X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmountd%2Fauth.c;h=9de7ba7165be898094252fd5861e3fa1b1e43749;hp=49567c93158b384a592ebed479a689c733dea593;hb=fcb905a5392c31a4c31e7d9e616e691d61358731;hpb=9b2a1e5430e9bcca39eddc25464234fd95d50b83

diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c
index 49567c9..9de7ba7 100644
--- a/utils/mountd/auth.c
+++ b/utils/mountd/auth.c
@@ -25,17 +25,14 @@ enum auth_error
   no_entry,
   not_exported,
   illegal_port,
-  faked_hostent,
-  no_forward_dns,
   success
 };
 
 static void		auth_fixpath(char *path);
-static nfs_export*	auth_authenticate_internal
-  (char *what, struct sockaddr_in *caller, char *path,
-   struct hostent **hpp, enum auth_error *error);
 static char	*export_file = NULL;
 
+extern int new_cache;
+
 void
 auth_init(char *exports)
 {
@@ -66,82 +63,65 @@ auth_reload()
 
 static nfs_export *
 auth_authenticate_internal(char *what, struct sockaddr_in *caller,
-			   char *path, struct hostent **hpp,
+			   char *path, struct hostent *hp,
 			   enum auth_error *error)
 {
-	struct in_addr		addr = caller->sin_addr;
 	nfs_export		*exp;
 
-	if (path[0] != '/') {
-		*error = bad_path;
-		return NULL;
-	}
-	auth_fixpath(path);
-
-	/* First try it w/o doing a hostname lookup... */
-	*hpp = get_hostent((const char *)&addr, sizeof(addr), AF_INET);
-	exp = export_find(*hpp, path);
-
-	if (!exp) {
-	    /* Ok, that didn't fly.  Try it with a reverse lookup. */
-	    free (*hpp);
-	    *hpp = gethostbyaddr((const char *)&addr, sizeof(addr),
-				 AF_INET);
-	    if (!(*hpp)) {
-		*error = no_entry;
-		return NULL;
-	    } else {
-		/* must make sure the hostent is authorative. */
-		char **sp;
-		struct hostent *forward = NULL;
-		char *tmpname;
-
-		tmpname = xstrdup((*hpp)->h_name);
-		if (tmpname) {
-			forward = gethostbyname(tmpname);
-			free(tmpname);
-		}
-		if (forward) {
-			/* now make sure the "addr" is in the list */
-			for (sp = forward->h_addr_list ; *sp ; sp++) {
-				if (memcmp(*sp, &addr, forward->h_length)==0)
-					break;
-			}
-		
-			if (!*sp) {
-				/* it was a FAKE */
-				*error = faked_hostent;
-				*hpp = hostent_dup (*hpp);
+	if (new_cache) {
+		static nfs_export my_exp;
+		static nfs_client my_client;
+		int i;
+		/* return static nfs_export with details filled in */
+		if (my_client.m_naddr != 1 ||
+		    my_client.m_addrlist[0].s_addr != caller->sin_addr.s_addr) {
+			/* different client to last time, so do a lookup */
+			char *n;
+			my_client.m_naddr = 0;
+			my_client.m_addrlist[0] = caller->sin_addr;
+			n = client_compose(caller->sin_addr);
+			*error = unknown_host;
+			if (!n)
 				return NULL;
-			}
-			*hpp = hostent_dup (forward);
+			strcpy(my_client.m_hostname, *n?n:"DEFAULT");
+			free(n);
+			my_client.m_naddr = 1;
 		}
-		else {
-			/* never heard of it. misconfigured DNS? */
-			*error = no_forward_dns;
-			*hpp = hostent_dup (*hpp);
-			return NULL;
-		}
-	    }
 
-	    if (!(exp = export_find(*hpp, path))) {
-		*error = no_entry;
-		return NULL;
-	    }
-	}
+		my_exp.m_client = &my_client;
 
-	if (!exp->m_mayexport) {
+		exp = NULL;
+		for (i = 0; !exp && i < MCL_MAXTYPES; i++) 
+			for (exp = exportlist[i]; exp; exp = exp->m_next) {
+				if (!client_member(my_client.m_hostname, exp->m_client->m_hostname))
+					continue;
+				if (strcmp(path, exp->m_export.e_path))
+					continue;
+				break;
+			}
 		*error = not_exported;
-		return NULL;
-	}
+		if (!exp)
+			return exp;
+
+		my_exp.m_export = exp->m_export;
+		exp = &my_exp;
 
+	} else {
+		if (!(exp = export_find(hp, path))) {
+			*error = no_entry;
+			return NULL;
+		}
+		if (!exp->m_mayexport) {
+			*error = not_exported;
+			return NULL;
+		}
+	}
 	if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
-	    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
-	     ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+		    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
+		     ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
 		*error = illegal_port;
 		return NULL;
 	}
-
 	*error = success;
 
 	return exp;
@@ -157,19 +137,28 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
 	struct in_addr	addr = caller->sin_addr;
 	enum auth_error	error;
 
-	if (path [0] != '/') return exp;
+	if (path [0] != '/') {
+		xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
+		     what, inet_ntoa(addr), path);
+		return exp;
+	}
 
 	strncpy(epath, path, sizeof (epath) - 1);
 	epath[sizeof (epath) - 1] = '\0';
+	auth_fixpath(epath); /* strip duplicate '/' etc */
+
+	hp = get_reliable_hostbyaddr((const char*)&caller->sin_addr, sizeof(struct in_addr),
+				     AF_INET);
+	if (!hp)
+		hp = get_hostent((const char*)&caller->sin_addr, sizeof(struct in_addr),
+				     AF_INET);
+	if (!hp)
+		return exp;
 
 	/* Try the longest matching exported pathname. */
 	while (1) {
-		if (hp) {
-			free (hp);
-			hp = NULL;
-		}
 		exp = auth_authenticate_internal(what, caller, epath,
-						 &hp, &error);
+						 hp, &error);
 		if (exp || (error != not_exported && error != no_entry))
 			break;
 		/* We have to treat the root, "/", specially. */
@@ -205,16 +194,6 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
 		     what, hp->h_name, path, epath, ntohs(caller->sin_port));
 		break;
 
-	case faked_hostent:
-		xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): DNS forward lookup does't match with reverse",
-		     what, inet_ntoa(addr), hp->h_name, path, epath);
-		break;
-
-	case no_forward_dns:
-		xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): no DNS forward lookup",
-		     what, inet_ntoa(addr), hp->h_name, path, epath);
-		break;
-
 	case success:
 		xlog(L_NOTICE, "authenticated %s request from %s:%d for %s (%s)",
 		     what, hp->h_name, ntohs(caller->sin_port), path, epath);