-/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
- * vim:expandtab:shiftwidth=8:tabstop=8:
+/*
+ * GPL HEADER START
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
- * Copyright (C) 2004-2006 Cluster File Systems, Inc.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 only,
+ * as published by the Free Software Foundation.
*
- * This file is part of Lustre, http://www.lustre.org.
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License version 2 for more details (a copy is included
+ * in the LICENSE file that accompanied this code).
*
- * Lustre is free software; you can redistribute it and/or
- * modify it under the terms of version 2 of the GNU General Public
- * License as published by the Free Software Foundation.
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; If not, see
+ * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
*
- * Lustre is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
*
- * You should have received a copy of the GNU General Public License
- * along with Lustre; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * GPL HEADER END
+ */
+/*
+ * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Use is subject to license terms.
*
+ * Copyright (c) 2011, Intel Corporation.
+ */
+/*
+ * This file is part of Lustre, http://www.lustre.org/
+ * Lustre is a trademark of Sun Microsystems, Inc.
*/
#include <stdlib.h>
#include <libgen.h>
#include <syslog.h>
-#include <liblustre.h>
+#include <libcfs/libcfs.h>
#include <lustre/lustre_user.h>
#include <lustre/lustre_idl.h>
-#include <libcfs/kp30.h>
-#define SETXID_PATHNAME "/etc/lustre/setxid.conf"
+#define PERM_PATHNAME "/etc/lustre/perm.conf"
/*
- * setxid permission file format is like this:
+ * permission file format is like this:
* {nid} {uid} {perms}
*
* '*' nid means any nid
* '*' uid means any uid
* the valid values for perms are:
- * setuid/setgid/setgrp -- enable corresponding perm
- * nosetuid/nosetgid/nosetgrp -- disable corresponding perm
+ * setuid/setgid/setgrp/rmtacl -- enable corresponding perm
+ * nosetuid/nosetgid/nosetgrp/normtacl -- disable corresponding perm
* they can be listed together, seperated by ',',
* when perm and noperm are in the same line (item), noperm is preferential,
* when they are in different lines (items), the latter is preferential,
fprintf(stderr,
"\nusage: %s {mdtname} {uid}\n"
"Normally invoked as an upcall from Lustre, set via:\n"
- " /proc/fs/lustre/mdt/{mdtname}/identity_upcall\n",
+ "/proc/fs/lustre/mdt/${mdtname}/identity_upcall\n",
progname);
}
{
va_list args;
- openlog(progname, LOG_PERROR, LOG_AUTHPRIV);
+ openlog(progname, LOG_PERROR | LOG_PID, LOG_AUTHPRIV);
va_start(args, fmt);
vsyslog(LOG_NOTICE, fmt, args);
- fprintf(stderr, fmt, args);
va_end(args);
closelog();
}
-int get_groups_local(struct identity_downcall_data *data)
+int get_groups_local(struct identity_downcall_data *data,
+ unsigned int maxgroups)
{
- int maxgroups;
- gid_t *groups;
- unsigned int ngroups = 0;
- struct passwd *pw;
- struct group *gr;
- char *pw_name;
- int namelen;
- int i;
-
- pw = getpwuid(data->idd_uid);
- if (!pw) {
- errlog("no such user %u\n", data->idd_uid);
- data->idd_err = errno ? errno : EIDRM;
- return -1;
- }
- data->idd_gid = pw->pw_gid;
-
- namelen = sysconf(_SC_LOGIN_NAME_MAX);
- if (namelen < _POSIX_LOGIN_NAME_MAX)
- namelen = _POSIX_LOGIN_NAME_MAX;
- pw_name = (char *)malloc(namelen);
- if (!pw_name) {
- errlog("malloc error\n");
- data->idd_err = errno;
- return -1;
- }
- memset(pw_name, 0, namelen);
- strncpy(pw_name, pw->pw_name, namelen - 1);
-
- maxgroups = sysconf(_SC_NGROUPS_MAX);
- if (maxgroups > NGROUPS_MAX)
- maxgroups = NGROUPS_MAX;
- groups = data->idd_groups;
-
- groups[ngroups++] = pw->pw_gid;
- while ((gr = getgrent())) {
- if (gr->gr_gid == groups[0])
- continue;
- if (!gr->gr_mem)
- continue;
- for (i = 0; gr->gr_mem[i]; i++) {
- if (!strcmp(gr->gr_mem[i], pw_name)) {
- groups[ngroups++] = gr->gr_gid;
- break;
- }
- }
- if (ngroups == maxgroups)
- break;
- }
- endgrent();
- qsort(groups, ngroups, sizeof(*groups), compare_u32);
- data->idd_ngroups = ngroups;
-
- free(pw_name);
- return 0;
+ gid_t *groups, *groups_tmp = NULL;
+ unsigned int ngroups = 0;
+ int ngroups_tmp;
+ struct passwd *pw;
+ char *pw_name;
+ int namelen;
+ int i;
+
+ pw = getpwuid(data->idd_uid);
+ if (!pw) {
+ errlog("no such user %u\n", data->idd_uid);
+ data->idd_err = errno ? errno : EIDRM;
+ return -1;
+ }
+
+ data->idd_gid = pw->pw_gid;
+ namelen = sysconf(_SC_LOGIN_NAME_MAX);
+ if (namelen < _POSIX_LOGIN_NAME_MAX)
+ namelen = _POSIX_LOGIN_NAME_MAX;
+
+ pw_name = malloc(namelen);
+ if (!pw_name) {
+ errlog("malloc error\n");
+ data->idd_err = errno;
+ return -1;
+ }
+
+ memset(pw_name, 0, namelen);
+ strncpy(pw_name, pw->pw_name, namelen - 1);
+ groups = data->idd_groups;
+
+ /* Allocate array of size maxgroups instead of handling two
+ * consecutive and potentially racy getgrouplist() calls. */
+ groups_tmp = malloc(maxgroups * sizeof(gid_t));
+ if (groups_tmp == NULL) {
+ free(pw_name);
+ data->idd_err = errno ? errno : ENOMEM;
+ errlog("malloc error=%u\n",data->idd_err);
+ return -1;
+ }
+
+ ngroups_tmp = maxgroups;
+ if (getgrouplist(pw->pw_name, pw->pw_gid, groups_tmp, &ngroups_tmp) <
+ 0) {
+ free(pw_name);
+ free(groups_tmp);
+ data->idd_err = errno ? errno : EIDRM;
+ errlog("getgrouplist() error for uid %u: error=%u\n",
+ data->idd_uid, data->idd_err);
+ return -1;
+ }
+
+ /* Do not place user's group ID in to the resulting groups list */
+ for (i = 0; i < ngroups_tmp; i++)
+ if (pw->pw_gid != groups_tmp[i])
+ groups[ngroups++] = groups_tmp[i];
+
+ if (ngroups > 0)
+ qsort(groups, ngroups, sizeof(*groups), compare_u32);
+ data->idd_ngroups = ngroups;
+
+ free(pw_name);
+ free(groups_tmp);
+ return 0;
}
static inline int comment_line(char *line)
uid2 = strtoul(str, &end, 0);
if (*end)
return 0;
-
return (uid == uid2);
}
typedef struct {
char *name;
__u32 bit;
-} setxid_perm_type_t;
-
-static setxid_perm_type_t setxid_perm_types[] = {
- { "setuid", LUSTRE_SETUID_PERM },
- { "setgid", LUSTRE_SETGID_PERM },
- { "setgrp", LUSTRE_SETGRP_PERM },
+} perm_type_t;
+
+static perm_type_t perm_types[] = {
+ { "setuid", CFS_SETUID_PERM },
+ { "setgid", CFS_SETGID_PERM },
+ { "setgrp", CFS_SETGRP_PERM },
+ { "rmtacl", CFS_RMTACL_PERM },
+ { "rmtown", CFS_RMTOWN_PERM },
{ 0 }
};
-static setxid_perm_type_t setxid_noperm_types[] = {
- { "nosetuid", LUSTRE_SETUID_PERM },
- { "nosetgid", LUSTRE_SETGID_PERM },
- { "nosetgrp", LUSTRE_SETGRP_PERM },
+static perm_type_t noperm_types[] = {
+ { "nosetuid", CFS_SETUID_PERM },
+ { "nosetgid", CFS_SETGID_PERM },
+ { "nosetgrp", CFS_SETGRP_PERM },
+ { "normtacl", CFS_RMTACL_PERM },
+ { "normtown", CFS_RMTOWN_PERM },
{ 0 }
};
-int parse_setxid_perm(__u32 *perm, __u32 *noperm, char *str)
+int parse_perm(__u32 *perm, __u32 *noperm, char *str)
{
char *start, *end;
char name[64];
- setxid_perm_type_t *pt;
+ perm_type_t *pt;
*perm = 0;
*noperm = 0;
if (start >= end)
break;
strncpy(name, start, end - start);
- for (pt = setxid_perm_types; pt->name; pt++) {
+ for (pt = perm_types; pt->name; pt++) {
if (!strcasecmp(name, pt->name)) {
*perm |= pt->bit;
break;
}
if (!pt->name) {
- for (pt = setxid_noperm_types; pt->name; pt++) {
+ for (pt = noperm_types; pt->name; pt++) {
if (!strcasecmp(name, pt->name)) {
*noperm |= pt->bit;
break;
return 0;
}
-int parse_setxid_perm_line(struct identity_downcall_data *data, char *line)
+int parse_perm_line(struct identity_downcall_data *data, char *line)
{
char uid_str[256], nid_str[256], perm_str[256];
lnet_nid_t nid;
__u32 perm, noperm;
int rc, i;
- if (data->idd_nperms >= N_SETXID_PERMS_MAX) {
- errlog("setxid permission count %d > max %d\n",
- data->idd_nperms, N_SETXID_PERMS_MAX);
+ if (data->idd_nperms >= N_PERMS_MAX) {
+ errlog("permission count %d > max %d\n",
+ data->idd_nperms, N_PERMS_MAX);
return -1;
}
}
}
- if (parse_setxid_perm(&perm, &noperm, perm_str)) {
+ if (parse_perm(&perm, &noperm, perm_str)) {
errlog("invalid perm %s\n", perm_str);
return -1;
}
return 0;
}
-int get_setxid_perms(FILE *fp, struct identity_downcall_data *data)
+int get_perms(struct identity_downcall_data *data)
{
+ FILE *fp;
char line[1024];
+ fp = fopen(PERM_PATHNAME, "r");
+ if (fp == NULL) {
+ if (errno == ENOENT) {
+ return 0;
+ } else {
+ errlog("open %s failed: %s\n",
+ PERM_PATHNAME, strerror(errno));
+ data->idd_err = errno;
+ return -1;
+ }
+ }
+
while (fgets(line, 1024, fp)) {
if (comment_line(line))
continue;
- if (parse_setxid_perm_line(data, line)) {
+ if (parse_perm_line(data, line)) {
errlog("parse line %s failed!\n", line);
+ data->idd_err = EINVAL;
+ fclose(fp);
return -1;
}
}
+ fclose(fp);
return 0;
}
return;
}
- printf("uid=%d gid=", data->idd_uid);
+ printf("uid=%d gid=%d", data->idd_uid, data->idd_gid);
for (i = 0; i < data->idd_ngroups; i++)
- printf("%s%u", i > 0 ? "," : "", data->idd_groups[i]);
+ printf(",%u", data->idd_groups[i]);
printf("\n");
- printf("setxid permissions:\n"
+ printf("permissions:\n"
" nid\t\t\tperm\n");
for (i = 0; i < data->idd_nperms; i++) {
- struct setxid_perm_downcall_data *pdd;
+ struct perm_downcall_data *pdd;
pdd = &data->idd_perms[i];
- printf(" %#llx\t0x%x\n", pdd->pdd_nid, pdd->pdd_perm);
+ printf(" "LPX64"\t0x%x\n", pdd->pdd_nid, pdd->pdd_perm);
}
printf("\n");
}
int main(int argc, char **argv)
{
- FILE *perms_fp;
char *end;
- struct identity_downcall_data *data;
+ struct identity_downcall_data *data = NULL;
char procname[1024];
unsigned long uid;
- int fd, rc;
+ int fd, rc = -EINVAL, size, maxgroups;
progname = basename(argv[0]);
-
if (argc != 3) {
usage();
- return 1;
+ goto out;
}
uid = strtoul(argv[2], &end, 0);
if (*end) {
errlog("%s: invalid uid '%s'\n", progname, argv[2]);
- usage();
- return 1;
+ goto out;
}
- data = malloc(sizeof(*data));
+ maxgroups = sysconf(_SC_NGROUPS_MAX);
+ if (maxgroups > NGROUPS_MAX)
+ maxgroups = NGROUPS_MAX;
+ if (maxgroups == -1) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ size = offsetof(struct identity_downcall_data, idd_groups[maxgroups]);
+ data = malloc(size);
if (!data) {
- errlog("malloc identity downcall data(%d) failed!\n",
- sizeof(*data));
- return 1;
+ errlog("malloc identity downcall data(%d) failed!\n", size);
+ rc = -ENOMEM;
+ goto out;
}
- memset(data, 0, sizeof(*data));
+
+ memset(data, 0, size);
data->idd_magic = IDENTITY_DOWNCALL_MAGIC;
data->idd_uid = uid;
-
/* get groups for uid */
- rc = get_groups_local(data);
+ rc = get_groups_local(data, maxgroups);
if (rc)
goto downcall;
+ size = offsetof(struct identity_downcall_data,
+ idd_groups[data->idd_ngroups]);
/* read permission database */
- perms_fp = fopen(SETXID_PATHNAME, "r");
- if (perms_fp) {
- get_setxid_perms(perms_fp, data);
- fclose(perms_fp);
- } else if (errno != ENOENT) {
- errlog("open %s failed: %s\n",
- SETXID_PATHNAME, strerror(errno));
- }
+ rc = get_perms(data);
downcall:
if (getenv("L_GETIDENTITY_TEST")) {
show_result(data);
- return 0;
+ rc = 0;
+ goto out;
}
snprintf(procname, sizeof(procname),
fd = open(procname, O_WRONLY);
if (fd < 0) {
errlog("can't open file %s: %s\n", procname, strerror(errno));
- return 1;
+ rc = -1;
+ goto out;
}
- rc = write(fd, data, sizeof(*data));
+ rc = write(fd, data, size);
close(fd);
- if (rc != sizeof(*data)) {
+ if (rc != size) {
errlog("partial write ret %d: %s\n", rc, strerror(errno));
- return 1;
+ rc = -1;
+ } else {
+ rc = 0;
}
- return 0;
+out:
+ if (data != NULL)
+ free(data);
+ return rc;
}