-
- ucred->mu_valid = UCRED_INVALID;
-
- ucred->mu_o_uid = pud->pud_uid;
- ucred->mu_o_gid = pud->pud_gid;
- ucred->mu_o_fsuid = pud->pud_fsuid;
- ucred->mu_o_fsgid = pud->pud_fsgid;
-
- if (type == BODY_INIT) {
- struct mdt_body *body = (struct mdt_body *)buf;
-
- ucred->mu_suppgids[0] = body->suppgid;
- ucred->mu_suppgids[1] = -1;
- }
-
- /* sanity check: we expect the uid which client claimed is true */
- if (med->med_rmtclient) {
- if (req->rq_auth_mapped_uid == INVALID_UID) {
- CDEBUG(D_SEC, "remote user not mapped, deny access!\n");
- RETURN(-EACCES);
- }
-
- if (ptlrpc_user_desc_do_idmap(req, pud))
- RETURN(-EACCES);
-
- if (req->rq_auth_mapped_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "remote client %s: auth/mapped uid %u/%u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- req->rq_auth_mapped_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- } else {
- if (req->rq_auth_uid != pud->pud_uid) {
- CDEBUG(D_SEC, "local client %s: auth uid %u "
- "while client claims %u:%u/%u:%u\n",
- libcfs_nid2str(peernid), req->rq_auth_uid,
- pud->pud_uid, pud->pud_gid,
- pud->pud_fsuid, pud->pud_fsgid);
- RETURN(-EACCES);
- }
- }
-
- if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- if (med->med_rmtclient) {
- CDEBUG(D_SEC, "remote client must run with identity_get "
- "enabled!\n");
- RETURN(-EACCES);
- } else {
- ucred->mu_identity = NULL;
- perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
- CFS_SETGRP_PERM;
- }
- } else {
- struct md_identity *identity;
-
- identity = mdt_identity_get(mdt->mdt_identity_cache,
- pud->pud_uid);
- if (IS_ERR(identity)) {
- if (unlikely(PTR_ERR(identity) == -EREMCHG &&
- !med->med_rmtclient)) {
- ucred->mu_identity = NULL;
- perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
- CFS_SETGRP_PERM;
- } else {
- CDEBUG(D_SEC, "Deny access without identity: uid %u\n",
- pud->pud_uid);
- RETURN(-EACCES);
- }
- } else {
- ucred->mu_identity = identity;
- perm = mdt_identity_get_perm(ucred->mu_identity,
- med->med_rmtclient,
- peernid);
- }
- }
-
- /* find out the setuid/setgid attempt */
- setuid = (pud->pud_uid != pud->pud_fsuid);
- setgid = ((pud->pud_gid != pud->pud_fsgid) ||
- (ucred->mu_identity &&
- (pud->pud_gid != ucred->mu_identity->mi_gid)));
+ LASSERT(ucred != NULL);
+
+ ucred->uc_valid = UCRED_INVALID;
+
+ ucred->uc_o_uid = pud->pud_uid;
+ ucred->uc_o_gid = pud->pud_gid;
+ ucred->uc_o_fsuid = pud->pud_fsuid;
+ ucred->uc_o_fsgid = pud->pud_fsgid;
+
+ if (type == BODY_INIT) {
+ struct mdt_body *body = (struct mdt_body *)buf;
+
+ ucred->uc_suppgids[0] = body->mbo_suppgid;
+ ucred->uc_suppgids[1] = -1;
+ }
+
+ if (!flvr_is_rootonly(req->rq_flvr.sf_rpc) &&
+ req->rq_auth_uid != pud->pud_uid) {
+ CDEBUG(D_SEC, "local client %s: auth uid %u "
+ "while client claims %u:%u/%u:%u\n",
+ libcfs_nid2str(peernid), req->rq_auth_uid,
+ pud->pud_uid, pud->pud_gid,
+ pud->pud_fsuid, pud->pud_fsgid);
+ RETURN(-EACCES);
+ }
+
+ if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
+ ucred->uc_identity = NULL;
+ perm = CFS_SETUID_PERM | CFS_SETGID_PERM | CFS_SETGRP_PERM;
+ } else {
+ struct md_identity *identity;
+
+ identity = mdt_identity_get(mdt->mdt_identity_cache,
+ pud->pud_uid);
+ if (IS_ERR(identity)) {
+ if (unlikely(PTR_ERR(identity) == -EREMCHG)) {
+ ucred->uc_identity = NULL;
+ perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
+ CFS_SETGRP_PERM;
+ } else {
+ CDEBUG(D_SEC,
+ "Deny access without identity: uid %u\n",
+ pud->pud_uid);
+ RETURN(-EACCES);
+ }
+ } else {
+ ucred->uc_identity = identity;
+ perm = mdt_identity_get_perm(ucred->uc_identity,
+ peernid);
+ }
+ }
+
+ /* find out the setuid/setgid attempt */
+ setuid = (pud->pud_uid != pud->pud_fsuid);
+ setgid = ((pud->pud_gid != pud->pud_fsgid) ||
+ (ucred->uc_identity &&
+ (pud->pud_gid != ucred->uc_identity->mi_gid)));