X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmountd%2Fauth.c;h=ccc849a7222f9d596764547b7b2c681d88bc914e;hp=44d998016559c30057e6166a2b67267a69c9c9c6;hb=014e00dfaea0efc92150e2aedc5ca43aa337545e;hpb=ac5b03be829b4c9369ebfb07a688308721103228

diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c
index 44d9980..ccc849a 100644
--- a/utils/mountd/auth.c
+++ b/utils/mountd/auth.c
@@ -14,11 +14,15 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <errno.h>
+#include <unistd.h>
+
+#include "sockaddr.h"
 #include "misc.h"
 #include "nfslib.h"
 #include "exportfs.h"
 #include "mountd.h"
 #include "xmalloc.h"
+#include "v4root.h"
 
 enum auth_error
 {
@@ -36,6 +40,7 @@ static nfs_export my_exp;
 static nfs_client my_client;
 
 extern int new_cache;
+extern int use_ipaddr;
 
 void
 auth_init(char *exports)
@@ -46,82 +51,148 @@ auth_init(char *exports)
 	xtab_mount_write();
 }
 
-int
+/*
+ * A client can match many different netgroups and it's tough to know
+ * beforehand whether it will. If the concatenated string of netgroup
+ * m_hostnames is >512 bytes, then enable the "use_ipaddr" mode. This
+ * makes mountd change how it matches a client ip address when a mount
+ * request comes in. It's more efficient at handling netgroups at the
+ * expense of larger kernel caches.
+ */
+static void
+check_useipaddr(void)
+{
+	nfs_client *clp;
+	int old_use_ipaddr = use_ipaddr;
+	unsigned int len = 0;
+
+	/* add length of m_hostname + 1 for the comma */
+	for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next)
+		len += (strlen(clp->m_hostname) + 1);
+
+	if (len > (NFSCLNT_IDMAX / 2))
+		use_ipaddr = 1;
+	else
+		use_ipaddr = 0;
+
+	if (use_ipaddr != old_use_ipaddr)
+		cache_flush(1);
+}
+
+unsigned int
 auth_reload()
 {
 	struct stat		stb;
-	static time_t		last_modified = 0;
-
-	if (stat(_PATH_ETAB, &stb) < 0)
+	static ino_t		last_inode;
+	static int		last_fd;
+	static unsigned int	counter;
+	int			fd;
+
+	if ((fd = open(_PATH_ETAB, O_RDONLY)) < 0) {
+		xlog(L_FATAL, "couldn't open %s", _PATH_ETAB);
+	} else if (fstat(fd, &stb) < 0) {
 		xlog(L_FATAL, "couldn't stat %s", _PATH_ETAB);
-	if (stb.st_mtime == last_modified)
-		return 0;
-	last_modified = stb.st_mtime;
+	} else if (stb.st_ino == last_inode) {
+		close(fd);
+		return counter;
+	} else {
+		close(last_fd);
+		last_fd = fd;
+		last_inode = stb.st_ino;
+	}
 
 	export_freeall();
 	memset(&my_client, 0, sizeof(my_client));
-	// export_read(export_file);
 	xtab_export_read();
+	check_useipaddr();
+	v4root_set();
 
-	return 1;
+	++counter;
+
+	return counter;
 }
 
+static char *
+get_client_hostname(const struct sockaddr *caller, struct addrinfo *ai,
+		enum auth_error *error)
+{
+	char buf[INET6_ADDRSTRLEN];
+	char *n;
+
+	if (use_ipaddr)
+		return strdup(host_ntop(caller, buf, sizeof(buf)));
+	n = client_compose(ai);
+	*error = unknown_host;
+	if (!n)
+		return NULL;
+	if (*n)
+		return n;
+	free(n);
+	return strdup("DEFAULT");
+}
+
+/* return static nfs_export with details filled in */
 static nfs_export *
-auth_authenticate_internal(char *what, struct sockaddr_in *caller,
-			   char *path, struct hostent *hp,
+auth_authenticate_newcache(const struct sockaddr *caller,
+			   const char *path, struct addrinfo *ai,
 			   enum auth_error *error)
 {
-	nfs_export		*exp;
+	nfs_export *exp;
+	int i;
 
-	if (new_cache) {
-		int i;
-		/* return static nfs_export with details filled in */
-		if (my_client.m_naddr != 1 ||
-		    my_client.m_addrlist[0].s_addr != caller->sin_addr.s_addr) {
-			/* different client to last time, so do a lookup */
-			char *n;
-			my_client.m_naddr = 0;
-			my_client.m_addrlist[0] = caller->sin_addr;
-			n = client_compose(caller->sin_addr);
-			*error = unknown_host;
-			if (!n)
-				return NULL;
-			strcpy(my_client.m_hostname, *n?n:"DEFAULT");
-			free(n);
-			my_client.m_naddr = 1;
+	free(my_client.m_hostname);
+
+	my_client.m_hostname = get_client_hostname(caller, ai, error);
+	if (my_client.m_hostname == NULL)
+		return NULL;
+
+	my_client.m_naddr = 1;
+	set_addrlist(&my_client, 0, caller);
+	my_exp.m_client = &my_client;
+
+	exp = NULL;
+	for (i = 0; !exp && i < MCL_MAXTYPES; i++)
+		for (exp = exportlist[i].p_head; exp; exp = exp->m_next) {
+			if (strcmp(path, exp->m_export.e_path))
+				continue;
+			if (!use_ipaddr && !client_member(my_client.m_hostname, exp->m_client->m_hostname))
+				continue;
+			if (use_ipaddr && !client_check(exp->m_client, ai))
+				continue;
+			break;
 		}
+	*error = not_exported;
+	if (!exp)
+		return NULL;
 
-		my_exp.m_client = &my_client;
-
-		exp = NULL;
-		for (i = 0; !exp && i < MCL_MAXTYPES; i++) 
-			for (exp = exportlist[i]; exp; exp = exp->m_next) {
-				if (!client_member(my_client.m_hostname, exp->m_client->m_hostname))
-					continue;
-				if (strcmp(path, exp->m_export.e_path))
-					continue;
-				break;
-			}
-		*error = not_exported;
-		if (!exp)
-			return exp;
+	my_exp.m_export = exp->m_export;
+	exp = &my_exp;
+	return exp;
+}
 
-		my_exp.m_export = exp->m_export;
-		exp = &my_exp;
+static nfs_export *
+auth_authenticate_internal(const struct sockaddr *caller, const char *path,
+		struct addrinfo *ai, enum auth_error *error)
+{
+	nfs_export *exp;
 
+	if (new_cache) {
+		exp = auth_authenticate_newcache(caller, path, ai, error);
+		if (!exp)
+			return NULL;
 	} else {
-		if (!(exp = export_find(hp, path))) {
+		exp = export_find(ai, path);
+		if (exp == NULL) {
 			*error = no_entry;
 			return NULL;
 		}
-		if (!exp->m_mayexport) {
-			*error = not_exported;
-			return NULL;
-		}
+	}
+	if (exp->m_export.e_flags & NFSEXP_V4ROOT) {
+		*error = no_entry;
+		return NULL;
 	}
 	if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
-		    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
-		     ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
+		     nfs_get_port(caller) >= IPPORT_RESERVED) {
 		*error = illegal_port;
 		return NULL;
 	}
@@ -131,18 +202,19 @@ auth_authenticate_internal(char *what, struct sockaddr_in *caller,
 }
 
 nfs_export *
-auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
+auth_authenticate(const char *what, const struct sockaddr *caller,
+		const char *path)
 {
 	nfs_export	*exp = NULL;
 	char		epath[MAXPATHLEN+1];
 	char		*p = NULL;
-	struct hostent	*hp = NULL;
-	struct in_addr	addr = caller->sin_addr;
-	enum auth_error	error;
+	char		buf[INET6_ADDRSTRLEN];
+	struct addrinfo *ai = NULL;
+	enum auth_error	error = bad_path;
 
-	if (path [0] != '/') {
-		xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
-		     what, inet_ntoa(addr), path);
+	if (path[0] != '/') {
+		xlog(L_WARNING, "Bad path in %s request from %s: \"%s\"",
+			     what, host_ntop(caller, buf, sizeof(buf)), path);
 		return exp;
 	}
 
@@ -150,18 +222,13 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
 	epath[sizeof (epath) - 1] = '\0';
 	auth_fixpath(epath); /* strip duplicate '/' etc */
 
-	hp = get_reliable_hostbyaddr((const char*)&caller->sin_addr, sizeof(struct in_addr),
-				     AF_INET);
-	if (!hp)
-		hp = get_hostent((const char*)&caller->sin_addr, sizeof(struct in_addr),
-				     AF_INET);
-	if (!hp)
+	ai = client_resolve(caller);
+	if (ai == NULL)
 		return exp;
 
 	/* Try the longest matching exported pathname. */
 	while (1) {
-		exp = auth_authenticate_internal(what, caller, epath,
-						 hp, &error);
+		exp = auth_authenticate_internal(caller, epath, ai, &error);
 		if (exp || (error != not_exported && error != no_entry))
 			break;
 		/* We have to treat the root, "/", specially. */
@@ -174,41 +241,40 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path)
 	switch (error) {
 	case bad_path:
 		xlog(L_WARNING, "bad path in %s request from %s: \"%s\"",
-		     what, inet_ntoa(addr), path);
+		     what, host_ntop(caller, buf, sizeof(buf)), path);
 		break;
 
 	case unknown_host:
-		xlog(L_WARNING, "%s request from unknown host %s for %s (%s)",
-		     what, inet_ntoa(addr), path, epath);
+		xlog(L_WARNING, "refused %s request from %s for %s (%s): unmatched host",
+		     what, host_ntop(caller, buf, sizeof(buf)), path, epath);
 		break;
 
 	case no_entry:
 		xlog(L_WARNING, "refused %s request from %s for %s (%s): no export entry",
-		     what, hp->h_name, path, epath);
+		     what, ai->ai_canonname, path, epath);
 		break;
 
 	case not_exported:
 		xlog(L_WARNING, "refused %s request from %s for %s (%s): not exported",
-		     what, hp->h_name, path, epath);
+		     what, ai->ai_canonname, path, epath);
 		break;
 
 	case illegal_port:
-		xlog(L_WARNING, "refused %s request from %s for %s (%s): illegal port %d",
-		     what, hp->h_name, path, epath, ntohs(caller->sin_port));
+		xlog(L_WARNING, "refused %s request from %s for %s (%s): illegal port %u",
+		     what, ai->ai_canonname, path, epath, nfs_get_port(caller));
 		break;
 
 	case success:
-		xlog(L_NOTICE, "authenticated %s request from %s:%d for %s (%s)",
-		     what, hp->h_name, ntohs(caller->sin_port), path, epath);
+		xlog(L_NOTICE, "authenticated %s request from %s:%u for %s (%s)",
+		     what, ai->ai_canonname, nfs_get_port(caller), path, epath);
 		break;
 	default:
-		xlog(L_NOTICE, "%s request from %s:%d for %s (%s) gave %d",
-		     what, hp->h_name, ntohs(caller->sin_port), path, epath, error);
+		xlog(L_NOTICE, "%s request from %s:%u for %s (%s) gave %d",
+		     what, ai->ai_canonname, nfs_get_port(caller),
+			path, epath, error);
 	}
 
-	if (hp)
-		free (hp);
-
+	freeaddrinfo(ai);
 	return exp;
 }