--- /dev/null
+/*
+ * GPL HEADER START
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 only,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License version 2 for more details (a copy is included
+ * in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; If not, see
+ * http://www.gnu.org/licenses/gpl-2.0.html
+ *
+ * GPL HEADER END
+ */
+/*
+ * Copyright (c) 2020, Whamcloud.
+ */
+/*
+ * This file is part of Lustre, http://www.lustre.org/
+ */
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
+#include <fcntl.h>
+
+void print_groups(int num_groups, gid_t *groups)
+{
+ int i;
+
+ fprintf(stdout, "\tGroups ");
+ for (i = 0; i < num_groups; i++) {
+ struct group *gr = getgrgid(groups[i]);
+
+ if (gr == NULL)
+ perror("getgrgid");
+ fprintf(stdout, "%6d - %s, ", gr->gr_gid, gr->gr_name);
+ }
+ fprintf(stdout, "\n");
+}
+
+char usage[] =
+"Usage: %s <user to switch euid to> <path to file to access>\n";
+
+int main(int argc, char **argv)
+{
+ char *user_to_euid;
+ char *filename;
+ struct passwd *user_pwd;
+ char *user_name;
+ int num_groups = 0;
+ gid_t *groups;
+ struct passwd *switch_pwd;
+ uid_t switch_uid, switch_gid;
+ int switch_num_groups = 0;
+ gid_t *switch_groups;
+ int final_num_groups = 0;
+ gid_t *final_groups;
+ int fd = 0;
+ int save_errno;
+ int rc;
+
+ if (argc != 3) {
+ fprintf(stderr, usage, argv[0]);
+ exit(1);
+ }
+
+ user_to_euid = argv[1];
+ filename = argv[2];
+
+ user_pwd = getpwuid(getuid());
+ if (!user_pwd) {
+ if (errno) {
+ save_errno = errno;
+ perror("getpwuid");
+ } else {
+ save_errno = 1;
+ fprintf(stderr, "Cannot find user in passwd db\n");
+ }
+ exit(save_errno);
+ }
+ user_name = user_pwd->pw_name;
+
+ fprintf(stdout, "Initially %s ruid:rgid %d:%d, euid:egid %d:%d\n",
+ user_name, getuid(), getgid(), geteuid(), getegid());
+
+ num_groups = getgroups(0, NULL);
+ if (num_groups) {
+ groups = malloc(sizeof(gid_t) * num_groups);
+ if (!groups) {
+ save_errno = errno;
+ perror("groups");
+ exit(save_errno);
+ }
+ rc = getgrouplist(user_name, getgid(), groups, &num_groups);
+ if (rc == -1) {
+ save_errno = errno;
+ free(groups);
+ perror("groups list");
+ exit(save_errno);
+ }
+ print_groups(num_groups, groups);
+ free(groups);
+ }
+
+ /* lookup information about switch_user provided */
+ switch_pwd = getpwnam(user_to_euid);
+ if (!switch_pwd) {
+ if (errno) {
+ save_errno = errno;
+ perror("getpwnam");
+ } else {
+ save_errno = 1;
+ fprintf(stderr, "Cannot find user %s in passwd db\n",
+ user_to_euid);
+ }
+ exit(save_errno);
+ }
+ switch_uid = switch_pwd->pw_uid;
+ switch_gid = switch_pwd->pw_gid;
+
+ fprintf(stdout, "To switch to effective %s uid:gid %d:%d\n",
+ user_to_euid, switch_uid, switch_gid);
+
+ rc = setegid(switch_gid);
+ if (rc == -1) {
+ save_errno = errno;
+ perror("setegid");
+ exit(save_errno);
+ }
+
+ getgrouplist(user_to_euid, switch_gid, NULL, &switch_num_groups);
+ if (switch_num_groups) {
+ switch_groups = malloc(sizeof(gid_t) * switch_num_groups);
+ if (!switch_groups) {
+ save_errno = errno;
+ perror("switch_groups");
+ exit(save_errno);
+ }
+ rc = getgrouplist(user_to_euid, switch_gid,
+ switch_groups, &switch_num_groups);
+ if (rc == -1) {
+ save_errno = errno;
+ free(switch_groups);
+ perror("switch_groups list");
+ exit(save_errno);
+ }
+ print_groups(switch_num_groups, switch_groups);
+ rc = setgroups(switch_num_groups, switch_groups);
+ save_errno = errno;
+ free(switch_groups);
+ if (rc == -1) {
+ perror("setgroups");
+ exit(save_errno);
+ }
+ }
+
+ rc = seteuid(switch_uid);
+ if (rc == -1) {
+ save_errno = errno;
+ perror("seteuid");
+ exit(save_errno);
+ }
+
+ fprintf(stdout, "Now %s ruid:rgid %d:%d, euid:egid %d:%d\n",
+ user_name, getuid(), getgid(), geteuid(), getegid());
+
+ final_num_groups = getgroups(0, NULL);
+ final_groups = malloc(sizeof(gid_t) * final_num_groups);
+ if (!final_groups) {
+ save_errno = errno;
+ perror("final_groups");
+ exit(save_errno);
+ }
+ rc = getgroups(final_num_groups, final_groups);
+ if (rc == -1) {
+ save_errno = errno;
+ free(final_groups);
+ perror("final_groups list");
+ exit(save_errno);
+ }
+ print_groups(final_num_groups, final_groups);
+ free(final_groups);
+
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0666);
+ if (fd == -1) {
+ save_errno = errno;
+ perror("open");
+ exit(save_errno);
+ }
+ rc = write(fd, "test", 5);
+ if (rc == -1) {
+ save_errno = errno;
+ perror("write");
+ exit(save_errno);
+ }
+ close(fd);
+ fprintf(stdout, "File %s successfully written\n", filename);
+
+ exit(0);
+}
+
cleanup_nodemap_after_enc_tests() {
do_facet mgs $LCTL nodemap_modify --name default \
- --property forbid_encryption --value 1
+ --property forbid_encryption --value 0
wait_nm_sync default forbid_encryption
do_facet mgs $LCTL nodemap_activate 0
wait_nm_sync active
}
run_test 54 "Encryption policies with fscrypt"
+cleanup_55() {
+ # unmount client
+ if is_mounted $MOUNT; then
+ umount_client $MOUNT || error "umount $MOUNT failed"
+ fi
+
+ do_facet mgs $LCTL nodemap_del c0
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 0
+ wait_nm_sync default admin_nodemap
+ wait_nm_sync default trusted_nodemap
+
+ do_facet mgs $LCTL nodemap_activate 0
+ wait_nm_sync active 0
+
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=false
+ fi
+
+ # remount client
+ mount_client $MOUNT ${MOUNT_OPTS} || error "remount failed"
+ if [ "$MOUNT_2" ]; then
+ mount_client $MOUNT2 ${MOUNT_OPTS} || error "remount failed"
+ fi
+}
+
+test_55() {
+ local client_ip
+ local client_nid
+
+ mkdir -p $DIR/$tdir/$USER0/testdir_groups
+ chown root:$ID0 $DIR/$tdir/$USER0
+ chmod 770 $DIR/$tdir/$USER0
+ chmod g+s $DIR/$tdir/$USER0
+ chown $ID0:$ID0 $DIR/$tdir/$USER0/testdir_groups
+ chmod 770 $DIR/$tdir/$USER0/testdir_groups
+ chmod g+s $DIR/$tdir/$USER0/testdir_groups
+
+ # unmount client completely
+ umount_client $MOUNT || error "umount $MOUNT failed"
+ if is_mounted $MOUNT2; then
+ umount_client $MOUNT2 || error "umount $MOUNT2 failed"
+ fi
+
+ do_nodes $(comma_list $(all_mdts_nodes)) \
+ $LCTL set_param mdt.*.identity_upcall=NONE
+
+ stack_trap cleanup_55 EXIT
+
+ do_facet mgs $LCTL nodemap_activate 1
+ wait_nm_sync active
+
+ do_facet mgs $LCTL nodemap_del c0 || true
+ wait_nm_sync c0 id ''
+
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property admin --value 1
+ do_facet mgs $LCTL nodemap_modify --name default \
+ --property trusted --value 1
+ wait_nm_sync default admin_nodemap
+ wait_nm_sync default trusted_nodemap
+
+ client_ip=$(host_nids_address $HOSTNAME $NETTYPE)
+ client_nid=$(h2nettype $client_ip)
+ do_facet mgs $LCTL nodemap_add c0
+ do_facet mgs $LCTL nodemap_add_range \
+ --name c0 --range $client_nid
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property admin --value 0
+ do_facet mgs $LCTL nodemap_modify --name c0 \
+ --property trusted --value 1
+ wait_nm_sync c0 admin_nodemap
+ wait_nm_sync c0 trusted_nodemap
+
+ if $SHARED_KEY; then
+ export SK_UNIQUE_NM=true
+ # set some generic fileset to trigger SSK code
+ export FILESET=/
+ fi
+
+ # remount client to take nodemap into account
+ zconf_mount_clients $HOSTNAME $MOUNT $MOUNT_OPTS ||
+ error "remount failed"
+ unset FILESET
+
+ euid_access $USER0 $DIR/$tdir/$USER0/testdir_groups/file
+}
+run_test 55 "access with seteuid"
+
log "cleanup: ======================================================"
sec_unsetup() {