Date: Tue, 4 Nov 2008 12:02:01 +0000 (UTC) From: Doug Rabson <dfr@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r184627 - in user/dfr/gssapi/7/usr.sbin: . adduser bsnmpd/modules/snmp_pf cdcontrol config cron cron/cron extattr freebsd-update gssd iostat mountd ndiscvt newsyslog nfsd nscd ntp pkg_i... Message-ID: <200811041202.mA4C21CG096007@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dfr Date: Tue Nov 4 12:02:01 2008 New Revision: 184627 URL: http://svn.freebsd.org/changeset/base/184627 Log: Merged /head/usr.sbin:r184588 Added: user/dfr/gssapi/7/usr.sbin/gssd/ - copied from r184588, head/usr.sbin/gssd/ Modified: user/dfr/gssapi/7/usr.sbin/ (props changed) user/dfr/gssapi/7/usr.sbin/Makefile user/dfr/gssapi/7/usr.sbin/adduser/ (props changed) user/dfr/gssapi/7/usr.sbin/bsnmpd/modules/snmp_pf/ (props changed) user/dfr/gssapi/7/usr.sbin/cdcontrol/ (props changed) user/dfr/gssapi/7/usr.sbin/config/ (props changed) user/dfr/gssapi/7/usr.sbin/cron/ (props changed) user/dfr/gssapi/7/usr.sbin/cron/cron/ (props changed) user/dfr/gssapi/7/usr.sbin/extattr/ (props changed) user/dfr/gssapi/7/usr.sbin/freebsd-update/ (props changed) user/dfr/gssapi/7/usr.sbin/iostat/ (props changed) user/dfr/gssapi/7/usr.sbin/mountd/ (props changed) user/dfr/gssapi/7/usr.sbin/mountd/exports.5 user/dfr/gssapi/7/usr.sbin/mountd/mountd.c user/dfr/gssapi/7/usr.sbin/ndiscvt/ (props changed) user/dfr/gssapi/7/usr.sbin/newsyslog/newsyslog.conf.5 (props changed) user/dfr/gssapi/7/usr.sbin/nfsd/nfsd.c user/dfr/gssapi/7/usr.sbin/nscd/ (props changed) user/dfr/gssapi/7/usr.sbin/ntp/ (props changed) user/dfr/gssapi/7/usr.sbin/pkg_install/ (props changed) user/dfr/gssapi/7/usr.sbin/pmcstat/ (props changed) user/dfr/gssapi/7/usr.sbin/portsnap/ (props changed) user/dfr/gssapi/7/usr.sbin/powerd/ (props changed) user/dfr/gssapi/7/usr.sbin/pw/ (props changed) user/dfr/gssapi/7/usr.sbin/rpc.lockd/ (props changed) user/dfr/gssapi/7/usr.sbin/rpc.statd/ (props changed) user/dfr/gssapi/7/usr.sbin/setfib/ (props changed) user/dfr/gssapi/7/usr.sbin/sysinstall/ (props changed) user/dfr/gssapi/7/usr.sbin/syslogd/ (props changed) user/dfr/gssapi/7/usr.sbin/tzsetup/ (props changed) user/dfr/gssapi/7/usr.sbin/wpa/wpa_supplicant/ (props changed) Modified: user/dfr/gssapi/7/usr.sbin/Makefile ============================================================================== --- user/dfr/gssapi/7/usr.sbin/Makefile Tue Nov 4 11:54:26 2008 (r184626) +++ user/dfr/gssapi/7/usr.sbin/Makefile Tue Nov 4 12:02:01 2008 (r184627) @@ -64,6 +64,7 @@ SUBDIR= ac \ getpmac \ gstat \ ${_i4b} \ + ${_gssd} \ ifmcstat \ inetd \ iostat \ @@ -234,6 +235,10 @@ _keyserv= keyserv _ftp-proxy= ftp-proxy .endif +.if ${MK_GSSAPI} != no +_gssd= gssd +.endif + .if ${MK_INET6} != "no" _faithd= faithd _ip6addrctl= ip6addrctl Modified: user/dfr/gssapi/7/usr.sbin/mountd/exports.5 ============================================================================== --- user/dfr/gssapi/7/usr.sbin/mountd/exports.5 Tue Nov 4 11:54:26 2008 (r184626) +++ user/dfr/gssapi/7/usr.sbin/mountd/exports.5 Tue Nov 4 12:02:01 2008 (r184627) @@ -149,6 +149,17 @@ option is given, all users (including root) will be mapped to that credential in place of their own. .Pp +.Sm off +.Fl sec Li = Sy flavor1:flavor2... +.Sm on +specifies a colon separated list of acceptable security flavors to be +used for remote access. +Supported security flavors are sys, krb5, krb5i and krb5p. +If multiple flavors are listed, they should be ordered with the most +preferred flavor first. +If this option is not present, +the default security flavor list of just sys is used. +.Pp The .Fl ro option specifies that the file system should be exported read-only @@ -305,6 +316,8 @@ the default remote mount-point file /u2 -maproot=root friends /u2 -alldirs -network cis-net -mask cis-mask /cdrom -alldirs,quiet,ro -network 192.168.33.0 -mask 255.255.255.0 +/private -sec=krb5i +/secret -sec=krb5p .Ed .Pp Given that @@ -411,6 +424,15 @@ While there is no CD-ROM medium mounted it would export the (normally empty) directory .Pa /cdrom of the root file system instead. +.Pp +The file system rooted at +.Pa /private +will be exported using Kerberos 5 authentication and will require +integrity protected messages for all accesses. +The file system rooted at +.Pa /secret +will also be exported using Kerberos 5 authentication and all messages +used to access it will be encrypted. .Sh SEE ALSO .Xr netgroup 5 , .Xr mountd 8 , Modified: user/dfr/gssapi/7/usr.sbin/mountd/mountd.c ============================================================================== --- user/dfr/gssapi/7/usr.sbin/mountd/mountd.c Tue Nov 4 11:54:26 2008 (r184626) +++ user/dfr/gssapi/7/usr.sbin/mountd/mountd.c Tue Nov 4 12:02:01 2008 (r184627) @@ -113,6 +113,8 @@ struct exportlist { fsid_t ex_fs; char *ex_fsdir; char *ex_indexfile; + int ex_numsecflavors; + int ex_secflavors[MAXSECFLAVORS]; }; /* ex_flag bits */ #define EX_LINKED 0x1 @@ -150,6 +152,8 @@ struct fhreturn { int fhr_flag; int fhr_vers; nfsfh_t fhr_fh; + int fhr_numsecflavors; + int *fhr_secflavors; }; /* Global defs */ @@ -240,6 +244,7 @@ struct pidfh *pfh = NULL; #define OP_HAVEMASK 0x80 /* A mask was specified or inferred. */ #define OP_QUIET 0x100 #define OP_MASKLEN 0x200 +#define OP_SEC 0x400 #ifdef DEBUG int debug = 1; @@ -817,6 +822,8 @@ mntsrv(rqstp, transp) sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL); return; } + fhr.fhr_numsecflavors = ep->ex_numsecflavors; + fhr.fhr_secflavors = ep->ex_secflavors; if (!svc_sendreply(transp, (xdrproc_t)xdr_fhs, (caddr_t)&fhr)) syslog(LOG_ERR, "can't send reply"); @@ -934,6 +941,7 @@ xdr_fhs(xdrsp, cp) { struct fhreturn *fhrp = (struct fhreturn *)cp; u_long ok = 0, len, auth; + int i; if (!xdr_long(xdrsp, &ok)) return (0); @@ -946,11 +954,20 @@ xdr_fhs(xdrsp, cp) return (0); if (!xdr_opaque(xdrsp, (caddr_t)&fhrp->fhr_fh, len)) return (0); - auth = RPCAUTH_UNIX; - len = 1; - if (!xdr_long(xdrsp, &len)) - return (0); - return (xdr_long(xdrsp, &auth)); + if (fhrp->fhr_numsecflavors) { + if (!xdr_int(xdrsp, &fhrp->fhr_numsecflavors)) + return (0); + for (i = 0; i < fhrp->fhr_numsecflavors; i++) + if (!xdr_int(xdrsp, &fhrp->fhr_secflavors[i])) + return (0); + return (1); + } else { + auth = AUTH_SYS; + len = 1; + if (!xdr_long(xdrsp, &len)) + return (0); + return (xdr_long(xdrsp, &auth)); + } }; return (0); } @@ -1765,6 +1782,57 @@ free_dir(dp) } /* + * Parse a colon separated list of security flavors + */ +int +parsesec(seclist, ep) + char *seclist; + struct exportlist *ep; +{ + char *cp, savedc; + int flavor; + + ep->ex_numsecflavors = 0; + for (;;) { + cp = strchr(seclist, ':'); + if (cp) { + savedc = *cp; + *cp = '\0'; + } + + if (!strcmp(seclist, "sys")) + flavor = AUTH_SYS; + else if (!strcmp(seclist, "krb5")) + flavor = RPCSEC_GSS_KRB5; + else if (!strcmp(seclist, "krb5i")) + flavor = RPCSEC_GSS_KRB5I; + else if (!strcmp(seclist, "krb5p")) + flavor = RPCSEC_GSS_KRB5P; + else { + if (cp) + *cp = savedc; + syslog(LOG_ERR, "bad sec flavor: %s", seclist); + return (1); + } + if (ep->ex_numsecflavors == MAXSECFLAVORS) { + if (cp) + *cp = savedc; + syslog(LOG_ERR, "too many sec flavors: %s", seclist); + return (1); + } + ep->ex_secflavors[ep->ex_numsecflavors] = flavor; + ep->ex_numsecflavors++; + if (cp) { + *cp = savedc; + seclist = cp + 1; + } else { + break; + } + } + return (0); +} + +/* * Parse the option string and update fields. * Option arguments may either be -<option>=<value> or * -<option> <value> @@ -1859,6 +1927,11 @@ do_opt(cpp, endcpp, ep, grp, has_hostp, ep->ex_indexfile = strdup(cpoptarg); } else if (!strcmp(cpopt, "quiet")) { opt_flags |= OP_QUIET; + } else if (!strcmp(cpopt, "sec")) { + if (parsesec(cpoptarg, ep)) + return (1); + opt_flags |= OP_SEC; + usedarg++; } else { syslog(LOG_ERR, "bad opt %s", cpopt); return (1); @@ -2018,7 +2091,7 @@ do_mount(struct exportlist *ep, struct g int done; char savedc; struct iovec *iov; - int iovlen; + int i, iovlen; int ret; cp = NULL; @@ -2036,6 +2109,13 @@ do_mount(struct exportlist *ep, struct g ai = grp->gr_ptr.gt_addrinfo; else ai = NULL; + eap.ex_numsecflavors = ep->ex_numsecflavors; + for (i = 0; i < eap.ex_numsecflavors; i++) + eap.ex_secflavors[i] = ep->ex_secflavors[i]; + if (eap.ex_numsecflavors == 0) { + eap.ex_numsecflavors = 1; + eap.ex_secflavors[0] = AUTH_SYS; + } done = FALSE; build_iovec(&iov, &iovlen, "fstype", NULL, 0); Modified: user/dfr/gssapi/7/usr.sbin/nfsd/nfsd.c ============================================================================== --- user/dfr/gssapi/7/usr.sbin/nfsd/nfsd.c Tue Nov 4 11:54:26 2008 (r184626) +++ user/dfr/gssapi/7/usr.sbin/nfsd/nfsd.c Tue Nov 4 12:02:01 2008 (r184627) @@ -81,6 +81,7 @@ int debug = 0; #define DEFNFSDCNT 4 pid_t children[MAXNFSDCNT]; /* PIDs of children */ int nfsdcnt; /* number of children */ +int new_syscall; void cleanup(int); void child_cleanup(int); @@ -116,7 +117,7 @@ void usage(void); int main(int argc, char **argv) { - struct nfsd_args nfsdargs; + struct nfsd_addsock_args addsockargs; struct addrinfo *ai_udp, *ai_tcp, *ai_udp6, *ai_tcp6, hints; struct netconfig *nconf_udp, *nconf_tcp, *nconf_udp6, *nconf_tcp6; struct netbuf nb_udp, nb_tcp, nb_udp6, nb_tcp6; @@ -326,23 +327,54 @@ main(int argc, char **argv) openlog("nfsd", LOG_PID, LOG_DAEMON); - /* If we use UDP only, we start the last server below. */ - srvcnt = tcpflag ? nfsdcnt : nfsdcnt - 1; - for (i = 0; i < srvcnt; i++) { - switch ((pid = fork())) { - case -1: + /* + * Figure out if the kernel supports the new-style + * NFSSVC_NFSD. Old kernels will return ENXIO because they + * don't recognise the flag value, new ones will return EINVAL + * because argp is NULL. + */ + new_syscall = FALSE; + if (nfssvc(NFSSVC_NFSD, NULL) < 0 && errno == EINVAL) + new_syscall = TRUE; + new_syscall = FALSE; + + if (!new_syscall) { + /* If we use UDP only, we start the last server below. */ + srvcnt = tcpflag ? nfsdcnt : nfsdcnt - 1; + for (i = 0; i < srvcnt; i++) { + switch ((pid = fork())) { + case -1: + syslog(LOG_ERR, "fork: %m"); + nfsd_exit(1); + case 0: + break; + default: + children[i] = pid; + continue; + } + (void)signal(SIGUSR1, child_cleanup); + setproctitle("server"); + + start_server(0); + } + } else if (tcpflag) { + /* + * For TCP mode, we fork once to start the first + * kernel nfsd thread. The kernel will add more + * threads as needed. + */ + pid = fork(); + if (pid == -1) { syslog(LOG_ERR, "fork: %m"); nfsd_exit(1); - case 0: - break; - default: - children[i] = pid; - continue; } - (void)signal(SIGUSR1, child_cleanup); - setproctitle("server"); - - start_server(0); + if (pid) { + children[0] = pid; + } else { + (void)signal(SIGUSR1, child_cleanup); + setproctitle("server"); + start_server(0); + } } (void)signal(SIGUSR1, cleanup); @@ -378,10 +410,10 @@ main(int argc, char **argv) nfsd_exit(1); } freeaddrinfo(ai_udp); - nfsdargs.sock = sock; - nfsdargs.name = NULL; - nfsdargs.namelen = 0; - if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) < 0) { + addsockargs.sock = sock; + addsockargs.name = NULL; + addsockargs.namelen = 0; + if (nfssvc(NFSSVC_ADDSOCK, &addsockargs) < 0) { syslog(LOG_ERR, "can't Add UDP socket"); nfsd_exit(1); } @@ -446,10 +478,10 @@ main(int argc, char **argv) nfsd_exit(1); } freeaddrinfo(ai_udp6); - nfsdargs.sock = sock; - nfsdargs.name = NULL; - nfsdargs.namelen = 0; - if (nfssvc(NFSSVC_ADDSOCK, &nfsdargs) < 0) { + addsockargs.sock = sock; + addsockargs.name = NULL; + addsockargs.namelen = 0; + if (nfssvc(NFSSVC_ADDSOCK, &addsockargs) < 0) { syslog(LOG_ERR, "can't add UDP6 socket"); nfsd_exit(1); @@ -676,10 +708,10 @@ main(int argc, char **argv) SO_KEEPALIVE, (char *)&on, sizeof(on)) < 0) syslog(LOG_ERR, "setsockopt SO_KEEPALIVE: %m"); - nfsdargs.sock = msgsock; - nfsdargs.name = (caddr_t)&inetpeer; - nfsdargs.namelen = len; - nfssvc(NFSSVC_ADDSOCK, &nfsdargs); + addsockargs.sock = msgsock; + addsockargs.name = (caddr_t)&inetpeer; + addsockargs.namelen = len; + nfssvc(NFSSVC_ADDSOCK, &addsockargs); (void)close(msgsock); } else if (FD_ISSET(tcpsock, &v6bits)) { len = sizeof(inet6peer); @@ -698,10 +730,10 @@ main(int argc, char **argv) sizeof(on)) < 0) syslog(LOG_ERR, "setsockopt " "SO_KEEPALIVE: %m"); - nfsdargs.sock = msgsock; - nfsdargs.name = (caddr_t)&inet6peer; - nfsdargs.namelen = len; - nfssvc(NFSSVC_ADDSOCK, &nfsdargs); + addsockargs.sock = msgsock; + addsockargs.name = (caddr_t)&inet6peer; + addsockargs.namelen = len; + nfssvc(NFSSVC_ADDSOCK, &addsockargs); (void)close(msgsock); } } @@ -829,12 +861,27 @@ nfsd_exit(int status) void start_server(int master) { + char principal[128]; + char hostname[128]; + struct nfsd_nfsd_args nfsdargs; int status; status = 0; - if (nfssvc(NFSSVC_NFSD, NULL) < 0) { - syslog(LOG_ERR, "nfssvc: %m"); - status = 1; + if (new_syscall) { + gethostname(hostname, sizeof(hostname)); + snprintf(principal, sizeof(principal), "nfs@%s", hostname); + nfsdargs.principal = principal; + nfsdargs.minthreads = nfsdcnt; + nfsdargs.maxthreads = nfsdcnt; + if (nfssvc(NFSSVC_NFSD, &nfsdargs) < 0) { + syslog(LOG_ERR, "nfssvc: %m"); + status = 1; + } + } else { + if (nfssvc(NFSSVC_OLDNFSD, NULL) < 0) { + syslog(LOG_ERR, "nfssvc: %m"); + status = 1; + } } if (master) nfsd_exit(status);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200811041202.mA4C21CG096007>