X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fmountd%2Fauth.c;h=ccc849a7222f9d596764547b7b2c681d88bc914e;hp=afa2292888088afdd572661ce9b65d5c6e21f1c0;hb=014e00dfaea0efc92150e2aedc5ca43aa337545e;hpb=b45205d2d37bfc6cedba593f52897787511520cc diff --git a/utils/mountd/auth.c b/utils/mountd/auth.c index afa2292..ccc849a 100644 --- a/utils/mountd/auth.c +++ b/utils/mountd/auth.c @@ -6,16 +6,23 @@ * Copyright (C) 1995, 1996 Olaf Kirch */ -#include "config.h" +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include #include +#include + +#include "sockaddr.h" #include "misc.h" #include "nfslib.h" #include "exportfs.h" #include "mountd.h" +#include "xmalloc.h" +#include "v4root.h" enum auth_error { @@ -24,16 +31,16 @@ enum auth_error no_entry, not_exported, illegal_port, - faked_hostent, - no_forward_dns, success }; static void auth_fixpath(char *path); -static nfs_export* auth_authenticate_internal - (char *what, struct sockaddr_in *caller, char *path, - struct hostent **hpp, enum auth_error *error); static char *export_file = NULL; +static nfs_export my_exp; +static nfs_client my_client; + +extern int new_cache; +extern int use_ipaddr; void auth_init(char *exports) @@ -44,115 +51,184 @@ auth_init(char *exports) xtab_mount_write(); } -int +/* + * A client can match many different netgroups and it's tough to know + * beforehand whether it will. If the concatenated string of netgroup + * m_hostnames is >512 bytes, then enable the "use_ipaddr" mode. This + * makes mountd change how it matches a client ip address when a mount + * request comes in. It's more efficient at handling netgroups at the + * expense of larger kernel caches. + */ +static void +check_useipaddr(void) +{ + nfs_client *clp; + int old_use_ipaddr = use_ipaddr; + unsigned int len = 0; + + /* add length of m_hostname + 1 for the comma */ + for (clp = clientlist[MCL_NETGROUP]; clp; clp = clp->m_next) + len += (strlen(clp->m_hostname) + 1); + + if (len > (NFSCLNT_IDMAX / 2)) + use_ipaddr = 1; + else + use_ipaddr = 0; + + if (use_ipaddr != old_use_ipaddr) + cache_flush(1); +} + +unsigned int auth_reload() { struct stat stb; - static time_t last_modified = 0; - - if (stat(_PATH_ETAB, &stb) < 0) + static ino_t last_inode; + static int last_fd; + static unsigned int counter; + int fd; + + if ((fd = open(_PATH_ETAB, O_RDONLY)) < 0) { + xlog(L_FATAL, "couldn't open %s", _PATH_ETAB); + } else if (fstat(fd, &stb) < 0) { xlog(L_FATAL, "couldn't stat %s", _PATH_ETAB); - if (stb.st_mtime == last_modified) - return 0; - last_modified = stb.st_mtime; + } else if (stb.st_ino == last_inode) { + close(fd); + return counter; + } else { + close(last_fd); + last_fd = fd; + last_inode = stb.st_ino; + } export_freeall(); - // export_read(export_file); + memset(&my_client, 0, sizeof(my_client)); xtab_export_read(); + check_useipaddr(); + v4root_set(); + + ++counter; + + return counter; +} - return 1; +static char * +get_client_hostname(const struct sockaddr *caller, struct addrinfo *ai, + enum auth_error *error) +{ + char buf[INET6_ADDRSTRLEN]; + char *n; + + if (use_ipaddr) + return strdup(host_ntop(caller, buf, sizeof(buf))); + n = client_compose(ai); + *error = unknown_host; + if (!n) + return NULL; + if (*n) + return n; + free(n); + return strdup("DEFAULT"); } +/* return static nfs_export with details filled in */ static nfs_export * -auth_authenticate_internal(char *what, struct sockaddr_in *caller, - char *path, struct hostent **hpp, +auth_authenticate_newcache(const struct sockaddr *caller, + const char *path, struct addrinfo *ai, enum auth_error *error) { - struct in_addr addr = caller->sin_addr; - nfs_export *exp; + nfs_export *exp; + int i; - if (path[0] != '/') { - *error = bad_path; + free(my_client.m_hostname); + + my_client.m_hostname = get_client_hostname(caller, ai, error); + if (my_client.m_hostname == NULL) return NULL; - } - auth_fixpath(path); - - if (!(*hpp = gethostbyaddr((const char *)&addr, sizeof(addr), AF_INET))) - *hpp = get_hostent((const char *)&addr, sizeof(addr), - AF_INET); - else { - /* must make sure the hostent is authorative. */ - char **sp; - struct hostent *forward; - - forward = gethostbyname((*hpp)->h_name); - if (forward) { - /* now make sure the "addr" is in the list */ - for (sp = forward->h_addr_list ; *sp ; sp++) { - if (memcmp(*sp, &addr, forward->h_length)==0) - break; - } - - if (!*sp) { - /* it was a FAKE */ - *error = faked_hostent; - *hpp = hostent_dup (*hpp); - return NULL; - } - *hpp = hostent_dup (forward); + + my_client.m_naddr = 1; + set_addrlist(&my_client, 0, caller); + my_exp.m_client = &my_client; + + exp = NULL; + for (i = 0; !exp && i < MCL_MAXTYPES; i++) + for (exp = exportlist[i].p_head; exp; exp = exp->m_next) { + if (strcmp(path, exp->m_export.e_path)) + continue; + if (!use_ipaddr && !client_member(my_client.m_hostname, exp->m_client->m_hostname)) + continue; + if (use_ipaddr && !client_check(exp->m_client, ai)) + continue; + break; } - else { - /* never heard of it. misconfigured DNS? */ - *error = no_forward_dns; - *hpp = hostent_dup (*hpp); + *error = not_exported; + if (!exp) + return NULL; + + my_exp.m_export = exp->m_export; + exp = &my_exp; + return exp; +} + +static nfs_export * +auth_authenticate_internal(const struct sockaddr *caller, const char *path, + struct addrinfo *ai, enum auth_error *error) +{ + nfs_export *exp; + + if (new_cache) { + exp = auth_authenticate_newcache(caller, path, ai, error); + if (!exp) + return NULL; + } else { + exp = export_find(ai, path); + if (exp == NULL) { + *error = no_entry; return NULL; } } - - if (!(exp = export_find(*hpp, path))) { + if (exp->m_export.e_flags & NFSEXP_V4ROOT) { *error = no_entry; return NULL; } - if (!exp->m_mayexport) { - *error = not_exported; - return NULL; - } - if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) && - (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || - ntohs(caller->sin_port) >= IPPORT_RESERVED)) { + nfs_get_port(caller) >= IPPORT_RESERVED) { *error = illegal_port; return NULL; } - *error = success; return exp; } nfs_export * -auth_authenticate(char *what, struct sockaddr_in *caller, char *path) +auth_authenticate(const char *what, const struct sockaddr *caller, + const char *path) { nfs_export *exp = NULL; char epath[MAXPATHLEN+1]; char *p = NULL; - struct hostent *hp = NULL; - struct in_addr addr = caller->sin_addr; - enum auth_error error; + char buf[INET6_ADDRSTRLEN]; + struct addrinfo *ai = NULL; + enum auth_error error = bad_path; - if (path [0] != '/') return exp; + if (path[0] != '/') { + xlog(L_WARNING, "Bad path in %s request from %s: \"%s\"", + what, host_ntop(caller, buf, sizeof(buf)), path); + return exp; + } strncpy(epath, path, sizeof (epath) - 1); epath[sizeof (epath) - 1] = '\0'; + auth_fixpath(epath); /* strip duplicate '/' etc */ + + ai = client_resolve(caller); + if (ai == NULL) + return exp; /* Try the longest matching exported pathname. */ while (1) { - if (hp) { - free (hp); - hp = NULL; - } - exp = auth_authenticate_internal(what, caller, epath, - &hp, &error); + exp = auth_authenticate_internal(caller, epath, ai, &error); if (exp || (error != not_exported && error != no_entry)) break; /* We have to treat the root, "/", specially. */ @@ -165,51 +241,40 @@ auth_authenticate(char *what, struct sockaddr_in *caller, char *path) switch (error) { case bad_path: xlog(L_WARNING, "bad path in %s request from %s: \"%s\"", - what, inet_ntoa(addr), path); + what, host_ntop(caller, buf, sizeof(buf)), path); break; case unknown_host: - xlog(L_WARNING, "%s request from unknown host %s for %s (%s)", - what, inet_ntoa(addr), path, epath); + xlog(L_WARNING, "refused %s request from %s for %s (%s): unmatched host", + what, host_ntop(caller, buf, sizeof(buf)), path, epath); break; case no_entry: xlog(L_WARNING, "refused %s request from %s for %s (%s): no export entry", - what, hp->h_name, path, epath); + what, ai->ai_canonname, path, epath); break; case not_exported: xlog(L_WARNING, "refused %s request from %s for %s (%s): not exported", - what, hp->h_name, path, epath); + what, ai->ai_canonname, path, epath); break; case illegal_port: - xlog(L_WARNING, "refused %s request from %s for %s (%s): illegal port %d", - what, hp->h_name, path, epath, ntohs(caller->sin_port)); - break; - - case faked_hostent: - xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): DNS forward lookup does't match with reverse", - what, inet_ntoa(addr), hp->h_name, path, epath); - break; - - case no_forward_dns: - xlog(L_WARNING, "refused %s request from %s (%s) for %s (%s): no DNS forward lookup", - what, inet_ntoa(addr), hp->h_name, path, epath); + xlog(L_WARNING, "refused %s request from %s for %s (%s): illegal port %u", + what, ai->ai_canonname, path, epath, nfs_get_port(caller)); break; case success: - xlog(L_NOTICE, "authenticated %s request from %s:%d for %s (%s)", - what, hp->h_name, ntohs(caller->sin_port), path, epath); + xlog(L_NOTICE, "authenticated %s request from %s:%u for %s (%s)", + what, ai->ai_canonname, nfs_get_port(caller), path, epath); break; default: - xlog(L_NOTICE, "%s request from %s:%d for %s (%s) gave %d", - what, hp->h_name, ntohs(caller->sin_port), path, epath, error); + xlog(L_NOTICE, "%s request from %s:%u for %s (%s) gave %d", + what, ai->ai_canonname, nfs_get_port(caller), + path, epath, error); } - if (hp) - free (hp); - + freeaddrinfo(ai); return exp; }