#define NFSD_DIR "/proc/net/rpc"
#endif
+#ifndef CLIENT_CACHE_TIMEOUT_FILE
+#define CLIENT_CACHE_TIMEOUT_FILE "/proc/sys/fs/nfs/idmap_cache_timeout"
+#endif
+
#ifndef NFS4NOBODY_USER
#define NFS4NOBODY_USER "nobody"
#endif
void release_parent();
static int verbose = 0;
+#define DEFAULT_IDMAP_CACHE_EXPIRY 600 /* seconds */
+static int cache_entry_expiration = 0;
static char pipefsdir[PATH_MAX];
static char *nobodyuser, *nobodygroup;
static uid_t nobodyuid;
if (stat(conf_path, &sb) == -1 && (errno == ENOENT || errno == EACCES)) {
warn("Skipping configuration file \"%s\"", conf_path);
+ conf_path = NULL;
} else {
conf_init();
verbose = conf_get_num("General", "Verbosity", 0);
+ cache_entry_expiration = conf_get_num("General",
+ "Cache-Expiration", DEFAULT_IDMAP_CACHE_EXPIRY);
CONF_SAVE(xpipefsdir, conf_get_str("General", "Pipefs-Directory"));
if (xpipefsdir != NULL)
strlcpy(pipefsdir, xpipefsdir, sizeof(pipefsdir));
CONF_SAVE(nobodyuser, conf_get_str("Mapping", "Nobody-User"));
CONF_SAVE(nobodygroup, conf_get_str("Mapping", "Nobody-Group"));
- nfs4_init_name_mapping(conf_path);
}
while ((opt = getopt(argc, argv, GETOPTSTR)) != -1)
errx(1, "Could not find group \"%s\"", nobodygroup);
nobodygid = gr->gr_gid;
+#ifdef HAVE_NFS4_SET_DEBUG
+ nfs4_set_debug(verbose, idmapd_warnx);
+#endif
+ if (conf_path == NULL)
+ conf_path = _PATH_IDMAPDCONF;
+ if (nfs4_init_name_mapping(conf_path))
+ errx(1, "Unable to create name to user id mappings.");
+
if (!fg)
mydaemon(0, 0);
event_init();
+ if (verbose > 0)
+ idmapd_warnx("Expiration time is %d seconds.",
+ cache_entry_expiration);
if (serverstart) {
nfsdret = nfsdopen();
if (nfsdret == 0) {
.tv_usec = 0,
};
+ if (cache_entry_expiration != DEFAULT_IDMAP_CACHE_EXPIRY) {
+ int timeout_fd, len;
+ char timeout_buf[12];
+ if ((timeout_fd = open(CLIENT_CACHE_TIMEOUT_FILE,
+ O_RDWR)) == -1) {
+ idmapd_warnx("Unable to open '%s' to set "
+ "client cache expiration time "
+ "to %d seconds\n",
+ CLIENT_CACHE_TIMEOUT_FILE,
+ cache_entry_expiration);
+ } else {
+ len = snprintf(timeout_buf, sizeof(timeout_buf),
+ "%d", cache_entry_expiration);
+ if ((write(timeout_fd, timeout_buf, len)) != len)
+ idmapd_warnx("Error writing '%s' to "
+ "'%s' to set client "
+ "cache expiration time\n",
+ timeout_buf,
+ CLIENT_CACHE_TIMEOUT_FILE);
+ close(timeout_fd);
+ }
+ }
+
if ((fd = open(pipefsdir, O_RDONLY)) == -1)
idmapd_err(1, "main: open(%s)", pipefsdir);
{
int nent, i;
struct dirent **ents;
- struct idmap_client *ic;
+ struct idmap_client *ic, *nextic;
char path[PATH_MAX];
struct idmap_clientq *icq = data;
goto next;
if ((ic = calloc(1, sizeof(*ic))) == NULL)
- return;
+ goto out;
strlcpy(ic->ic_clid, ents[i]->d_name + 4,
sizeof(ic->ic_clid));
path[0] = '\0';
if ((ic->ic_dirfd = open(path, O_RDONLY, 0)) == -1) {
idmapd_warn("dirscancb: open(%s)", path);
free(ic);
- return;
+ goto out;
}
strlcat(path, "/idmap", sizeof(path));
if (nfsopen(ic) == -1) {
close(ic->ic_dirfd);
free(ic);
- return;
+ goto out;
}
ic->ic_id = "Client";
}
}
- TAILQ_FOREACH(ic, icq, ic_next) {
+ ic = TAILQ_FIRST(icq);
+ while(ic != NULL) {
+ nextic=TAILQ_NEXT(ic, ic_next);
if (!ic->ic_scanned) {
event_del(&ic->ic_event);
close(ic->ic_fd);
free(ic);
} else
ic->ic_scanned = 0;
+ ic = nextic;
}
+
+out:
+ for (i = 0; i < nent; i++)
+ free(ents[i]);
+ free(ents);
return;
}
struct idmap_client *ic = data;
struct idmap_msg im;
u_char buf[IDMAP_MAXMSGSZ + 1];
- size_t len, bsiz;
+ size_t len;
+ ssize_t bsiz;
char *bp, typebuf[IDMAP_MAXMSGSZ],
buf1[IDMAP_MAXMSGSZ], authbuf[IDMAP_MAXMSGSZ], *p;
unsigned long tmp;
if (which != EV_READ)
goto out;
- if ((len = read(ic->ic_fd, buf, sizeof(buf))) == -1) {
+ if ((len = read(ic->ic_fd, buf, sizeof(buf))) <= 0) {
idmapd_warnx("nfsdcb: read(%s) failed: errno %d (%s)",
- ic->ic_path, errno, strerror(errno));
+ ic->ic_path, len?errno:0,
+ len?strerror(errno):"End of File");
goto out;
}
/* Get rid of newline and terminate buffer*/
buf[len - 1] = '\0';
- bp = buf;
+ bp = (char *)buf;
memset(&im, 0, sizeof(im));
imconv(ic, &im);
buf[0] = '\0';
- bp = buf;
+ bp = (char *)buf;
bsiz = sizeof(buf);
/* Authentication name */
addfield(&bp, &bsiz, p);
/* Name */
addfield(&bp, &bsiz, im.im_name);
-#define NFSD_EXPIRY 300 /* seconds */
/* expiry */
- snprintf(buf1, sizeof(buf1), "%lu", time(NULL) + NFSD_EXPIRY);
- addfield(&bp, &bsiz, buf1);
- /* ID */
- snprintf(buf1, sizeof(buf1), "%u", im.im_id);
+ snprintf(buf1, sizeof(buf1), "%lu",
+ time(NULL) + cache_entry_expiration);
addfield(&bp, &bsiz, buf1);
+ /* Note that we don't want to write the id if the mapping
+ * failed; instead, by leaving it off, we write a negative
+ * cache entry which will result in an error returned to
+ * the client. We don't want a chown or setacl referring
+ * to an unknown user to result in giving permissions to
+ * "nobody"! */
+ if (im.im_status == IDMAP_STATUS_SUCCESS) {
+ /* ID */
+ snprintf(buf1, sizeof(buf1), "%u", im.im_id);
+ addfield(&bp, &bsiz, buf1);
+ }
//if (bsiz == sizeof(buf)) /* XXX */
bp[-1] = '\n';
snprintf(buf1, sizeof(buf1), "%u", im.im_id);
addfield(&bp, &bsiz, buf1);
/* expiry */
- snprintf(buf1, sizeof(buf1), "%lu", time(NULL) + NFSD_EXPIRY);
+ snprintf(buf1, sizeof(buf1), "%lu",
+ time(NULL) + cache_entry_expiration);
addfield(&bp, &bsiz, buf1);
+ /* Note we're ignoring the status field in this case; we'll
+ * just map to nobody instead. */
/* Name */
addfield(&bp, &bsiz, im.im_name);
imconv(ic, &im);
+ /* XXX: I don't like ignoring this error in the id->name case,
+ * but we've never returned it, and I need to check that the client
+ * can handle it gracefully before starting to return it now. */
+
+ if (im.im_status == IDMAP_STATUS_LOOKUPFAIL)
+ im.im_status = IDMAP_STATUS_SUCCESS;
+
if (atomicio(write, ic->ic_fd, &im, sizeof(im)) != sizeof(im))
idmapd_warn("nfscb: write(%s)", ic->ic_path);
out:
}
break;
}
- /* XXX Hack? */
- im->im_status = IDMAP_STATUS_SUCCESS;
+ if (ret)
+ im->im_status = IDMAP_STATUS_LOOKUPFAIL;
+ else
+ im->im_status = IDMAP_STATUS_SUCCESS;
}
static void
gid_t gid;
int ret = 0;
- /* XXX: nobody fallbacks shouldn't always happen:
- * server id -> name should be OK
- * client name -> id should be OK
- * but not otherwise */
/* XXX: move nobody stuff to library calls
* (nfs4_get_nobody_user(domain), nfs4_get_nobody_group(domain)) */
- /* XXX: should make this call higher up in the call chain (so we'd
- * have a chance on looking up server/whatever. */
+
+ im->im_status = IDMAP_STATUS_SUCCESS;
+
switch (im->im_type) {
case IDMAP_TYPE_USER:
ret = nfs4_name_to_uid(im->im_name, &uid);
im->im_id = (u_int32_t) uid;
- if (ret)
+ if (ret) {
+ im->im_status = IDMAP_STATUS_LOOKUPFAIL;
im->im_id = nobodyuid;
- break;
+ }
+ return;
case IDMAP_TYPE_GROUP:
ret = nfs4_name_to_gid(im->im_name, &gid);
im->im_id = (u_int32_t) gid;
- if (ret)
+ if (ret) {
+ im->im_status = IDMAP_STATUS_LOOKUPFAIL;
im->im_id = nobodygid;
- break;
+ }
+ return;
}
- /* XXX? */
- im->im_status = IDMAP_STATUS_SUCCESS;
}
static int
if (noclose == 0) {
tempfd = open("/dev/null", O_RDWR);
- dup2(tempfd, 0);
- dup2(tempfd, 1);
- dup2(tempfd, 2);
- closeall(3);
+ if (tempfd < 0)
+ tempfd = open("/", O_RDONLY);
+ if (tempfd >= 0) {
+ dup2(tempfd, 0);
+ dup2(tempfd, 1);
+ dup2(tempfd, 2);
+ closeall(3);
+ } else
+ closeall(0);
}
return;