83
84
* linked list of struct clnt_info which associates a clntXXX directory
84
85
* with an index into pollarray[], and other basic data about that client.
86
* Directory structure: created by the kernel nfs client
87
* {pipefs_nfsdir}/clntXX : one per rpc_clnt struct in the kernel
88
* {pipefs_nfsdir}/clntXX/krb5 : read uid for which kernel wants
87
* Directory structure: created by the kernel
88
* {rpc_pipefs}/{dir}/clntXX : one per rpc_clnt struct in the kernel
89
* {rpc_pipefs}/{dir}/clntXX/krb5 : read uid for which kernel wants
89
90
* a context, write the resulting context
90
* {pipefs_nfsdir}/clntXX/info : stores info such as server name
91
* {rpc_pipefs}/{dir}/clntXX/info : stores info such as server name
92
* {rpc_pipefs}/{dir}/clntXX/gssd : pipe for all gss mechanisms using
93
* a text-based string of parameters
93
* Poll all {pipefs_nfsdir}/clntXX/krb5 files. When ready, data read
94
* is a uid; performs rpcsec_gss context initialization protocol to
96
* Poll all {rpc_pipefs}/{dir}/clntXX/YYYY files. When data is ready,
97
* read and process; performs rpcsec_gss context initialization protocol to
95
98
* get a cred for that user. Writes result to corresponding krb5 file
96
99
* in a form the kernel code will understand.
97
100
* In addition, we make sure we are notified whenever anything is
98
* created or destroyed in {pipefs_nfsdir} or in an of the clntXX directories,
99
* and rescan the whole {pipefs_nfsdir} when this happens.
101
* created or destroyed in {rpc_pipefs} or in any of the clntXX directories,
102
* and rescan the whole {rpc_pipefs} when this happens.
102
105
struct pollfd * pollarray;
117
120
* not really feasible at present.
120
addrstr_to_sockaddr(struct sockaddr *sa, const char *addr, const int port)
123
addrstr_to_sockaddr(struct sockaddr *sa, const char *node, const char *port)
122
struct sockaddr_in *s4 = (struct sockaddr_in *) sa;
123
#ifdef IPV6_SUPPORTED
124
struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) sa;
125
#endif /* IPV6_SUPPORTED */
127
if (inet_pton(AF_INET, addr, &s4->sin_addr)) {
128
s4->sin_family = AF_INET;
129
s4->sin_port = htons(port);
130
#ifdef IPV6_SUPPORTED
131
} else if (inet_pton(AF_INET6, addr, &s6->sin6_addr)) {
132
s6->sin6_family = AF_INET6;
133
s6->sin6_port = htons(port);
134
#endif /* IPV6_SUPPORTED */
136
printerr(0, "ERROR: unable to convert %s to address\n", addr);
126
struct addrinfo *res;
127
struct addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV };
129
#ifndef IPV6_SUPPORTED
130
hints.ai_family = AF_INET;
131
#endif /* IPV6_SUPPORTED */
133
rc = getaddrinfo(node, port, &hints, &res);
135
printerr(0, "ERROR: unable to convert %s|%s to sockaddr: %s\n",
136
node, port, rc == EAI_SYSTEM ? strerror(errno) :
141
#ifdef IPV6_SUPPORTED
143
* getnameinfo ignores the scopeid. If the address turns out to have
144
* a non-zero scopeid, we can't use it -- the resolved host might be
145
* completely different from the one intended.
147
if (res->ai_addr->sa_family == AF_INET6) {
148
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr;
149
if (sin6->sin6_scope_id) {
150
printerr(0, "ERROR: address %s has non-zero "
151
"sin6_scope_id!\n", node);
156
#endif /* IPV6_SUPPORTED */
158
memcpy(sa, res->ai_addr, res->ai_addrlen);
231
250
if ((p = strstr(buf, "port")) != NULL)
232
sscanf(p, "port: %127s\n", cb_port);
251
sscanf(p, "port: %127s\n", port);
234
253
/* check service, program, and version */
235
if(memcmp(service, "nfs", 3)) return -1;
254
if (memcmp(service, "nfs", 3) != 0)
236
256
*prog = atoi(program + 1); /* skip open paren */
237
257
*vers = atoi(version);
238
if((*prog != 100003) || ((*vers != 2) && (*vers != 3) && (*vers != 4)))
241
if (cb_port[0] != '\0') {
242
port = atoi(cb_port);
243
if (port < 0 || port > 65535)
259
if (strlen(service) == 3 ) {
260
if ((*prog != 100003) || ((*vers != 2) && (*vers != 3) &&
263
} else if (memcmp(service, "nfs4_cb", 7) == 0) {
316
343
process_clnt_dir_files(struct clnt_info * clp)
320
char info_file_name[32];
322
if (clp->krb5_fd == -1) {
323
snprintf(kname, sizeof(kname), "%s/krb5", clp->dirname);
324
clp->krb5_fd = open(kname, O_RDWR);
326
if (clp->spkm3_fd == -1) {
327
snprintf(sname, sizeof(sname), "%s/spkm3", clp->dirname);
328
clp->spkm3_fd = open(sname, O_RDWR);
330
if((clp->krb5_fd == -1) && (clp->spkm3_fd == -1))
346
char gname[PATH_MAX];
347
char info_file_name[PATH_MAX];
349
if (clp->gssd_fd == -1) {
350
snprintf(gname, sizeof(gname), "%s/gssd", clp->dirname);
351
clp->gssd_fd = open(gname, O_RDWR);
353
if (clp->gssd_fd == -1) {
354
if (clp->krb5_fd == -1) {
355
snprintf(name, sizeof(name), "%s/krb5", clp->dirname);
356
clp->krb5_fd = open(name, O_RDWR);
358
if (clp->spkm3_fd == -1) {
359
snprintf(name, sizeof(name), "%s/spkm3", clp->dirname);
360
clp->spkm3_fd = open(name, O_RDWR);
363
/* If we opened a gss-specific pipe, let's try opening
364
* the new upcall pipe again. If we succeed, close
365
* gss-specific pipe(s).
367
if (clp->krb5_fd != -1 || clp->spkm3_fd != -1) {
368
clp->gssd_fd = open(gname, O_RDWR);
369
if (clp->gssd_fd != -1) {
370
if (clp->krb5_fd != -1)
373
if (clp->spkm3_fd != -1)
374
close(clp->spkm3_fd);
380
if ((clp->krb5_fd == -1) && (clp->spkm3_fd == -1) &&
381
(clp->gssd_fd == -1))
332
383
snprintf(info_file_name, sizeof(info_file_name), "%s/info",
387
process_clnt_dir(char *dir)
447
process_clnt_dir(char *dir, char *pdir)
389
449
struct clnt_info * clp;
391
451
if (!(clp = insert_new_clnt()))
392
452
goto fail_destroy_client;
394
if (!(clp->dirname = calloc(strlen(dir) + 1, 1))) {
454
/* An extra for the '/', and an extra for the null */
455
if (!(clp->dirname = calloc(strlen(dir) + strlen(pdir) + 2, 1))) {
395
456
goto fail_destroy_client;
397
memcpy(clp->dirname, dir, strlen(dir));
458
sprintf(clp->dirname, "%s/%s", pdir, dir);
398
459
if ((clp->dir_fd = open(clp->dirname, O_RDONLY)) == -1) {
399
460
printerr(0, "ERROR: can't open %s: %s\n",
400
461
clp->dirname, strerror(errno));
438
499
* directories, since the DNOTIFY could have been in there.
441
update_old_clients(struct dirent **namelist, int size)
502
update_old_clients(struct dirent **namelist, int size, char *pdir)
443
504
struct clnt_info *clp;
445
506
int i, stillhere;
507
char fname[PATH_MAX];
447
509
for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
510
/* only compare entries in the global list that are from the
511
* same pipefs parent directory as "pdir"
513
if (strncmp(clp->dirname, pdir, strlen(pdir)) != 0) continue;
449
516
for (i=0; i < size; i++) {
450
if (!strcmp(clp->dirname, namelist[i]->d_name)) {
517
snprintf(fname, sizeof(fname), "%s/%s",
518
pdir, namelist[i]->d_name);
519
if (strcmp(clp->dirname, fname) == 0) {
469
538
/* Search for a client by directory name, return 1 if found, 0 otherwise */
471
find_client(char *dirname)
540
find_client(char *dirname, char *pdir)
473
542
struct clnt_info *clp;
543
char fname[PATH_MAX];
475
for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next)
476
if (!strcmp(clp->dirname, dirname))
545
for (clp = clnt_list.tqh_first; clp != NULL; clp = clp->list.tqe_next) {
546
snprintf(fname, sizeof(fname), "%s/%s", pdir, dirname);
547
if (strcmp(clp->dirname, fname) == 0)
481
/* Used to read (and re-read) list of clients, set up poll array. */
483
update_client_list(void)
554
process_pipedir(char *pipe_name)
485
556
struct dirent **namelist;
488
if (chdir(pipefs_nfsdir) < 0) {
559
if (chdir(pipe_name) < 0) {
489
560
printerr(0, "ERROR: can't chdir to %s: %s\n",
490
pipefs_nfsdir, strerror(errno));
561
pipe_name, strerror(errno));
494
j = scandir(pipefs_nfsdir, &namelist, NULL, alphasort);
565
j = scandir(pipe_name, &namelist, NULL, alphasort);
496
567
printerr(0, "ERROR: can't scandir %s: %s\n",
497
pipefs_nfsdir, strerror(errno));
568
pipe_name, strerror(errno));
500
update_old_clients(namelist, j);
572
update_old_clients(namelist, j, pipe_name);
501
573
for (i=0; i < j; i++) {
502
574
if (i < FD_ALLOC_BLOCK
503
575
&& !strncmp(namelist[i]->d_name, "clnt", 4)
504
&& !find_client(namelist[i]->d_name))
505
process_clnt_dir(namelist[i]->d_name);
576
&& !find_client(namelist[i]->d_name, pipe_name))
577
process_clnt_dir(namelist[i]->d_name, pipe_name);
506
578
free(namelist[i]);
586
/* Used to read (and re-read) list of clients, set up poll array. */
588
update_client_list(void)
591
struct topdirs_info *tdi;
593
TAILQ_FOREACH(tdi, &topdirs_list, list) {
594
retval = process_pipedir(tdi->dirname);
596
printerr(1, "WARNING: error processing %s\n",
514
604
do_downcall(int k5_fd, uid_t uid, struct authgss_private_data *pd,
515
605
gss_buffer_desc *context_token)
817
906
int create_resp = -1;
819
printerr(1, "handling krb5 upcall\n");
907
int err, downcall_err = -EACCES;
909
printerr(2, "handling krb5 upcall (%s)\n", clp->dirname);
912
if (clp->servicename) {
913
free(clp->servicename);
914
clp->servicename = strdup(tgtname);
821
917
token.length = 0;
822
918
token.value = NULL;
823
919
memset(&pd, 0, sizeof(struct authgss_private_data));
825
if (read(clp->krb5_fd, &uid, sizeof(uid)) < sizeof(uid)) {
826
printerr(0, "WARNING: failed reading uid from krb5 "
827
"upcall pipe: %s\n", strerror(errno));
831
if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0)) {
922
* If "service" is specified, then the kernel is indicating that
923
* we must use machine credentials for this request. (Regardless
924
* of the uid value or the setting of root_uses_machine_creds.)
925
* If the service value is "*", then any service name can be used.
926
* Otherwise, it specifies the service name that should be used.
927
* (For now, the values of service will only be "*" or "nfs".)
929
* Restricting gssd to use "nfs" service name is needed for when
930
* the NFS server is doing a callback to the NFS client. In this
931
* case, the NFS server has to authenticate itself as "nfs" --
932
* even if there are other service keys such as "host" or "root"
935
* Another case when the kernel may specify the service attribute
936
* is when gssd is being asked to create the context for a
937
* SETCLIENT_ID operation. In this case, machine credentials
938
* must be used for the authentication. However, the service name
939
* used for this case is not important.
942
printerr(2, "%s: service is '%s'\n", __func__,
943
service ? service : "<null>");
944
if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 &&
832
946
/* Tell krb5 gss which credentials cache to use */
833
947
for (dirname = ccachesearch; *dirname != NULL; dirname++) {
834
if (gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname) == 0)
948
err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname);
949
if (err == -EKEYEXPIRED)
950
downcall_err = -EKEYEXPIRED;
835
952
create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid,
837
954
if (create_resp == 0)
841
958
if (create_resp != 0) {
842
if (uid == 0 && root_uses_machine_creds == 1) {
959
if (uid == 0 && (root_uses_machine_creds == 1 ||
845
gssd_refresh_krb5_machine_credential(clp->servername,
848
* Get a list of credential cache names and try each
849
* of them until one works or we've tried them all
851
if (gssd_get_krb5_machine_cred_list(&credlist)) {
852
printerr(0, "ERROR: No credentials found "
853
"for connection to server %s\n",
855
goto out_return_error;
857
for (ccname = credlist; ccname && *ccname; ccname++) {
858
gssd_setup_krb5_machine_gss_ccache(*ccname);
859
if ((create_auth_rpc_client(clp, &rpc_clnt,
861
AUTHTYPE_KRB5)) == 0) {
866
printerr(2, "WARNING: Failed to create krb5 context "
867
"for user with uid %d with credentials "
868
"cache %s for server %s\n",
869
uid, *ccname, clp->servername);
871
gssd_free_krb5_machine_cred_list(credlist);
873
printerr(1, "WARNING: Failed to create krb5 context "
874
"for user with uid %d with any "
875
"credentials cache for server %s\n",
876
uid, clp->servername);
877
goto out_return_error;
964
gssd_refresh_krb5_machine_credential(clp->servername,
967
* Get a list of credential cache names and try each
968
* of them until one works or we've tried them all
970
if (gssd_get_krb5_machine_cred_list(&credlist)) {
971
printerr(0, "ERROR: No credentials found "
972
"for connection to server %s\n",
974
goto out_return_error;
976
for (ccname = credlist; ccname && *ccname; ccname++) {
977
gssd_setup_krb5_machine_gss_ccache(*ccname);
978
if ((create_auth_rpc_client(clp, &rpc_clnt,
980
AUTHTYPE_KRB5)) == 0) {
985
printerr(2, "WARNING: Failed to create machine krb5 context "
986
"with credentials cache %s for server %s\n",
987
*ccname, clp->servername);
989
gssd_free_krb5_machine_cred_list(credlist);
993
printerr(2, "WARNING: Machine cache is prematurely expired or corrupted "
994
"trying to recreate cache for server %s\n", clp->servername);
996
printerr(1, "WARNING: Failed to create machine krb5 context "
997
"with any credentials cache for server %s\n",
999
goto out_return_error;
880
1004
printerr(1, "WARNING: Failed to create krb5 context "
881
1005
"for user with uid %d for server %s\n",
922
1046
* this code uses the userland rpcsec gss library to create an spkm3
923
1047
* context on behalf of the kernel
926
handle_spkm3_upcall(struct clnt_info *clp)
1050
process_spkm3_upcall(struct clnt_info *clp, uid_t uid, int fd)
929
1052
CLIENT *rpc_clnt = NULL;
930
1053
AUTH *auth = NULL;
931
1054
struct authgss_private_data pd;
932
1055
gss_buffer_desc token;
934
printerr(2, "handling spkm3 upcall\n");
1057
printerr(2, "handling spkm3 upcall (%s)\n", clp->dirname);
936
1059
token.length = 0;
937
1060
token.value = NULL;
939
if (read(clp->spkm3_fd, &uid, sizeof(uid)) < sizeof(uid)) {
940
printerr(0, "WARNING: failed reading uid from spkm3 "
941
"upcall pipe: %s\n", strerror(errno));
945
1062
if (create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, AUTHTYPE_SPKM3)) {
946
1063
printerr(0, "WARNING: Failed to create spkm3 context for "
947
1064
"user with uid %d\n", uid);
976
1093
out_return_error:
977
do_error_downcall(clp->spkm3_fd, uid, -1);
1094
do_error_downcall(fd, uid, -1);
1099
handle_krb5_upcall(struct clnt_info *clp)
1103
if (read(clp->krb5_fd, &uid, sizeof(uid)) < sizeof(uid)) {
1104
printerr(0, "WARNING: failed reading uid from krb5 "
1105
"upcall pipe: %s\n", strerror(errno));
1109
return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL, NULL);
1113
handle_spkm3_upcall(struct clnt_info *clp)
1117
if (read(clp->spkm3_fd, &uid, sizeof(uid)) < sizeof(uid)) {
1118
printerr(0, "WARNING: failed reading uid from spkm3 "
1119
"upcall pipe: %s\n", strerror(errno));
1123
return process_spkm3_upcall(clp, uid, clp->spkm3_fd);
1127
handle_gssd_upcall(struct clnt_info *clp)
1134
char *target = NULL;
1135
char *service = NULL;
1137
printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
1139
if (readline(clp->gssd_fd, &lbuf, &lbuflen) != 1) {
1140
printerr(0, "WARNING: handle_gssd_upcall: "
1141
"failed reading request\n");
1144
printerr(2, "%s: '%s'\n", __func__, lbuf);
1146
/* find the mechanism name */
1147
if ((p = strstr(lbuf, "mech=")) != NULL) {
1148
mech = malloc(lbuflen);
1151
if (sscanf(p, "mech=%s", mech) != 1) {
1152
printerr(0, "WARNING: handle_gssd_upcall: "
1153
"failed to parse gss mechanism name "
1154
"in upcall string '%s'\n", lbuf);
1158
printerr(0, "WARNING: handle_gssd_upcall: "
1159
"failed to find gss mechanism name "
1160
"in upcall string '%s'\n", lbuf);
1165
if ((p = strstr(lbuf, "uid=")) != NULL) {
1166
if (sscanf(p, "uid=%d", &uid) != 1) {
1167
printerr(0, "WARNING: handle_gssd_upcall: "
1168
"failed to parse uid "
1169
"in upcall string '%s'\n", lbuf);
1173
printerr(0, "WARNING: handle_gssd_upcall: "
1174
"failed to find uid "
1175
"in upcall string '%s'\n", lbuf);
1179
/* read target name */
1180
if ((p = strstr(lbuf, "target=")) != NULL) {
1181
target = malloc(lbuflen);
1184
if (sscanf(p, "target=%s", target) != 1) {
1185
printerr(0, "WARNING: handle_gssd_upcall: "
1186
"failed to parse target name "
1187
"in upcall string '%s'\n", lbuf);
1193
* read the service name
1195
* The presence of attribute "service=" indicates that machine
1196
* credentials should be used for this request. If the value
1197
* is "*", then any machine credentials available can be used.
1198
* If the value is anything else, then machine credentials for
1199
* the specified service name (always "nfs" for now) should be
1202
if ((p = strstr(lbuf, "service=")) != NULL) {
1203
service = malloc(lbuflen);
1206
if (sscanf(p, "service=%s", service) != 1) {
1207
printerr(0, "WARNING: handle_gssd_upcall: "
1208
"failed to parse service type "
1209
"in upcall string '%s'\n", lbuf);
1214
if (strcmp(mech, "krb5") == 0)
1215
process_krb5_upcall(clp, uid, clp->gssd_fd, target, service);
1216
else if (strcmp(mech, "spkm3") == 0)
1217
process_spkm3_upcall(clp, uid, clp->gssd_fd);
1219
printerr(0, "WARNING: handle_gssd_upcall: "
1220
"received unknown gss mech '%s'\n", mech);
added
removed
utils/gssd/gssd_proc.c
