X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;ds=sidebyside;f=utils%2Fgssd%2Fgssd_proc.c;h=d6f07e63e714c2fdc77b436ecd7adc825127d64d;hb=051eb4863cf880f0349a1de44517f9c99a9c5bd4;hp=a51dbaeba3d06e8414356573418bf02b36a15d6c;hpb=9810f3cc1e5a95ae756948ecbebfdedbcdde82b0;p=nfs-utils.git diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index a51dbae..d6f07e6 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -104,7 +105,7 @@ struct pollfd * pollarray; -int pollsize; /* the size of pollaray (in pollfd's) */ +unsigned long pollsize; /* the size of pollaray (in pollfd's) */ /* * convert a presentation address string to a sockaddr_storage struct. Returns @@ -168,7 +169,7 @@ sockaddr_to_hostname(const struct sockaddr *sa, const char *addr) { socklen_t addrlen; int err; - char *hostname; + char *hostname; char hbuf[NI_MAXHOST]; switch (sa->sa_family) { @@ -250,21 +251,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername, if ((p = strstr(buf, "port")) != NULL) sscanf(p, "port: %127s\n", port); - /* check service, program, and version */ - if (memcmp(service, "nfs", 3) != 0) - return -1; + /* get program, and version numbers */ *prog = atoi(program + 1); /* skip open paren */ *vers = atoi(version); - if (strlen(service) == 3 ) { - if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) && - (*vers != 4))) - goto fail; - } else if (memcmp(service, "nfs4_cb", 7) == 0) { - if (*vers != 1) - goto fail; - } - if (!addrstr_to_sockaddr(addr, address, port)) goto fail; @@ -340,6 +330,25 @@ process_clnt_dir_files(struct clnt_info * clp) char gname[PATH_MAX]; char info_file_name[PATH_MAX]; + if (clp->gssd_close_me) { + printerr(2, "Closing 'gssd' pipe for %s\n", clp->dirname); + close(clp->gssd_fd); + memset(&pollarray[clp->gssd_poll_index], 0, + sizeof(struct pollfd)); + clp->gssd_fd = -1; + clp->gssd_poll_index = -1; + clp->gssd_close_me = 0; + } + if (clp->krb5_close_me) { + printerr(2, "Closing 'krb5' pipe for %s\n", clp->dirname); + close(clp->krb5_fd); + memset(&pollarray[clp->krb5_poll_index], 0, + sizeof(struct pollfd)); + clp->krb5_fd = -1; + clp->krb5_poll_index = -1; + clp->krb5_close_me = 0; + } + if (clp->gssd_fd == -1) { snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname); clp->gssd_fd = open(gname, O_RDWR); @@ -379,10 +388,10 @@ process_clnt_dir_files(struct clnt_info * clp) static int get_poll_index(int *ind) { - int i; + unsigned int i; *ind = -1; - for (i=0; id_name, "clnt", 4) - && !find_client(namelist[i]->d_name, pipe_name)) + if (!strncmp(namelist[i]->d_name, "clnt", 4) + && !find_client(namelist[i]->d_name, pipe_name)) process_clnt_dir(namelist[i]->d_name, pipe_name); free(namelist[i]); } @@ -640,19 +652,22 @@ parse_enctypes(char *enctypes) static int do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, - gss_buffer_desc *context_token) + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) { char *buf = NULL, *p = NULL, *end = NULL; unsigned int timeout = context_timeout; unsigned int buf_size = 0; - printerr(1, "doing downcall\n"); + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + sizeof(context_token->length) + context_token->length; p = buf = malloc(buf_size); end = buf + buf_size; + /* context_timeout set by -t option overrides context lifetime */ + if (timeout == 0) + timeout = lifetime_rec; if (WRITE_BYTES(&p, end, uid)) goto out_err; if (WRITE_BYTES(&p, end, timeout)) goto out_err; if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; @@ -693,7 +708,7 @@ out_err: /* * If the port isn't already set, do an rpcbind query to the remote server - * using the program and version and get the port. + * using the program and version and get the port. * * Newer kernels send the value of the port= mount option in the "info" * file for the upcall or '0' for NFSv2/3. For NFSv4 it sends the value @@ -780,11 +795,12 @@ set_port: * Create an RPC connection and establish an authenticated * gss context with a server. */ -int create_auth_rpc_client(struct clnt_info *clp, - CLIENT **clnt_return, - AUTH **auth_return, - uid_t uid, - int authtype) +static int +create_auth_rpc_client(struct clnt_info *clp, + CLIENT **clnt_return, + AUTH **auth_return, + uid_t uid, + int authtype) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -935,15 +951,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); - if (tgtname) { - if (clp->servicename) { - free(clp->servicename); - clp->servicename = strdup(tgtname); - } - } token.length = 0; token.value = NULL; memset(&pd, 0, sizeof(struct authgss_private_data)); @@ -992,7 +1003,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, int success = 0; do { gssd_refresh_krb5_machine_credential(clp->servername, - NULL, service); + NULL, service, + tgtname); /* * Get a list of credential cache names and try each * of them until one works or we've tried them all @@ -1001,7 +1013,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, printerr(0, "ERROR: No credentials found " "for connection to server %s\n", clp->servername); - goto out_return_error; + goto out_return_error; } for (ccname = credlist; ccname && *ccname; ccname++) { gssd_setup_krb5_machine_gss_ccache(*ccname); @@ -1011,12 +1023,12 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, /* Success! */ success++; break; - } + } printerr(2, "WARNING: Failed to create machine krb5 context " "with credentials cache %s for server %s\n", *ccname, clp->servername); } - gssd_free_krb5_machine_cred_list(credlist); + gssd_free_krb5_machine_cred_list(credlist); if (!success) { if(nocache == 0) { nocache++; @@ -1045,20 +1057,29 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } - if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { + /* Grab the context lifetime to pass to the kernel. lifetime_rec + * is set to zero on error */ + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, + &lifetime_rec, NULL, NULL, NULL, NULL); + + if (maj_stat) + printerr(1, "WARNING: Failed to inquire context for lifetme " + "maj_stat %u\n", maj_stat); + + if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", uid, clp->servername); goto out_return_error; } - do_downcall(fd, uid, &pd, &token); + do_downcall(fd, uid, &pd, &token, lifetime_rec); out: if (token.value) free(token.value); -#ifndef HAVE_LIBTIRPC - if (pd.pd_ctx_hndl.length != 0) +#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA + if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != 0) authgss_free_private_data(&pd); #endif if (auth) @@ -1083,7 +1104,7 @@ handle_krb5_upcall(struct clnt_info *clp) return; } - return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); } void @@ -1204,6 +1225,6 @@ out: free(enctypes); free(target); free(service); - return; + return; }