X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd_proc.c;h=ec251fa0b6069c8bcb42dafdcef89f73afd8e9d2;hp=e393d5902f578f91134463ed9073c849c69a9499;hb=fbcdfb5150d8263196bad0f074f74d9d5c69113f;hpb=41f32cd96eca95a2730603ebc539440c48a1dda5 diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e393d59..ec251fa 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -659,19 +659,22 @@ parse_enctypes(char *enctypes) static int do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd, - gss_buffer_desc *context_token) + gss_buffer_desc *context_token, OM_uint32 lifetime_rec) { char *buf = NULL, *p = NULL, *end = NULL; unsigned int timeout = context_timeout; unsigned int buf_size = 0; - printerr(1, "doing downcall\n"); + printerr(1, "doing downcall lifetime_rec %u\n", lifetime_rec); buf_size = sizeof(uid) + sizeof(timeout) + sizeof(pd->pd_seq_win) + sizeof(pd->pd_ctx_hndl.length) + pd->pd_ctx_hndl.length + sizeof(context_token->length) + context_token->length; p = buf = malloc(buf_size); end = buf + buf_size; + /* context_timeout set by -t option overrides context lifetime */ + if (timeout == 0) + timeout = lifetime_rec; if (WRITE_BYTES(&p, end, uid)) goto out_err; if (WRITE_BYTES(&p, end, timeout)) goto out_err; if (WRITE_BYTES(&p, end, pd->pd_seq_win)) goto out_err; @@ -799,11 +802,12 @@ set_port: * Create an RPC connection and establish an authenticated * gss context with a server. */ -int create_auth_rpc_client(struct clnt_info *clp, - CLIENT **clnt_return, - AUTH **auth_return, - uid_t uid, - int authtype) +static int +create_auth_rpc_client(struct clnt_info *clp, + CLIENT **clnt_return, + AUTH **auth_return, + uid_t uid, + int authtype) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -937,23 +941,6 @@ int create_auth_rpc_client(struct clnt_info *clp, goto out; } -static char * -user_cachedir(char *dirname, uid_t uid) -{ - struct passwd *pw; - char *ptr; - - if ((pw = getpwuid(uid)) == NULL) { - printerr(0, "user_cachedir: Failed to find '%d' uid" - " for cache directory\n"); - return NULL; - } - ptr = malloc(strlen(dirname)+strlen(pw->pw_name)+2); - if (ptr) - sprintf(ptr, "%s/%s", dirname, pw->pw_name); - - return ptr; -} /* * this code uses the userland rpcsec gss library to create a krb5 * context on behalf of the kernel @@ -968,9 +955,10 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, gss_buffer_desc token; char **credlist = NULL; char **ccname; - char **dirname, *dir, *userdir; + char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); @@ -1011,22 +999,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, service == NULL)) { /* Tell krb5 gss which credentials cache to use */ for (dirname = ccachesearch; *dirname != NULL; dirname++) { - /* See if the user name is needed */ - if (strncmp(*dirname, GSSD_USER_CRED_DIR, - strlen(GSSD_USER_CRED_DIR)) == 0) { - userdir = user_cachedir(*dirname, uid); - if (userdir == NULL) - continue; - dir = userdir; - } else - dir = *dirname; - - err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, dir); - - if (userdir) { - free(userdir); - userdir = NULL; - } + err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) @@ -1096,6 +1069,15 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } + /* Grab the context lifetime to pass to the kernel. lifetime_rec + * is set to zero on error */ + maj_stat = gss_inquire_context(&min_stat, pd.pd_ctx, NULL, NULL, + &lifetime_rec, NULL, NULL, NULL, NULL); + + if (maj_stat) + printerr(1, "WARNING: Failed to inquire context for lifetme " + "maj_stat %u\n", maj_stat); + if (serialize_context_for_kernel(pd.pd_ctx, &token, &krb5oid, NULL)) { printerr(0, "WARNING: Failed to serialize krb5 context for " "user with uid %d for server %s\n", @@ -1103,7 +1085,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, goto out_return_error; } - do_downcall(fd, uid, &pd, &token); + do_downcall(fd, uid, &pd, &token, lifetime_rec); out: if (token.value) @@ -1134,7 +1116,7 @@ handle_krb5_upcall(struct clnt_info *clp) return; } - return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); + process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL); } void