4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
20 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
21 * CA 95054 USA or visit www.sun.com if you need additional information or
27 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
28 * Use is subject to license terms.
30 * Copyright (c) 2011, Whamcloud, Inc.
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
51 #include <liblustre.h>
52 #include <lustre/lustre_user.h>
53 #include <lustre/lustre_idl.h>
55 #define PERM_PATHNAME "/etc/lustre/perm.conf"
58 * permission file format is like this:
61 * '*' nid means any nid
62 * '*' uid means any uid
63 * the valid values for perms are:
64 * setuid/setgid/setgrp/rmtacl -- enable corresponding perm
65 * nosetuid/nosetgid/nosetgrp/normtacl -- disable corresponding perm
66 * they can be listed together, seperated by ',',
67 * when perm and noperm are in the same line (item), noperm is preferential,
68 * when they are in different lines (items), the latter is preferential,
69 * '*' nid is as default perm, and is not preferential.
72 static char *progname;
74 static void usage(void)
77 "\nusage: %s {mdtname} {uid}\n"
78 "Normally invoked as an upcall from Lustre, set via:\n"
79 "/proc/fs/lustre/mdt/${mdtname}/identity_upcall\n",
83 static int compare_u32(const void *v1, const void *v2)
85 return (*(__u32 *)v1 - *(__u32 *)v2);
88 static void errlog(const char *fmt, ...)
92 openlog(progname, LOG_PERROR | LOG_PID, LOG_AUTHPRIV);
95 vsyslog(LOG_NOTICE, fmt, args);
101 int get_groups_local(struct identity_downcall_data *data,
102 unsigned int maxgroups)
105 unsigned int ngroups = 0;
112 pw = getpwuid(data->idd_uid);
114 errlog("no such user %u\n", data->idd_uid);
115 data->idd_err = errno ? errno : EIDRM;
119 data->idd_gid = pw->pw_gid;
120 namelen = sysconf(_SC_LOGIN_NAME_MAX);
121 if (namelen < _POSIX_LOGIN_NAME_MAX)
122 namelen = _POSIX_LOGIN_NAME_MAX;
124 pw_name = (char *)malloc(namelen);
126 errlog("malloc error\n");
127 data->idd_err = errno;
131 memset(pw_name, 0, namelen);
132 strncpy(pw_name, pw->pw_name, namelen - 1);
133 groups = data->idd_groups;
135 while ((gr = getgrent()) && ngroups < maxgroups) {
136 if (gr->gr_gid == groups[0])
140 for (i = 0; gr->gr_mem[i]; i++) {
141 if (!strcmp(gr->gr_mem[i], pw_name)) {
142 groups[ngroups++] = gr->gr_gid;
149 qsort(groups, ngroups, sizeof(*groups), compare_u32);
150 data->idd_ngroups = ngroups;
156 static inline int comment_line(char *line)
160 while (*p && (*p == ' ' || *p == '\t')) p++;
162 if (!*p || *p == '\n' || *p == '#')
167 static inline int match_uid(uid_t uid, const char *str)
172 if(!strcmp(str, "*"))
175 uid2 = strtoul(str, &end, 0);
178 return (uid == uid2);
186 static perm_type_t perm_types[] = {
187 { "setuid", CFS_SETUID_PERM },
188 { "setgid", CFS_SETGID_PERM },
189 { "setgrp", CFS_SETGRP_PERM },
190 { "rmtacl", CFS_RMTACL_PERM },
191 { "rmtown", CFS_RMTOWN_PERM },
195 static perm_type_t noperm_types[] = {
196 { "nosetuid", CFS_SETUID_PERM },
197 { "nosetgid", CFS_SETGID_PERM },
198 { "nosetgrp", CFS_SETGRP_PERM },
199 { "normtacl", CFS_RMTACL_PERM },
200 { "normtown", CFS_RMTOWN_PERM },
204 int parse_perm(__u32 *perm, __u32 *noperm, char *str)
214 memset(name, 0, sizeof(name));
215 end = strchr(start, ',');
217 end = str + strlen(str);
220 strncpy(name, start, end - start);
221 for (pt = perm_types; pt->name; pt++) {
222 if (!strcasecmp(name, pt->name)) {
229 for (pt = noperm_types; pt->name; pt++) {
230 if (!strcasecmp(name, pt->name)) {
237 printf("unkown type: %s\n", name);
247 int parse_perm_line(struct identity_downcall_data *data, char *line)
249 char uid_str[256], nid_str[256], perm_str[256];
254 if (data->idd_nperms >= N_PERMS_MAX) {
255 errlog("permission count %d > max %d\n",
256 data->idd_nperms, N_PERMS_MAX);
260 rc = sscanf(line, "%s %s %s", nid_str, uid_str, perm_str);
262 errlog("can't parse line %s\n", line);
266 if (!match_uid(data->idd_uid, uid_str))
269 if (!strcmp(nid_str, "*")) {
272 nid = libcfs_str2nid(nid_str);
273 if (nid == LNET_NID_ANY) {
274 errlog("can't parse nid %s\n", nid_str);
279 if (parse_perm(&perm, &noperm, perm_str)) {
280 errlog("invalid perm %s\n", perm_str);
284 /* merge the perms with the same nid.
286 * If there is LNET_NID_ANY in data->idd_perms[i].pdd_nid,
287 * it must be data->idd_perms[0].pdd_nid, and act as default perm.
289 if (nid != LNET_NID_ANY) {
292 /* search for the same nid */
293 for (i = data->idd_nperms - 1; i >= 0; i--) {
294 if (data->idd_perms[i].pdd_nid == nid) {
295 data->idd_perms[i].pdd_perm =
296 (data->idd_perms[i].pdd_perm | perm) &
303 /* NOT found, add to tail */
305 data->idd_perms[data->idd_nperms].pdd_nid = nid;
306 data->idd_perms[data->idd_nperms].pdd_perm =
311 if (data->idd_nperms > 0) {
312 /* the first one isn't LNET_NID_ANY, need exchange */
313 if (data->idd_perms[0].pdd_nid != LNET_NID_ANY) {
314 data->idd_perms[data->idd_nperms].pdd_nid =
315 data->idd_perms[0].pdd_nid;
316 data->idd_perms[data->idd_nperms].pdd_perm =
317 data->idd_perms[0].pdd_perm;
318 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
319 data->idd_perms[0].pdd_perm = perm & ~noperm;
322 /* only fix LNET_NID_ANY item */
323 data->idd_perms[0].pdd_perm =
324 (data->idd_perms[0].pdd_perm | perm) &
328 /* it is the first one, only add to head */
329 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
330 data->idd_perms[0].pdd_perm = perm & ~noperm;
331 data->idd_nperms = 1;
338 int get_perms(struct identity_downcall_data *data)
343 fp = fopen(PERM_PATHNAME, "r");
345 if (errno == ENOENT) {
348 errlog("open %s failed: %s\n",
349 PERM_PATHNAME, strerror(errno));
350 data->idd_err = errno;
355 while (fgets(line, 1024, fp)) {
356 if (comment_line(line))
359 if (parse_perm_line(data, line)) {
360 errlog("parse line %s failed!\n", line);
361 data->idd_err = EINVAL;
371 static void show_result(struct identity_downcall_data *data)
376 errlog("failed to get identity for uid %d: %s\n",
377 data->idd_uid, strerror(data->idd_err));
381 printf("uid=%d gid=%d", data->idd_uid, data->idd_gid);
382 for (i = 0; i < data->idd_ngroups; i++)
383 printf(",%u", data->idd_groups[i]);
385 printf("permissions:\n"
387 for (i = 0; i < data->idd_nperms; i++) {
388 struct perm_downcall_data *pdd;
390 pdd = &data->idd_perms[i];
392 printf(" "LPX64"\t0x%x\n", pdd->pdd_nid, pdd->pdd_perm);
397 int main(int argc, char **argv)
400 struct identity_downcall_data *data = NULL;
403 int fd, rc = -EINVAL, size, maxgroups;
405 progname = basename(argv[0]);
411 uid = strtoul(argv[2], &end, 0);
413 errlog("%s: invalid uid '%s'\n", progname, argv[2]);
417 maxgroups = sysconf(_SC_NGROUPS_MAX);
418 if (maxgroups > NGROUPS_MAX)
419 maxgroups = NGROUPS_MAX;
421 size = offsetof(struct identity_downcall_data, idd_groups[maxgroups]);
424 errlog("malloc identity downcall data(%d) failed!\n", size);
429 memset(data, 0, size);
430 data->idd_magic = IDENTITY_DOWNCALL_MAGIC;
432 /* get groups for uid */
433 rc = get_groups_local(data, maxgroups);
437 size = offsetof(struct identity_downcall_data,
438 idd_groups[data->idd_ngroups]);
439 /* read permission database */
440 rc = get_perms(data);
443 if (getenv("L_GETIDENTITY_TEST")) {
449 snprintf(procname, sizeof(procname),
450 "/proc/fs/lustre/mdt/%s/identity_info", argv[1]);
451 fd = open(procname, O_WRONLY);
453 errlog("can't open file %s: %s\n", procname, strerror(errno));
458 rc = write(fd, data, size);
461 errlog("partial write ret %d: %s\n", rc, strerror(errno));