X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd_proc.c;h=d6f07e63e714c2fdc77b436ecd7adc825127d64d;hp=e393d5902f578f91134463ed9073c849c69a9499;hb=051eb4863cf880f0349a1de44517f9c99a9c5bd4;hpb=41f32cd96eca95a2730603ebc539440c48a1dda5 diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e393d59..d6f07e6 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -168,7 +169,7 @@ sockaddr_to_hostname(const struct sockaddr *sa, const char *addr) { socklen_t addrlen; int err; - char *hostname; + char *hostname; char hbuf[NI_MAXHOST]; switch (sa->sa_family) { @@ -250,21 +251,10 @@ read_service_info(char *info_file_name, char **servicename, char **servername, if ((p = strstr(buf, "port")) != NULL) sscanf(p, "port: %127s\n", port); - /* check service, program, and version */ - if (memcmp(service, "nfs", 3) != 0) - return -1; + /* get program, and version numbers */ *prog = atoi(program + 1); /* skip open paren */ *vers = atoi(version); - if (strlen(service) == 3 ) { - if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) && - (*vers != 4))) - goto fail; - } else if (memcmp(service, "nfs4_cb", 7) == 0) { - if (*vers != 1) - goto fail; - } - if (!addrstr_to_sockaddr(addr, address, port)) goto fail; @@ -398,10 +388,10 @@ process_clnt_dir_files(struct clnt_info * clp) static int get_poll_index(int *ind) { - int i; + unsigned int i; *ind = -1; - for (i=0; id_name, "clnt", 4) - && !find_client(namelist[i]->d_name, pipe_name)) + if (!strncmp(namelist[i]->d_name, "clnt", 4) + && !find_client(namelist[i]->d_name, pipe_name)) process_clnt_dir(namelist[i]->d_name, pipe_name); free(namelist[i]); } @@ -659,19 +652,22 @@ parse_enctypes(char *enctypes) static int do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, - gss_buffer_desc *context_token) + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) { char *buf = NULL, *p = NULL, *end = NULL; unsigned int timeout = context_timeout; unsigned int buf_size = 0; - printerr(1, "doing downcall\n"); + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + sizeof(context_token->length) + context_token->length; p = buf = malloc(buf_size); end = buf + buf_size; + /* context_timeout set by -t option overrides context lifetime */ + if (timeout == 0) + timeout = lifetime_rec; if (WRITE_BYTES(&p, end, uid)) goto out_err; if (WRITE_BYTES(&p, end, timeout)) goto out_err; if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; @@ -712,7 +708,7 @@ out_err: /* * If the port isn't already set, do an rpcbind query to the remote server - * using the program and version and get the port. + * using the program and version and get the port. * * Newer kernels send the value of the port= mount option in the "info" * file for the upcall or '0' for NFSv2/3. For NFSv4 it sends the value @@ -799,11 +795,12 @@ set_port: * Create an RPC connection and establish an authenticated * gss context with a server. */ -int create_auth_rpc_client(struct clnt_info *clp, - CLIENT **clnt_return, - AUTH **auth_return, - uid_t uid, - int authtype) +static int +create_auth_rpc_client(struct clnt_info *clp, + CLIENT **clnt_return, + AUTH **auth_return, + uid_t uid, + int authtype) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -937,23 +934,6 @@ int create_auth_rpc_client(struct clnt_info *clp, goto out; } -static char * -user_cachedir(char *dirname, uid_t uid) -{ - struct passwd *pw; - char *ptr; - - if ((pw = getpwuid(uid)) == NULL) { - printerr(0, "user_cachedir: Failed to find '%d' uid" - " for cache directory\n"); - return NULL; - } - ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2); - if (ptr) - sprintf(ptr, "%s/%s", dirname, pw->pw_name); - - return ptr; -} /* * this code uses the userland rpcsec gss library to create a krb5 * context on behalf of the kernel @@ -968,18 +948,13 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, gss_buffer_desc token; char **credlist = NULL; char **ccname; - char **dirname, *dir, *userdir; + char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); - if (tgtname) { - if (clp->servicename) { - free(clp->servicename); - clp->servicename = strdup(tgtname); - } - } token.length = 0; token.value = NULL; memset(&pd, 0, sizeof(struct authgss_private_data)); @@ -1011,22 +986,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, service == NULL)) { /* Tell krb5 gss which credentials cache to use */ for (dirname = ccachesearch; *dirname != NULL; dirname++) { - /* See if the user name is needed */ - if (strncmp(*dirname, GSSD_USER_CRED_DIR, - strlen(GSSD_USER_CRED_DIR)) == 0) { - userdir = user_cachedir(*dirname, uid); - if (userdir == NULL) - continue; - dir = userdir; - } else - dir = *dirname; - - err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir); - - if (userdir) { - free(userdir); - userdir = NULL; - } + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) @@ -1043,7 +1003,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, int success = 0; do { gssd_refresh_krb5_machine_credential(clp->servername, - NULL, service); + NULL, service, + tgtname); /* * Get a list of credential cache names and try each * of them until one works or we've tried them all @@ -1052,7 +1013,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, printerr(0, "ERROR: No credentials found " "for connection to server %s\n", clp->servername); - goto out_return_error; + goto out_return_error; } for (ccname = credlist; ccname && *ccname; ccname++) { gssd_setup_krb5_machine_gss_ccache(*ccname); @@ -1062,12 +1023,12 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, /* Success! */ success++; break; - } + } printerr(2, "WARNING: Failed to create machine krb5 context " "with credentials cache %s for server %s\n", *ccname, clp->servername); } - gssd_free_krb5_machine_cred_list(credlist); + gssd_free_krb5_machine_cred_list(credlist); if (!success) { if(nocache == 0) { nocache++; @@ -1096,20 +1057,29 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } - if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { + /* Grab the context lifetime to pass to the kernel. lifetime_rec + * is set to zero on error */ + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, + &lifetime_rec, NULL, NULL, NULL, NULL); + + if (maj_stat) + printerr(1, "WARNING: Failed to inquire context for lifetme " + "maj_stat %u\n", maj_stat); + + if (serialize_context_for_kernel(&pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", uid, clp->servername); goto out_return_error; } - do_downcall(fd, uid, &pd, &token); + do_downcall(fd, uid, &pd, &token, lifetime_rec); out: if (token.value) free(token.value); -#ifndef HAVE_LIBTIRPC - if (pd.pd_ctx_hndl.length != 0) +#ifdef HAVE_AUTHGSS_FREE_PRIVATE_DATA + if (pd.pd_ctx_hndl.length != 0 || pd.pd_ctx != 0) authgss_free_private_data(&pd); #endif if (auth) @@ -1134,7 +1104,7 @@ handle_krb5_upcall(struct clnt_info *clp) return; } - return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); } void @@ -1255,6 +1225,6 @@ out: free(enctypes); free(target); free(service); - return; + return; }