From 69aa69e7de80b6cdf2ea0212a2f3df20fc8d3853 Mon Sep 17 00:00:00 2001 From: Steve Dickson Date: Thu, 17 Nov 2011 13:02:38 -0500 Subject: [PATCH] nfsidmap: Allow keys to be cleared from the keyring Added the '-c' command line argument that will clear all the keys from the keyring. Signed-off-by: Steve Dickson --- utils/nfsidmap/nfsidmap.c | 66 ++++++++++++++++++++++++++++++++++--- utils/nfsidmap/nfsidmap.man | 12 ++++++- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c index 6a09f38..cec2cb3 100644 --- a/utils/nfsidmap/nfsidmap.c +++ b/utils/nfsidmap/nfsidmap.c @@ -13,13 +13,19 @@ #include "xlog.h" int verbose = 0; -char *usage="Usage: %s [-v] [-t timeout] key desc"; +char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]"; #define MAX_ID_LEN 11 #define IDMAP_NAMESZ 128 #define USER 1 #define GROUP 0 +#define PROCKEYS "/proc/keys" +#ifndef DEFAULT_KEYRING +#define DEFAULT_KEYRING "id_resolver" +#endif + + /* * Find either a user or group id based on the name@domain string */ @@ -87,6 +93,50 @@ int name_lookup(char *id, key_serial_t key, int type) out: return rc; } +/* + * Clear all the keys on the given keyring + */ +static int keyring_clear(char *keyring) +{ + FILE *fp; + char buf[BUFSIZ]; + key_serial_t key; + + xlog_syslog(0); + if (keyring == NULL) + keyring = DEFAULT_KEYRING; + + if ((fp = fopen(PROCKEYS, "r")) == NULL) { + xlog_err("fopen(%s) failed: %m", PROCKEYS); + return 1; + } + + while(fgets(buf, BUFSIZ, fp) != NULL) { + if (strstr(buf, "keyring") == NULL) + continue; + if (strstr(buf, keyring) == NULL) + continue; + if (verbose) { + *(strchr(buf, '\n')) = '\0'; + xlog_warn("clearing '%s'", buf); + } + /* + * The key is the first arugment in the string + */ + *(strchr(buf, ' ')) = '\0'; + sscanf(buf, "%x", &key); + if (keyctl_clear(key) < 0) { + xlog_err("keyctl_clear(0x%x) failed: %m", key); + fclose(fp); + return 1; + } + fclose(fp); + return 0; + } + xlog_err("'%s' keyring was not found.", keyring); + fclose(fp); + return 1; +} int main(int argc, char **argv) { @@ -97,6 +147,7 @@ int main(int argc, char **argv) int timeout = 600; key_serial_t key; char *progname; + int clearring; /* Set the basename */ if ((progname = strrchr(argv[0], '/')) != NULL) @@ -105,11 +156,12 @@ int main(int argc, char **argv) progname = argv[0]; xlog_open(progname); - xlog_syslog(1); - xlog_stderr(0); - while ((opt = getopt(argc, argv, "t:v")) != -1) { + while ((opt = getopt(argc, argv, "ct:v")) != -1) { switch (opt) { + case 'c': + clearring++; + break; case 'v': verbose++; break; @@ -122,6 +174,12 @@ int main(int argc, char **argv) } } + if (clearring) { + rc = keyring_clear(DEFAULT_KEYRING); + return rc; + } + + xlog_stderr(0); if ((argc - optind) != 2) { xlog_err("Bad arg count. Check /etc/request-key.conf"); xlog_warn(usage, progname); diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man index c67aab6..9badb3f 100644 --- a/utils/nfsidmap/nfsidmap.man +++ b/utils/nfsidmap/nfsidmap.man @@ -7,6 +7,8 @@ nfsidmap \- The NFS idmapper upcall program .SH SYNOPSIS .B "nfsidmap [-v] [-t timeout] key desc" +.br +.B "nfsidmap [-v] [-c]" .SH DESCRIPTION The file .I /usr/sbin/nfsidmap @@ -14,10 +16,18 @@ is used by the NFS idmapper to translate user and group ids into names, and to translate user and group names into ids. Idmapper uses request-key to perform the upcall and cache the result. .I /usr/sbin/nfsidmap -should only be called by request-key, and will perform the translation and +is called by /sbin/request-key, and will perform the translation and initialize a key with the resulting information. +.PP +.I nfsidmap +can also used to clear the keyring of all the keys. +This is useful when all the mappings have failed to due to an DNS outage +or some other error resulting in all the cached uid/gid to be invalid. .SH OPTIONS .TP +.B -c +Clear the keyring of all the keys. +.TP .B -t timeout Set the expiration timer, in seconds, on the key. The default is 600 seconds (10 mins). -- 2.39.5