1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Copyright (C) 2004-2006 Cluster File Systems, Inc.
6 * This file is part of Lustre, http://www.lustre.org.
8 * Lustre is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
12 * Lustre is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with Lustre; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
37 #include <liblustre.h>
38 #include <lustre/lustre_user.h>
39 #include <lustre/lustre_idl.h>
40 #include <libcfs/kp30.h>
42 #define SETXID_PATHNAME "/etc/lustre/setxid.conf"
45 * setxid permission file format is like this:
48 * '*' nid means any nid
49 * '*' uid means any uid
50 * the valid values for perms are:
51 * setuid/setgid/setgrp -- enable corresponding perm
52 * nosetuid/nosetgid/nosetgrp -- disable corresponding perm
53 * they can be listed together, seperated by ',',
54 * when perm and noperm are in the same line (item), noperm is preferential,
55 * when they are in different lines (items), the latter is preferential,
56 * '*' nid is as default perm, and is not preferential.
59 static char *progname;
61 static void usage(void)
64 "\nusage: %s {mdtname} {uid}\n"
65 "Normally invoked as an upcall from Lustre, set via:\n"
66 " /proc/fs/lustre/mdt/{mdtname}/identity_upcall\n",
70 static int compare_u32(const void *v1, const void *v2)
72 return (*(__u32 *)v1 - *(__u32 *)v2);
75 static void errlog(const char *fmt, ...)
79 openlog(progname, LOG_PERROR, LOG_AUTHPRIV);
82 vsyslog(LOG_NOTICE, fmt, args);
83 fprintf(stderr, fmt, args);
89 int get_groups_local(struct identity_downcall_data *data)
93 unsigned int ngroups = 0;
100 pw = getpwuid(data->idd_uid);
102 errlog("no such user %u\n", data->idd_uid);
103 data->idd_err = errno ? errno : EIDRM;
106 data->idd_gid = pw->pw_gid;
108 namelen = sysconf(_SC_LOGIN_NAME_MAX);
109 if (namelen < _POSIX_LOGIN_NAME_MAX)
110 namelen = _POSIX_LOGIN_NAME_MAX;
111 pw_name = (char *)malloc(namelen);
113 errlog("malloc error\n");
114 data->idd_err = errno;
117 memset(pw_name, 0, namelen);
118 strncpy(pw_name, pw->pw_name, namelen - 1);
120 maxgroups = sysconf(_SC_NGROUPS_MAX);
121 if (maxgroups > NGROUPS_MAX)
122 maxgroups = NGROUPS_MAX;
123 groups = data->idd_groups;
125 groups[ngroups++] = pw->pw_gid;
126 while ((gr = getgrent())) {
127 if (gr->gr_gid == groups[0])
131 for (i = 0; gr->gr_mem[i]; i++) {
132 if (!strcmp(gr->gr_mem[i], pw_name)) {
133 groups[ngroups++] = gr->gr_gid;
137 if (ngroups == maxgroups)
141 qsort(groups, ngroups, sizeof(*groups), compare_u32);
142 data->idd_ngroups = ngroups;
148 static inline int comment_line(char *line)
152 while (*p && (*p == ' ' || *p == '\t')) p++;
154 if (!*p || *p == '\n' || *p == '#')
159 static inline int match_uid(uid_t uid, const char *str)
164 if(!strcmp(str, "*"))
167 uid2 = strtoul(str, &end, 0);
171 return (uid == uid2);
177 } setxid_perm_type_t;
179 static setxid_perm_type_t setxid_perm_types[] = {
180 { "setuid", LUSTRE_SETUID_PERM },
181 { "setgid", LUSTRE_SETGID_PERM },
182 { "setgrp", LUSTRE_SETGRP_PERM },
186 static setxid_perm_type_t setxid_noperm_types[] = {
187 { "nosetuid", LUSTRE_SETUID_PERM },
188 { "nosetgid", LUSTRE_SETGID_PERM },
189 { "nosetgrp", LUSTRE_SETGRP_PERM },
193 int parse_setxid_perm(__u32 *perm, __u32 *noperm, char *str)
197 setxid_perm_type_t *pt;
203 memset(name, 0, sizeof(name));
204 end = strchr(start, ',');
206 end = str + strlen(str);
209 strncpy(name, start, end - start);
210 for (pt = setxid_perm_types; pt->name; pt++) {
211 if (!strcasecmp(name, pt->name)) {
218 for (pt = setxid_noperm_types; pt->name; pt++) {
219 if (!strcasecmp(name, pt->name)) {
226 printf("unkown type: %s\n", name);
236 int parse_setxid_perm_line(struct identity_downcall_data *data, char *line)
238 char uid_str[256], nid_str[256], perm_str[256];
243 if (data->idd_nperms >= N_SETXID_PERMS_MAX) {
244 errlog("setxid permission count %d > max %d\n",
245 data->idd_nperms, N_SETXID_PERMS_MAX);
249 rc = sscanf(line, "%s %s %s", nid_str, uid_str, perm_str);
251 errlog("can't parse line %s\n", line);
255 if (!match_uid(data->idd_uid, uid_str))
258 if (!strcmp(nid_str, "*")) {
261 nid = libcfs_str2nid(nid_str);
262 if (nid == LNET_NID_ANY) {
263 errlog("can't parse nid %s\n", nid_str);
268 if (parse_setxid_perm(&perm, &noperm, perm_str)) {
269 errlog("invalid perm %s\n", perm_str);
273 /* merge the perms with the same nid.
275 * If there is LNET_NID_ANY in data->idd_perms[i].pdd_nid,
276 * it must be data->idd_perms[0].pdd_nid, and act as default perm.
278 if (nid != LNET_NID_ANY) {
281 /* search for the same nid */
282 for (i = data->idd_nperms - 1; i >= 0; i--) {
283 if (data->idd_perms[i].pdd_nid == nid) {
284 data->idd_perms[i].pdd_perm =
285 (data->idd_perms[i].pdd_perm | perm) &
292 /* NOT found, add to tail */
294 data->idd_perms[data->idd_nperms].pdd_nid = nid;
295 data->idd_perms[data->idd_nperms].pdd_perm =
300 if (data->idd_nperms > 0) {
301 /* the first one isn't LNET_NID_ANY, need exchange */
302 if (data->idd_perms[0].pdd_nid != LNET_NID_ANY) {
303 data->idd_perms[data->idd_nperms].pdd_nid =
304 data->idd_perms[0].pdd_nid;
305 data->idd_perms[data->idd_nperms].pdd_perm =
306 data->idd_perms[0].pdd_perm;
307 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
308 data->idd_perms[0].pdd_perm = perm & ~noperm;
311 /* only fix LNET_NID_ANY item */
312 data->idd_perms[0].pdd_perm =
313 (data->idd_perms[0].pdd_perm | perm) &
317 /* it is the first one, only add to head */
318 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
319 data->idd_perms[0].pdd_perm = perm & ~noperm;
320 data->idd_nperms = 1;
327 int get_setxid_perms(FILE *fp, struct identity_downcall_data *data)
331 while (fgets(line, 1024, fp)) {
332 if (comment_line(line))
335 if (parse_setxid_perm_line(data, line)) {
336 errlog("parse line %s failed!\n", line);
344 static void show_result(struct identity_downcall_data *data)
349 errlog("failed to get identity for uid %d: %s\n",
350 data->idd_uid, strerror(data->idd_err));
354 printf("uid=%d gid=", data->idd_uid);
355 for (i = 0; i < data->idd_ngroups; i++)
356 printf("%s%u", i > 0 ? "," : "", data->idd_groups[i]);
358 printf("setxid permissions:\n"
360 for (i = 0; i < data->idd_nperms; i++) {
361 struct setxid_perm_downcall_data *pdd;
363 pdd = &data->idd_perms[i];
365 printf(" %#llx\t0x%x\n", pdd->pdd_nid, pdd->pdd_perm);
370 int main(int argc, char **argv)
374 struct identity_downcall_data *data;
379 progname = basename(argv[0]);
386 uid = strtoul(argv[2], &end, 0);
388 errlog("%s: invalid uid '%s'\n", progname, argv[2]);
393 data = malloc(sizeof(*data));
395 errlog("malloc identity downcall data(%d) failed!\n",
399 memset(data, 0, sizeof(*data));
400 data->idd_magic = IDENTITY_DOWNCALL_MAGIC;
403 /* get groups for uid */
404 rc = get_groups_local(data);
408 /* read permission database */
409 perms_fp = fopen(SETXID_PATHNAME, "r");
411 get_setxid_perms(perms_fp, data);
413 } else if (errno != ENOENT) {
414 errlog("open %s failed: %s\n",
415 SETXID_PATHNAME, strerror(errno));
419 if (getenv("L_GETIDENTITY_TEST")) {
424 snprintf(procname, sizeof(procname),
425 "/proc/fs/lustre/mdt/%s/identity_info", argv[1]);
426 fd = open(procname, O_WRONLY);
428 errlog("can't open file %s: %s\n", procname, strerror(errno));
432 rc = write(fd, data, sizeof(*data));
434 if (rc != sizeof(*data)) {
435 errlog("partial write ret %d: %s\n", rc, strerror(errno));