17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 51cc55349Srmesta * Common Development and Distribution License (the "License"). 61cc55349Srmesta * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 21a237e38eSth 227c478bd9Sstevel@tonic-gate /* 238c3630f0SGerald Thornbrugh * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 241cc55349Srmesta * Use is subject to license terms. 257c478bd9Sstevel@tonic-gate */ 26*5cb0d679SMarcel Telka /* 27*5cb0d679SMarcel Telka * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 28*5cb0d679SMarcel Telka */ 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate #include <stdio.h> 317c478bd9Sstevel@tonic-gate #include <stdlib.h> 327c478bd9Sstevel@tonic-gate #include <sys/types.h> 337c478bd9Sstevel@tonic-gate #include <string.h> 347c478bd9Sstevel@tonic-gate #include <sys/param.h> 357c478bd9Sstevel@tonic-gate #include <sys/stat.h> 367c478bd9Sstevel@tonic-gate #include <sys/file.h> 377c478bd9Sstevel@tonic-gate #include <sys/time.h> 387c478bd9Sstevel@tonic-gate #include <sys/errno.h> 397c478bd9Sstevel@tonic-gate #include <rpcsvc/mount.h> 407c478bd9Sstevel@tonic-gate #include <sys/pathconf.h> 417c478bd9Sstevel@tonic-gate #include <sys/systeminfo.h> 427c478bd9Sstevel@tonic-gate #include <sys/utsname.h> 437c478bd9Sstevel@tonic-gate #include <arpa/inet.h> 447c478bd9Sstevel@tonic-gate #include <signal.h> 457c478bd9Sstevel@tonic-gate #include <syslog.h> 467c478bd9Sstevel@tonic-gate #include <locale.h> 477c478bd9Sstevel@tonic-gate #include <unistd.h> 487c478bd9Sstevel@tonic-gate #include <thread.h> 497c478bd9Sstevel@tonic-gate #include <netdir.h> 501cc55349Srmesta #include <nfs/auth.h> 51a237e38eSth #include <sharefs/share.h> 527c478bd9Sstevel@tonic-gate #include "../lib/sharetab.h" 537c478bd9Sstevel@tonic-gate #include "mountd.h" 547c478bd9Sstevel@tonic-gate 557c478bd9Sstevel@tonic-gate static void 561cc55349Srmesta nfsauth_access(auth_req *argp, auth_res *result) 577c478bd9Sstevel@tonic-gate { 587c478bd9Sstevel@tonic-gate struct netconfig *nconf; 597c478bd9Sstevel@tonic-gate struct nd_hostservlist *clnames = NULL; 607c478bd9Sstevel@tonic-gate struct netbuf nbuf; 617c478bd9Sstevel@tonic-gate struct share *sh; 627c478bd9Sstevel@tonic-gate char tmp[MAXIPADDRLEN]; 637c478bd9Sstevel@tonic-gate char *host = NULL; 647c478bd9Sstevel@tonic-gate 657c478bd9Sstevel@tonic-gate result->auth_perm = NFSAUTH_DENIED; 667c478bd9Sstevel@tonic-gate 677c478bd9Sstevel@tonic-gate /* 687c478bd9Sstevel@tonic-gate * Convert the client's address to a hostname 697c478bd9Sstevel@tonic-gate */ 707c478bd9Sstevel@tonic-gate nconf = getnetconfigent(argp->req_netid); 717c478bd9Sstevel@tonic-gate if (nconf == NULL) { 727c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "No netconfig entry for %s", argp->req_netid); 737c478bd9Sstevel@tonic-gate return; 747c478bd9Sstevel@tonic-gate } 757c478bd9Sstevel@tonic-gate 767c478bd9Sstevel@tonic-gate nbuf.len = argp->req_client.n_len; 777c478bd9Sstevel@tonic-gate nbuf.buf = argp->req_client.n_bytes; 787c478bd9Sstevel@tonic-gate 790a701b1eSRobert Gordon if (nbuf.len == 0 || nbuf.buf == NULL) 808c3630f0SGerald Thornbrugh goto done; 810a701b1eSRobert Gordon 827c478bd9Sstevel@tonic-gate if (netdir_getbyaddr(nconf, &clnames, &nbuf)) { 837c478bd9Sstevel@tonic-gate host = &tmp[0]; 847c478bd9Sstevel@tonic-gate if (strcmp(nconf->nc_protofmly, NC_INET) == 0) { 857c478bd9Sstevel@tonic-gate struct sockaddr_in *sa; 867c478bd9Sstevel@tonic-gate 877c478bd9Sstevel@tonic-gate /* LINTED pointer alignment */ 887c478bd9Sstevel@tonic-gate sa = (struct sockaddr_in *)nbuf.buf; 897c478bd9Sstevel@tonic-gate (void) inet_ntoa_r(sa->sin_addr, tmp); 907c478bd9Sstevel@tonic-gate } else if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { 917c478bd9Sstevel@tonic-gate struct sockaddr_in6 *sa; 927c478bd9Sstevel@tonic-gate /* LINTED pointer */ 937c478bd9Sstevel@tonic-gate sa = (struct sockaddr_in6 *)nbuf.buf; 947c478bd9Sstevel@tonic-gate (void) inet_ntop(AF_INET6, sa->sin6_addr.s6_addr, 950a701b1eSRobert Gordon tmp, INET6_ADDRSTRLEN); 967c478bd9Sstevel@tonic-gate } 977c478bd9Sstevel@tonic-gate clnames = anon_client(host); 987c478bd9Sstevel@tonic-gate } 998c3630f0SGerald Thornbrugh /* 1008c3630f0SGerald Thornbrugh * Both netdir_getbyaddr() and anon_client() can return a NULL 1018c3630f0SGerald Thornbrugh * clnames. This has been seen when the DNS entry for the client 1028c3630f0SGerald Thornbrugh * name does not have the correct format or a reverse lookup DNS 1038c3630f0SGerald Thornbrugh * entry cannot be found for the client's IP address. 1048c3630f0SGerald Thornbrugh */ 1058c3630f0SGerald Thornbrugh if (clnames == NULL) { 1068c3630f0SGerald Thornbrugh syslog(LOG_ERR, "Could not find DNS entry for %s", 1078c3630f0SGerald Thornbrugh argp->req_netid); 1088c3630f0SGerald Thornbrugh goto done; 1098c3630f0SGerald Thornbrugh } 1107c478bd9Sstevel@tonic-gate 1117c478bd9Sstevel@tonic-gate /* 1127c478bd9Sstevel@tonic-gate * Now find the export 1137c478bd9Sstevel@tonic-gate */ 1147c478bd9Sstevel@tonic-gate sh = findentry(argp->req_path); 1157c478bd9Sstevel@tonic-gate if (sh == NULL) { 1167c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "%s not exported", argp->req_path); 1177c478bd9Sstevel@tonic-gate goto done; 1187c478bd9Sstevel@tonic-gate } 1197c478bd9Sstevel@tonic-gate 120*5cb0d679SMarcel Telka result->auth_perm = check_client(sh, &nbuf, clnames, argp->req_flavor, 121*5cb0d679SMarcel Telka argp->req_clnt_uid, argp->req_clnt_gid, &result->auth_srv_uid, 122*5cb0d679SMarcel Telka &result->auth_srv_gid); 1237c478bd9Sstevel@tonic-gate 1247c478bd9Sstevel@tonic-gate sharefree(sh); 1257c478bd9Sstevel@tonic-gate 1267c478bd9Sstevel@tonic-gate if (result->auth_perm == NFSAUTH_DENIED) { 1277c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "%s denied access to %s", 1280a701b1eSRobert Gordon clnames->h_hostservs[0].h_host, argp->req_path); 1297c478bd9Sstevel@tonic-gate } 1307c478bd9Sstevel@tonic-gate 1317c478bd9Sstevel@tonic-gate done: 1327c478bd9Sstevel@tonic-gate freenetconfigent(nconf); 1337c478bd9Sstevel@tonic-gate if (clnames) 1347c478bd9Sstevel@tonic-gate netdir_free(clnames, ND_HOSTSERVLIST); 1357c478bd9Sstevel@tonic-gate } 1361cc55349Srmesta 1371cc55349Srmesta void 1381cc55349Srmesta nfsauth_func(void *cookie, char *dataptr, size_t arg_size, 1391cc55349Srmesta door_desc_t *dp, uint_t n_desc) 1401cc55349Srmesta 1411cc55349Srmesta { 1421cc55349Srmesta nfsauth_arg_t *ap; 1431cc55349Srmesta nfsauth_res_t res = {0}; 1441cc55349Srmesta nfsauth_res_t *rp = &res; 1451cc55349Srmesta XDR xdrs_a; 1461cc55349Srmesta XDR xdrs_r; 1471cc55349Srmesta caddr_t abuf = dataptr; 1481cc55349Srmesta size_t absz = arg_size; 149*5cb0d679SMarcel Telka size_t rbsz = (size_t)(BYTES_PER_XDR_UNIT * 4); 150*5cb0d679SMarcel Telka char result[BYTES_PER_XDR_UNIT * 4]; 1511cc55349Srmesta caddr_t rbuf = (caddr_t)&result; 1521cc55349Srmesta varg_t varg = {0}; 1531cc55349Srmesta 1541cc55349Srmesta /* 1551cc55349Srmesta * Decode the inbound door data, so we can look at the cmd. 1561cc55349Srmesta */ 1571cc55349Srmesta xdrmem_create(&xdrs_a, abuf, absz, XDR_DECODE); 1581cc55349Srmesta if (!xdr_varg(&xdrs_a, &varg)) { 1591cc55349Srmesta /* 1601cc55349Srmesta * If the arguments can't be decoded, bail. 1611cc55349Srmesta */ 1621cc55349Srmesta if (varg.vers == V_ERROR) 1631cc55349Srmesta syslog(LOG_ERR, gettext("Arg version mismatch")); 1641cc55349Srmesta res.stat = NFSAUTH_DR_DECERR; 1651cc55349Srmesta goto encres; 1661cc55349Srmesta } 1671cc55349Srmesta 1681cc55349Srmesta /* 1691cc55349Srmesta * Now set the args pointer to the proper version of the args 1701cc55349Srmesta */ 1711cc55349Srmesta switch (varg.vers) { 1721cc55349Srmesta case V_PROTO: 1731cc55349Srmesta ap = &varg.arg_u.arg; 1741cc55349Srmesta break; 1751cc55349Srmesta 1761cc55349Srmesta /* Additional arguments versions go here */ 1771cc55349Srmesta 1781cc55349Srmesta default: 1791cc55349Srmesta syslog(LOG_ERR, gettext("Invalid args version")); 1801cc55349Srmesta goto encres; 1811cc55349Srmesta } 1821cc55349Srmesta 1831cc55349Srmesta /* 1841cc55349Srmesta * Call the specified cmd 1851cc55349Srmesta */ 1861cc55349Srmesta switch (ap->cmd) { 1871cc55349Srmesta case NFSAUTH_ACCESS: 1881cc55349Srmesta nfsauth_access(&ap->areq, &rp->ares); 1891cc55349Srmesta rp->stat = NFSAUTH_DR_OKAY; 1901cc55349Srmesta break; 1911cc55349Srmesta default: 1921cc55349Srmesta rp->stat = NFSAUTH_DR_BADCMD; 1931cc55349Srmesta break; 1941cc55349Srmesta } 1951cc55349Srmesta 1961cc55349Srmesta encres: 1971cc55349Srmesta /* 1981cc55349Srmesta * Free space used to decode the args 1991cc55349Srmesta */ 2001cc55349Srmesta xdrs_a.x_op = XDR_FREE; 2011cc55349Srmesta (void) xdr_varg(&xdrs_a, &varg); 2021cc55349Srmesta xdr_destroy(&xdrs_a); 2031cc55349Srmesta 2041cc55349Srmesta /* 2051cc55349Srmesta * Encode the results before passing thru door. 2061cc55349Srmesta * 2071cc55349Srmesta * The result (nfsauth_res_t) is always two int's, so we don't 2081cc55349Srmesta * have to dynamically size (or allocate) the results buffer. 2091cc55349Srmesta */ 2101cc55349Srmesta xdrmem_create(&xdrs_r, rbuf, rbsz, XDR_ENCODE); 2111cc55349Srmesta if (!xdr_nfsauth_res(&xdrs_r, rp)) { 2121cc55349Srmesta /* 2131cc55349Srmesta * return only the status code 2141cc55349Srmesta */ 2151cc55349Srmesta rp->stat = NFSAUTH_DR_EFAIL; 2161cc55349Srmesta rbsz = sizeof (uint_t); 2171cc55349Srmesta *rbuf = (uint_t)rp->stat; 2181cc55349Srmesta } 2191cc55349Srmesta xdr_destroy(&xdrs_r); 2201cc55349Srmesta 2211cc55349Srmesta (void) door_return((char *)rbuf, rbsz, NULL, 0); 2221cc55349Srmesta (void) door_return(NULL, 0, NULL, 0); 2231cc55349Srmesta /* NOTREACHED */ 2241cc55349Srmesta } 225