X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd_proc.c;h=ec251fa0b6069c8bcb42dafdcef89f73afd8e9d2;hp=aa394359e27398fd3dfe25462ca2be177b7088d4;hb=fbcdfb5150d8263196bad0f074f74d9d5c69113f;hpb=245fad6be5a32866b2cefad55b3e2d50f6b197af diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index aa39435..ec251fa 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -104,7 +104,7 @@ struct pollfd * pollarray; -int pollsize; /* the size of pollaray (in pollfd's) */ +unsigned long pollsize; /* the size of pollaray (in pollfd's) */ /* * convert a presentation address string to a sockaddr_storage struct. Returns @@ -340,6 +340,25 @@ process_clnt_dir_files(struct clnt_info * clp) char gname[PATH_MAX]; char info_file_name[PATH_MAX]; + if (clp->gssd_close_me) { + printerr(2, "Closing 'gssd' pipe for %s\n", clp->dirname); + close(clp->gssd_fd); + memset(&pollarray[clp->gssd_poll_index], 0, + sizeof(struct pollfd)); + clp->gssd_fd = -1; + clp->gssd_poll_index = -1; + clp->gssd_close_me = 0; + } + if (clp->krb5_close_me) { + printerr(2, "Closing 'krb5' pipe for %s\n", clp->dirname); + close(clp->krb5_fd); + memset(&pollarray[clp->krb5_poll_index], 0, + sizeof(struct pollfd)); + clp->krb5_fd = -1; + clp->krb5_poll_index = -1; + clp->krb5_close_me = 0; + } + if (clp->gssd_fd == -1) { snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname); clp->gssd_fd = open(gname, O_RDWR); @@ -640,19 +659,22 @@ parse_enctypes(char *enctypes) static int do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, - gss_buffer_desc *context_token) + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) { char *buf = NULL, *p = NULL, *end = NULL; unsigned int timeout = context_timeout; unsigned int buf_size = 0; - printerr(1, "doing downcall\n"); + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + sizeof(context_token->length) + context_token->length; p = buf = malloc(buf_size); end = buf + buf_size; + /* context_timeout set by -t option overrides context lifetime */ + if (timeout == 0) + timeout = lifetime_rec; if (WRITE_BYTES(&p, end, uid)) goto out_err; if (WRITE_BYTES(&p, end, timeout)) goto out_err; if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; @@ -780,11 +802,12 @@ set_port: * Create an RPC connection and establish an authenticated * gss context with a server. */ -int create_auth_rpc_client(struct clnt_info *clp, - CLIENT **clnt_return, - AUTH **auth_return, - uid_t uid, - int authtype) +static int +create_auth_rpc_client(struct clnt_info *clp, + CLIENT **clnt_return, + AUTH **auth_return, + uid_t uid, + int authtype) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -918,23 +941,6 @@ int create_auth_rpc_client(struct clnt_info *clp, goto out; } -static char * -user_cachedir(char *dirname, uid_t uid) -{ - struct passwd *pw; - char *ptr; - - if ((pw = getpwuid(uid)) == NULL) { - printerr(0, "user_cachedir: Failed to find '%d' uid" - " for cache directory\n"); - return NULL; - } - ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2); - if (ptr) - sprintf(ptr, "%s/%s", dirname, pw->pw_name); - - return ptr; -} /* * this code uses the userland rpcsec gss library to create a krb5 * context on behalf of the kernel @@ -949,9 +955,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, gss_buffer_desc token; char **credlist = NULL; char **ccname; - char **dirname, *dir, *userdir; + char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); @@ -992,22 +999,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, service == NULL)) { /* Tell krb5 gss which credentials cache to use */ for (dirname = ccachesearch; *dirname != NULL; dirname++) { - /* See if the user name is needed */ - if (strncmp(*dirname, GSSD_USER_CRED_DIR, - strlen(GSSD_USER_CRED_DIR)) == 0) { - userdir = user_cachedir(*dirname, uid); - if (userdir == NULL) - continue; - dir = userdir; - } else - dir = *dirname; - - err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir); - - if (userdir) { - free(userdir); - userdir = NULL; - } + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) @@ -1077,6 +1069,15 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } + /* Grab the context lifetime to pass to the kernel. lifetime_rec + * is set to zero on error */ + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, + &lifetime_rec, NULL, NULL, NULL, NULL); + + if (maj_stat) + printerr(1, "WARNING: Failed to inquire context for lifetme " + "maj_stat %u\n", maj_stat); + if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", @@ -1084,7 +1085,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } - do_downcall(fd, uid, &pd, &token); + do_downcall(fd, uid, &pd, &token, lifetime_rec); out: if (token.value) @@ -1115,7 +1116,7 @@ handle_krb5_upcall(struct clnt_info *clp) return; } - return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); } void