NeilBrown [Wed, 13 Feb 2013 20:11:05 +0000 (15:11 -0500)]
gssd: Call authgss_free_private_data() if library provides it.
librpcsecgss provides authgss_free_private_data() as a pair to
authgss_get_private_data(). libtirpc does not - until recently.
This ommision results in authgss_destroy_context() sending an
incorrect RPCSEC_GSS_DESTROY request when gssd calls AUTH_DESTROY().
The call has been added to libtirpc, so this patch updates nfs-utils
to check for the presense of the function in libtirpc and to set
HAVE_AUTHGSS_FREE_PRIVATE_DATA if it is present.
This is also set unconditionally if librpcsecgss is used.
gssd is changed to test this value rather than HAVE_LIBTIRPC when
chosing whether to call authgss_free_private_data().
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Hemmo Nieminen [Wed, 16 Jan 2013 20:29:14 +0000 (15:29 -0500)]
rpc.statd: Fix socket binding loop.
From: Hemmo Nieminen <hemmo.nieminen@iki.fi>
Instead of closing the sockets before requesting a new one, keep them
open until a suitable one is found. Otherwise bindresvport will return
the same port over and over again.
David Jeffery [Wed, 16 Jan 2013 20:21:55 +0000 (15:21 -0500)]
rpc.idmapd: Ignore open failures in dirscancb()
From: David Jeffery <djeffery@redhat.com>
The daemon "rpc.idmapd" scans the /var/lib/nfs/rpc_pipefs/nfs/ directory
periodically looking for NFS client mounts to communicate to. The daemon
tried to open communication with a client mount but it disappeared in
between looking for directory entries and opening them. NFS mount was
umounted just before rpc.idmapd tried to communicate with it. This
behavior is usually seen when autofs is configured on the system.
Suresh Jayaraman [Mon, 17 Dec 2012 21:29:44 +0000 (16:29 -0500)]
idmapd: allow non-ASCII characters (UTF-8) in NFSv4 domain name
The validateascii() check in imconv() maps NFSv4 domain names with
non-ASCII characters to 'nobody'. In setups where Active directory
or LDAP is used this causes names with UTF-8 characters to being
mapped to 'nobody' because of this check.
As Bruce Fields puts it:
"idmapd doesn't seem like the right place to enforce restrictions on
names. Once the system has allowed a name it's too late to be
complaining about it here."
Replace the validateascii() call in imconv() with a check for
null-termination just to be extra-careful and remove the validateascii()
function itself as the only user of that function is being
removed by this patch.
Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Suresh Jayaraman <sjayaraman@suse.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 17 Dec 2012 21:21:15 +0000 (16:21 -0500)]
mountd: fix is_subdirectory to understand '/'
The is_subdirectory() function checks if a given 'child' is a
subdirectory of the given 'parent'. However it always fails
if 'parent' == "/" (because 'child' doesn't begin with 'parent'
followed by "/").
So change is_subdirectory() to special-case "/".
subexport() also tests if one directory is a subdirectory of the
other, and contains the same bug. So change it to use
is_subdirectory().
Finally, move is_subdirectory() and related path_matches() and
export_matches() earlier in the file to avoid a forward-reference.
This patch fixes a bug wherein if you export "/" with 'crossmnt', the
crossmnt flag is ineffective and you can only access the root
filesystem, not any descendants.
Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
changed writes to some sysfs files to be line buffered (_IOLBF) where
they weren't before. While this probably makes sense, it introduced a
bug.
With fully buffered streams, you don't expect to get an error until you
call fflush(). With line buffered streams you can get the error
from fprintf() et al.
qword_eol() only tests the return from fflush(), not from fprintf().
Consequently errors were not noticed.
One result of this is that if you export, with crossmnt, a filesystem
underneath which are mounted non-exportable filesystems (e.g. /proc)
then an 'ls -l' on the client will block indefinitely waiting for a
meaningful 'yes' or 'no' from the server, but will never get one.
This patch changes qword_eol to test both fprintf and fflush.
Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Wed, 12 Dec 2012 15:31:06 +0000 (10:31 -0500)]
mountd: Report the absolute path used to load the junction plug-in
As a debugging feature, report the absolute pathname of the plug-in
library that mountd loads to resolve junctions.
Since mountd passes a relative path to dlopen(3), dlopen(3) must
search for the right library. Displaying the absolute pathname of
the object that it found verifies that mountd loaded the correct
plug-in.
Note: dlinfo(3) is provided by libdl, but there doesn't seem to be a
man page on Fedora 16 for dlinfo(3). Instead, see:
http://www.unix.com/man-page/all/3/dlinfo/
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Wed, 28 Nov 2012 19:35:25 +0000 (14:35 -0500)]
gssd: base the size of the fd array on the RLIMIT_NOFILE limit.
We have previously raised the size of the 'pollarray' once (32 -> 256)
and I have had another request to make it bigger.
Rather than changing the hard-coded value, make it depend on
RLIMIT_NOFILE. This is an upper limit on the size of the array
that can be passed to poll() anyway.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Wed, 28 Nov 2012 19:32:00 +0000 (14:32 -0500)]
gssd_proc: use pollsize, not FD_ALLOC_BLOCK, in get_poll_index()
get_poll_index wants to walk the entire "pollarray", but uses
the constant FD_ALLOC_BLOCK, rather than the variable
pollsize (which has the same value). If we want to make the
size of the array variable, it is best not to use the constant.
As pollsize is 'unsigned long', 'i' should be too.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Trond Myklebust [Wed, 28 Nov 2012 19:30:07 +0000 (14:30 -0500)]
gssd: Handle the target name correctly
The target name contains a hostname in the realm that we are
authenticating
to. Since we may be authenticating to a different realm than the default
realm for the server, we should not assume that the target name and host
name point to the same string.
In fact, the kernel NFS client will always use its own hostname as the
target name, since it is always authenticating to its own default realm.
On the other hand, the NFS server's callback channel will pass the
hostname
of the NFS client that it is authenticating too (Section 3.4, RFC3530).
This patch fixes the handling of the target name in process_krb5_upcall,
and ensures that it gets passed to find_keytab_entry().
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Trond Myklebust [Wed, 28 Nov 2012 19:25:33 +0000 (14:25 -0500)]
gssd: Remove insane sanity checks of the service name
Either we trust the info file, or we don't. The current
'checks' only work for the combination 'nfs', '100003' and
a version number between 2 and 4.
The problem is that the callback channel also wants to use
'nfs' in combination with a different program number and
version number.
This patch throws the bogus checks out altogether and lets the
kernel use whatever combination it wants....
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Wed, 28 Nov 2012 14:20:15 +0000 (09:20 -0500)]
mount.nfs: Continue to trying address when the server return EACCES
With recent changes to the /etc/hosts file, the 'localhost'
host name is now multiply defined as both an IPv4 address (127.0.01)
and an IPv6 address (::1). This causes first address returned
by getaddrinfo('localhost') to be the IPv6 address instead of
the IPv4 address.
The change in the default 'localhost' address type causes
existing exports using '127.0.0.1' to fail, because the
'::1' address is tried first and fails. The problem is
not all the addresses in the address list are being tried.
So this patch allows that address list to continue to be
process when a 'EACCES' error is returned by the server.
J. Bruce Fields [Wed, 28 Nov 2012 14:11:29 +0000 (09:11 -0500)]
mountd: auth_unix_ip should downcall on error to prevent hangs
Since bf6a4febaa78bf188896b7b5b02c46562dd08b70 "mountd: handle
allocation failures in auth_unix_ip upcall", a failure to map the
address of an incoming client to a name could result in a hang.
We should be responding with an error in the case, not just skipping the
downcall and leaving everybody hanging.
Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Sat, 17 Nov 2012 13:50:09 +0000 (08:50 -0500)]
svcgssd: Encryption types not being parsed correctly
When svcgssd reads the supported encrytion types from the
kernel, they are prefixed with a 'enctypes='. That prefix
has to be ignored to correctly parse the rest of the types.
Jeff Layton [Thu, 8 Nov 2012 20:09:41 +0000 (15:09 -0500)]
nfsdcltrack: remove the nfsdcld daemon
Since we want to move to using the usermodehelper upcall
unconditionally, just remove nfsdcld. The kernel code to handle
this will be formally deprecated in 3.10 as well.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Thu, 8 Nov 2012 20:02:20 +0000 (15:02 -0500)]
nfsdcltrack: add a legacy transition mechanism
If the kernel passes the legacy recdir path in the environment, then we
can use that to transition from the old legacy tracker to the new one.
On a "check" operation, if there is no record of the client in the
database, check to see if there is a matching recoverydir. If there
isn't then just refuse the reclaim. If there is, then insert a new
record for this client into the db, and remove the legacy recoverydir.
If either of those operations fail, then refuse the reclaim.
On a "gracedone" operation, clean out the entire legacy recoverydir
after purging any unreclaimed records from the db. There's not much
we can do if this fails, so just log a warning if it does.
Note that this is a one-way conversion. If the user later boots back
into an older kernel, it will have no knowledge of the new database.
In principle, we could create a tool that would walk the clients
table, md5 hash the clientids and create directories in the
v4recovery dir. Doing that automatically would be pretty difficult
however.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Thu, 8 Nov 2012 20:00:04 +0000 (15:00 -0500)]
nfsdcltrack: add a new "one-shot" program for manipulating the client tracking db
Usermode helper upcalls are all the rage these days for infrequent
upcalls, since they make it rather idiot-proof. No running daemon is
required, so there's really no setup beyond ensuring that the callout
exists and is runnable.
This program adds a callout program to nfs-utils for that purpose. The
storage engine on the backend is identical to the one used by nfsdcld.
This just adds a new frontend for it.
For now, building with --enable-nfsdcltrack gives you both nfsdcld and
nfsdcltrack programs. A later patch will remove nfsdcld altogether.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Thu, 8 Nov 2012 19:56:51 +0000 (14:56 -0500)]
nfsdcltrack: break out a function to open the database handle
When we add a new usermodehelper upcall program to do the database
access, the existing "init" function will be overkill every time
we start up the program.
Break out the database handle establishment routine into a separate
function that we can call from each upcall command in the one-shot
program.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
This is holdover from an earlier version of the code and doesn't really
provide any benefit. Also, mark the topdir and dirname arguments const
since they should never be changed.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Thu, 8 Nov 2012 19:36:56 +0000 (14:36 -0500)]
nfsdcltrack: rename the nfsdcld directory and options to nfsdcltrack
We'll soon be adding a new nfsdcltrack program, at which point it won't
make much sense to call this directory and the config option "nfsdcld".
Rename it to be a bit more generic.
While we're at it, change the default for --enable-cltrack to "yes".
When we introduce the one-shot program, we're going to want to build
it by default anyway.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Tue, 30 Oct 2012 18:06:22 +0000 (14:06 -0400)]
mountd: Make local functions static
Removed a couple Wmissing-prototypes warnings in the mountd code.
Once the parse_fsid() function was made static, the compiler
detected execution paths through it that did not initialize some
fields in *parsed.
[ I'm pretty sure these problems are currently harmless, since each
path is taken depending on the value of the .fsidtype field. Each
path accesses only the fields in *parsed that it cares about. ]
This is because parsed_fsid isn't a union type. parse_fsid() leaves
uninitialized fields that are not used by a particular fsidtype. To
prevent an accidental dereference of stack garbage (.fhuuid being an
example of a pointer that is left uninitialized sometimes), have
parse_fsid() defensively pre-initialize *parsed to zero.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:43:50 +0000 (10:43 -0400)]
mountd: Simplify "no junction support" case
We've added logic in the "not an export" case in nfsd_export(), so it's
no longer a simple function call. Clean up this code by splitting
it into a new function, and make plain what happens when junction
support is compiled out.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:41:54 +0000 (10:41 -0400)]
mountd: Dynamically allocate exportent that represents junctions
We're now duplicating a real exportent with arbitrary export options
to create a junction exportent. After a dupexportent() call,
several of the structure's fields can point to dynamically allocated
memory. We have to be careful about not orphaning that memory.
What's more, returning a pointer to a static structure is as 90's as
a bad mullet. It's more straightforward to allocate the exportent
dynamically and release it when we are through with it.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:38:51 +0000 (10:38 -0400)]
mountd: Add exportent_release()
Split out the logic that releases dynamically allocated data in an
exportent. The junction resolution code will invoke this to clean
up the junction exportent once it has been dumped to the kernel.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:37:26 +0000 (10:37 -0400)]
mountd: Junctions inherit parent export's options
Attempting to access junctions on a Linux NFS server from an NFS
client connected via an ephemeral source port fails with a "client
insecure" error on the server. This happens even when the
"insecure" export option is specified on the junction's parent
export.
As a test, via a mountd code change, I added "insecure" to the fixed
export options that mountd sets up for each junction, and the error
disappeared.
It's simple enough for old-school referrals configured directly in
/etc/exports ("refer=") to have the needed options specified there.
Cache entries for junctions, however, are created on the fly by
mountd, and don't ever appear in /etc/exports. So there's nowhere
obvious that export options for junctions can be specified.
Bruce suggested that in order to specify unique export options for
junctions, they should inherit the export options of their parent
export. The junction's parent's exportent is duplicated in order
to create an exportent for the junction itself.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:29:28 +0000 (10:29 -0400)]
mountd: Add lookup_export_parent()
In a moment I will be adding some logic that needs to know an
junction's parent export.
Here's a function that can discover an export's parent. It takes
the target export's pathname, chops off the rightmost component, and
tries a lookup_export(). If that succeeds, we have our answer.
If not, it chops off the next rightmost component and tries again,
until the root is reached.
At the same time, infrastructure is added to pass the parent export
down into the functions that convert locations into a new junction
export entry. For now the parent export remains unused.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:27:26 +0000 (10:27 -0400)]
mountd: Set e_fslocdata field directly
To create an export entry for a junction, an options string is
constructed from the set of locations in the junction. This options
string is then passed to mkexportent() where it is parsed and
converted into an exportent.
There is only one export option that is used to create a junction's
exportent: "refer=". When that option is parsed, it's value is
simply copied to a fresh string and planted in the new export's
e_fslocdata field.
Let's avoid the option parsing and extra string copy. Construct
a string for the new e_fslocdata field and plant it in the exportent
directly.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Fri, 19 Oct 2012 14:25:14 +0000 (10:25 -0400)]
mountd: Use static buffer when constructing junction export options
Clean up: Simplify locations_to_export() by constructing a junction's
export options in a static buffer.
We can do this because all of this code is called serially, in one
thread, and the result is thrown away immediately after the caller
is finished. The returned exportent itself is static.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Andy Adamson [Thu, 18 Oct 2012 17:21:09 +0000 (13:21 -0400)]
GSSD: Pass GSS_context lifetime to the kernel.
From: Andy Adamson <andros@netapp.com>
The kernel gss_cl_ctx stores the context lifetime in gc_expiry, set
by gssd in do_downcall() called by process_krb5_upcall(). The lifetime
value is currently not related at all to the Kerberos TGS lifetime.
It is either set to the value of gssd -t <timeout>, or to a kernel
default of 3600 seconds.
Most of the time the gssd -t command line is not set, and a timeout
value of zero was sent to the kernel triggering the use of the 3600
second kernel default timeout.
In order for the kernel to properly know when to renew a context, or to
stop buffering writes for a context about to expire, the gc_expiry value
needs to reflect the credential lifetime used to create the context.
Note that gss_inquire_cred returns the number of seconds for which the
context remains valid in the lifetime_rec parameter.
Send the actual TGS remaining lifetime to the kernel. It can still be
overwritten by the gssd -t command line option, or set to the kernel
default if the gss_inquire_cred call fails (which sets the lifetime_rec
to zero).
Signed-off-by: Andy Adamson <andros@netapp.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Wolfram Gloger [Mon, 15 Oct 2012 19:31:23 +0000 (15:31 -0400)]
mount.nfs4: Backgrounding mount broken with NFS versions <4
When the NFS version isn't specified in the mount options, mount.nfs
attempts V4 first and appends 'vers=4' to the extra_options string in
the mount options. If the server isn't immediately reachable, this
attempt fails. However, if the background option is specified and the
server comes up later on, the extra_options are used again for all
further attempts and thus they fail if the server only supports
vers<4.
Fix this by only amending extra_options on a successful vers=4 mount.
This is now Debian bug #690181 and has apparently been around for
ages.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Wolfram Gloger <bugzilla1@malloc.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Neil Brown [Mon, 15 Oct 2012 16:50:35 +0000 (12:50 -0400)]
mount.nfs mapage: clear up confusion between 'proto' and 'transport'
The mount option "proto=" actually set the "transport" which in
netconfig usage is the pairing of a protocol (e.g. UDP, TCP) with
a protocol family (e.g. INET, INET6).
This can cause confusion if people naively except "proto=udp" to work
equally well on IPv6.
So add some text to both nfs(5) and nfsmount.conf(5) to hopefully
clarify this.
Acked-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Nalin Dahyabhai [Wed, 22 Aug 2012 18:43:05 +0000 (14:43 -0400)]
gssd: Use /run/user/${UID} instead of /run/user/${USER}
Newer versions of systemd create a /run/user/${UID} directory
instead of the /run/user/${USER} directory, so switch to
scanning for that. To make the per-user directory bit a little
less magical, change the default to incorporate a "%U", which
gets dynamically expanded to the user's UID when needed.
Nalin Dahyabhai [Wed, 22 Aug 2012 18:35:17 +0000 (14:35 -0400)]
gssd: scan for DIR: ccaches, too
In addition to matching "FILE:krb5cc_*" in the specified directory or
directories, also match "DIR:krb5cc*", if we find subdirectories with
names that match the search pattern.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 6 Aug 2012 13:08:53 +0000 (09:08 -0400)]
rpc.gssd: don't call poll(2) twice a second
Use ppoll() instead.
[ cel Wed Aug 1 11:44:46 EDT 2012 - autoconfiscated Bruce's version ]
Related clean-up: Since we're pulling the poll/ppoll call out into a
separate function, note that the second argument of poll(2) and
ppoll(2) is not an int, it's an unsigned long. The nfds_t typedef
is a recent invention, so use the raw type for compatibility with
older glibc headers.
Acked-by: J. Bruce Fields" <bfields@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Mon, 6 Aug 2012 12:55:45 +0000 (08:55 -0400)]
rpc.gssd: don't call printerr from signal handler
From: "J. Bruce Fields" <bfields@redhat.com>
printerr() isn't actually safe to call from a signal handler. It might
be possible to make it so, but I think this is the only case in
nfs-utils where we try to, and I'm not convince it's worth it.
This fixes a bug that would eventually cause mounts to hang when gssd
is run with -vv.
Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 6 Aug 2012 12:41:13 +0000 (08:41 -0400)]
umount: use correct return value for is_vers4.
is_vers4 in mount_libmount.c is based on nfs_umount_is_vers4
in nfsumount.c, except the return values are reversed.
The result of this is:
- a MOUNT_UMNT call is not sent when an NFSv3 or NFSv2
filesystem is unmounted
- a MOUNT_UMNT call *is* sent when and 'nfs4' filesystem
is unmounted (but not when an 'nfs -o vers=4 filesystem
is unmounted, as that is checked elsewhere).
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
# umount.nfs /boot; echo $?
# umount.nfs: /boot: is not an NFS filesystem
1
Note that the function mnt_context_set_fstype_pattern() has never
been used for mtab/fstab evaluation. It's usable only for "umount -a"
and for "mount -t" operations.
Reported-by: NeilBrown <neilb@suse.de> Signed-off-by: Karel Zak <kzak@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Thu, 19 Jul 2012 13:40:30 +0000 (09:40 -0400)]
rpc.gssd: close upcall pipe on POLLHUP
When a POLLHUP event is received on a pipe file descriptor, that
means the other side has closed its end of the pipe. If the
receiver does not close its end of the pipe, the pipe is left in an
open-but-unlinked state.
For a "gssd" upcall pipe, the kernel may close its end, removing the
directory entry for it, and then later create a fresh pipe named
"gssd" in the same directory. In this case, rpc.gssd continues to
listen on the open-but-unlinked previous "gssd" pipe. Thus upcalls
on the new "gssd" pipe are left unanswered.
In addition, poll(2) continues to return POLLHUP on the old pipe.
Since there is no logic to close the pipe in rpc.gssd, poll(2) always
returns immediately, and rpc.gssd goes into a tight loop.
Typically, the kernel closes upcall pipes and destroys their
parent directory at the same time. When an RPC client's directory
vanishes, rpc.gssd sees the change via dnotify and eventually
invokes destroy_client() which closes the user-space end of the
pipes.
However, if the kernel wants to switch authentication flavors (say
from AUTH_KRB5 to AUTH_UNIX) on an RPC client without destroying it,
the upcall pipes go away, but the RPC client's directory remains.
rpc.gssd invokes update_client_list(), but that logic never closes
upcall pipes if the client directory is still in place.
After a POLLHUP on a pipe, close it when rpc.gssd reconstructs its
list of upcall clients.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
mount.nfs: restore correct error status when umount fails
If nfs-utils is built without --enable-libmount-mount, then
an unmount that failed due to the filesystem being busy will
exit with '16' - EX_FILEIO.
Autofs apparently relies on this.
When built with --enable-libmount-mount, the same case will
exit with '32' - EX_FAIL. Normally this is reserved for
internal errors.
This patch restores the use of EX_FILEIO for errors from umount.
Reviewed-by: Karel Zak <kzak@redhat.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Thu, 5 Jul 2012 12:58:47 +0000 (08:58 -0400)]
nfsidmap: Default domain not being set.
nfsidmap is not calling the nfs4_init_name_mapping()
function which initializes the default domain from
either the DNS domain or the Domain variable in /etc/idmap.conf
Jeff Layton [Tue, 19 Jun 2012 14:57:55 +0000 (10:57 -0400)]
mount.nfs: try the next address after mount fails with ETIMEDOUT
If a NFS mount attempt fails with an ETIMEDOUT error, the mount.nfs code
doesn't currently attempt the next address in the list. For a NFSv4
mount the initial mount() call almost always ends up going over
NFS_DEF_FG_TIMEOUT_MINUTES and the mount is never retried.
For a v3 mount, it ends up continually retrying against the same IPv6
address, and never tries the IPv4 address. Eventually it gives up once
it hits the NFS_DEF_FG_TIMEOUT_MINUTES timeout.
It's possible that a server is just unreachable via IPv6 (due to a
routing misconfiguration for instance), or is dropping IPv6 frames on
the floor. In that situation, it might still be reachable via IPv4 and
trying the next address could have allowed the mount to succeed.
Fix this by treating ETIMEDOUT in a similar fashion to ECONNREFUSED.
Have the client try the next address in the list before giving up and
returning an error.
Our QA folks noticed this after a routing problem in one of our test
labs. I was able to reproduce it by having the server drop incoming
IPv6 frames from the client's address.
With this patch, the mount eventually succeeds over IPv4 instead of
returning an error.
Cc: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Harald Hoyer [Tue, 19 Jun 2012 14:53:29 +0000 (10:53 -0400)]
nfsdcld: Before clearing the capability bounding set, check if we have the cap
From: Harald Hoyer <harald@redhat.com>
PR_CAPBSET_DROP can return EINVAL, if an older kernel does support
some capabilities, which are defined by CAP_LAST_CAP, which results in
a failure of the service.
For example kernel 3.4 errors on CAP_EPOLLWAKEUP, which was newly
introduced in 3.5.
So, for future capabilities, we clear until we get an EINVAL for
PR_CAPBSET_READ.
Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Tue, 29 May 2012 18:40:38 +0000 (14:40 -0400)]
mountd: Honor the no_root_squash flag on pseudo roots
From: "J. Bruce Fields" <bfields@redhat.com>
If root squashing is turned off on a export that
has multiple directories, the parent directories
of the pseudo exports that's built, also needs to
have root squashing turned off.
Tested-by: Steve Dickson <steved@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Tue, 29 May 2012 18:27:24 +0000 (14:27 -0400)]
nfsidmap: Allow verbosity level to be set in the config file
To make it easier to enable ID mapping debugging, nfsidmap
should read /etc/idmap.conf to see if the verbosity level
is set, similar to what rpc.idmapd does
Jeff Layton [Tue, 29 May 2012 18:23:18 +0000 (14:23 -0400)]
statd: drop all capabilities from the bounding set as well
statd drops all capabilities except for CAP_NET_BIND when it starts.
It's possible though that if it ever had a compromise that an attacker would
be able to invoke a setuid process (or something with file capabilities) in
order to reinstate some caps.
This could happen as a result of the daemon becoming compromised, or
possibly as a result of the ha-callout program becoming compromised.
In order to prevent that, have statd also prune the capability bounding
set to nothing prior to dropping capabilities. That ensures that the
process won't be able to reacquire capabilities via any means --
including exec'ing a setuid program.
We do however need to be cognizant of the fact that PR_CAPBSET_DROP was
only added in 2.6.25, so check to make sure that #define exists via
autoconf before we rely on it. In order to do that, we must add
ax_check_define.m4 from the GNU autoconf macro archive.
Furthermore, do a runtime check to see if /proc/sys/kernel/cap-bound
exists before attempting to clear the bounding set. If it does, then
don't bother trying since it won't work. In that event though, do
throw a warning however since the presence of that file indicates that
there is a disconnect between the build and runtime environments.
Acked-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
build: avoid AM_CONDITIONAL in conditional execution.
Automake does not support conditional AM_CONDITIONAL calls; what that
means is that you always have to execute AM_CONDITIONAL one way or the
other. Both the libsqlite3.m4 file and the nfsdcld conditionals are
executed only when NFSv4 is enabled, which breaks building with
--disable-nfsv4.
Remove the SQLite3 conditional altogether as it's never used, and move
the nfsdcld conditional outside of the conditional code.
Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Tue, 29 May 2012 17:53:09 +0000 (13:53 -0400)]
autoconf: make the test for prctl have an effect
We currently test to ensure that prctl() is available, but the results
of that test are a no-op either way. statd calls prctl()
unconditionally, so make configure bail out if prctl() isn't available
since the build will fail in that event anyway.
Cc: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Thu, 17 May 2012 12:14:57 +0000 (08:14 -0400)]
osd_login - ensure /sbin is created before installation.
If we use a more standard approach to describing the osd_login
script, the automake infrastructure will create /sbin before
attempting installation.
This is important for: make DESTDIR=/empty-dir install
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Jim Rees [Tue, 15 May 2012 14:10:01 +0000 (10:10 -0400)]
blkmapd: remove pretty_sig()
This really only works against EMC servers. There is at least one server
that returns unprintable signatures, which fill the log with garbage (the
spec does not mandate printable signatures). It could be made more generic,
for example by checking each byte for isprint(). But the signatures are
really only of interest to developers, not admins, so it seems better to
just remove it.
Signed-off-by: Jim Rees <rees@umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Olaf Kirch [Wed, 9 May 2012 18:12:16 +0000 (14:12 -0400)]
Manpage: Add a warning to the nfs manpage regarding using NFS over UDP on
high-speed links
* Using NFS over UDP on high-speed links such as Gigabit can cause
silent data corruption.
* The man page text was written by Olaf Kirch and committed to (but not
upstream):
https://build.opensuse.org/package/view_file?file=warn-nfs-udp.patch&package=nfs-utils&project=openSUSE%3AFactory&rev=8e3e60c70e8270cd4afa036e13f6b2bb
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com> Acked-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Olaf Kirch <okir@suse.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Wed, 9 May 2012 17:25:34 +0000 (13:25 -0400)]
nfsdcld: add support for dropping capabilities
As a long running daemon, we need to be security-conscious with nfsdcld,
so let's prune what it can do down to nearly nothing.
We want the daemon to run as root so that it has access to open and
reopen the rpc_pipefs pipe, but we don't actually need any of the
superuser caps that come with it. Have it drop all capabilities early
on. We don't need any of them as long as the fsuid continues to be 0.
Once we do that though, check to ensure that the db dir is actually
usable by root w/o CAP_DAC_OVERRIDE. Do an access() check on it and
throw a warning if it's not. Hopefully that will assist users in
debugging if they get the ownership of the DB dir wrong.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Jeff Layton [Wed, 9 May 2012 16:36:02 +0000 (12:36 -0400)]
nfsdcld: demote pipe opening error to D_GENERAL
It's actually expected that this will fail initially when we start the
daemon. Until knfsd has been started, the pipe doesn't exist, and we
generally want to start nfsdcld before starting knfsd.
Avoid the scary error message by demoting this message to D_GENERAL.
Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Thu, 3 May 2012 19:06:21 +0000 (15:06 -0400)]
mountd: prepend '$' to make use_ipaddr clients self-describing
From: "J. Bruce Fields" <bfields@redhat.com>
Mountd is responsible for filling three interrelated kernel caches:
- auth_unix_ip maps an incoming ip addresses to a "domain".
- nfsd_fh maps (domain, filehandle-fragment) pairs to paths.
- nfsd_export maps (domain, path) pairs to export options.
Note that each export is assocated with a "client" string--the part
before the parentheses in an /etc/export line--which may be a domain
name, a netgroup, etc.
The "domain" string in the above three caches may be either:
- in the !use_ipaddr case, a comma-separated list of client
strings.
- in the use_ipaddr case, an ip address.
In the former case, mountd does the hard work of matching an ip address
to the clients when doing the auth_unix_ip mapping. In the latter case,
it delays that until the nfsd_fh or nfsd_export upcall.
We're currently depending on being able to flush the kernel caches
completely when switching between the use_ipaddr and !use_ipaddr cases.
However, the kernel's cache-flushing doesn't really provide reliable
guarantees on return; it's still possible we could see nfsd_fh or
nfsd_export upcalls with the old domain-type after flushing.
So, instead, make the two domain types self-describing by prepending a
"$" in the use_ipaddr case.
Reviewed-by: NeilBrown <neilb@suse.de> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Thu, 3 May 2012 18:59:27 +0000 (14:59 -0400)]
mountd: parse ip address earlier
I don't see the point of waiting to the last minute to parse the ip
address. If the client name isn't a legal ip address then this will
fail fairly quickly, so there's not much of a performance penalty.
Also, note the previous code incorrectly assumed client_resolve would
always return non-NULL.
Also factor out some common code.
Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Thu, 3 May 2012 18:56:19 +0000 (14:56 -0400)]
mountd: fix export upcall failure in use_ipaddr case
After 0509d3428f523 "mountd: Replace "struct hostent" with "struct
addinfo"", the export upcall fails in the use_ipaddr case.
I think we never noticed because a) the use_ipaddr case is rarer than
the !use_ipaddr case, and b) the nfsd_fh upcall does a preemptive export
downcall that renders the nfsd export call unnecessary in some cases.
Cc: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Tue, 1 May 2012 19:34:34 +0000 (15:34 -0400)]
mounts.nfs: v2 and v3 background mounts should retry when server is down.
The point of background mounts is to have the mount
retried if the mount fails. This patch allows the v2/v3
background mount to proceed in the case when the server
is down by not making EOPNOTSUPP a permanent error.
NeilBrown [Tue, 1 May 2012 19:26:54 +0000 (15:26 -0400)]
v4_root_add_parents: remove a possible buffer overflow.
The loop in v4root_add_parents() is a little odd.
The first time through, 'ptr' points immediately "beyond"
a '/' character (the first). For every other iterration it points
directly "at" a '/' character.
Such inconsistency is error prone and infact there is an error.
If "path" is precisely "/", then the first call to
ptr = strchr(ptr, '/')
will be given a 'ptr' which is beyond the '\0' at the end of
"path". This could potentially contain anything and the strchr()
could search well beyond a buffer (though this depends on exactly how
the string is set up which depends on separate code).
So change the loop to have 'ptr' always point at a '/', and
handle the special case of "/" explicitly.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Tue, 1 May 2012 19:25:17 +0000 (15:25 -0400)]
v4root: set the time-to-live for V4ROOT exports to the DEFAULT.
e_ttl is set to the default in init_exportent().
However V4ROOT exports never see init_exportent() as they are created
with dupexportent from a template. So e_ttl does not get set and
export entries expire immediately.
This results in an upcall to mountd every time a V4ROOT directory
in accessed.
So set e_ttl in the template.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Tue, 1 May 2012 19:24:39 +0000 (15:24 -0400)]
4set_root: force "fsid=0" for all exports of '/'
When "fsid=0" is not explicitly given in /etc/exports,
v4set_root creates a pseudo (NFSEXP_V4ROOT) export for '/'
with fsid 0 so that an NFSv4 client can find the root.
However if '/' is explicitly exported to the client, then that
explicit export must be used, and it will not have fsid=0.
So we must impose fsid=0 on all exports of '/'.
Without this, if '/' is exported to a client, that client will
not be able to mount '/' with NFSv4.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Tue, 1 May 2012 19:22:57 +0000 (15:22 -0400)]
nfsd_fh: if two exports are possible, choose the one without V4ROOT
When nfsd_fh it looking for an export for a particular
client and file-handle, it might find two exports for the same path:
one with NFSEXP_V4ROOT, one with out.
As nfsd_fh calls cache_export_ent to give the export information to
the kernel it much choose the same export that auth_authenticate
chooses for get_rootfh which it also passes cache_export_ent (via
cache_export).
i.e. it must choose the non-V4ROOT on where possible.
Also change
strcmp(foo, bar)
to
strcmp(foo, bar) == 0
because I have a pathological fear of the former.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Tue, 1 May 2012 19:20:31 +0000 (15:20 -0400)]
auth_authenticate_newcache: prefer non-V4ROOT export over V4ROOT exports
Currently auth_authenticate_internal finds an export and if it
is a V4ROOT export, it reports that there is no match. Unlike
lookup_export() it doesn't keep looking for an acceptable export.
So remove the test from auth_authenticate_internal(), and add it to
auth_authenticate_newcache(), where the search can be allowed to
continue.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>