Date: Fri, 12 Jun 2009 15:02:51 -0400 (EDT)
From: Rick Macklem
To: "Bjoern A. Zeeb"
Cc: freebsd-current@freebsd.org, jamie@freebsd.org
Subject: Re: kgssapi won't build, I need prison help

On Thu, 11 Jun 2009, Bjoern A. Zeeb wrote:

> On Thu, 11 Jun 2009, Rick Macklem wrote:
>
> Hi,
>
>> No, I know how to get thrown in prison:-), but I don't know what
>> "prison" should be used by the rpcsec_gss server (options KGSSAPI).
>>
>> options KGSSAPI doesn't build right now. One place is just in need
>> of jail.h, but in another, it still uses "hostid". I assume this
>> should become pr_hostid, but for what "prison"? (would prison0.pr_host
>> be ok?)
>
> 1) note pr_hostid is unsigned long, ci_hostid is uint32_t.
>
> 2) I do not know what that code does but ideally it should be from the
> same context as being called which might be hard in this case.
>
> For svc_rpc_gss_find_client you may want to move the check into the
> foreach loop as an additional criterion; client seems to know the
> context it runs in (cred-> ...)
>
> For svc_rpc_gss_create_client() I would say you'll have to pass in
> the correct context.
>

How about adding the following patch and then the svc_rpcsec_gss.c code
can call getcredhostid(curthread->td_ucred)?

Note that this stuff is used by the nfsserver, so the threads are all
children of the nfsd daemon. (The credentials in that code are generated
by the gssd from a Kerberos principal name like "rick" and consist of a
uid + gid list for a remote user.)
I have no idea if running the nfsd inside a prison makes any sense. If not, maybe it could just be getcredhostid(NULL) instead? What do you think? rick --- possible patch for jail --- --- sys/jail.h.sav 2009-06-12 13:42:35.000000000 -0400 +++ sys/jail.h 2009-06-12 13:43:09.000000000 -0400 @@ -305,6 +305,7 @@ struct statfs; int jailed(struct ucred *cred); void getcredhostname(struct ucred *cred, char *, size_t); +unsigned long getcredhostid(struct ucred *cred); int prison_allow(struct ucred *, unsigned); int prison_check(struct ucred *cred1, struct ucred *cred2); int prison_canseemount(struct ucred *cred, struct mount *mp); --- kern/kern_jail.c.sav 2009-06-12 13:39:46.000000000 -0400 +++ kern/kern_jail.c 2009-06-12 13:41:58.000000000 -0400 @@ -3221,6 +3221,22 @@ } /* + * Ditto for the hostid. + */ +unsigned long +getcredhostid(struct ucred *cred) +{ + struct prison *pr; + unsigned long ret_hostid; + + pr = (cred != NULL) ? cred->cr_prison : &prison0; + mtx_lock(&pr->pr_mtx); + ret_hostid = pr->pr_hostid; + mtx_unlock(&pr->pr_mtx); + return (ret_hostid); +} + +/* * Determine whether the subject represented by cred can "see" * status of a mount point. * Returns: 0 for permitted, ENOENT otherwise.
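Review bot: the prototype `unsigned long getcredhostid(struct ucred *cred);` added in the sys/jail.h hunk gives callers no hint that a NULL cred is accepted and resolves to prison0, which is what the kern_jail.c implementation does. A short comment beside the declaration would keep a caller from passing NULL in a jailed context and receiving the host's hostid without noticing. The return width also matters for the intended consumer: the quoted reply points out that ci_hostid is uint32_t, so the assignment in svc_rpcsec_gss.c should narrow explicitly (cast or range check) rather than implicitly.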
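Review bot: in the kern/kern_jail.c hunk, `pr = (cred != NULL) ? cred->cr_prison : &prison0;` silently falls back to the host prison, and the block comment "Ditto for the hostid." says nothing about that case. Since the hostid is meant to identify the context the RPCSEC_GSS server runs in, either document the NULL behaviour in the comment or drop the NULL branch and require callers to pass a credential such as curthread->td_ucred, as the message itself proposes, so the value always comes from the calling context. The comment would also read better stating on its own what the function returns instead of leaning on the preceding function's comment.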