svn commit: r184814 - in user/dfr/gssapi/6/usr.sbin: . adduser
cdcontrol config cron freebsd-update gssd mountd newsyslog
nfsd ntp ntp/doc pkg_install portsnap pw rpc.lockd rpc.statd
sysinstall sys...
Doug Rabson
dfr at FreeBSD.org
Mon Nov 10 08:37:03 PST 2008
Author: dfr
Date: Mon Nov 10 16:37:03 2008
New Revision: 184814
URL: http://svn.freebsd.org/changeset/base/184814
Log:
MFC: 184588
Added:
user/dfr/gssapi/6/usr.sbin/gssd/
- copied from r184588, head/usr.sbin/gssd/
Modified:
user/dfr/gssapi/6/usr.sbin/ (props changed)
user/dfr/gssapi/6/usr.sbin/Makefile
user/dfr/gssapi/6/usr.sbin/adduser/ (props changed)
user/dfr/gssapi/6/usr.sbin/cdcontrol/ (props changed)
user/dfr/gssapi/6/usr.sbin/config/ (props changed)
user/dfr/gssapi/6/usr.sbin/cron/ (props changed)
user/dfr/gssapi/6/usr.sbin/freebsd-update/ (props changed)
user/dfr/gssapi/6/usr.sbin/mountd/ (props changed)
user/dfr/gssapi/6/usr.sbin/mountd/exports.5
user/dfr/gssapi/6/usr.sbin/mountd/mountd.c
user/dfr/gssapi/6/usr.sbin/newsyslog/newsyslog.conf.5 (props changed)
user/dfr/gssapi/6/usr.sbin/nfsd/nfsd.c
user/dfr/gssapi/6/usr.sbin/ntp/ (props changed)
user/dfr/gssapi/6/usr.sbin/ntp/doc/ (props changed)
user/dfr/gssapi/6/usr.sbin/pkg_install/ (props changed)
user/dfr/gssapi/6/usr.sbin/portsnap/ (props changed)
user/dfr/gssapi/6/usr.sbin/pw/ (props changed)
user/dfr/gssapi/6/usr.sbin/rpc.lockd/ (props changed)
user/dfr/gssapi/6/usr.sbin/rpc.statd/ (props changed)
user/dfr/gssapi/6/usr.sbin/sysinstall/ (props changed)
user/dfr/gssapi/6/usr.sbin/syslogd/ (props changed)
user/dfr/gssapi/6/usr.sbin/tzsetup/ (props changed)
Modified: user/dfr/gssapi/6/usr.sbin/Makefile
==============================================================================
--- user/dfr/gssapi/6/usr.sbin/Makefile Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/Makefile Mon Nov 10 16:37:03 2008 (r184814)
@@ -62,6 +62,7 @@ SUBDIR= ac \
getpmac \
gstat \
${_i4b} \
+ ${_gssd} \
ifmcstat \
inetd \
iostat \
@@ -235,6 +236,10 @@ _bluetooth= bluetooth
_keyserv= keyserv
.endif
+.if ${MK_GSSAPI} != no
+_gssd= gssd
+.endif
+
.if !defined(NO_INET6)
_mld6query= mld6query
_rip6query= rip6query
Modified: user/dfr/gssapi/6/usr.sbin/mountd/exports.5
==============================================================================
--- user/dfr/gssapi/6/usr.sbin/mountd/exports.5 Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/mountd/exports.5 Mon Nov 10 16:37:03 2008 (r184814)
@@ -149,6 +149,17 @@ option is given,
all users (including root) will be mapped to that credential in
place of their own.
.Pp
+.Sm off
+.Fl sec Li = Sy flavor1:flavor2...
+.Sm on
+specifies a colon separated list of acceptable security flavors to be
+used for remote access.
+Supported security flavors are sys, krb5, krb5i and krb5p.
+If multiple flavors are listed, they should be ordered with the most
+preferred flavor first.
+If this option is not present,
+the default security flavor list of just sys is used.
+.Pp
The
.Fl ro
option specifies that the file system should be exported read-only
@@ -305,6 +316,8 @@ the default remote mount-point file
/u2 -maproot=root friends
/u2 -alldirs -network cis-net -mask cis-mask
/cdrom -alldirs,quiet,ro -network 192.168.33.0 -mask 255.255.255.0
+/private -sec=krb5i
+/secret -sec=krb5p
.Ed
.Pp
Given that
@@ -411,6 +424,15 @@ While there is no CD-ROM medium mounted
it would export the (normally empty) directory
.Pa /cdrom
of the root file system instead.
+.Pp
+The file system rooted at
+.Pa /private
+will be exported using Kerberos 5 authentication and will require
+integrity protected messages for all accesses.
+The file system rooted at
+.Pa /secret
+will also be exported using Kerberos 5 authentication and all messages
+used to access it will be encrypted.
.Sh SEE ALSO
.Xr netgroup 5 ,
.Xr mountd 8 ,
Modified: user/dfr/gssapi/6/usr.sbin/mountd/mountd.c
==============================================================================
--- user/dfr/gssapi/6/usr.sbin/mountd/mountd.c Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/mountd/mountd.c Mon Nov 10 16:37:03 2008 (r184814)
@@ -113,6 +113,8 @@ struct exportlist {
fsid_t ex_fs;
char *ex_fsdir;
char *ex_indexfile;
+ int ex_numsecflavors;
+ int ex_secflavors[MAXSECFLAVORS];
};
/* ex_flag bits */
#define EX_LINKED 0x1
@@ -150,6 +152,8 @@ struct fhreturn {
int fhr_flag;
int fhr_vers;
nfsfh_t fhr_fh;
+ int fhr_numsecflavors;
+ int *fhr_secflavors;
};
/* Global defs */
@@ -239,6 +243,7 @@ struct pidfh *pfh = NULL;
#define OP_HAVEMASK 0x80 /* A mask was specified or inferred. */
#define OP_QUIET 0x100
#define OP_MASKLEN 0x200
+#define OP_SEC 0x400
#ifdef DEBUG
int debug = 1;
@@ -817,6 +822,8 @@ mntsrv(rqstp, transp)
sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
return;
}
+ fhr.fhr_numsecflavors = ep->ex_numsecflavors;
+ fhr.fhr_secflavors = ep->ex_secflavors;
if (!svc_sendreply(transp, (xdrproc_t)xdr_fhs,
(caddr_t)&fhr))
syslog(LOG_ERR, "can't send reply");
@@ -934,6 +941,7 @@ xdr_fhs(xdrsp, cp)
{
struct fhreturn *fhrp = (struct fhreturn *)cp;
u_long ok = 0, len, auth;
+ int i;
if (!xdr_long(xdrsp, &ok))
return (0);
@@ -946,11 +954,20 @@ xdr_fhs(xdrsp, cp)
return (0);
if (!xdr_opaque(xdrsp, (caddr_t)&fhrp->fhr_fh, len))
return (0);
- auth = RPCAUTH_UNIX;
- len = 1;
- if (!xdr_long(xdrsp, &len))
- return (0);
- return (xdr_long(xdrsp, &auth));
+ if (fhrp->fhr_numsecflavors) {
+ if (!xdr_int(xdrsp, &fhrp->fhr_numsecflavors))
+ return (0);
+ for (i = 0; i < fhrp->fhr_numsecflavors; i++)
+ if (!xdr_int(xdrsp, &fhrp->fhr_secflavors[i]))
+ return (0);
+ return (1);
+ } else {
+ auth = AUTH_SYS;
+ len = 1;
+ if (!xdr_long(xdrsp, &len))
+ return (0);
+ return (xdr_long(xdrsp, &auth));
+ }
};
return (0);
}
@@ -1744,6 +1761,57 @@ free_dir(dp)
}
/*
+ * Parse a colon separated list of security flavors
+ */
+int
+parsesec(seclist, ep)
+ char *seclist;
+ struct exportlist *ep;
+{
+ char *cp, savedc;
+ int flavor;
+
+ ep->ex_numsecflavors = 0;
+ for (;;) {
+ cp = strchr(seclist, ':');
+ if (cp) {
+ savedc = *cp;
+ *cp = '\0';
+ }
+
+ if (!strcmp(seclist, "sys"))
+ flavor = AUTH_SYS;
+ else if (!strcmp(seclist, "krb5"))
+ flavor = RPCSEC_GSS_KRB5;
+ else if (!strcmp(seclist, "krb5i"))
+ flavor = RPCSEC_GSS_KRB5I;
+ else if (!strcmp(seclist, "krb5p"))
+ flavor = RPCSEC_GSS_KRB5P;
+ else {
+ if (cp)
+ *cp = savedc;
+ syslog(LOG_ERR, "bad sec flavor: %s", seclist);
+ return (1);
+ }
+ if (ep->ex_numsecflavors == MAXSECFLAVORS) {
+ if (cp)
+ *cp = savedc;
+ syslog(LOG_ERR, "too many sec flavors: %s", seclist);
+ return (1);
+ }
+ ep->ex_secflavors[ep->ex_numsecflavors] = flavor;
+ ep->ex_numsecflavors++;
+ if (cp) {
+ *cp = savedc;
+ seclist = cp + 1;
+ } else {
+ break;
+ }
+ }
+ return (0);
+}
+
+/*
* Parse the option string and update fields.
* Option arguments may either be -<option>=<value> or
* -<option> <value>
@@ -1838,6 +1906,11 @@ do_opt(cpp, endcpp, ep, grp, has_hostp,
ep->ex_indexfile = strdup(cpoptarg);
} else if (!strcmp(cpopt, "quiet")) {
opt_flags |= OP_QUIET;
+ } else if (!strcmp(cpopt, "sec")) {
+ if (parsesec(cpoptarg, ep))
+ return (1);
+ opt_flags |= OP_SEC;
+ usedarg++;
} else {
syslog(LOG_ERR, "bad opt %s", cpopt);
return (1);
@@ -1996,7 +2069,7 @@ do_mount(struct exportlist *ep, struct g
int done;
char savedc;
struct iovec *iov;
- int iovlen;
+ int i, iovlen;
int ret;
cp = NULL;
@@ -2013,6 +2086,13 @@ do_mount(struct exportlist *ep, struct g
ai = grp->gr_ptr.gt_addrinfo;
else
ai = NULL;
+ eap.ex_numsecflavors = ep->ex_numsecflavors;
+ for (i = 0; i < eap.ex_numsecflavors; i++)
+ eap.ex_secflavors[i] = ep->ex_secflavors[i];
+ if (eap.ex_numsecflavors == 0) {
+ eap.ex_numsecflavors = 1;
+ eap.ex_secflavors[0] = AUTH_SYS;
+ }
done = FALSE;
build_iovec(&iov, &iovlen, "fstype", NULL, 0);
Modified: user/dfr/gssapi/6/usr.sbin/nfsd/nfsd.c
==============================================================================
--- user/dfr/gssapi/6/usr.sbin/nfsd/nfsd.c Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/nfsd/nfsd.c Mon Nov 10 16:37:03 2008 (r184814)
@@ -81,6 +81,7 @@ int debug = 0;
#define DEFNFSDCNT 4
pid_t children[MAXNFSDCNT]; /* PIDs of children */
int nfsdcnt; /* number of children */
+int new_syscall;
void cleanup(int);
void child_cleanup(int);
@@ -116,7 +117,7 @@ void usage(void);
int
main(int argc, char **argv)
{
- struct nfsd_args nfsdargs;
+ struct nfsd_addsock_args addsockargs;
struct addrinfo *ai_udp, *ai_tcp, *ai_udp6, *ai_tcp6, hints;
struct netconfig *nconf_udp, *nconf_tcp, *nconf_udp6, *nconf_tcp6;
struct netbuf nb_udp, nb_tcp, nb_udp6, nb_tcp6;
@@ -325,23 +326,54 @@ main(int argc, char **argv)
openlog("nfsd", LOG_PID, LOG_DAEMON);
- /* If we use UDP only, we start the last server below. */
- srvcnt = tcpflag ? nfsdcnt : nfsdcnt - 1;
- for (i = 0; i < srvcnt; i++) {
- switch ((pid = fork())) {
- case -1:
+ /*
+ * Figure out if the kernel supports the new-style
+ * NFSSVC_NFSD. Old kernels will return ENXIO because they
+ * don't recognise the flag value, new ones will return EINVAL
+ * because argp is NULL.
+ */
+ new_syscall = FALSE;
+ if (nfssvc(NFSSVC_NFSD, NULL) < 0 && errno == EINVAL)
+ new_syscall = TRUE;
+ new_syscall = FALSE;
+
+ if (!new_syscall) {
+ /* If we use UDP only, we start the last server below. */
+ srvcnt = tcpflag ? nfsdcnt : nfsdcnt - 1;
+ for (i = 0; i < srvcnt; i++) {
+ switch ((pid = fork())) {
+ case -1:
+ syslog(LOG_ERR, "fork: %m");
+ nfsd_exit(1);
+ case 0:
+ break;
+ default:
+ children[i] = pid;
+ continue;
+ }
+ (void)signal(SIGUSR1, child_cleanup);
+ setproctitle("server");
+
+ start_server(0);
+ }
+ } else if (tcpflag) {
+ /*
+ * For TCP mode, we fork once to start the first
+ * kernel nfsd thread. The kernel will add more
+ * threads as needed.
+ */
+ pid = fork();
+ if (pid == -1) {
syslog(LOG_ERR, "fork: %m");
nfsd_exit(1);
- case 0:
- break;
- default:
- children[i] = pid;
- continue;
}
- (void)signal(SIGUSR1, child_cleanup);
- setproctitle("server");
-
- start_server(0);
+ if (pid) {
+ children[0] = pid;
+ } else {
+ (void)signal(SIGUSR1, child_cleanup);
+ setproctitle("server");
+ start_server(0);
+ }
}
(void)signal(SIGUSR1, cleanup);
@@ -377,10 +409,10 @@ main(int argc, char **argv)
nfsd_exit(1);
}
freeaddrinfo(ai_udp);
- nfsdargs.sock = sock;
- nfsdargs.name = NULL;
- nfsdargs.namelen = 0;
- if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) < 0) {
+ addsockargs.sock = sock;
+ addsockargs.name = NULL;
+ addsockargs.namelen = 0;
+ if (nfssvc(NFSSVC_ADDSOCK, &addsockargs) < 0) {
syslog(LOG_ERR, "can't Add UDP socket");
nfsd_exit(1);
}
@@ -445,10 +477,10 @@ main(int argc, char **argv)
nfsd_exit(1);
}
freeaddrinfo(ai_udp6);
- nfsdargs.sock = sock;
- nfsdargs.name = NULL;
- nfsdargs.namelen = 0;
- if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) < 0) {
+ addsockargs.sock = sock;
+ addsockargs.name = NULL;
+ addsockargs.namelen = 0;
+ if (nfssvc(NFSSVC_ADDSOCK, &addsockargs) < 0) {
syslog(LOG_ERR,
"can't add UDP6 socket");
nfsd_exit(1);
@@ -675,10 +707,10 @@ main(int argc, char **argv)
SO_KEEPALIVE, (char *)&on, sizeof(on)) < 0)
syslog(LOG_ERR,
"setsockopt SO_KEEPALIVE: %m");
- nfsdargs.sock = msgsock;
- nfsdargs.name = (caddr_t)&inetpeer;
- nfsdargs.namelen = len;
- nfssvc(NFSSVC_ADDSOCK, &nfsdargs);
+ addsockargs.sock = msgsock;
+ addsockargs.name = (caddr_t)&inetpeer;
+ addsockargs.namelen = len;
+ nfssvc(NFSSVC_ADDSOCK, &addsockargs);
(void)close(msgsock);
} else if (FD_ISSET(tcpsock, &v6bits)) {
len = sizeof(inet6peer);
@@ -697,10 +729,10 @@ main(int argc, char **argv)
sizeof(on)) < 0)
syslog(LOG_ERR, "setsockopt "
"SO_KEEPALIVE: %m");
- nfsdargs.sock = msgsock;
- nfsdargs.name = (caddr_t)&inet6peer;
- nfsdargs.namelen = len;
- nfssvc(NFSSVC_ADDSOCK, &nfsdargs);
+ addsockargs.sock = msgsock;
+ addsockargs.name = (caddr_t)&inet6peer;
+ addsockargs.namelen = len;
+ nfssvc(NFSSVC_ADDSOCK, &addsockargs);
(void)close(msgsock);
}
}
@@ -828,12 +860,27 @@ nfsd_exit(int status)
void
start_server(int master)
{
+ char principal[128];
+ char hostname[128];
+ struct nfsd_nfsd_args nfsdargs;
int status;
status = 0;
- if (nfssvc(NFSSVC_NFSD, NULL) < 0) {
- syslog(LOG_ERR, "nfssvc: %m");
- status = 1;
+ if (new_syscall) {
+ gethostname(hostname, sizeof(hostname));
+ snprintf(principal, sizeof(principal), "nfs@%s", hostname);
+ nfsdargs.principal = principal;
+ nfsdargs.minthreads = nfsdcnt;
+ nfsdargs.maxthreads = nfsdcnt;
+ if (nfssvc(NFSSVC_NFSD, &nfsdargs) < 0) {
+ syslog(LOG_ERR, "nfssvc: %m");
+ status = 1;
+ }
+ } else {
+ if (nfssvc(NFSSVC_OLDNFSD, NULL) < 0) {
+ syslog(LOG_ERR, "nfssvc: %m");
+ status = 1;
+ }
}
if (master)
nfsd_exit(status);
More information about the svn-src-user
mailing list