From 2bf6442d7d9bd452153e6b1ea08ddaae3dfb3716 Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Mon, 5 Oct 2020 21:14:09 +0900
Subject: [PATCH] LU-13498 sec: fix credentials with nodemap and SSK

When SSK is enabled, credentials are evaluated in new_init_ucred(). In case a nodemap entry is defined with squash UID/GID, it must prevail over normally mapped UID/GID.

Signed-off-by: Sebastien Buisson
Change-Id: I1adfd98759e5b98ec78f0477846e1820fed5d8b3
Reviewed-on: https://review.whamcloud.com/40140
Tested-by: jenkins
Reviewed-by: Andreas Dilger
Tested-by: Maloo
Reviewed-by: Lai Siyao
Reviewed-by: Oleg Drokin
---
 lustre/mdt/mdt_lib.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index 24bc1e8..87c4a61 100644
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -214,9 +214,6 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 RETURN(-EACCES);
 }
- ucred->uc_fsuid = nodemap->nm_squash_uid;
- ucred->uc_fsgid = nodemap->nm_squash_gid;
- ucred->uc_cap = 0;
 ucred->uc_suppgids[0] = -1;
 ucred->uc_suppgids[1] = -1;
 }
@@ -318,13 +315,20 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 ucred->uc_uid = pud->pud_uid;
 ucred->uc_gid = pud->pud_gid;
- ucred->uc_fsuid = pud->pud_fsuid;
- ucred->uc_fsgid = pud->pud_fsgid;
+
+ if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid) {
+ ucred->uc_fsuid = nodemap->nm_squash_uid;
+ ucred->uc_fsgid = nodemap->nm_squash_gid;
+ ucred->uc_cap = 0;
+ } else {
+ ucred->uc_fsuid = pud->pud_fsuid;
+ ucred->uc_fsgid = pud->pud_fsgid;
+ ucred->uc_cap = pud->pud_cap;
+ }
 /* process root_squash here. */
 mdt_root_squash(info, peernid);
- ucred->uc_cap = pud->pud_cap;
 ucred->uc_valid = UCRED_NEW;
 ucred_set_jobid(info, ucred);
 ucred_set_nid(info, ucred);
--
1.8.3.1
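Review bot: The new `if (nodemap && ucred->uc_o_uid == nodemap->nm_squash_uid)` test in the second hunk decides squashing from the UID alone, so a request whose UID maps normally but whose GID was squashed would take the `else` branch and keep `pud->pud_fsgid` and `pud->pud_cap`. Whether that state can reach this point depends on the earlier part of new_init_ucred(), which starts and ends outside the hunk; if it can, the fsgid wants its own check, e.g. `if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid) ucred->uc_fsgid = nodemap->nm_squash_gid;`. The `uc_cap` assignment also moves ahead of `mdt_root_squash()`, presumably so that whatever that call does to the capabilities is no longer overwritten afterwards. The commit message does not mention this ordering, so a comment such as `/* uc_cap must be final before mdt_root_squash(); do not assign it below */` would keep a later reorder from silently restoring capabilities to a squashed identity.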