/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, 2016 by Delphix. All rights reserved. * Copyright 2016 Nexenta Systems, Inc. All rights reserved. * Copyright 2022 RackTop Systems. */ /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ /* All Rights Reserved */ /* * Portions of this source code were derived from Berkeley 4.3 BSD * under license from the Regents of the University of California. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "../../fslib.h" #include #include #include "../lib/sharetab.h" #include "mountd.h" #include #include #include #include #include #include #include #include #include "smfcfg.h" #include #include #include #include #include extern int daemonize_init(void); extern void daemonize_fini(int); extern int _nfssys(int, void *); struct sh_list *share_list; rwlock_t sharetab_lock; /* lock to protect the cached sharetab */ static mutex_t mnttab_lock; /* prevent concurrent mnttab readers */ static mutex_t logging_queue_lock; static cond_t logging_queue_cv; static share_t *find_lofsentry(char *, int *); static int getclientsflavors_old(share_t *, struct cln *, int *); static int getclientsflavors_new(share_t *, struct cln *, int *); static int check_client_old(share_t *, struct cln *, int, uid_t, gid_t, uint_t, gid_t *, uid_t *, gid_t *, uint_t *, gid_t **); static int check_client_new(share_t *, struct cln *, int, uid_t, gid_t, uint_t, gid_t *, uid_t *, gid_t *i, uint_t *, gid_t **); static void mnt(struct svc_req *, SVCXPRT *); static void mnt_pathconf(struct svc_req *); static int mount(struct svc_req *r); static void sh_free(struct sh_list *); static void umount(struct svc_req *); static void umountall(struct svc_req *); static int newopts(char *); static tsol_tpent_t *get_client_template(struct sockaddr *); static int debug; static int verbose; static int rejecting; static int mount_vers_min = MOUNTVERS; static int mount_vers_max = MOUNTVERS3; static int mountd_port = 0; static boolean_t mountd_remote_dump = B_FALSE; extern void nfscmd_func(void *, char *, size_t, door_desc_t *, uint_t); thread_t nfsauth_thread; thread_t cmd_thread; thread_t logging_thread; typedef struct logging_data { char *ld_host; char *ld_path; char *ld_rpath; int ld_status; char *ld_netid; struct netbuf *ld_nb; struct logging_data *ld_next; } logging_data; static logging_data *logging_head = NULL; static logging_data *logging_tail = NULL; /* * Our copy of some system variables obtained using sysconf(3c) */ static long ngroups_max; /* _SC_NGROUPS_MAX */ static long pw_size; /* _SC_GETPW_R_SIZE_MAX */ /* Cached address info for this host. */ static struct addrinfo *host_ai = NULL; static void * nfsauth_svc(void *arg __unused) { int doorfd = -1; uint_t darg; #ifdef DEBUG int dfd; #endif if ((doorfd = door_create(nfsauth_func, NULL, DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) == -1) { syslog(LOG_ERR, "Unable to create door: %m\n"); exit(10); } #ifdef DEBUG /* * Create a file system path for the door */ if ((dfd = open(MOUNTD_DOOR, O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { syslog(LOG_ERR, "Unable to open %s: %m\n", MOUNTD_DOOR); (void) close(doorfd); exit(11); } /* * Clean up any stale namespace associations */ (void) fdetach(MOUNTD_DOOR); /* * Register in namespace to pass to the kernel to door_ki_open */ if (fattach(doorfd, MOUNTD_DOOR) == -1) { syslog(LOG_ERR, "Unable to fattach door: %m\n"); (void) close(dfd); (void) close(doorfd); exit(12); } (void) close(dfd); #endif /* * Must pass the doorfd down to the kernel. */ darg = doorfd; (void) _nfssys(MOUNTD_ARGS, &darg); /* * Wait for incoming calls */ /*CONSTCOND*/ for (;;) (void) pause(); /*NOTREACHED*/ syslog(LOG_ERR, gettext("Door server exited")); return (NULL); } /* * NFS command service thread code for setup and handling of the * nfs_cmd requests for character set conversion and other future * events. */ static void * cmd_svc(void *arg) { int doorfd = -1; uint_t darg; if ((doorfd = door_create(nfscmd_func, NULL, DOOR_REFUSE_DESC | DOOR_NO_CANCEL)) == -1) { syslog(LOG_ERR, "Unable to create cmd door: %m\n"); exit(10); } /* * Must pass the doorfd down to the kernel. */ darg = doorfd; (void) _nfssys(NFSCMD_ARGS, &darg); /* * Wait for incoming calls */ /*CONSTCOND*/ for (;;) (void) pause(); /*NOTREACHED*/ syslog(LOG_ERR, gettext("Cmd door server exited")); return (NULL); } static void free_logging_data(logging_data *lq) { if (lq != NULL) { free(lq->ld_host); free(lq->ld_netid); if (lq->ld_nb != NULL) { free(lq->ld_nb->buf); free(lq->ld_nb); } free(lq->ld_path); free(lq->ld_rpath); free(lq); } } static logging_data * remove_head_of_queue(void) { logging_data *lq; /* * Pull it off the queue. */ lq = logging_head; if (lq) { logging_head = lq->ld_next; /* * Drained it. */ if (logging_head == NULL) { logging_tail = NULL; } } return (lq); } static void do_logging_queue(logging_data *lq) { int cleared = 0; char *host; while (lq) { struct cln cln; if (lq->ld_host == NULL) { DTRACE_PROBE(mountd, name_by_lazy); cln_init_lazy(&cln, lq->ld_netid, lq->ld_nb); host = cln_gethost(&cln); } else host = lq->ld_host; audit_mountd_mount(host, lq->ld_path, lq->ld_status); /* BSM */ /* add entry to mount list */ if (lq->ld_rpath) mntlist_new(host, lq->ld_rpath); if (lq->ld_host == NULL) cln_fini(&cln); free_logging_data(lq); cleared++; (void) mutex_lock(&logging_queue_lock); lq = remove_head_of_queue(); (void) mutex_unlock(&logging_queue_lock); } DTRACE_PROBE1(mountd, logging_cleared, cleared); } static void * logging_svc(void *arg __unused) { logging_data *lq; for (;;) { (void) mutex_lock(&logging_queue_lock); while (logging_head == NULL) { (void) cond_wait(&logging_queue_cv, &logging_queue_lock); } lq = remove_head_of_queue(); (void) mutex_unlock(&logging_queue_lock); do_logging_queue(lq); } /*NOTREACHED*/ syslog(LOG_ERR, gettext("Logging server exited")); return (NULL); } /* * This function is called for each configured network type to * bind and register our RPC service programs. * * On TCP or UDP, we may want to bind MOUNTPROG on a specific port * (when mountd_port is specified) in which case we'll use the * variant of svc_tp_create() that lets us pass a bind address. */ static void md_svc_tp_create(struct netconfig *nconf) { char port_str[8]; struct nd_hostserv hs; struct nd_addrlist *al = NULL; SVCXPRT *xprt = NULL; rpcvers_t vers; vers = mount_vers_max; /* * If mountd_port is set and this is an inet transport, * bind this service on the specified port. The TLI way * to create such a bind address is netdir_getbyname() * with the special "host" HOST_SELF_BIND. This builds * an all-zeros IP address with the specified port. */ if (mountd_port != 0 && (strcmp(nconf->nc_protofmly, NC_INET) == 0 || strcmp(nconf->nc_protofmly, NC_INET6) == 0)) { int err; (void) snprintf(port_str, sizeof (port_str), "%u", (unsigned short)mountd_port); hs.h_host = HOST_SELF_BIND; hs.h_serv = port_str; err = netdir_getbyname((struct netconfig *)nconf, &hs, &al); if (err == 0 && al != NULL) { xprt = svc_tp_create_addr(mnt, MOUNTPROG, vers, nconf, al->n_addrs); netdir_free(al, ND_ADDRLIST); } if (xprt == NULL) { syslog(LOG_ERR, "mountd: unable to create " "(MOUNTD,%d) on transport %s (port %d)", vers, nconf->nc_netid, mountd_port); } /* fall-back to default bind */ } if (xprt == NULL) { /* * Had mountd_port=0, or non-inet transport, * or the bind to a specific port failed. * Do a default bind. */ xprt = svc_tp_create(mnt, MOUNTPROG, vers, nconf); } if (xprt == NULL) { syslog(LOG_ERR, "mountd: unable to create " "(MOUNTD,%d) on transport %s", vers, nconf->nc_netid); return; } /* * Register additional versions on this transport. */ while (--vers >= mount_vers_min) { if (!svc_reg(xprt, MOUNTPROG, vers, mnt, nconf)) { (void) syslog(LOG_ERR, "mountd: " "failed to register vers %d on %s", vers, nconf->nc_netid); } } } int main(int argc, char *argv[]) { int pid; int c; int rpc_svc_fdunlim = 1; int rpc_svc_mode = RPC_SVC_MT_AUTO; int maxrecsz = RPC_MAXDATASIZE; bool_t exclbind = TRUE; bool_t can_do_mlp; long thr_flags = (THR_NEW_LWP|THR_DAEMON); char defval[5]; int ret, bufsz; struct rlimit rl; int listen_backlog = 0; int max_threads = 0; int tmp; struct netconfig *nconf; NCONF_HANDLE *nc; const char *errstr; int pipe_fd = -1; char hostbuf[256]; /* * Mountd requires uid 0 for: * /etc/rmtab updates (we could chown it to daemon) * /etc/dfs/dfstab reading (it wants to lock out share which * doesn't do any locking before first truncate; * NFS share does; should use fcntl locking instead) * Needed privileges: * auditing * nfs syscall * file dac search (so it can stat all files) * Optional privileges: * MLP */ can_do_mlp = priv_ineffect(PRIV_NET_BINDMLP); if (__init_daemon_priv(PU_RESETGROUPS|PU_CLEARLIMITSET, -1, -1, PRIV_SYS_NFS, PRIV_PROC_AUDIT, PRIV_FILE_DAC_SEARCH, PRIV_NET_PRIVADDR, can_do_mlp ? PRIV_NET_BINDMLP : NULL, NULL) == -1) { (void) fprintf(stderr, "%s: must be run with sufficient privileges\n", argv[0]); exit(1); } if (getrlimit(RLIMIT_NOFILE, &rl) != 0) { syslog(LOG_ERR, "getrlimit failed"); } else { rl.rlim_cur = rl.rlim_max; if (setrlimit(RLIMIT_NOFILE, &rl) != 0) syslog(LOG_ERR, "setrlimit failed"); } (void) enable_extended_FILE_stdio(-1, -1); /* Upgrade SMF settings, if necessary. */ nfs_config_upgrade(NFSD); ret = nfs_smf_get_iprop("mountd_max_threads", &max_threads, DEFAULT_INSTANCE, SCF_TYPE_INTEGER, NFSD); if (ret != SA_OK) { syslog(LOG_ERR, "Reading of mountd_max_threads from SMF " "failed, using default value"); } ret = nfs_smf_get_iprop("mountd_port", &mountd_port, DEFAULT_INSTANCE, SCF_TYPE_INTEGER, NFSD); if (ret != SA_OK) { syslog(LOG_ERR, "Reading of mountd_port from SMF " "failed, using default value"); } while ((c = getopt(argc, argv, "dvrm:p:")) != EOF) { switch (c) { case 'd': debug++; break; case 'v': verbose++; break; case 'r': rejecting = 1; break; case 'm': tmp = strtonum(optarg, 1, INT_MAX, &errstr); if (errstr != NULL) { (void) fprintf(stderr, "%s: invalid " "max_threads option: %s, using defaults\n", argv[0], errstr); break; } max_threads = tmp; break; case 'p': tmp = strtonum(optarg, 1, UINT16_MAX, &errstr); if (errstr != NULL) { (void) fprintf(stderr, "%s: invalid port " "number: %s\n", argv[0], errstr); break; } mountd_port = tmp; break; default: fprintf(stderr, "usage: mountd [-v] [-r]\n"); exit(1); } } /* * One might be tempted to use the NFS configuration values * server_versmin, server_versmax to constrain the range of * mountd versions supported here. However, older clients * use mountd V1 for showmount, so just leave all mountd * versions enabled here. (mount_vers_min, mount_vers_max) */ ret = nfs_smf_get_iprop("mountd_listen_backlog", &listen_backlog, DEFAULT_INSTANCE, SCF_TYPE_INTEGER, NFSD); if (ret != SA_OK) { syslog(LOG_ERR, "Reading of mountd_listen_backlog from SMF " "failed, using default value"); } bufsz = sizeof (defval); ret = nfs_smf_get_prop("mountd_remote_dump", defval, DEFAULT_INSTANCE, SCF_TYPE_BOOLEAN, NFSD, &bufsz); if (ret == SA_OK) { mountd_remote_dump = string_to_boolean(defval); } if (!mountd_remote_dump) { /* Cache host address list */ if (gethostname(hostbuf, sizeof (hostbuf)) < 0) { syslog(LOG_ERR, "gethostname() failed"); exit(1); } if (getaddrinfo(hostbuf, NULL, NULL, &host_ai) != 0) { syslog(LOG_ERR, "getaddrinfo() failed"); exit(1); } } /* * Sanity check versions, * even though we may get versions > MOUNTVERS3, we still need * to start nfsauth service, so continue on regardless of values. */ if (mount_vers_max > MOUNTVERS3) mount_vers_max = MOUNTVERS3; if (mount_vers_min > mount_vers_max) { fprintf(stderr, "server_versmin > server_versmax\n"); mount_vers_max = mount_vers_min; } (void) setlocale(LC_ALL, ""); (void) rwlock_init(&sharetab_lock, USYNC_THREAD, NULL); (void) mutex_init(&mnttab_lock, USYNC_THREAD, NULL); (void) mutex_init(&logging_queue_lock, USYNC_THREAD, NULL); (void) cond_init(&logging_queue_cv, USYNC_THREAD, NULL); netgroup_init(); #if !defined(TEXT_DOMAIN) #define TEXT_DOMAIN "SYS_TEST" #endif (void) textdomain(TEXT_DOMAIN); /* Don't drop core if the NFS module isn't loaded. */ (void) signal(SIGSYS, SIG_IGN); if (!debug) pipe_fd = daemonize_init(); /* * If we coredump it'll be in /core */ if (chdir("/") < 0) fprintf(stderr, "chdir /: %s\n", strerror(errno)); if (!debug) openlog("mountd", LOG_PID, LOG_DAEMON); /* * establish our lock on the lock file and write our pid to it. * exit if some other process holds the lock, or if there's any * error in writing/locking the file. */ pid = _enter_daemon_lock(MOUNTD); switch (pid) { case 0: break; case -1: fprintf(stderr, "error locking for %s: %s\n", MOUNTD, strerror(errno)); exit(2); default: /* daemon was already running */ exit(0); } audit_mountd_setup(); /* BSM */ /* * Get required system variables */ if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) == -1) { syslog(LOG_ERR, "Unable to get _SC_NGROUPS_MAX"); exit(1); } if ((pw_size = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) { syslog(LOG_ERR, "Unable to get _SC_GETPW_R_SIZE_MAX"); exit(1); } /* * Set number of file descriptors to unlimited */ if (!rpc_control(RPC_SVC_USE_POLLFD, &rpc_svc_fdunlim)) { syslog(LOG_INFO, "unable to set number of FDs to unlimited"); } /* * Tell RPC that we want automatic thread mode. * A new thread will be spawned for each request. */ if (!rpc_control(RPC_SVC_MTMODE_SET, &rpc_svc_mode)) { fprintf(stderr, "unable to set automatic MT mode\n"); exit(1); } /* * Enable non-blocking mode and maximum record size checks for * connection oriented transports. */ if (!rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrecsz)) { fprintf(stderr, "unable to set RPC max record size\n"); } /* * Prevent our non-priv udp and tcp ports bound w/wildcard addr * from being hijacked by a bind to a more specific addr. */ if (!rpc_control(__RPC_SVC_EXCLBIND_SET, &exclbind)) { fprintf(stderr, "warning: unable to set udp/tcp EXCLBIND\n"); } /* * Set the maximum number of outstanding connection * indications (listen backlog) to the value specified. */ if (listen_backlog > 0 && !rpc_control(__RPC_SVC_LSTNBKLOG_SET, &listen_backlog)) { fprintf(stderr, "unable to set listen backlog\n"); exit(1); } /* * If max_threads was specified, then set the * maximum number of threads to the value specified. */ if (max_threads > 0 && !rpc_control(RPC_SVC_THRMAX_SET, &max_threads)) { fprintf(stderr, "unable to set max_threads\n"); exit(1); } if (mountd_port < 0 || mountd_port > UINT16_MAX) { fprintf(stderr, "unable to use specified port\n"); exit(1); } /* * Make sure to unregister any previous versions in case the * user is reconfiguring the server in interesting ways. */ svc_unreg(MOUNTPROG, MOUNTVERS); svc_unreg(MOUNTPROG, MOUNTVERS_POSIX); svc_unreg(MOUNTPROG, MOUNTVERS3); /* * Create the nfsauth thread with same signal disposition * as the main thread. We need to create a separate thread * since mountd() will be both an RPC server (for remote * traffic) _and_ a doors server (for kernel upcalls). */ if (thr_create(NULL, 0, nfsauth_svc, 0, thr_flags, &nfsauth_thread)) { fprintf(stderr, gettext("Failed to create NFSAUTH svc thread\n")); exit(2); } /* * Create the cmd service thread with same signal disposition * as the main thread. We need to create a separate thread * since mountd() will be both an RPC server (for remote * traffic) _and_ a doors server (for kernel upcalls). */ if (thr_create(NULL, 0, cmd_svc, 0, thr_flags, &cmd_thread)) { syslog(LOG_ERR, gettext("Failed to create CMD svc thread")); exit(2); } /* * Create an additional thread to service the rmtab and * audit_mountd_mount logging for mount requests. Use the same * signal disposition as the main thread. We create * a separate thread to allow the mount request threads to * clear as soon as possible. */ if (thr_create(NULL, 0, logging_svc, 0, thr_flags, &logging_thread)) { syslog(LOG_ERR, gettext("Failed to create LOGGING svc thread")); exit(2); } /* * Enumerate network transports and create service listeners * as appropriate for each. */ if ((nc = setnetconfig()) == NULL) { syslog(LOG_ERR, "setnetconfig failed: %m"); return (-1); } while ((nconf = getnetconfig(nc)) != NULL) { /* * Skip things like tpi_raw, invisible... */ if ((nconf->nc_flag & NC_VISIBLE) == 0) continue; if (nconf->nc_semantics != NC_TPI_CLTS && nconf->nc_semantics != NC_TPI_COTS && nconf->nc_semantics != NC_TPI_COTS_ORD) continue; md_svc_tp_create(nconf); } (void) endnetconfig(nc); /* * Start serving */ rmtab_load(); daemonize_fini(pipe_fd); /* Get rid of the most dangerous basic privileges. */ __fini_daemon_priv(PRIV_PROC_EXEC, PRIV_PROC_INFO, PRIV_PROC_SESSION, (char *)NULL); svc_run(); syslog(LOG_ERR, "Error: svc_run shouldn't have returned"); abort(); /* NOTREACHED */ return (0); } /* * copied from usr/src/uts/common/klm/nlm_impl.c */ static bool_t caller_is_local(SVCXPRT *transp) { struct addrinfo *a; char *netid; struct netbuf *rtaddr; struct sockaddr_storage addr; bool_t rv = FALSE; netid = transp->xp_netid; rtaddr = svc_getrpccaller(transp); if (netid == NULL) return (FALSE); if (strcmp(netid, "ticlts") == 0 || strcmp(netid, "ticotsord") == 0) return (TRUE); if (strcmp(netid, "tcp") == 0 || strcmp(netid, "udp") == 0) { struct sockaddr_in *sin = (void *)rtaddr->buf; if (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) return (TRUE); memmove(&addr, sin, sizeof (*sin)); } if (strcmp(netid, "tcp6") == 0 || strcmp(netid, "udp6") == 0) { struct sockaddr_in6 *sin6 = (void *)rtaddr->buf; if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr)) return (TRUE); memmove(&addr, sin6, sizeof (*sin6)); } for (a = host_ai; a != NULL; a = a->ai_next) { if (sockaddrcmp(&addr, (struct sockaddr_storage *)a->ai_addr)) { rv = TRUE; break; } } return (rv); } /* * Server procedure switch routine */ void mnt(struct svc_req *rqstp, SVCXPRT *transp) { switch (rqstp->rq_proc) { case NULLPROC: errno = 0; if (!svc_sendreply(transp, xdr_void, (char *)0)) log_cant_reply(transp); return; case MOUNTPROC_MNT: (void) mount(rqstp); return; case MOUNTPROC_DUMP: if (mountd_remote_dump || caller_is_local(transp)) mntlist_send(transp); else svcerr_noproc(transp); return; case MOUNTPROC_UMNT: umount(rqstp); return; case MOUNTPROC_UMNTALL: umountall(rqstp); return; case MOUNTPROC_EXPORT: case MOUNTPROC_EXPORTALL: export(rqstp); return; case MOUNTPROC_PATHCONF: if (rqstp->rq_vers == MOUNTVERS_POSIX) mnt_pathconf(rqstp); else svcerr_noproc(transp); return; default: svcerr_noproc(transp); return; } } void log_cant_reply_cln(struct cln *cln) { int saverrno; char *host; saverrno = errno; /* save error code */ host = cln_gethost(cln); if (host == NULL) return; errno = saverrno; if (errno == 0) syslog(LOG_ERR, "couldn't send reply to %s", host); else syslog(LOG_ERR, "couldn't send reply to %s: %m", host); } void log_cant_reply(SVCXPRT *transp) { int saverrno; struct cln cln; saverrno = errno; /* save error code */ cln_init(&cln, transp); errno = saverrno; log_cant_reply_cln(&cln); cln_fini(&cln); } /* * Answer pathconf questions for the mount point fs */ static void mnt_pathconf(struct svc_req *rqstp) { SVCXPRT *transp; struct pathcnf p; char *path, rpath[MAXPATHLEN]; struct stat st; transp = rqstp->rq_xprt; path = NULL; (void) memset((caddr_t)&p, 0, sizeof (p)); if (!svc_getargs(transp, xdr_dirpath, (caddr_t)&path)) { svcerr_decode(transp); return; } if (lstat(path, &st) < 0) { _PC_SET(_PC_ERROR, p.pc_mask); goto done; } /* * Get a path without symbolic links. */ if (realpath(path, rpath) == NULL) { syslog(LOG_DEBUG, "mount request: realpath failed on %s: %m", path); _PC_SET(_PC_ERROR, p.pc_mask); goto done; } (void) memset((caddr_t)&p, 0, sizeof (p)); /* * can't ask about devices over NFS */ _PC_SET(_PC_MAX_CANON, p.pc_mask); _PC_SET(_PC_MAX_INPUT, p.pc_mask); _PC_SET(_PC_PIPE_BUF, p.pc_mask); _PC_SET(_PC_VDISABLE, p.pc_mask); errno = 0; p.pc_link_max = pathconf(rpath, _PC_LINK_MAX); if (errno) _PC_SET(_PC_LINK_MAX, p.pc_mask); p.pc_name_max = pathconf(rpath, _PC_NAME_MAX); if (errno) _PC_SET(_PC_NAME_MAX, p.pc_mask); p.pc_path_max = pathconf(rpath, _PC_PATH_MAX); if (errno) _PC_SET(_PC_PATH_MAX, p.pc_mask); if (pathconf(rpath, _PC_NO_TRUNC) == 1) _PC_SET(_PC_NO_TRUNC, p.pc_mask); if (pathconf(rpath, _PC_CHOWN_RESTRICTED) == 1) _PC_SET(_PC_CHOWN_RESTRICTED, p.pc_mask); done: errno = 0; if (!svc_sendreply(transp, xdr_ppathcnf, (char *)&p)) log_cant_reply(transp); if (path != NULL) (void) svc_freeargs(transp, xdr_dirpath, (caddr_t)&path); } /* * If the rootmount (export) option is specified, the all mount requests for * subdirectories return EACCES. */ static int checkrootmount(share_t *sh, char *rpath) { char *val; if ((val = getshareopt(sh->sh_opts, SHOPT_NOSUB)) != NULL) { free(val); if (strcmp(sh->sh_path, rpath) != 0) return (0); else return (1); } else return (1); } #define MAX_FLAVORS 128 /* * Return only EACCES if client does not have access * to this directory. * "If the server exports only /a/b, an attempt to * mount a/b/c will fail with ENOENT if the directory * does not exist"... However, if the client * does not have access to /a/b, an attacker can * determine whether the directory exists. * This routine checks either existence of the file or * existence of the file name entry in the mount table. * If the file exists and there is no file name entry, * the error returned should be EACCES. * If the file does not exist, it must be determined * whether the client has access to a parent * directory. If the client has access to a parent * directory, the error returned should be ENOENT, * otherwise EACCES. */ static int mount_enoent_error(struct cln *cln, char *path, char *rpath, int *flavor_list) { char *checkpath, *dp; share_t *sh = NULL; int realpath_error = ENOENT, reply_error = EACCES, lofs_tried = 0; int flavor_count; checkpath = strdup(path); if (checkpath == NULL) { syslog(LOG_ERR, "mount_enoent: no memory"); return (EACCES); } /* CONSTCOND */ while (1) { if (sh) { sharefree(sh); sh = NULL; } if ((sh = findentry(rpath)) == NULL && (sh = find_lofsentry(rpath, &lofs_tried)) == NULL) { /* * There is no file name entry. * If the file (with symbolic links resolved) exists, * the error returned should be EACCES. */ if (realpath_error == 0) break; } else if (checkrootmount(sh, rpath) == 0) { /* * This is a "nosub" only export, in which case, * mounting subdirectories isn't allowed. * If the file (with symbolic links resolved) exists, * the error returned should be EACCES. */ if (realpath_error == 0) break; } else { /* * Check permissions in mount table. */ if (newopts(sh->sh_opts)) flavor_count = getclientsflavors_new(sh, cln, flavor_list); else flavor_count = getclientsflavors_old(sh, cln, flavor_list); if (flavor_count != 0) { /* * Found entry in table and * client has correct permissions. */ reply_error = ENOENT; break; } } /* * Check all parent directories. */ dp = strrchr(checkpath, '/'); if (dp == NULL) break; *dp = '\0'; if (strlen(checkpath) == 0) break; /* * Get the real path (no symbolic links in it) */ if (realpath(checkpath, rpath) == NULL) { if (errno != ENOENT) break; } else { realpath_error = 0; } } if (sh) sharefree(sh); free(checkpath); return (reply_error); } /* * We need to inform the caller whether or not we were * able to add a node to the queue. If we are not, then * it is up to the caller to go ahead and log the data. */ static int enqueue_logging_data(char *host, SVCXPRT *transp, char *path, char *rpath, int status, int error) { logging_data *lq; struct netbuf *nb; lq = (logging_data *)calloc(1, sizeof (logging_data)); if (lq == NULL) goto cleanup; /* * We might not yet have the host... */ if (host) { DTRACE_PROBE1(mountd, log_host, host); lq->ld_host = strdup(host); if (lq->ld_host == NULL) goto cleanup; } else { DTRACE_PROBE(mountd, log_no_host); lq->ld_netid = strdup(transp->xp_netid); if (lq->ld_netid == NULL) goto cleanup; lq->ld_nb = calloc(1, sizeof (struct netbuf)); if (lq->ld_nb == NULL) goto cleanup; nb = svc_getrpccaller(transp); if (nb == NULL) { DTRACE_PROBE(mountd, e__nb__enqueue); goto cleanup; } DTRACE_PROBE(mountd, nb_set_enqueue); lq->ld_nb->maxlen = nb->maxlen; lq->ld_nb->len = nb->len; lq->ld_nb->buf = malloc(lq->ld_nb->len); if (lq->ld_nb->buf == NULL) goto cleanup; bcopy(nb->buf, lq->ld_nb->buf, lq->ld_nb->len); } lq->ld_path = strdup(path); if (lq->ld_path == NULL) goto cleanup; if (!error) { lq->ld_rpath = strdup(rpath); if (lq->ld_rpath == NULL) goto cleanup; } lq->ld_status = status; /* * Add to the tail of the logging queue. */ (void) mutex_lock(&logging_queue_lock); if (logging_tail == NULL) { logging_tail = logging_head = lq; } else { logging_tail->ld_next = lq; logging_tail = lq; } (void) cond_signal(&logging_queue_cv); (void) mutex_unlock(&logging_queue_lock); return (TRUE); cleanup: free_logging_data(lq); return (FALSE); } #define CLN_CLNAMES (1 << 0) #define CLN_HOST (1 << 1) static void cln_init_common(struct cln *cln, SVCXPRT *transp, char *netid, struct netbuf *nbuf) { if ((cln->transp = transp) != NULL) { assert(netid == NULL && nbuf == NULL); cln->netid = transp->xp_netid; cln->nbuf = svc_getrpccaller(transp); } else { cln->netid = netid; cln->nbuf = nbuf; } cln->nconf = NULL; cln->clnames = NULL; cln->host = NULL; cln->flags = 0; } void cln_init(struct cln *cln, SVCXPRT *transp) { cln_init_common(cln, transp, NULL, NULL); } void cln_init_lazy(struct cln *cln, char *netid, struct netbuf *nbuf) { cln_init_common(cln, NULL, netid, nbuf); } void cln_fini(struct cln *cln) { if (cln->nconf != NULL) freenetconfigent(cln->nconf); if (cln->clnames != NULL) netdir_free(cln->clnames, ND_HOSTSERVLIST); free(cln->host); } struct netbuf * cln_getnbuf(struct cln *cln) { return (cln->nbuf); } struct nd_hostservlist * cln_getclientsnames(struct cln *cln) { if ((cln->flags & CLN_CLNAMES) == 0) { /* * nconf is not needed if we do not have nbuf (see * cln_gethost() too), so we check for nbuf and in a case it is * NULL we do not try to get nconf. */ if (cln->netid != NULL && cln->nbuf != NULL) { cln->nconf = getnetconfigent(cln->netid); if (cln->nconf == NULL) syslog(LOG_ERR, "%s: getnetconfigent failed", cln->netid); } if (cln->nconf != NULL && cln->nbuf != NULL) (void) __netdir_getbyaddr_nosrv(cln->nconf, &cln->clnames, cln->nbuf); cln->flags |= CLN_CLNAMES; } return (cln->clnames); } /* * Return B_TRUE if the host is already available at no cost */ boolean_t cln_havehost(struct cln *cln) { return ((cln->flags & (CLN_CLNAMES | CLN_HOST)) != 0); } char * cln_gethost(struct cln *cln) { if (cln_getclientsnames(cln) != NULL) return (cln->clnames->h_hostservs[0].h_host); if ((cln->flags & CLN_HOST) == 0) { if (cln->nconf == NULL || cln->nbuf == NULL) { cln->host = strdup("(anon)"); } else { char host[MAXIPADDRLEN]; if (strcmp(cln->nconf->nc_protofmly, NC_INET) == 0) { struct sockaddr_in *sa; /* LINTED pointer alignment */ sa = (struct sockaddr_in *)(cln->nbuf->buf); (void) inet_ntoa_r(sa->sin_addr, host); cln->host = strdup(host); } else if (strcmp(cln->nconf->nc_protofmly, NC_INET6) == 0) { struct sockaddr_in6 *sa; /* LINTED pointer alignment */ sa = (struct sockaddr_in6 *)(cln->nbuf->buf); (void) inet_ntop(AF_INET6, sa->sin6_addr.s6_addr, host, INET6_ADDRSTRLEN); cln->host = strdup(host); } else { syslog(LOG_ERR, gettext("Client's address is " "neither IPv4 nor IPv6")); cln->host = strdup("(anon)"); } } cln->flags |= CLN_HOST; } return (cln->host); } /* * Check mount requests, add to mounted list if ok */ static int mount(struct svc_req *rqstp) { SVCXPRT *transp; int version, vers; struct fhstatus fhs; struct mountres3 mountres3; char fh[FHSIZE3]; int len = FHSIZE3; char *path, rpath[MAXPATHLEN]; share_t *sh = NULL; struct cln cln; char *host = NULL; int error = 0, lofs_tried = 0, enqueued; int flavor_list[MAX_FLAVORS]; int flavor_count; ucred_t *uc = NULL; int audit_status; transp = rqstp->rq_xprt; version = rqstp->rq_vers; path = NULL; if (!svc_getargs(transp, xdr_dirpath, (caddr_t)&path)) { svcerr_decode(transp); return (EACCES); } cln_init(&cln, transp); /* * Put off getting the name for the client until we * need it. This is a performance gain. If we are logging, * then we don't care about performance and might as well * get the host name now in case we need to spit out an * error message. */ if (verbose) { DTRACE_PROBE(mountd, name_by_verbose); if ((host = cln_gethost(&cln)) == NULL) { /* * We failed to get a name for the client, even * 'anon', probably because we ran out of memory. * In this situation it doesn't make sense to * allow the mount to succeed. */ error = EACCES; goto reply; } } /* * If the version being used is less than the minimum version, * the filehandle translation should not be provided to the * client. */ if (rejecting || version < mount_vers_min) { if (verbose) syslog(LOG_NOTICE, "Rejected mount: %s for %s", host, path); error = EACCES; goto reply; } /* * Trusted Extension doesn't support nfsv2. nfsv2 client * uses MOUNT protocol v1 and v2. To prevent circumventing * TX label policy via using nfsv2 client, reject a mount * request with version less than 3 and log an error. */ if (is_system_labeled()) { if (version < 3) { if (verbose) syslog(LOG_ERR, "Rejected mount: TX doesn't support NFSv2"); error = EACCES; goto reply; } } /* * Get the real path (no symbolic links in it) */ if (realpath(path, rpath) == NULL) { error = errno; if (verbose) syslog(LOG_ERR, "mount request: realpath: %s: %m", path); if (error == ENOENT) error = mount_enoent_error(&cln, path, rpath, flavor_list); goto reply; } if ((sh = findentry(rpath)) == NULL && (sh = find_lofsentry(rpath, &lofs_tried)) == NULL) { error = EACCES; goto reply; } /* * Check if this is a "nosub" only export, in which case, mounting * subdirectories isn't allowed. Bug 1184573. */ if (checkrootmount(sh, rpath) == 0) { error = EACCES; goto reply; } if (newopts(sh->sh_opts)) flavor_count = getclientsflavors_new(sh, &cln, flavor_list); else flavor_count = getclientsflavors_old(sh, &cln, flavor_list); if (flavor_count == 0) { error = EACCES; goto reply; } /* * Check MAC policy here. The server side policy should be * consistent with client side mount policy, i.e. * - we disallow an admin_low unlabeled client to mount * - we disallow mount from a lower labeled client. */ if (is_system_labeled()) { m_label_t *clabel = NULL; m_label_t *slabel = NULL; m_label_t admin_low; if (svc_getcallerucred(rqstp->rq_xprt, &uc) != 0) { syslog(LOG_ERR, "mount request: Failed to get caller's ucred : %m"); error = EACCES; goto reply; } if ((clabel = ucred_getlabel(uc)) == NULL) { syslog(LOG_ERR, "mount request: can't get client label from ucred"); error = EACCES; goto reply; } bsllow(&admin_low); if (blequal(&admin_low, clabel)) { struct sockaddr *ca; tsol_tpent_t *tp; ca = (struct sockaddr *)(void *)svc_getrpccaller( rqstp->rq_xprt)->buf; if (ca == NULL) { error = EACCES; goto reply; } /* * get trusted network template associated * with the client. */ tp = get_client_template(ca); if (tp == NULL || tp->host_type != SUN_CIPSO) { if (tp != NULL) tsol_freetpent(tp); error = EACCES; goto reply; } tsol_freetpent(tp); } else { if ((slabel = m_label_alloc(MAC_LABEL)) == NULL) { error = EACCES; goto reply; } if (getlabel(rpath, slabel) != 0) { m_label_free(slabel); error = EACCES; goto reply; } if (!bldominates(clabel, slabel)) { m_label_free(slabel); error = EACCES; goto reply; } m_label_free(slabel); } } /* * Now get the filehandle. * * NFS V2 clients get a 32 byte filehandle. * NFS V3 clients get a 32 or 64 byte filehandle, depending on * the embedded FIDs. */ vers = (version == MOUNTVERS3) ? NFS_V3 : NFS_VERSION; /* LINTED pointer alignment */ while (nfs_getfh(rpath, vers, &len, fh) < 0) { if (errno == EINVAL && (sh = find_lofsentry(rpath, &lofs_tried)) != NULL) { errno = 0; continue; } error = errno == EINVAL ? EACCES : errno; syslog(LOG_DEBUG, "mount request: getfh failed on %s: %m", path); break; } if (version == MOUNTVERS3) { mountres3.mountres3_u.mountinfo.fhandle.fhandle3_len = len; mountres3.mountres3_u.mountinfo.fhandle.fhandle3_val = fh; } else { bcopy(fh, &fhs.fhstatus_u.fhs_fhandle, NFS_FHSIZE); } reply: if (uc != NULL) ucred_free(uc); switch (version) { case MOUNTVERS: case MOUNTVERS_POSIX: if (error == EINVAL) fhs.fhs_status = NFSERR_ACCES; else if (error == EREMOTE) fhs.fhs_status = NFSERR_REMOTE; else fhs.fhs_status = error; if (!svc_sendreply(transp, xdr_fhstatus, (char *)&fhs)) log_cant_reply_cln(&cln); audit_status = fhs.fhs_status; break; case MOUNTVERS3: if (!error) { mountres3.mountres3_u.mountinfo.auth_flavors.auth_flavors_val = flavor_list; mountres3.mountres3_u.mountinfo.auth_flavors.auth_flavors_len = flavor_count; } else if (error == ENAMETOOLONG) error = MNT3ERR_NAMETOOLONG; mountres3.fhs_status = error; if (!svc_sendreply(transp, xdr_mountres3, (char *)&mountres3)) log_cant_reply_cln(&cln); audit_status = mountres3.fhs_status; break; } if (cln_havehost(&cln)) host = cln_gethost(&cln); if (verbose) syslog(LOG_NOTICE, "MOUNT: %s %s %s", (host == NULL) ? "unknown host" : host, error ? "denied" : "mounted", path); /* * If we can not create a queue entry, go ahead and do it * in the context of this thread. */ enqueued = enqueue_logging_data(host, transp, path, rpath, audit_status, error); if (enqueued == FALSE) { if (host == NULL) { DTRACE_PROBE(mountd, name_by_in_thread); host = cln_gethost(&cln); } DTRACE_PROBE(mountd, logged_in_thread); audit_mountd_mount(host, path, audit_status); /* BSM */ if (!error) mntlist_new(host, rpath); /* add entry to mount list */ } if (path != NULL) (void) svc_freeargs(transp, xdr_dirpath, (caddr_t)&path); if (sh) sharefree(sh); cln_fini(&cln); return (error); } /* * Determine whether two paths are within the same file system. * Returns nonzero (true) if paths are the same, zero (false) if * they are different. If an error occurs, return false. * * Use the actual FSID if it's available (via getattrat()); otherwise, * fall back on st_dev. * * With ZFS snapshots, st_dev differs from the regular file system * versus the snapshot. But the fsid is the same throughout. Thus * the fsid is a better test. */ static int same_file_system(const char *path1, const char *path2) { uint64_t fsid1, fsid2; struct stat64 st1, st2; nvlist_t *nvl1 = NULL; nvlist_t *nvl2 = NULL; if ((getattrat(AT_FDCWD, XATTR_VIEW_READONLY, path1, &nvl1) == 0) && (getattrat(AT_FDCWD, XATTR_VIEW_READONLY, path2, &nvl2) == 0) && (nvlist_lookup_uint64(nvl1, A_FSID, &fsid1) == 0) && (nvlist_lookup_uint64(nvl2, A_FSID, &fsid2) == 0)) { nvlist_free(nvl1); nvlist_free(nvl2); /* * We have found fsid's for both paths. */ if (fsid1 == fsid2) return (B_TRUE); return (B_FALSE); } nvlist_free(nvl1); nvlist_free(nvl2); /* * We were unable to find fsid's for at least one of the paths. * fall back on st_dev. */ if (stat64(path1, &st1) < 0) { syslog(LOG_NOTICE, "%s: %m", path1); return (B_FALSE); } if (stat64(path2, &st2) < 0) { syslog(LOG_NOTICE, "%s: %m", path2); return (B_FALSE); } if (st1.st_dev == st2.st_dev) return (B_TRUE); return (B_FALSE); } share_t * findentry(char *path) { share_t *sh = NULL; struct sh_list *shp; char *p1, *p2; check_sharetab(); (void) rw_rdlock(&sharetab_lock); for (shp = share_list; shp; shp = shp->shl_next) { sh = shp->shl_sh; for (p1 = sh->sh_path, p2 = path; *p1 == *p2; p1++, p2++) if (*p1 == '\0') goto done; /* exact match */ /* * Now compare the pathnames for three cases: * * Parent: /export/foo (no trailing slash on parent) * Child: /export/foo/bar * * Parent: /export/foo/ (trailing slash on parent) * Child: /export/foo/bar * * Parent: /export/foo/ (no trailing slash on child) * Child: /export/foo */ if ((*p1 == '\0' && *p2 == '/') || (*p1 == '\0' && *(p1-1) == '/') || (*p2 == '\0' && *p1 == '/' && *(p1+1) == '\0')) { /* * We have a subdirectory. Test whether the * subdirectory is in the same file system. */ if (same_file_system(path, sh->sh_path)) goto done; } } done: sh = shp ? sharedup(sh) : NULL; (void) rw_unlock(&sharetab_lock); return (sh); } static int is_substring(char **mntp, char **path) { char *p1 = *mntp, *p2 = *path; if (*p1 == '\0' && *p2 == '\0') /* exact match */ return (1); else if (*p1 == '\0' && *p2 == '/') return (1); else if (*p1 == '\0' && *(p1-1) == '/') { *path = --p2; /* we need the slash in p2 */ return (1); } else if (*p2 == '\0') { while (*p1 == '/') p1++; if (*p1 == '\0') /* exact match */ return (1); } return (0); } /* * find_lofsentry() searches for the real path which this requested LOFS path * (rpath) shadows. If found, it will return the sharetab entry of * the real path that corresponds to the LOFS path. * We first search mnttab to see if the requested path is an automounted * path. If it is an automounted path, it will trigger the mount by stat()ing * the requested path. Note that it is important to check that this path is * actually an automounted path, otherwise we would stat() a path which may * turn out to be NFS and block indefinitely on a dead server. The automounter * times-out if the server is dead, so there's no risk of hanging this * thread waiting for stat(). * After the mount has been triggered (if necessary), we look for a * mountpoint of type LOFS (by searching /etc/mnttab again) which * is a substring of the rpath. If found, we construct a new path by * concatenating the mnt_special and the remaining of rpath, call findentry() * to make sure the 'real path' is shared. */ static share_t * find_lofsentry(char *rpath, int *done_flag) { struct stat r_stbuf; mntlist_t *ml, *mntl, *mntpnt = NULL; share_t *retcode = NULL; char tmp_path[MAXPATHLEN]; int mntpnt_len = 0, tmp; char *p1, *p2; if ((*done_flag)++) return (retcode); /* * While fsgetmntlist() uses lockf() to * lock the mnttab before reading it in, * the lock ignores threads in the same process. * Read in the mnttab with the protection of a mutex. */ (void) mutex_lock(&mnttab_lock); mntl = fsgetmntlist(); (void) mutex_unlock(&mnttab_lock); /* * Obtain the mountpoint for the requested path. */ for (ml = mntl; ml; ml = ml->mntl_next) { for (p1 = ml->mntl_mnt->mnt_mountp, p2 = rpath; *p1 == *p2 && *p1; p1++, p2++) ; if (is_substring(&p1, &p2) && (tmp = strlen(ml->mntl_mnt->mnt_mountp)) >= mntpnt_len) { mntpnt = ml; mntpnt_len = tmp; } } /* * If the path needs to be autoFS mounted, trigger the mount by * stat()ing it. This is determined by checking whether the * mountpoint we just found is of type autofs. */ if (mntpnt != NULL && strcmp(mntpnt->mntl_mnt->mnt_fstype, "autofs") == 0) { /* * The requested path is a substring of an autoFS filesystem. * Trigger the mount. */ if (stat(rpath, &r_stbuf) < 0) { if (verbose) syslog(LOG_NOTICE, "%s: %m", rpath); goto done; } if ((r_stbuf.st_mode & S_IFMT) == S_IFDIR) { /* * The requested path is a directory, stat(2) it * again with a trailing '.' to force the autoFS * module to trigger the mount of indirect * automount entries, such as /net/jurassic/. */ if (strlen(rpath) + 2 > MAXPATHLEN) { if (verbose) { syslog(LOG_NOTICE, "%s/.: exceeds MAXPATHLEN %d", rpath, MAXPATHLEN); } goto done; } (void) strcpy(tmp_path, rpath); (void) strcat(tmp_path, "/."); if (stat(tmp_path, &r_stbuf) < 0) { if (verbose) syslog(LOG_NOTICE, "%s: %m", tmp_path); goto done; } } /* * The mount has been triggered, re-read mnttab to pick up * the changes made by autoFS. */ fsfreemntlist(mntl); (void) mutex_lock(&mnttab_lock); mntl = fsgetmntlist(); (void) mutex_unlock(&mnttab_lock); } /* * The autoFS mountpoint has been triggered if necessary, * now search mnttab again to determine if the requested path * is an LOFS mount of a shared path. */ mntpnt_len = 0; for (ml = mntl; ml; ml = ml->mntl_next) { if (strcmp(ml->mntl_mnt->mnt_fstype, "lofs")) continue; for (p1 = ml->mntl_mnt->mnt_mountp, p2 = rpath; *p1 == *p2 && *p1; p1++, p2++) ; if (is_substring(&p1, &p2) && ((tmp = strlen(ml->mntl_mnt->mnt_mountp)) >= mntpnt_len)) { mntpnt_len = tmp; if ((strlen(ml->mntl_mnt->mnt_special) + strlen(p2)) > MAXPATHLEN) { if (verbose) { syslog(LOG_NOTICE, "%s%s: exceeds %d", ml->mntl_mnt->mnt_special, p2, MAXPATHLEN); } if (retcode) sharefree(retcode); retcode = NULL; goto done; } (void) strcpy(tmp_path, ml->mntl_mnt->mnt_special); (void) strcat(tmp_path, p2); if (retcode) sharefree(retcode); retcode = findentry(tmp_path); } } if (retcode) { assert(strlen(tmp_path) > 0); (void) strcpy(rpath, tmp_path); } done: fsfreemntlist(mntl); return (retcode); } /* * Determine whether an access list grants rights to a particular host. * We match on aliases of the hostname as well as on the canonical name. * Names in the access list may be either hosts or netgroups; they're * not distinguished syntactically. We check for hosts first because * it's cheaper, then try netgroups. * * Return values: * 1 - access is granted * 0 - access is denied * -1 - an error occured */ int in_access_list(struct cln *cln, char *access_list) /* N.B. we clobber this "input" parameter */ { char addr[INET_ADDRSTRLEN]; char buff[256]; int nentries = 0; char *cstr = access_list; char *gr = access_list; int i; int response; int ret; struct netbuf *pnb; struct nd_hostservlist *clnames = NULL; /* If no access list - then it's unrestricted */ if (access_list == NULL || *access_list == '\0') return (1); if ((pnb = cln_getnbuf(cln)) == NULL) return (-1); for (;;) { if ((cstr = strpbrk(cstr, "[:")) != NULL) { if (*cstr == ':') { *cstr = '\0'; } else { assert(*cstr == '['); cstr = strchr(cstr + 1, ']'); if (cstr == NULL) return (-1); cstr++; continue; } } /* * If the list name has a '-' prepended then a match of * the following name implies failure instead of success. */ if (*gr == '-') { response = 0; gr++; } else { response = 1; } /* * First check if we have '@' entry, as it doesn't * require client hostname. */ if (*gr == '@') { gr++; /* Netname support */ if (!isdigit(*gr) && *gr != '[') { struct netent n, *np; if ((np = getnetbyname_r(gr, &n, buff, sizeof (buff))) != NULL && np->n_net != 0) { while ((np->n_net & 0xFF000000u) == 0) np->n_net <<= 8; np->n_net = htonl(np->n_net); if (inet_ntop(AF_INET, &np->n_net, addr, INET_ADDRSTRLEN) == NULL) break; ret = inet_matchaddr(pnb->buf, addr); if (ret == -1) { if (errno == EINVAL) { syslog(LOG_WARNING, "invalid access " "list entry: %s", addr); } return (-1); } else if (ret == 1) { return (response); } } } else { ret = inet_matchaddr(pnb->buf, gr); if (ret == -1) { if (errno == EINVAL) { syslog(LOG_WARNING, "invalid access list " "entry: %s", gr); } return (-1); } else if (ret == 1) { return (response); } } goto next; } /* * No other checks can be performed if client address * can't be resolved. */ if ((clnames = cln_getclientsnames(cln)) == NULL) goto next; /* Otherwise loop through all client hostname aliases */ for (i = 0; i < clnames->h_cnt; i++) { char *host = clnames->h_hostservs[i].h_host; /* * If the list name begins with a dot then * do a domain name suffix comparison. * A single dot matches any name with no * suffix. */ if (*gr == '.') { if (*(gr + 1) == '\0') { /* single dot */ if (strchr(host, '.') == NULL) return (response); } else { int off = strlen(host) - strlen(gr); if (off > 0 && strcasecmp(host + off, gr) == 0) { return (response); } } } else { /* Just do a hostname match */ if (strcasecmp(gr, host) == 0) return (response); } } nentries++; next: if (cstr == NULL) break; gr = ++cstr; } if (clnames == NULL) return (0); return (netgroup_check(clnames, access_list, nentries)); } static char *optlist[] = { #define OPT_RO 0 SHOPT_RO, #define OPT_RW 1 SHOPT_RW, #define OPT_ROOT 2 SHOPT_ROOT, #define OPT_SECURE 3 SHOPT_SECURE, #define OPT_ANON 4 SHOPT_ANON, #define OPT_WINDOW 5 SHOPT_WINDOW, #define OPT_NOSUID 6 SHOPT_NOSUID, #define OPT_ACLOK 7 SHOPT_ACLOK, #define OPT_SEC 8 SHOPT_SEC, #define OPT_NONE 9 SHOPT_NONE, #define OPT_UIDMAP 10 SHOPT_UIDMAP, #define OPT_GIDMAP 11 SHOPT_GIDMAP, NULL }; static int map_flavor(char *str) { seconfig_t sec; if (nfs_getseconfig_byname(str, &sec)) return (-1); return (sec.sc_nfsnum); } /* * If the option string contains a "sec=" * option, then use new option syntax. */ static int newopts(char *opts) { char *head, *p, *val; if (!opts || *opts == '\0') return (0); head = strdup(opts); if (head == NULL) { syslog(LOG_ERR, "opts: no memory"); return (0); } p = head; while (*p) { if (getsubopt(&p, optlist, &val) == OPT_SEC) { free(head); return (1); } } free(head); return (0); } /* * Given an export and the clients hostname(s) * determine the security flavors that this * client is permitted to use. * * This routine is called only for "old" syntax, i.e. * only one security flavor is allowed. So we need * to determine two things: the particular flavor, * and whether the client is allowed to use this * flavor, i.e. is in the access list. * * Note that if there is no access list, then the * default is that access is granted. */ static int getclientsflavors_old(share_t *sh, struct cln *cln, int *flavors) { char *opts, *p, *val; boolean_t ok = B_FALSE; int defaultaccess = 1; boolean_t reject = B_FALSE; opts = strdup(sh->sh_opts); if (opts == NULL) { syslog(LOG_ERR, "getclientsflavors: no memory"); return (0); } flavors[0] = AUTH_SYS; p = opts; while (*p) { switch (getsubopt(&p, optlist, &val)) { case OPT_SECURE: flavors[0] = AUTH_DES; break; case OPT_RO: case OPT_RW: defaultaccess = 0; if (in_access_list(cln, val) > 0) ok = B_TRUE; break; case OPT_NONE: defaultaccess = 0; if (in_access_list(cln, val) > 0) reject = B_TRUE; } } free(opts); /* none takes precedence over everything else */ if (reject) ok = B_FALSE; return (defaultaccess || ok); } /* * Given an export and the clients hostname(s) * determine the security flavors that this * client is permitted to use. * * This is somewhat more complicated than the "old" * routine because the options may contain multiple * security flavors (sec=) each with its own access * lists. So a client could be granted access based * on a number of security flavors. Note that the * type of access might not always be the same, the * client may get readonly access with one flavor * and readwrite with another, however the client * is not told this detail, it gets only the list * of flavors, and only if the client is using * version 3 of the mount protocol. */ static int getclientsflavors_new(share_t *sh, struct cln *cln, int *flavors) { char *opts, *p, *val; char *lasts; char *f; boolean_t defaultaccess = B_TRUE; /* default access is rw */ boolean_t access_ok = B_FALSE; int count, c; boolean_t reject = B_FALSE; opts = strdup(sh->sh_opts); if (opts == NULL) { syslog(LOG_ERR, "getclientsflavors: no memory"); return (0); } p = opts; count = c = 0; while (*p) { switch (getsubopt(&p, optlist, &val)) { case OPT_SEC: if (reject) access_ok = B_FALSE; /* * Before a new sec=xxx option, check if we need * to move the c index back to the previous count. */ if (!defaultaccess && !access_ok) { c = count; } /* get all the sec=f1[:f2] flavors */ while ((f = strtok_r(val, ":", &lasts)) != NULL) { flavors[c++] = map_flavor(f); val = NULL; } /* for a new sec=xxx option, default is rw access */ defaultaccess = B_TRUE; access_ok = B_FALSE; reject = B_FALSE; break; case OPT_RO: case OPT_RW: defaultaccess = B_FALSE; if (in_access_list(cln, val) > 0) access_ok = B_TRUE; break; case OPT_NONE: defaultaccess = B_FALSE; if (in_access_list(cln, val) > 0) reject = B_TRUE; /* none overides rw/ro */ break; } } if (reject) access_ok = B_FALSE; if (!defaultaccess && !access_ok) c = count; free(opts); return (c); } /* * This is a tricky piece of code that parses the * share options looking for a match on the auth * flavor that the client is using. If it finds * a match, then the client is given ro, rw, or * no access depending whether it is in the access * list. There is a special case for "secure" * flavor. Other flavors are values of the new "sec=" option. */ int check_client(share_t *sh, struct cln *cln, int flavor, uid_t clnt_uid, gid_t clnt_gid, uint_t clnt_ngids, gid_t *clnt_gids, uid_t *srv_uid, gid_t *srv_gid, uint_t *srv_ngids, gid_t **srv_gids) { if (newopts(sh->sh_opts)) return (check_client_new(sh, cln, flavor, clnt_uid, clnt_gid, clnt_ngids, clnt_gids, srv_uid, srv_gid, srv_ngids, srv_gids)); else return (check_client_old(sh, cln, flavor, clnt_uid, clnt_gid, clnt_ngids, clnt_gids, srv_uid, srv_gid, srv_ngids, srv_gids)); } extern int _getgroupsbymember(const char *, gid_t[], int, int); /* * Get supplemental groups for uid */ static int getusergroups(uid_t uid, uint_t *ngrps, gid_t **grps) { struct passwd pwd; char *pwbuf = alloca(pw_size); gid_t *tmpgrps = alloca(ngroups_max * sizeof (gid_t)); int tmpngrps; if (getpwuid_r(uid, &pwd, pwbuf, pw_size) == NULL) return (-1); tmpgrps[0] = pwd.pw_gid; tmpngrps = _getgroupsbymember(pwd.pw_name, tmpgrps, ngroups_max, 1); if (tmpngrps <= 0) { syslog(LOG_WARNING, "getusergroups(): Unable to get groups for user %s", pwd.pw_name); return (-1); } *grps = malloc(tmpngrps * sizeof (gid_t)); if (*grps == NULL) { syslog(LOG_ERR, "getusergroups(): Memory allocation failed: %m"); return (-1); } *ngrps = tmpngrps; (void) memcpy(*grps, tmpgrps, tmpngrps * sizeof (gid_t)); return (0); } /* * is_a_number(number) * * is the string a number in one of the forms we want to use? */ static int is_a_number(char *number) { int ret = 1; int hex = 0; if (strncmp(number, "0x", 2) == 0) { number += 2; hex = 1; } else if (*number == '-') { number++; /* skip the minus */ } while (ret == 1 && *number != '\0') { if (hex) { ret = isxdigit(*number++); } else { ret = isdigit(*number++); } } return (ret); } static boolean_t get_uid(char *value, uid_t *uid) { if (!is_a_number(value)) { struct passwd *pw; /* * in this case it would have to be a * user name */ pw = getpwnam(value); if (pw == NULL) return (B_FALSE); *uid = pw->pw_uid; endpwent(); } else { uint64_t intval; intval = strtoull(value, NULL, 0); if (intval > UID_MAX && intval != -1) return (B_FALSE); *uid = (uid_t)intval; } return (B_TRUE); } static boolean_t get_gid(char *value, gid_t *gid) { if (!is_a_number(value)) { struct group *gr; /* * in this case it would have to be a * group name */ gr = getgrnam(value); if (gr == NULL) return (B_FALSE); *gid = gr->gr_gid; endgrent(); } else { uint64_t intval; intval = strtoull(value, NULL, 0); if (intval > UID_MAX && intval != -1) return (B_FALSE); *gid = (gid_t)intval; } return (B_TRUE); } static int check_client_old(share_t *sh, struct cln *cln, int flavor, uid_t clnt_uid, gid_t clnt_gid, uint_t clnt_ngids, gid_t *clnt_gids, uid_t *srv_uid, gid_t *srv_gid, uint_t *srv_ngids, gid_t **srv_gids) { char *opts, *p, *val; int match; /* Set when a flavor is matched */ int perm = 0; /* Set when "ro", "rw" or "root" is matched */ int list = 0; /* Set when "ro", "rw" is found */ int ro_val = 0; /* Set if ro option is 'ro=' */ int rw_val = 0; /* Set if rw option is 'rw=' */ boolean_t map_deny = B_FALSE; opts = strdup(sh->sh_opts); if (opts == NULL) { syslog(LOG_ERR, "check_client: no memory"); return (0); } /* * If client provided 16 supplemental groups with AUTH_SYS, lookup * locally for all of them */ if (flavor == AUTH_SYS && clnt_ngids == NGRPS && ngroups_max > NGRPS) if (getusergroups(clnt_uid, srv_ngids, srv_gids) == 0) perm |= NFSAUTH_GROUPS; p = opts; match = AUTH_UNIX; while (*p) { switch (getsubopt(&p, optlist, &val)) { case OPT_SECURE: match = AUTH_DES; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_ngids = 0; *srv_gids = NULL; perm &= ~NFSAUTH_GROUPS; } break; case OPT_RO: list++; if (val != NULL) ro_val++; if (in_access_list(cln, val) > 0) perm |= NFSAUTH_RO; break; case OPT_RW: list++; if (val != NULL) rw_val++; if (in_access_list(cln, val) > 0) perm |= NFSAUTH_RW; break; case OPT_ROOT: /* * Check if the client is in * the root list. Only valid * for AUTH_SYS. */ if (flavor != AUTH_SYS) break; if (val == NULL || *val == '\0') break; if (clnt_uid != 0) break; if (in_access_list(cln, val) > 0) { perm |= NFSAUTH_ROOT; perm |= NFSAUTH_UIDMAP | NFSAUTH_GIDMAP; map_deny = B_FALSE; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_ngids = 0; *srv_gids = NULL; perm &= ~NFSAUTH_GROUPS; } } break; case OPT_NONE: /* * Check if the client should have no access * to this share at all. This option behaves * more like "root" than either "rw" or "ro". */ if (in_access_list(cln, val) > 0) perm |= NFSAUTH_DENIED; break; case OPT_UIDMAP: { char *c; char *n; /* * The uidmap is supported for AUTH_SYS only. */ if (flavor != AUTH_SYS) break; if (perm & NFSAUTH_UIDMAP || map_deny) break; for (c = val; c != NULL; c = n) { char *s; char *al; uid_t srv; n = strchr(c, '~'); if (n != NULL) *n++ = '\0'; s = strchr(c, ':'); if (s != NULL) { *s++ = '\0'; al = strchr(s, ':'); if (al != NULL) *al++ = '\0'; } if (s == NULL || al == NULL) continue; if (*c == '\0') { if (clnt_uid != (uid_t)-1) continue; } else if (strcmp(c, "*") != 0) { uid_t clnt; if (!get_uid(c, &clnt)) continue; if (clnt_uid != clnt) continue; } if (*s == '\0') srv = UID_NOBODY; else if (!get_uid(s, &srv)) continue; else if (srv == (uid_t)-1) { map_deny = B_TRUE; break; } if (in_access_list(cln, al) > 0) { *srv_uid = srv; perm |= NFSAUTH_UIDMAP; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_ngids = 0; *srv_gids = NULL; perm &= ~NFSAUTH_GROUPS; } break; } } break; } case OPT_GIDMAP: { char *c; char *n; /* * The gidmap is supported for AUTH_SYS only. */ if (flavor != AUTH_SYS) break; if (perm & NFSAUTH_GIDMAP || map_deny) break; for (c = val; c != NULL; c = n) { char *s; char *al; gid_t srv; n = strchr(c, '~'); if (n != NULL) *n++ = '\0'; s = strchr(c, ':'); if (s != NULL) { *s++ = '\0'; al = strchr(s, ':'); if (al != NULL) *al++ = '\0'; } if (s == NULL || al == NULL) break; if (*c == '\0') { if (clnt_gid != (gid_t)-1) continue; } else if (strcmp(c, "*") != 0) { gid_t clnt; if (!get_gid(c, &clnt)) continue; if (clnt_gid != clnt) continue; } if (*s == '\0') srv = UID_NOBODY; else if (!get_gid(s, &srv)) continue; else if (srv == (gid_t)-1) { map_deny = B_TRUE; break; } if (in_access_list(cln, al) > 0) { *srv_gid = srv; perm |= NFSAUTH_GIDMAP; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_ngids = 0; *srv_gids = NULL; perm &= ~NFSAUTH_GROUPS; } break; } } break; } default: break; } } free(opts); if (perm & NFSAUTH_ROOT) { *srv_uid = 0; *srv_gid = 0; } if (map_deny) perm |= NFSAUTH_DENIED; if (!(perm & NFSAUTH_UIDMAP)) *srv_uid = clnt_uid; if (!(perm & NFSAUTH_GIDMAP)) *srv_gid = clnt_gid; if (flavor != match || perm & NFSAUTH_DENIED) return (NFSAUTH_DENIED); if (list) { /* * If the client doesn't match an "ro" or "rw" * list then set no access. */ if ((perm & (NFSAUTH_RO | NFSAUTH_RW)) == 0) perm |= NFSAUTH_DENIED; } else { /* * The client matched a flavor entry that * has no explicit "rw" or "ro" determination. * Default it to "rw". */ perm |= NFSAUTH_RW; } /* * The client may show up in both ro= and rw= * lists. If so, then turn off the RO access * bit leaving RW access. */ if (perm & NFSAUTH_RO && perm & NFSAUTH_RW) { /* * Logically cover all permutations of rw=,ro=. * In the case where, rw,ro= we would like * to remove RW access for the host. In all other cases * RW wins the precedence battle. */ if (!rw_val && ro_val) { perm &= ~(NFSAUTH_RW); } else { perm &= ~(NFSAUTH_RO); } } return (perm); } /* * Check if the client has access by using a flavor different from * the given "flavor". If "flavor" is not in the flavor list, * return TRUE to indicate that this "flavor" is a wrong sec. */ static bool_t is_wrongsec(share_t *sh, struct cln *cln, int flavor) { int flavor_list[MAX_FLAVORS]; int flavor_count, i; /* get the flavor list that the client has access with */ flavor_count = getclientsflavors_new(sh, cln, flavor_list); if (flavor_count == 0) return (FALSE); /* * Check if the given "flavor" is in the flavor_list. */ for (i = 0; i < flavor_count; i++) { if (flavor == flavor_list[i]) return (FALSE); } /* * If "flavor" is not in the flavor_list, return TRUE to indicate * that the client should have access by using a security flavor * different from this "flavor". */ return (TRUE); } /* * Given an export and the client's hostname, we * check the security options to see whether the * client is allowed to use the given security flavor. * * The strategy is to proceed through the options looking * for a flavor match, then pay attention to the ro, rw, * and root options. * * Note that an entry may list several flavors in a * single entry, e.g. * * sec=krb5,rw=clnt1:clnt2,ro,sec=sys,ro * */ static int check_client_new(share_t *sh, struct cln *cln, int flavor, uid_t clnt_uid, gid_t clnt_gid, uint_t clnt_ngids, gid_t *clnt_gids, uid_t *srv_uid, gid_t *srv_gid, uint_t *srv_ngids, gid_t **srv_gids) { char *opts, *p, *val; char *lasts; char *f; int match = 0; /* Set when a flavor is matched */ int perm = 0; /* Set when "ro", "rw" or "root" is matched */ int list = 0; /* Set when "ro", "rw" is found */ int ro_val = 0; /* Set if ro option is 'ro=' */ int rw_val = 0; /* Set if rw option is 'rw=' */ boolean_t map_deny = B_FALSE; opts = strdup(sh->sh_opts); if (opts == NULL) { syslog(LOG_ERR, "check_client: no memory"); return (0); } /* * If client provided 16 supplemental groups with AUTH_SYS, lookup * locally for all of them */ if (flavor == AUTH_SYS && clnt_ngids == NGRPS && ngroups_max > NGRPS) if (getusergroups(clnt_uid, srv_ngids, srv_gids) == 0) perm |= NFSAUTH_GROUPS; p = opts; while (*p) { switch (getsubopt(&p, optlist, &val)) { case OPT_SEC: if (match) goto done; while ((f = strtok_r(val, ":", &lasts)) != NULL) { if (flavor == map_flavor(f)) { match = 1; break; } val = NULL; } break; case OPT_RO: if (!match) break; list++; if (val != NULL) ro_val++; if (in_access_list(cln, val) > 0) perm |= NFSAUTH_RO; break; case OPT_RW: if (!match) break; list++; if (val != NULL) rw_val++; if (in_access_list(cln, val) > 0) perm |= NFSAUTH_RW; break; case OPT_ROOT: /* * Check if the client is in * the root list. Only valid * for AUTH_SYS. */ if (flavor != AUTH_SYS) break; if (!match) break; if (val == NULL || *val == '\0') break; if (clnt_uid != 0) break; if (in_access_list(cln, val) > 0) { perm |= NFSAUTH_ROOT; perm |= NFSAUTH_UIDMAP | NFSAUTH_GIDMAP; map_deny = B_FALSE; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_gids = NULL; *srv_ngids = 0; perm &= ~NFSAUTH_GROUPS; } } break; case OPT_NONE: /* * Check if the client should have no access * to this share at all. This option behaves * more like "root" than either "rw" or "ro". */ if (in_access_list(cln, val) > 0) perm |= NFSAUTH_DENIED; break; case OPT_UIDMAP: { char *c; char *n; /* * The uidmap is supported for AUTH_SYS only. */ if (flavor != AUTH_SYS) break; if (!match || perm & NFSAUTH_UIDMAP || map_deny) break; for (c = val; c != NULL; c = n) { char *s; char *al; uid_t srv; n = strchr(c, '~'); if (n != NULL) *n++ = '\0'; s = strchr(c, ':'); if (s != NULL) { *s++ = '\0'; al = strchr(s, ':'); if (al != NULL) *al++ = '\0'; } if (s == NULL || al == NULL) continue; if (*c == '\0') { if (clnt_uid != (uid_t)-1) continue; } else if (strcmp(c, "*") != 0) { uid_t clnt; if (!get_uid(c, &clnt)) continue; if (clnt_uid != clnt) continue; } if (*s == '\0') srv = UID_NOBODY; else if (!get_uid(s, &srv)) continue; else if (srv == (uid_t)-1) { map_deny = B_TRUE; break; } if (in_access_list(cln, al) > 0) { *srv_uid = srv; perm |= NFSAUTH_UIDMAP; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_gids = NULL; *srv_ngids = 0; perm &= ~NFSAUTH_GROUPS; } break; } } break; } case OPT_GIDMAP: { char *c; char *n; /* * The gidmap is supported for AUTH_SYS only. */ if (flavor != AUTH_SYS) break; if (!match || perm & NFSAUTH_GIDMAP || map_deny) break; for (c = val; c != NULL; c = n) { char *s; char *al; gid_t srv; n = strchr(c, '~'); if (n != NULL) *n++ = '\0'; s = strchr(c, ':'); if (s != NULL) { *s++ = '\0'; al = strchr(s, ':'); if (al != NULL) *al++ = '\0'; } if (s == NULL || al == NULL) break; if (*c == '\0') { if (clnt_gid != (gid_t)-1) continue; } else if (strcmp(c, "*") != 0) { gid_t clnt; if (!get_gid(c, &clnt)) continue; if (clnt_gid != clnt) continue; } if (*s == '\0') srv = UID_NOBODY; else if (!get_gid(s, &srv)) continue; else if (srv == (gid_t)-1) { map_deny = B_TRUE; break; } if (in_access_list(cln, al) > 0) { *srv_gid = srv; perm |= NFSAUTH_GIDMAP; if (perm & NFSAUTH_GROUPS) { free(*srv_gids); *srv_gids = NULL; *srv_ngids = 0; perm &= ~NFSAUTH_GROUPS; } break; } } break; } default: break; } } done: if (perm & NFSAUTH_ROOT) { *srv_uid = 0; *srv_gid = 0; } if (map_deny) perm |= NFSAUTH_DENIED; if (!(perm & NFSAUTH_UIDMAP)) *srv_uid = clnt_uid; if (!(perm & NFSAUTH_GIDMAP)) *srv_gid = clnt_gid; /* * If no match then set the perm accordingly */ if (!match || perm & NFSAUTH_DENIED) { free(opts); return (NFSAUTH_DENIED); } if (list) { /* * If the client doesn't match an "ro" or "rw" list then * check if it may have access by using a different flavor. * If so, return NFSAUTH_WRONGSEC. * If not, return NFSAUTH_DENIED. */ if ((perm & (NFSAUTH_RO | NFSAUTH_RW)) == 0) { if (is_wrongsec(sh, cln, flavor)) perm |= NFSAUTH_WRONGSEC; else perm |= NFSAUTH_DENIED; } } else { /* * The client matched a flavor entry that * has no explicit "rw" or "ro" determination. * Make sure it defaults to "rw". */ perm |= NFSAUTH_RW; } /* * The client may show up in both ro= and rw= * lists. If so, then turn off the RO access * bit leaving RW access. */ if (perm & NFSAUTH_RO && perm & NFSAUTH_RW) { /* * Logically cover all permutations of rw=,ro=. * In the case where, rw,ro= we would like * to remove RW access for the host. In all other cases * RW wins the precedence battle. */ if (!rw_val && ro_val) { perm &= ~(NFSAUTH_RW); } else { perm &= ~(NFSAUTH_RO); } } free(opts); return (perm); } void check_sharetab() { FILE *f; struct stat st; static timestruc_t last_sharetab_time; timestruc_t prev_sharetab_time; share_t *sh; struct sh_list *shp, *shp_prev; int res, c = 0; /* * read in /etc/dfs/sharetab if it has changed */ if (stat(SHARETAB, &st) != 0) { syslog(LOG_ERR, "Cannot stat %s: %m", SHARETAB); return; } if (st.st_mtim.tv_sec == last_sharetab_time.tv_sec && st.st_mtim.tv_nsec == last_sharetab_time.tv_nsec) { /* * No change. */ return; } /* * Remember the mod time, then after getting the * write lock check again. If another thread * already did the update, then there's no * work to do. */ prev_sharetab_time = last_sharetab_time; (void) rw_wrlock(&sharetab_lock); if (prev_sharetab_time.tv_sec != last_sharetab_time.tv_sec || prev_sharetab_time.tv_nsec != last_sharetab_time.tv_nsec) { (void) rw_unlock(&sharetab_lock); return; } /* * Note that since the sharetab is now in memory * and a snapshot is taken, we no longer have to * lock the file. */ f = fopen(SHARETAB, "r"); if (f == NULL) { syslog(LOG_ERR, "Cannot open %s: %m", SHARETAB); (void) rw_unlock(&sharetab_lock); return; } /* * Once we are sure /etc/dfs/sharetab has been * modified, flush netgroup cache entries. */ netgrp_cache_flush(); sh_free(share_list); /* free old list */ share_list = NULL; while ((res = getshare(f, &sh)) > 0) { c++; if (strcmp(sh->sh_fstype, "nfs") != 0) continue; shp = malloc(sizeof (*shp)); if (shp == NULL) goto alloc_failed; if (share_list == NULL) share_list = shp; else /* LINTED not used before set */ shp_prev->shl_next = shp; shp_prev = shp; shp->shl_next = NULL; shp->shl_sh = sharedup(sh); if (shp->shl_sh == NULL) goto alloc_failed; } if (res < 0) syslog(LOG_ERR, "%s: invalid at line %d\n", SHARETAB, c + 1); if (stat(SHARETAB, &st) != 0) { syslog(LOG_ERR, "Cannot stat %s: %m", SHARETAB); (void) fclose(f); (void) rw_unlock(&sharetab_lock); return; } last_sharetab_time = st.st_mtim; (void) fclose(f); (void) rw_unlock(&sharetab_lock); return; alloc_failed: syslog(LOG_ERR, "check_sharetab: no memory"); sh_free(share_list); share_list = NULL; (void) fclose(f); (void) rw_unlock(&sharetab_lock); } static void sh_free(struct sh_list *shp) { struct sh_list *next; while (shp) { sharefree(shp->shl_sh); next = shp->shl_next; free(shp); shp = next; } } /* * Remove an entry from mounted list */ static void umount(struct svc_req *rqstp) { char *host, *path, *remove_path; char rpath[MAXPATHLEN]; SVCXPRT *transp; struct cln cln; transp = rqstp->rq_xprt; path = NULL; if (!svc_getargs(transp, xdr_dirpath, (caddr_t)&path)) { svcerr_decode(transp); return; } cln_init(&cln, transp); errno = 0; if (!svc_sendreply(transp, xdr_void, (char *)NULL)) log_cant_reply_cln(&cln); host = cln_gethost(&cln); if (host == NULL) { /* * Without the hostname we can't do audit or delete * this host from the mount entries. */ (void) svc_freeargs(transp, xdr_dirpath, (caddr_t)&path); return; } if (verbose) syslog(LOG_NOTICE, "UNMOUNT: %s unmounted %s", host, path); audit_mountd_umount(host, path); remove_path = rpath; /* assume we will use the cannonical path */ if (realpath(path, rpath) == NULL) { if (verbose) syslog(LOG_WARNING, "UNMOUNT: realpath: %s: %m ", path); remove_path = path; /* use path provided instead */ } mntlist_delete(host, remove_path); /* remove from mount list */ cln_fini(&cln); (void) svc_freeargs(transp, xdr_dirpath, (caddr_t)&path); } /* * Remove all entries for one machine from mounted list */ static void umountall(struct svc_req *rqstp) { SVCXPRT *transp; char *host; struct cln cln; transp = rqstp->rq_xprt; if (!svc_getargs(transp, xdr_void, NULL)) { svcerr_decode(transp); return; } /* * We assume that this call is asynchronous and made via rpcbind * callit routine. Therefore return control immediately. The error * causes rpcbind to remain silent, as opposed to every machine * on the net blasting the requester with a response. */ svcerr_systemerr(transp); cln_init(&cln, transp); host = cln_gethost(&cln); if (host == NULL) { /* Can't do anything without the name of the client */ return; } /* * Remove all hosts entries from mount list */ mntlist_delete_all(host); if (verbose) syslog(LOG_NOTICE, "UNMOUNTALL: from %s", host); cln_fini(&cln); } void * exmalloc(size_t size) { void *ret; if ((ret = malloc(size)) == NULL) { syslog(LOG_ERR, "Out of memory"); exit(1); } return (ret); } static tsol_tpent_t * get_client_template(struct sockaddr *sock) { in_addr_t v4client; in6_addr_t v6client; char v4_addr[INET_ADDRSTRLEN]; char v6_addr[INET6_ADDRSTRLEN]; tsol_rhent_t *rh; tsol_tpent_t *tp; switch (sock->sa_family) { case AF_INET: v4client = ((struct sockaddr_in *)(void *)sock)-> sin_addr.s_addr; if (inet_ntop(AF_INET, &v4client, v4_addr, INET_ADDRSTRLEN) == NULL) return (NULL); rh = tsol_getrhbyaddr(v4_addr, sizeof (v4_addr), AF_INET); if (rh == NULL) return (NULL); tp = tsol_gettpbyname(rh->rh_template); tsol_freerhent(rh); return (tp); break; case AF_INET6: v6client = ((struct sockaddr_in6 *)(void *)sock)->sin6_addr; if (inet_ntop(AF_INET6, &v6client, v6_addr, INET6_ADDRSTRLEN) == NULL) return (NULL); rh = tsol_getrhbyaddr(v6_addr, sizeof (v6_addr), AF_INET6); if (rh == NULL) return (NULL); tp = tsol_gettpbyname(rh->rh_template); tsol_freerhent(rh); return (tp); break; default: return (NULL); } }