X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd_proc.c;h=af1844c2d38490e1ccb5c21e2aa45cd34cca376e;hp=ec251fa0b6069c8bcb42dafdcef89f73afd8e9d2;hb=f9f5450f8f946ffc664397c86d05d27ba0406e21;hpb=fbcdfb5150d8263196bad0f074f74d9d5c69113f diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index ec251fa..af1844c 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -66,6 +67,7 @@ #include #include #include +#include #include "gssd.h" #include "err_util.h" @@ -106,6 +108,9 @@ struct pollfd * pollarray; unsigned long pollsize; /* the size of pollaray (in pollfd's) */ +/* Avoid DNS reverse lookups on server names */ +int avoid_dns = 1; + /* * convert a presentation address string to a sockaddr_storage struct. Returns * true on success or false on failure. @@ -164,12 +169,31 @@ addrstr_to_sockaddr(struct sockaddr *sa, const char *node, const char *port) * convert a sockaddr to a hostname */ static char * -sockaddr_to_hostname(const struct sockaddr *sa, const char *addr) +get_servername(const char *name, const struct sockaddr *sa, const char *addr) { socklen_t addrlen; int err; - char *hostname; + char *hostname; char hbuf[NI_MAXHOST]; + unsigned char buf[sizeof(struct in6_addr)]; + int servername = 0; + + if (avoid_dns) { + /* + * Determine if this is a server name, or an IP address. + * If it is an IP address, do the DNS lookup otherwise + * skip the DNS lookup. + */ + servername = 0; + if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1) + servername = 1; /* IPv4 */ + else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1) + servername = 1; /* or IPv6 */ + + if (servername) { + return strdup(name); + } + } switch (sa->sa_family) { case AF_INET: @@ -207,7 +231,7 @@ read_service_info(char *info_file_name, char **servicename, char **servername, struct sockaddr *addr) { #define INFOBUFLEN 256 char buf[INFOBUFLEN + 1]; - static char dummy[128]; + static char server[128]; int nbytes; static char service[128]; static char address[128]; @@ -235,7 +259,7 @@ read_service_info(char *info_file_name, char **servicename, char **servername, "service: %127s %15s version %15s\n" "address: %127s\n" "protocol: %15s\n", - dummy, + server, service, program, version, address, protoname); @@ -250,25 +274,14 @@ read_service_info(char *info_file_name, char **servicename, char **servername, if ((p = strstr(buf, "port")) != NULL) sscanf(p, "port: %127s\n", port); - /* check service, program, and version */ - if (memcmp(service, "nfs", 3) != 0) - return -1; + /* get program, and version numbers */ *prog = atoi(program + 1); /* skip open paren */ *vers = atoi(version); - if (strlen(service) == 3 ) { - if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) && - (*vers != 4))) - goto fail; - } else if (memcmp(service, "nfs4_cb", 7) == 0) { - if (*vers != 1) - goto fail; - } - if (!addrstr_to_sockaddr(addr, address, port)) goto fail; - *servername = sockaddr_to_hostname(addr, address); + *servername = get_servername(server, addr, address); if (*servername == NULL) goto fail; @@ -398,10 +411,10 @@ process_clnt_dir_files(struct clnt_info * clp) static int get_poll_index(int *ind) { - int i; + unsigned int i; *ind = -1; - for (i=0; id_name, "clnt", 4) - && !find_client(namelist[i]->d_name, pipe_name)) + if (!strncmp(namelist[i]->d_name, "clnt", 4) + && !find_client(namelist[i]->d_name, pipe_name)) process_clnt_dir(namelist[i]->d_name, pipe_name); free(namelist[i]); } @@ -715,7 +731,7 @@ out_err: /* * If the port isn't already set, do an rpcbind query to the remote server - * using the program and version and get the port. + * using the program and version and get the port. * * Newer kernels send the value of the port= mount option in the "info" * file for the upcall or '0' for NFSv2/3. For NFSv4 it sends the value @@ -807,7 +823,8 @@ create_auth_rpc_client(struct clnt_info *clp, CLIENT **clnt_return, AUTH **auth_return, uid_t uid, - int authtype) + int authtype, + gss_cred_id_t cred) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -833,7 +850,7 @@ create_auth_rpc_client(struct clnt_info *clp, sec.qop = GSS_C_QOP_DEFAULT; sec.svc = RPCSEC_GSS_SVC_NONE; - sec.cred = GSS_C_NO_CREDENTIAL; + sec.cred = cred; sec.req_flags = 0; if (authtype == AUTHTYPE_KRB5) { sec.mech = (gss_OID)&krb5oid; @@ -958,16 +975,11 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + gss_cred_id_t gss_cred; OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); - if (tgtname) { - if (clp->servicename) { - free(clp->servicename); - clp->servicename = strdup(tgtname); - } - } token.length = 0; token.value = NULL; memset(&pd, 0, sizeof(struct authgss_private_data)); @@ -998,15 +1010,20 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 && service == NULL)) { /* Tell krb5 gss which credentials cache to use */ - for (dirname = ccachesearch; *dirname != NULL; dirname++) { + /* Try first to acquire credentials directly via GSSAPI */ + err = gssd_acquire_user_cred(uid, &gss_cred); + if (!err) + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, + AUTHTYPE_KRB5, gss_cred); + /* if create_auth_rplc_client fails try the traditional method of + * trolling for credentials */ + for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) { err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, - AUTHTYPE_KRB5); - if (create_resp == 0) - break; + AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL); } } if (create_resp != 0) { @@ -1016,7 +1033,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, int success = 0; do { gssd_refresh_krb5_machine_credential(clp->servername, - NULL, service); + NULL, service, + tgtname); /* * Get a list of credential cache names and try each * of them until one works or we've tried them all @@ -1025,22 +1043,23 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, printerr(0, "ERROR: No credentials found " "for connection to server %s\n", clp->servername); - goto out_return_error; + goto out_return_error; } for (ccname = credlist; ccname && *ccname; ccname++) { gssd_setup_krb5_machine_gss_ccache(*ccname); if ((create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, - AUTHTYPE_KRB5)) == 0) { + AUTHTYPE_KRB5, + GSS_C_NO_CREDENTIAL)) == 0) { /* Success! */ success++; break; - } + } printerr(2, "WARNING: Failed to create machine krb5 context " "with credentials cache %s for server %s\n", *ccname, clp->servername); } - gssd_free_krb5_machine_cred_list(credlist); + gssd_free_krb5_machine_cred_list(credlist); if (!success) { if(nocache == 0) { nocache++; @@ -1078,7 +1097,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, printerr(1, "WARNING: Failed to inquire context for lifetme " "maj_stat %u\n", maj_stat); - if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { + if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", uid, clp->servername); @@ -1090,8 +1109,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, out: if (token.value) free(token.value); -#ifndef HAVE_LIBTIRPC - if (pd.pd_ctx_hndl.length != 0) +#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA + if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != 0) authgss_free_private_data(&pd); #endif if (auth) @@ -1237,6 +1256,6 @@ out: free(enctypes); free(target); free(service); - return; + return; }