It looks like the existing algorithm for verifying the passed-in bind
address is as broken as statd_matchhostname() used to be: for IP
addresses, AI_CANONNAME is useless. We need to have getnameinfo(3) or
equivalent in there.
Clean up: extract the logic that verifies the command line bind
address into its own function, and make it handle canonical name
lookup correctly.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Same change as statd_matchhostname() is necessary for the logic in
exportfs.
Recall that these are "separate but nearly equal" because the exportfs
version requires extra expensive string checking that would be onerous
for statd.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The job of statd_matchhostname() is to work hard at matching two
hostnames or presentation IP addresses that may refer to the same
host.
statd_matchhostname() turns the hostname of the local system into a
list of addresses containing only the loopback address. The actual
DNS registered address of the system does not appear in that list.
Presentation IP addresses, on the other hand, are soundly ignored by
the AI_CANONNAME option of getaddrinfo(3). The ai_canonname string
that is returned is just the same presentation IP address. And the
resulting list of addresses contains just that IP address.
So if the DNS registered IP address of the local host is passed in as
one argument, and the local hostname is passed as the other argument,
statd_matchhostname() whiffs and believes there is no match. To fix
this, the logic needs to be smarter about deriving a hostname from an
IP address.
This appears to cause no end of trouble: monitor records pile up in
/var/lib/nfs/sm and sm.bak, notifications are missed, and so on. This
has likely been around since commit cbd3a131 "statd: Introduce statd
version of matchhostname()" (Jan 14, 2010).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 29 Aug 2011 17:13:15 +0000 (13:13 -0400)]
sm-notify: Disable syslog messages when debugging is enabled
statd's "-F" flag disables syslog output, and specifies sm-notify's
"-d" option when it runs it. sm-notify's "-d" option should therefore
also disable syslog output.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 29 Aug 2011 16:56:17 +0000 (12:56 -0400)]
pdate addres for Free Software Foundation
License texts contain multiple address for FSF, some wrong.
So update them and replace COPYING file with
http://www.gnu.org/licenses/gpl-2.0.txt
which has a few changes to preamble and commentary.
Also remove extra COPYING file from utils/statd/
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Ian Kent [Mon, 29 Aug 2011 16:29:36 +0000 (12:29 -0400)]
umount.nfs: fix nfs4 check
From: Ian Kent <ikent@redhat.com>
nfs_umount_is_vers4() doesn't take acount of the escaping of characters
seen in /proc/mounts and /etc/mtab as the functions in fstab.c do. This
leads to an inability to umount a mount containing any of these escaped
characters (like spaces).
This patch changes nfs_umount_is_vers4() to use functions in fstab.c and
adds a function to fstab.c to read /proc/mounts specifically, as it was
used for the check in nfs_umount_is_vers4() previously.
Signed-off-by: Ian Kent <ikent@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Luk Claes [Mon, 29 Aug 2011 15:46:17 +0000 (11:46 -0400)]
exports.man: Fix comment syntax
Using three single-quotes for a comment sort of works because it
results in invoking a nonexistent macro, but it results in a huge
number of warnings when trying to validate the man page.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Luk Claes <luk@debian.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Max Matveev [Tue, 16 Aug 2011 11:57:43 +0000 (07:57 -0400)]
mount.nfs: submarvellous messages from mount.nfs
Consider a setup where mountd on the server is controlled via
tcp_wrappers (usual RHEL setup) and will not process calls from a
particular client because of something in /etc/hosts.deny.
When such client attempts to do v3 mount, the error message printed
by mount.nfs is misleading.
This patch changes that error message from:
mount.nfs: Argument list too long
to
mount.nfs: access denied by server while mounting server:/export
Chuck Lever [Wed, 3 Aug 2011 17:22:52 +0000 (13:22 -0400)]
rpc.statd: Bind downcall socket to loopback address
In the past, rpc.statd posted SM_NOTIFY requests using the same socket
it used for sending downcalls to the kernel. To receive replies from
remote hosts, the socket was bound to INADDR_ANY.
With commit f113db52 "Remove notify functionality from statd in
favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
used for sending requests to remote hosts. However, the downcall
socket is still bound to INADDR_ANY.
Thus a remote host can inject data on this socket since it is an
unconnected UDP socket listening for RPC replies. Thanks to f113db52,
the port number of this socket is no longer controlled by a command
line option, making it difficult to firewall.
We have demonstrated that data injection on this socket can result in
a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
far we have not found a breach.
To prevent unwanted data injection, bind this socket to the loopback
address.
Fixed the usage of strcmp in the duplicate check in insert groups.
Fixes an issue with showmount and other commands that required
the group information.
Signed-off-by: Matthew Treinish <treinish@linux.vnet.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Mi Jinlong [Wed, 3 Aug 2011 16:52:48 +0000 (12:52 -0400)]
rpc.mountd: let mountd consult /etc/services for port
At RHEL, if user set port for mountd at /etc/services as
"mount 12345/tcp", mountd should be bind to 12345, but the
latest nfs-utils, mountd get a rand port, not 12345.
This patch make sure mountd be bind to the port which was set
at /etc/service.
Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Statd should always 'chdir' to its state directory.
s statd can be started by 'mount' which can sometimes be run by a
normal user, the current-working-directory could be anything. In
partcular it could be in a mounted filesystem. As 'statd' continues
running as a daemon it could keep prevent that filesystem from being
unmounted.
statd does currently 'chdir' to the state directory, but only if the
state directory is not owned by root. This is wrong - it should check
for root after the chdir, not before.
So swap the two if statements around.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Kevin Coffman [Thu, 21 Jul 2011 18:16:59 +0000 (14:16 -0400)]
svcgssd: use correct defaults in call to gss_set_allowable_enctypes
For the window of kernels between 2.6.35 (when the support
for newer encryption was added) and 2.6.39 (when the ability
to read the supported enctypes from the kernel was added),
use a default of all enctypes when the kernel supported
enctypes file cannot be read.
For kernels before 2.6.35, continue to use a default of
only DES enctypes.
Note that the version of Kerberos must also support the use of
gss_set_allowable_enctypes for service-side negotiations.
See also: http://bugzilla.redhat.com/show_bug.cgi?id=719776
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Michael Guntsche [Wed, 13 Jul 2011 17:26:57 +0000 (13:26 -0400)]
nfsidmap: Manpage corrections
I recently upgraded to 1.2.4 to use the new nfsidmap feature. While
following the manpage and the kernel documentation I noticed a
difference. Kernel docs mention key TYPE id_resolver while the manpage
states nfs_idmap. The following patch changes the manpage to the proper
type.
mount.nfs: Do not segfault because of kernel version
mount.nfs segfaults if kernel version number does not contain
at least 3 components delimited with a dot.
Avoid this by matching up to three unsigned integers inialised
to zero, separated by dots.
A version that does not start with an integer is probably a future
version where the versioning evolved to another scheme.
Return UINT_MAX which is guaranteed to be higher than existing
versions. This would also make it possible to easily identify
versions that do not start with an integer.
Signed-off-by: Luk Claes <luk@debian.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Kevin Coffman [Thu, 30 Jun 2011 15:13:38 +0000 (11:13 -0400)]
Add requirement for newer libgssglue for svcgssd -n option
SNAFU. This came to my attention minutes after 1.2.4 was
released...
Changes in commit d6c1b35c require that gss_acquire_cred()
is now called when the "-n" option is used. This requires an
updated libgssglue which properly handles name GSS_C_NO_NAME
as input to gss_import_name()/gss_acquire_cred().
Add a requirement for the newer version.
Without the newer libgssglue, when svcgssd is started with "-n"
you will see the error message, "ERROR: GSS-API: error in
gss_acquire_cred(): GSS_S_BAD_NAME (An invalid name was supplied)
- Unknown error"
Steve Dickson [Wed, 21 Sep 2011 18:05:07 +0000 (14:05 -0400)]
mountstats: Breaks on 3.1 kernels
mountstats depend on all devices entries in /proc/self/mountstats
to start with the word 'device'. With 3.1 kernels, NFS entries
start with the actual device (i.e. server:/export) not
the word 'device'. This change confused mountstats parsing.
Steve Dickson [Wed, 21 Sep 2011 17:52:49 +0000 (13:52 -0400)]
nfsiostat: Breaks on 3.1 kernels
nfsiostat depend on all devices entries in /proc/self/mountstats
to start with the word 'device'. With 3.1 kernels, NFS entries
start with the actual device (i.e. server:/export) not
the word 'device'. This change confused nfsiostat parsing.
The decoded octal will always be positive and (char) -1 is negative. Any
field containing an encoded octal will be rejected.
As the encoded value should be an unsigned char, fix the check to reject
all values > (unsigned char) -1 = UCHAR_MAX, as this indicate an error
in the encoding.
Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Steve Dickson [Tue, 20 Sep 2011 16:52:46 +0000 (12:52 -0400)]
statd: Decouple statd's state directory from the NFS state directory
To allow greater flexibility to where statd's state is kept,
statd's state path can now be decoupled from the normal
NFS state directory.
In configure.ac, the NSM_DEFAULT_STATEDIR definition will now define
the path to where the state information is kept. The default
value, /var/lib/nfs, can be redefined with the --with-statdpath
flag.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
J. Bruce Fields [Tue, 20 Sep 2011 11:40:15 +0000 (07:40 -0400)]
nfsd: allow choosing server 41 support at runtime
In the case where -N 4.1 is left off the commandline, the current code
explicitly turns it on or off anyway, depending on configure options.
Instead, just leave 4.1 support alone. This allows a user to add an
"echo +4.1 >/proc/fs/nfsd/versions" to their init scripts, if they want.
Otherwise they will get the kernel's default (currently to leave 4.1
off, as long as 4.1 support is experimental).
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 19 Sep 2011 18:23:54 +0000 (14:23 -0400)]
sm-notify: sm-notify leaves monitor records in sm.bak
sm-notify fails to remove monitor records from sm.bak when it has
finally notified a host. This is because of a recent change to send
two SM_NOTIFY requests for each monitored peer: one with the local
host's FQDN, and one with an unqualified version of same. This was
commit baa41b2c: "sm-notify: Send fully-qualified and unqualified
mon_names" (March 19, 2010).
Because of the March 2010 commit, sm-notify modifies the "my_name"
string during notification, but then uses this modified string to try
to find the monitor record to remove. Of course the search for the
record fails. So a persistent monitor record is left in sm.bak.
Aside from leaving trash around, this causes the same hosts to be
notified after every reboot, even if they successfully responded to
the previous SM_NOTIFY and they had no contact with us during the last
boot.
I also noticed that the trick of truncating the argument of SM_NOTIFY
doesn't work at all if a substitute "my_name" was specified via the "-v"
command line option. This patch attempts to address that as well.
sm-notify should preserve the original my_name string so that
nsm_delete_host() can find the correct monitor record to delete. Also
add some degree of protection to the mon_name and my_name strings in
each nsm_host record to prevent a future change from breaking this
dependency.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 19 Sep 2011 18:20:25 +0000 (14:20 -0400)]
sm-notify: Avoid extra rpcbind queries
The logic in notify_host() watches the host->retries counter to see if
progress is not being made. If progress stalls, notify_host() tries
another IP address. This means sm-notify will generate a fresh
rpcbind query.
After an RPC succeeds, be sure to reset host->retries so sm-notify
doesn't start walking down the host's addrinfo list when we _are_
making progress. In the common case, if the host responds, we avoid
extra rpcbind queries and send all requests for the host to the same
IP address.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 19 Sep 2011 18:18:47 +0000 (14:18 -0400)]
sm-notify: Use correct retransmit timeout when sending a fresh RPC
An RPC retransmit timeout should start out the same for each new RPC
request. Don't increase the retransmit timeout after receiving the
reply to the rpcbind query.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 19 Sep 2011 18:10:08 +0000 (14:10 -0400)]
nfsumount: Squelch compiler warning
nfsumount.c: In function nfs_umount_is_vers4:
nfsumount.c:164: warning: conversion to int from size_t may alter its value
nfsumount.c:173: warning: conversion to ?size_t? from int may change the sign of the result
Chuck Lever [Mon, 19 Sep 2011 18:02:10 +0000 (14:02 -0400)]
configure.ac: Fix help string for --with-statedir= option
The help string for --with-statedir attempts to show "/var/lib/nfs" in
square brackets, but they don't appear on my system (Fedora 13). Use
the AC_HELP_STRING macro to display the help string properly, like all
the other "with" and "enable" options specified in our configure.ac.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Mike Frysinger [Thu, 1 Sep 2011 15:34:25 +0000 (11:34 -0400)]
exportfs: do not warn if /etc/exports.d/ does not exist
It isn't uncommon for /etc/exports.d/ to not exist, and imo, it's not
that big of a deal as often times, a simple /etc/exports is sufficient.
So silently skip the case where the dir is missing.
Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Steve Dickson <steved@redhat.com>
It looks like the existing algorithm for verifying the passed-in bind
address is as broken as statd_matchhostname() used to be: for IP
addresses, AI_CANONNAME is useless. We need to have getnameinfo(3) or
equivalent in there.
Clean up: extract the logic that verifies the command line bind
address into its own function, and make it handle canonical name
lookup correctly.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Same change as statd_matchhostname() is necessary for the logic in
exportfs.
Recall that these are "separate but nearly equal" because the exportfs
version requires extra expensive string checking that would be onerous
for statd.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
The job of statd_matchhostname() is to work hard at matching two
hostnames or presentation IP addresses that may refer to the same
host.
statd_matchhostname() turns the hostname of the local system into a
list of addresses containing only the loopback address. The actual
DNS registered address of the system does not appear in that list.
Presentation IP addresses, on the other hand, are soundly ignored by
the AI_CANONNAME option of getaddrinfo(3). The ai_canonname string
that is returned is just the same presentation IP address. And the
resulting list of addresses contains just that IP address.
So if the DNS registered IP address of the local host is passed in as
one argument, and the local hostname is passed as the other argument,
statd_matchhostname() whiffs and believes there is no match. To fix
this, the logic needs to be smarter about deriving a hostname from an
IP address.
This appears to cause no end of trouble: monitor records pile up in
/var/lib/nfs/sm and sm.bak, notifications are missed, and so on. This
has likely been around since commit cbd3a131 "statd: Introduce statd
version of matchhostname()" (Jan 14, 2010).
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Chuck Lever [Mon, 29 Aug 2011 17:13:15 +0000 (13:13 -0400)]
sm-notify: Disable syslog messages when debugging is enabled
statd's "-F" flag disables syslog output, and specifies sm-notify's
"-d" option when it runs it. sm-notify's "-d" option should therefore
also disable syslog output.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
NeilBrown [Mon, 29 Aug 2011 16:56:17 +0000 (12:56 -0400)]
pdate addres for Free Software Foundation
License texts contain multiple address for FSF, some wrong.
So update them and replace COPYING file with
http://www.gnu.org/licenses/gpl-2.0.txt
which has a few changes to preamble and commentary.
Also remove extra COPYING file from utils/statd/
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Ian Kent [Mon, 29 Aug 2011 16:29:36 +0000 (12:29 -0400)]
umount.nfs: fix nfs4 check
From: Ian Kent <ikent@redhat.com>
nfs_umount_is_vers4() doesn't take acount of the escaping of characters
seen in /proc/mounts and /etc/mtab as the functions in fstab.c do. This
leads to an inability to umount a mount containing any of these escaped
characters (like spaces).
This patch changes nfs_umount_is_vers4() to use functions in fstab.c and
adds a function to fstab.c to read /proc/mounts specifically, as it was
used for the check in nfs_umount_is_vers4() previously.
Signed-off-by: Ian Kent <ikent@redhat.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Luk Claes [Mon, 29 Aug 2011 15:46:17 +0000 (11:46 -0400)]
exports.man: Fix comment syntax
Using three single-quotes for a comment sort of works because it
results in invoking a nonexistent macro, but it results in a huge
number of warnings when trying to validate the man page.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Luk Claes <luk@debian.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Max Matveev [Tue, 16 Aug 2011 11:57:43 +0000 (07:57 -0400)]
mount.nfs: submarvellous messages from mount.nfs
Consider a setup where mountd on the server is controlled via
tcp_wrappers (usual RHEL setup) and will not process calls from a
particular client because of something in /etc/hosts.deny.
When such client attempts to do v3 mount, the error message printed
by mount.nfs is misleading.
This patch changes that error message from:
mount.nfs: Argument list too long
to
mount.nfs: access denied by server while mounting server:/export
Chuck Lever [Wed, 3 Aug 2011 17:22:52 +0000 (13:22 -0400)]
rpc.statd: Bind downcall socket to loopback address
In the past, rpc.statd posted SM_NOTIFY requests using the same socket
it used for sending downcalls to the kernel. To receive replies from
remote hosts, the socket was bound to INADDR_ANY.
With commit f113db52 "Remove notify functionality from statd in
favour of sm-notify" (Mar 20, 2007), the downcall socket is no longer
used for sending requests to remote hosts. However, the downcall
socket is still bound to INADDR_ANY.
Thus a remote host can inject data on this socket since it is an
unconnected UDP socket listening for RPC replies. Thanks to f113db52,
the port number of this socket is no longer controlled by a command
line option, making it difficult to firewall.
We have demonstrated that data injection on this socket can result in
a DoS by causing rpc.statd to consume CPU and log bandwidth, but so
far we have not found a breach.
To prevent unwanted data injection, bind this socket to the loopback
address.
Fixed the usage of strcmp in the duplicate check in insert groups.
Fixes an issue with showmount and other commands that required
the group information.
Signed-off-by: Matthew Treinish <treinish@linux.vnet.ibm.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Mi Jinlong [Wed, 3 Aug 2011 16:52:48 +0000 (12:52 -0400)]
rpc.mountd: let mountd consult /etc/services for port
At RHEL, if user set port for mountd at /etc/services as
"mount 12345/tcp", mountd should be bind to 12345, but the
latest nfs-utils, mountd get a rand port, not 12345.
This patch make sure mountd be bind to the port which was set
at /etc/service.
Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com> Signed-off-by: Steve Dickson <steved@redhat.com>
Statd should always 'chdir' to its state directory.
s statd can be started by 'mount' which can sometimes be run by a
normal user, the current-working-directory could be anything. In
partcular it could be in a mounted filesystem. As 'statd' continues
running as a daemon it could keep prevent that filesystem from being
unmounted.
statd does currently 'chdir' to the state directory, but only if the
state directory is not owned by root. This is wrong - it should check
for root after the chdir, not before.
So swap the two if statements around.
Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Steve Dickson <steved@redhat.com>
Kevin Coffman [Thu, 21 Jul 2011 18:16:59 +0000 (14:16 -0400)]
svcgssd: use correct defaults in call to gss_set_allowable_enctypes
For the window of kernels between 2.6.35 (when the support
for newer encryption was added) and 2.6.39 (when the ability
to read the supported enctypes from the kernel was added),
use a default of all enctypes when the kernel supported
enctypes file cannot be read.
For kernels before 2.6.35, continue to use a default of
only DES enctypes.
Note that the version of Kerberos must also support the use of
gss_set_allowable_enctypes for service-side negotiations.
See also: http://bugzilla.redhat.com/show_bug.cgi?id=719776
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Michael Guntsche [Wed, 13 Jul 2011 17:26:57 +0000 (13:26 -0400)]
nfsidmap: Manpage corrections
I recently upgraded to 1.2.4 to use the new nfsidmap feature. While
following the manpage and the kernel documentation I noticed a
difference. Kernel docs mention key TYPE id_resolver while the manpage
states nfs_idmap. The following patch changes the manpage to the proper
type.
mount.nfs: Do not segfault because of kernel version
mount.nfs segfaults if kernel version number does not contain
at least 3 components delimited with a dot.
Avoid this by matching up to three unsigned integers inialised
to zero, separated by dots.
A version that does not start with an integer is probably a future
version where the versioning evolved to another scheme.
Return UINT_MAX which is guaranteed to be higher than existing
versions. This would also make it possible to easily identify
versions that do not start with an integer.
Signed-off-by: Luk Claes <luk@debian.org> Signed-off-by: Steve Dickson <steved@redhat.com>
Kevin Coffman [Thu, 30 Jun 2011 15:13:38 +0000 (11:13 -0400)]
Add requirement for newer libgssglue for svcgssd -n option
SNAFU. This came to my attention minutes after 1.2.4 was
released...
Changes in commit d6c1b35c require that gss_acquire_cred()
is now called when the "-n" option is used. This requires an
updated libgssglue which properly handles name GSS_C_NO_NAME
as input to gss_import_name()/gss_acquire_cred().
Add a requirement for the newer version.
Without the newer libgssglue, when svcgssd is started with "-n"
you will see the error message, "ERROR: GSS-API: error in
gss_acquire_cred(): GSS_S_BAD_NAME (An invalid name was supplied)
- Unknown error"