4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Use is subject to license terms.
26 * Copyright (c) 2011, 2014, Intel Corporation.
29 * This file is part of Lustre, http://www.lustre.org/
30 * Lustre is a trademark of Sun Microsystems, Inc.
48 #include <libcfs/util/param.h>
49 #include <libcfs/util/string.h>
50 #include <lnet/nidstr.h>
51 #include <lustre/lustre_user.h>
52 #include <lustre/lustre_idl.h>
54 #define PERM_PATHNAME "/etc/lustre/perm.conf"
57 * permission file format is like this:
60 * '*' nid means any nid
61 * '*' uid means any uid
62 * the valid values for perms are:
63 * setuid/setgid/setgrp/rmtacl -- enable corresponding perm
64 * nosetuid/nosetgid/nosetgrp/normtacl -- disable corresponding perm
65 * they can be listed together, separated by ',',
66 * when perm and noperm are in the same line (item), noperm is preferential,
67 * when they are in different lines (items), the latter is preferential,
68 * '*' nid is as default perm, and is not preferential.
71 static char *progname;
73 static void usage(void)
76 "\nusage: %s {mdtname} {uid}\n"
77 "Normally invoked as an upcall from Lustre, set via:\n"
78 "lctl set_param mdt.${mdtname}.identity_upcall={path to upcall}\n",
82 static int compare_u32(const void *v1, const void *v2)
84 return (*(__u32 *)v1 - *(__u32 *)v2);
87 static void errlog(const char *fmt, ...)
91 openlog(progname, LOG_PERROR | LOG_PID, LOG_AUTHPRIV);
94 vsyslog(LOG_NOTICE, fmt, args);
100 int get_groups_local(struct identity_downcall_data *data,
101 unsigned int maxgroups)
103 gid_t *groups, *groups_tmp = NULL;
104 unsigned int ngroups = 0;
111 pw = getpwuid(data->idd_uid);
113 errlog("no such user %u\n", data->idd_uid);
114 data->idd_err = errno ? errno : EIDRM;
118 data->idd_gid = pw->pw_gid;
119 namelen = sysconf(_SC_LOGIN_NAME_MAX);
120 if (namelen < _POSIX_LOGIN_NAME_MAX)
121 namelen = _POSIX_LOGIN_NAME_MAX;
123 pw_name = malloc(namelen);
125 errlog("malloc error\n");
126 data->idd_err = errno;
130 strlcpy(pw_name, pw->pw_name, namelen);
131 groups = data->idd_groups;
133 /* Allocate array of size maxgroups instead of handling two
134 * consecutive and potentially racy getgrouplist() calls. */
135 groups_tmp = malloc(maxgroups * sizeof(gid_t));
136 if (groups_tmp == NULL) {
138 data->idd_err = errno ? errno : ENOMEM;
139 errlog("malloc error=%u\n",data->idd_err);
143 ngroups_tmp = maxgroups;
144 if (getgrouplist(pw->pw_name, pw->pw_gid, groups_tmp, &ngroups_tmp) <
148 data->idd_err = errno ? errno : EIDRM;
149 errlog("getgrouplist() error for uid %u: error=%u\n",
150 data->idd_uid, data->idd_err);
154 /* Do not place user's group ID in to the resulting groups list */
155 for (i = 0; i < ngroups_tmp; i++)
156 if (pw->pw_gid != groups_tmp[i])
157 groups[ngroups++] = groups_tmp[i];
160 qsort(groups, ngroups, sizeof(*groups), compare_u32);
161 data->idd_ngroups = ngroups;
168 static inline int comment_line(char *line)
172 while (*p && (*p == ' ' || *p == '\t')) p++;
174 if (!*p || *p == '\n' || *p == '#')
179 static inline int match_uid(uid_t uid, const char *str)
184 if(!strcmp(str, "*"))
187 uid2 = strtoul(str, &end, 0);
190 return (uid == uid2);
198 static perm_type_t perm_types[] = {
199 { "setuid", CFS_SETUID_PERM },
200 { "setgid", CFS_SETGID_PERM },
201 { "setgrp", CFS_SETGRP_PERM },
205 static perm_type_t noperm_types[] = {
206 { "nosetuid", CFS_SETUID_PERM },
207 { "nosetgid", CFS_SETGID_PERM },
208 { "nosetgrp", CFS_SETGRP_PERM },
212 int parse_perm(__u32 *perm, __u32 *noperm, char *str)
223 memset(name, 0, sizeof(name));
224 end = strchr(start, ',');
226 end = str + strlen(str);
230 if (len >= sizeof(name))
232 strncpy(name, start, len);
234 for (pt = perm_types; pt->name; pt++) {
235 if (!strcasecmp(name, pt->name)) {
242 for (pt = noperm_types; pt->name; pt++) {
243 if (!strcasecmp(name, pt->name)) {
250 printf("unkown type: %s\n", name);
261 parse_perm_line(struct identity_downcall_data *data, char *line, size_t size)
270 if (data->idd_nperms >= N_PERMS_MAX) {
271 errlog("permission count %d > max %d\n",
272 data->idd_nperms, N_PERMS_MAX);
276 rc = sscanf(line, "%s %s %s", nid_str, uid_str, perm_str);
278 errlog("can't parse line %s\n", line);
282 if (!match_uid(data->idd_uid, uid_str))
285 if (!strcmp(nid_str, "*")) {
288 nid = libcfs_str2nid(nid_str);
289 if (nid == LNET_NID_ANY) {
290 errlog("can't parse nid %s\n", nid_str);
295 if (parse_perm(&perm, &noperm, perm_str)) {
296 errlog("invalid perm %s\n", perm_str);
300 /* merge the perms with the same nid.
302 * If there is LNET_NID_ANY in data->idd_perms[i].pdd_nid,
303 * it must be data->idd_perms[0].pdd_nid, and act as default perm.
305 if (nid != LNET_NID_ANY) {
308 /* search for the same nid */
309 for (i = data->idd_nperms - 1; i >= 0; i--) {
310 if (data->idd_perms[i].pdd_nid == nid) {
311 data->idd_perms[i].pdd_perm =
312 (data->idd_perms[i].pdd_perm | perm) &
319 /* NOT found, add to tail */
321 data->idd_perms[data->idd_nperms].pdd_nid = nid;
322 data->idd_perms[data->idd_nperms].pdd_perm =
327 if (data->idd_nperms > 0) {
328 /* the first one isn't LNET_NID_ANY, need exchange */
329 if (data->idd_perms[0].pdd_nid != LNET_NID_ANY) {
330 data->idd_perms[data->idd_nperms].pdd_nid =
331 data->idd_perms[0].pdd_nid;
332 data->idd_perms[data->idd_nperms].pdd_perm =
333 data->idd_perms[0].pdd_perm;
334 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
335 data->idd_perms[0].pdd_perm = perm & ~noperm;
338 /* only fix LNET_NID_ANY item */
339 data->idd_perms[0].pdd_perm =
340 (data->idd_perms[0].pdd_perm | perm) &
344 /* it is the first one, only add to head */
345 data->idd_perms[0].pdd_nid = LNET_NID_ANY;
346 data->idd_perms[0].pdd_perm = perm & ~noperm;
347 data->idd_nperms = 1;
354 int get_perms(struct identity_downcall_data *data)
359 fp = fopen(PERM_PATHNAME, "r");
361 if (errno == ENOENT) {
364 errlog("open %s failed: %s\n",
365 PERM_PATHNAME, strerror(errno));
366 data->idd_err = errno;
371 while (fgets(line, sizeof(line), fp)) {
372 if (comment_line(line))
375 if (parse_perm_line(data, line, sizeof(line))) {
376 errlog("parse line %s failed!\n", line);
377 data->idd_err = EINVAL;
387 static void show_result(struct identity_downcall_data *data)
392 errlog("failed to get identity for uid %d: %s\n",
393 data->idd_uid, strerror(data->idd_err));
397 printf("uid=%d gid=%d", data->idd_uid, data->idd_gid);
398 for (i = 0; i < data->idd_ngroups; i++)
399 printf(",%u", data->idd_groups[i]);
401 printf("permissions:\n"
403 for (i = 0; i < data->idd_nperms; i++) {
404 struct perm_downcall_data *pdd;
406 pdd = &data->idd_perms[i];
408 printf(" %#jx\t0x%x\n", (uintmax_t)pdd->pdd_nid,
414 int main(int argc, char **argv)
417 struct identity_downcall_data *data = NULL;
420 int fd, rc = -EINVAL, size, maxgroups;
422 progname = basename(argv[0]);
428 uid = strtoul(argv[2], &end, 0);
430 errlog("%s: invalid uid '%s'\n", progname, argv[2]);
434 maxgroups = sysconf(_SC_NGROUPS_MAX);
435 if (maxgroups > NGROUPS_MAX)
436 maxgroups = NGROUPS_MAX;
437 if (maxgroups == -1) {
442 size = offsetof(struct identity_downcall_data, idd_groups[maxgroups]);
445 errlog("malloc identity downcall data(%d) failed!\n", size);
450 memset(data, 0, size);
451 data->idd_magic = IDENTITY_DOWNCALL_MAGIC;
453 /* get groups for uid */
454 rc = get_groups_local(data, maxgroups);
458 size = offsetof(struct identity_downcall_data,
459 idd_groups[data->idd_ngroups]);
460 /* read permission database */
461 rc = get_perms(data);
464 if (getenv("L_GETIDENTITY_TEST")) {
470 rc = cfs_get_param_paths(&path, "mdt/%s/identity_info", argv[1]);
476 fd = open(path.gl_pathv[0], O_WRONLY);
478 errlog("can't open file '%s':%s\n", path.gl_pathv[0],
484 rc = write(fd, data, size);
487 errlog("partial write ret %d: %s\n", rc, strerror(errno));
494 cfs_free_param_data(&path);