hpp, enum auth_error *error);
static char *export_file = NULL;
void
static nfs_export *
auth_authenticate_internal(char *what, struct sockaddr_in *caller,
- char *path, struct hostent **hpp,
+ char *path, struct hostent *hp,
enum auth_error *error)
{
- struct in_addr addr = caller->sin_addr;
nfs_export *exp;
- if (path[0] != '/') {
- *error = bad_path;
- return NULL;
- }
- auth_fixpath(path);
-
- /* First try it w/o doing a hostname lookup... */
- *hpp = get_hostent((const char *)&addr, sizeof(addr), AF_INET);
- exp = export_find(*hpp, path);
-
- if (!exp) {
- /* Ok, that didn't fly. Try it with a reverse lookup. */
- free (*hpp);
- *hpp = gethostbyaddr((const char *)&addr, sizeof(addr),
- AF_INET);
- if (!(*hpp)) {
- *error = no_entry;
- return NULL;
- } else {
- /* must make sure the hostent is authorative. */
- char **sp;
- struct hostent *forward = NULL;
- char *tmpname;
-
- tmpname = xstrdup((*hpp)->h_name);
- if (tmpname) {
- forward = gethostbyname(tmpname);
- free(tmpname);
- }
- if (forward) {
- /* now make sure the "addr" is in the list */
- for (sp = forward->h_addr_list ; *sp ; sp++) {
- if (memcmp(*sp, &addr, forward->h_length)==0)
- break;
- }
-
- if (!*sp) {
- /* it was a FAKE */
- *error = faked_hostent;
- *hpp = hostent_dup (*hpp);
- return NULL;
- }
- *hpp = hostent_dup (forward);
- }
- else {
- /* never heard of it. misconfigured DNS? */
- *error = no_forward_dns;
- *hpp = hostent_dup (*hpp);
- return NULL;
- }
- }
-
- if (!(exp = export_find(*hpp, path))) {
+ if (!(exp = export_find(hp, path))) {
*error = no_entry;
return NULL;
- }
}
-
if (!exp->m_mayexport) {
*error = not_exported;
return NULL;
struct in_addr addr = caller->sin_addr;
enum auth_error error;
- if (path [0] != '/') return exp;
+ if (path [0] != '/') {
+ xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
+ what, inet_ntoa(addr), path);
+ return exp;
+ }
strncpy(epath, path, sizeof (epath) - 1);
epath[sizeof (epath) - 1] = '\0';
+ auth_fixpath(epath); /* strip duplicate '/' etc */
+
+ hp = get_reliable_hostbyaddr((const char*)&caller->sin_addr, sizeof(struct in_addr),
+ AF_INET);
+ if (!hp)
+ hp = get_hostent((const char*)&caller->sin_addr, sizeof(struct in_addr),
+ AF_INET);
+ if (!hp)
+ return exp;
/* Try the longest matching exported pathname. */
while (1) {
- if (hp) {
- free (hp);
- hp = NULL;
- }
exp = auth_authenticate_internal(what, caller, epath,
- &hp, &error);
+ hp, &error);
if (exp || (error != not_exported && error != no_entry))
break;
/* We have to treat the root, "/", specially. */
if (p == epath) p++;
*p = '\0';
}
+ free(hp);
switch (error) {
case bad_path:
what, hp->h_name, path, epath, ntohs(caller->sin_port));
break;
- case faked_hostent:
- xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): DNS forward lookup does't match with reverse",
- what, inet_ntoa(addr), hp->h_name, path, epath);
- break;
-
- case no_forward_dns:
- xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): no DNS forward lookup",
- what, inet_ntoa(addr), hp->h_name, path, epath);
- break;
-
case success:
xlog(L_NOTICE, "authenticated %s request from %s:%d for %s (%s)",
what, hp->h_name, ntohs(caller->sin_port), path, epath);