From 233656e5dbffec99421326644f64db3d4e46dbc7 Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Mon, 5 Oct 2020 21:14:09 +0900
Subject: [PATCH] LU-13498 sec: fix credentials with nodemap and SSK
When SSK is enabled, credentials are evaluated in new_init_ucred(). In case a nodemap entry is defined with squash UID/GID, it must prevail over normally mapped UID/GID.
Lustre-change: https://review.whamcloud.com/40140
Lustre-commit: 2bf6442d7d9bd452153e6b1ea08ddaae3dfb3716
Signed-off-by: Sebastien Buisson
Change-Id: I1adfd98759e5b98ec78f0477846e1820fed5d8b3
Reviewed-on: https://review.whamcloud.com/40960
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Lai Siyao
Reviewed-by: Andreas Dilger
Reviewed-by: Oleg Drokin
---
 lustre/mdt/mdt_lib.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index 2818339..d77e3ee 100644
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -215,9 +215,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 RETURN(-EACCES);
 }
- ucred->uc_fsuid = nodemap->nm_squash_uid;
- ucred->uc_fsgid = nodemap->nm_squash_gid;
- ucred->uc_cap = 0;
 ucred->uc_suppgids[0] = -1;
 ucred->uc_suppgids[1] = -1;
 }
@@ -319,8 +316,16 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 ucred->uc_uid = pud->pud_uid;
 ucred->uc_gid = pud->pud_gid;
- ucred->uc_fsuid = pud->pud_fsuid;
- ucred->uc_fsgid = pud->pud_fsgid;
+
+ if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) {
+ ucred->uc_fsuid = nodemap->nm_squash_uid;
+ ucred->uc_fsgid = nodemap->nm_squash_gid;
+ ucred->uc_cap = 0;
+ } else {
+ ucred->uc_fsuid = pud->pud_fsuid;
+ ucred->uc_fsgid = pud->pud_fsgid;
+ ucred->uc_cap = pud->pud_cap;
+ }
 /* process root_squash here. */
 mdt_root_squash(info, peernid);
-- 
1.8.3.1
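Review bot: The new `if` in the second hunk of new_init_ucred() decides squashing from the UID alone (`ucred->uc_o_uid == nodemap->nm_squash_uid`), so a request whose UID is mapped but whose GID is not falls into the `else` branch and keeps `pud->pud_fsgid` and `pud->pud_cap`. Whether those `pud` fields have already been translated through the nodemap is not visible in this hunk, so that should be confirmed, along with any later assignment to `uc_cap` that could undo the `ucred->uc_cap = 0` set here. The branch also deserves a comment stating the rule, for example `/* a squashed identity overrides the client-supplied fsuid/fsgid and carries no capabilities */`. The function starts and ends outside the hunk.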