]> git.decadent.org.uk Git - nfs-utils.git/blob - utils/mountd/auth.c
The rpc.gssd scans for any suitable kerberos ticket. In cross-realm
[nfs-utils.git] / utils / mountd / auth.c
1 /*
2  * utils/mountd/auth.c
3  *
4  * Authentication procedures for mountd.
5  *
6  * Copyright (C) 1995, 1996 Olaf Kirch <okir@monad.swb.de>
7  */
8
9 #ifdef HAVE_CONFIG_H
10 #include <config.h>
11 #endif
12
13 #include <sys/stat.h>
14 #include <netinet/in.h>
15 #include <arpa/inet.h>
16 #include <errno.h>
17 #include <unistd.h>
18 #include "misc.h"
19 #include "nfslib.h"
20 #include "exportfs.h"
21 #include "mountd.h"
22 #include "xmalloc.h"
23
24 enum auth_error
25 {
26   bad_path,
27   unknown_host,
28   no_entry,
29   not_exported,
30   illegal_port,
31   success
32 };
33
34 static void             auth_fixpath(char *path);
35 static char     *export_file = NULL;
36 static nfs_export my_exp;
37 static nfs_client my_client;
38
39 extern int new_cache;
40 extern int use_ipaddr;
41
42 void
43 auth_init(char *exports)
44 {
45
46         export_file = exports;
47         auth_reload();
48         xtab_mount_write();
49 }
50
51 /*
52  * A client can match many different netgroups and it's tough to know
53  * beforehand whether it will. If the concatenated string of netgroup
54  * m_hostnames is >512 bytes, then enable the "use_ipaddr" mode. This
55  * makes mountd change how it matches a client ip address when a mount
56  * request comes in. It's more efficient at handling netgroups at the
57  * expense of larger kernel caches.
58  */
59 static void
60 check_useipaddr(void)
61 {
62         nfs_client *clp;
63         int old_use_ipaddr = use_ipaddr;
64         unsigned int len = 0;
65
66         /* add length of m_hostname + 1 for the comma */
67         for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next)
68                 len += (strlen(clp->m_hostname) + 1);
69
70         if (len > (NFSCLNT_IDMAX / 2))
71                 use_ipaddr = 1;
72         else
73                 use_ipaddr = 0;
74
75         if (use_ipaddr != old_use_ipaddr)
76                 cache_flush(1);
77 }
78
79 unsigned int
80 auth_reload()
81 {
82         struct stat             stb;
83         static ino_t            last_inode;
84         static int              last_fd;
85         static unsigned int     counter;
86         int                     fd;
87
88         if ((fd = open(_PATH_ETAB, O_RDONLY)) < 0) {
89                 xlog(L_FATAL, "couldn't open %s", _PATH_ETAB);
90         } else if (fstat(fd, &stb) < 0) {
91                 xlog(L_FATAL, "couldn't stat %s", _PATH_ETAB);
92         } else if (stb.st_ino == last_inode) {
93                 close(fd);
94                 return counter;
95         } else {
96                 close(last_fd);
97                 last_fd = fd;
98                 last_inode = stb.st_ino;
99         }
100
101         export_freeall();
102         memset(&my_client, 0, sizeof(my_client));
103         xtab_export_read();
104         check_useipaddr();
105         ++counter;
106
107         return counter;
108 }
109
110 static nfs_export *
111 auth_authenticate_internal(char *what, struct sockaddr_in *caller,
112                            char *path, struct hostent *hp,
113                            enum auth_error *error)
114 {
115         nfs_export              *exp;
116
117         if (new_cache) {
118                 int i;
119                 /* return static nfs_export with details filled in */
120                 char *n;
121                 free(my_client.m_hostname);
122                 if (use_ipaddr) {
123                         my_client.m_hostname =
124                                 strdup(inet_ntoa(caller->sin_addr));
125                 } else {
126                         n = client_compose(hp);
127                         *error = unknown_host;
128                         if (!n)
129                                 my_client.m_hostname = NULL;
130                         else if (*n)
131                                 my_client.m_hostname = n;
132                         else {
133                                 free(n);
134                                 my_client.m_hostname = strdup("DEFAULT");
135                         }
136                 }
137                 if (my_client.m_hostname == NULL)
138                         return NULL;
139                 my_client.m_naddr = 1;
140                 my_client.m_addrlist[0] = caller->sin_addr;
141                 my_exp.m_client = &my_client;
142
143                 exp = NULL;
144                 for (i = 0; !exp && i < MCL_MAXTYPES; i++) 
145                         for (exp = exportlist[i]; exp; exp = exp->m_next) {
146                                 if (strcmp(path, exp->m_export.e_path))
147                                         continue;
148                                 if (!use_ipaddr && !client_member(my_client.m_hostname, exp->m_client->m_hostname))
149                                         continue;
150                                 if (use_ipaddr && !client_check(exp->m_client, hp))
151                                         continue;
152                                 break;
153                         }
154                 *error = not_exported;
155                 if (!exp)
156                         return exp;
157
158                 my_exp.m_export = exp->m_export;
159                 exp = &my_exp;
160
161         } else {
162                 if (!(exp = export_find(hp, path))) {
163                         *error = no_entry;
164                         return NULL;
165                 }
166                 if (!exp->m_mayexport) {
167                         *error = not_exported;
168                         return NULL;
169                 }
170         }
171         if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
172                     (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
173                      ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
174                 *error = illegal_port;
175                 return NULL;
176         }
177         *error = success;
178
179         return exp;
180 }
181
182 nfs_export *
183 auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
184 {
185         nfs_export      *exp = NULL;
186         char            epath[MAXPATHLEN+1];
187         char            *p = NULL;
188         struct hostent  *hp = NULL;
189         struct in_addr  addr = caller->sin_addr;
190         enum auth_error error = bad_path;
191
192         if (path [0] != '/') {
193                 xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
194                      what, inet_ntoa(addr), path);
195                 return exp;
196         }
197
198         strncpy(epath, path, sizeof (epath) - 1);
199         epath[sizeof (epath) - 1] = '\0';
200         auth_fixpath(epath); /* strip duplicate '/' etc */
201
202         hp = client_resolve(caller->sin_addr);
203         if (!hp)
204                 return exp;
205
206         /* Try the longest matching exported pathname. */
207         while (1) {
208                 exp = auth_authenticate_internal(what, caller, epath,
209                                                  hp, &error);
210                 if (exp || (error != not_exported && error != no_entry))
211                         break;
212                 /* We have to treat the root, "/", specially. */
213                 if (p == &epath[1]) break;
214                 p = strrchr(epath, '/');
215                 if (p == epath) p++;
216                 *p = '\0';
217         }
218
219         switch (error) {
220         case bad_path:
221                 xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
222                      what, inet_ntoa(addr), path);
223                 break;
224
225         case unknown_host:
226                 xlog(L_WARNING, "%s request from unknown host %s for %s (%s)",
227                      what, inet_ntoa(addr), path, epath);
228                 break;
229
230         case no_entry:
231                 xlog(L_WARNING, "refused %s request from %s for %s (%s): no export entry",
232                      what, hp->h_name, path, epath);
233                 break;
234
235         case not_exported:
236                 xlog(L_WARNING, "refused %s request from %s for %s (%s): not exported",
237                      what, hp->h_name, path, epath);
238                 break;
239
240         case illegal_port:
241                 xlog(L_WARNING, "refused %s request from %s for %s (%s): illegal port %d",
242                      what, hp->h_name, path, epath, ntohs(caller->sin_port));
243                 break;
244
245         case success:
246                 xlog(L_NOTICE, "authenticated %s request from %s:%d for %s (%s)",
247                      what, hp->h_name, ntohs(caller->sin_port), path, epath);
248                 break;
249         default:
250                 xlog(L_NOTICE, "%s request from %s:%d for %s (%s) gave %d",
251                      what, hp->h_name, ntohs(caller->sin_port), path, epath, error);
252         }
253
254         if (hp)
255                 free (hp);
256
257         return exp;
258 }
259
260 static void
261 auth_fixpath(char *path)
262 {
263         char    *sp, *cp;
264
265         for (sp = cp = path; *sp; sp++) {
266                 if (*sp != '/' || sp[1] != '/')
267                         *cp++ = *sp;
268         }
269         while (cp > path+1 && cp[-1] == '/')
270                 cp--;
271         *cp = '\0';
272 }