From: Steve Dickson <SteveD@redhat.com>
To: tigran.mkrtchyan@desy.de
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH 2/2] nfsidmap: Allow a particular key to be revoked.
Date: Thu, 17 Nov 2011 16:36:31 -0500 [thread overview]
Message-ID: <4EC57E5F.4040906@RedHat.com> (raw)
In-Reply-To: <CAGue13q8FhAcQxp-nT5k1sbQndy=qxaKrAxzuyFF2cA-mPB7tw@mail.gmail.com>
On 11/17/2011 03:34 PM, Tigran Mkrtchyan wrote:
> On Thu, Nov 17, 2011 at 9:26 PM, Steve Dickson <steved@redhat.com> wrote:
>> Introducing three new command line arguments
>> that allow particular keys to be revoke
>>
>> -u will remove a uid key
>> -g will revoke a gid key
>> -r will revoke both the uid and gid keys
>>
>> The user name has also needs to be supply
>> with these new flags.
>>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>> ---
>> utils/nfsidmap/nfsidmap.c | 84 ++++++++++++++++++++++++++++++++++++++++--
>> utils/nfsidmap/nfsidmap.man | 23 ++++++++++--
>> 2 files changed, 99 insertions(+), 8 deletions(-)
>>
>> diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
>> index 2625dc1..7b64cd4 100644
>> --- a/utils/nfsidmap/nfsidmap.c
>> +++ b/utils/nfsidmap/nfsidmap.c
>> @@ -13,7 +13,7 @@
>> #include "xlog.h"
>>
>> int verbose = 0;
>> -char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>> +char *usage="Usage: %s [-v] [[-u|-g|-r key]] | [-c [keyring]] | [[-t timeout] key desc]";
>>
>> #define MAX_ID_LEN 11
>> #define IDMAP_NAMESZ 128
>> @@ -22,6 +22,9 @@ char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>> #define DEFAULT_KEYRING "id_resolver"
>> #define PROCKEYS "/proc/keys"
>>
>> +#define UIDKEYS 0x1
>> +#define GIDKEYS 0x2
>> +
>> /*
>> * Find either a user or group id based on the name@domain string
>> */
>> @@ -130,6 +133,63 @@ static int keyring_clear(char *keyring)
>> xlog_err("'%s' keyring was not found.", keyring);
>> return 1;
>> }
>> +/*
>> + * Revoke a key
>> + */
>> +static int key_revoke(char *keystr, int keymask)
>> +{
>> + FILE *fp;
>> + char buf[BUFSIZ], *ptr;
>> + key_serial_t key;
>> + int mask;
>> +
>> + xlog_syslog(0);
>> +
>> + if ((fp = fopen(PROCKEYS, "r")) == NULL) {
>
> May be not critical, but you never closing fp.
Fair enough.... Its good practice to close things
you open.. I'll add it to the re-spin...
steved.
>
> Tigran.
>
>> + xlog_err("fopen(%s) failed: %m", PROCKEYS);
>> + return 1;
>> + }
>> +
>> + while(fgets(buf, BUFSIZ, fp) != NULL) {
>> + if (strstr(buf, "keyring") != NULL)
>> + continue;
>> +
>> + mask = 0;
>> + if ((ptr = strstr(buf, "uid:")) != NULL)
>> + mask = UIDKEYS;
>> + else if ((ptr = strstr(buf, "gid:")) != NULL)
>> + mask = GIDKEYS;
>> + else
>> + continue;
>> +
>> + if ((keymask & mask) == 0)
>> + continue;
>> +
>> + if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
>> + continue;
>> +
>> + if (verbose) {
>> + *(strchr(buf, '\n')) = '\0';
>> + xlog_warn("revoking '%s'", buf);
>> + }
>> + /*
>> + * The key is the first arugment in the string
>> + */
>> + *(strchr(buf, ' ')) = '\0';
>> + sscanf(buf, "%x", &key);
>> +
>> + if (keyctl_revoke(key) < 0) {
>> + xlog_err("keyctl_revoke(0x%x) failed: %m", key);
>> + return 1;
>> + }
>> +
>> + keymask &= ~mask;
>> + if (keymask == 0)
>> + return 0;
>> + }
>> + xlog_err("'%s' key was not found.", keystr);
>> + return 1;
>> +}
>>
>> int main(int argc, char **argv)
>> {
>> @@ -139,8 +199,8 @@ int main(int argc, char **argv)
>> int rc = 1, opt;
>> int timeout = 600;
>> key_serial_t key;
>> - char *progname, *keyring = NULL;
>> - int clearring;
>> + char *progname, *keyring = NULL, *keystr = NULL;
>> + int clearring, keymask = 0;
>>
>> /* Set the basename */
>> if ((progname = strrchr(argv[0], '/')) != NULL)
>> @@ -150,8 +210,20 @@ int main(int argc, char **argv)
>>
>> xlog_open(progname);
>>
>> - while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>> + while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
>> switch (opt) {
>> + case 'u':
>> + keymask = UIDKEYS;
>> + keystr = strdup(optarg);
>> + break;
>> + case 'g':
>> + keymask = GIDKEYS;
>> + keystr = strdup(optarg);
>> + break;
>> + case 'r':
>> + keymask = GIDKEYS|UIDKEYS;
>> + keystr = strdup(optarg);
>> + break;
>> case 'c':
>> clearring++;
>> break;
>> @@ -167,6 +239,10 @@ int main(int argc, char **argv)
>> }
>> }
>>
>> + if (keystr) {
>> + rc = key_revoke(keystr, keymask);
>> + return rc;
>> + }
>> if (clearring) {
>> keyring = ((argc - optind) ? argv[optind] : NULL);
>> rc = keyring_clear(keyring);
>> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
>> index db65a1f..216afd1 100644
>> --- a/utils/nfsidmap/nfsidmap.man
>> +++ b/utils/nfsidmap/nfsidmap.man
>> @@ -6,7 +6,11 @@
>> .SH NAME
>> nfsidmap \- The NFS idmapper upcall program
>> .SH SYNOPSIS
>> -.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>> +.B "nfsidmap [-v] [-t timeout] key desc"
>> +.br
>> +.B "nfsidmap [-v] [-c [keyring]]"
>> +.br
>> +.B "nfsidmap [-v] [-u|-g|-r user]"
>> .SH DESCRIPTION
>> The file
>> .I /usr/sbin/nfsidmap
>> @@ -18,9 +22,11 @@ is called by /sbin/request-key, and will perform the translation and
>> initialize a key with the resulting information.
>> .PP
>> .I nfsidmap
>> -can also used to clear the keyring of all the keys.
>> -This is useful when all the mappings have failed to due to an DNS outage
>> -or some other error resulting in all the cached uid/gid to be invalid.
>> +can also used to clear the keyring of all the keys or
>> +revoke one particular key.
>> +This is useful when the id mappings have failed to due
>> +to a lookup error resulting in all the cached uids/gids to be set
>> +to the user id nobody.
>> .SH OPTIONS
>> .TP
>> .B -c [keyring]
>> @@ -28,10 +34,19 @@ Clear the keyring of all the keys. If a
>> keyring is not supplied the default
>> keyring 'id_resolver' will be used.
>> .TP
>> +.B -g user
>> +Revoke the gid key of the given user.
>> +.TP
>> +.B -r user
>> +Revoke both the uid and gid key of the given user.
>> +.TP
>> .B -t timeout
>> Set the expiration timer, in seconds, on the key.
>> The default is 600 seconds (10 mins).
>> .TP
>> +.B -u user
>> +Revoke the uid key of the given user.
>> +.TP
>> .B -v
>> Increases the verbosity of the output to syslog
>> (can be specified multiple times).
>> --
>> 1.7.7
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
next prev parent reply other threads:[~2011-11-17 21:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 20:26 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have failed Steve Dickson
2011-11-17 20:26 ` [PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring Steve Dickson
2011-11-17 20:36 ` Tigran Mkrtchyan
2011-11-17 21:36 ` Steve Dickson
2011-11-17 20:26 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
2011-11-17 20:34 ` Tigran Mkrtchyan
2011-11-17 21:36 ` Steve Dickson [this message]
-- strict thread matches above, loose matches on Subject: below --
2011-11-17 21:51 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 2) Steve Dickson
2011-11-17 21:51 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
2011-11-23 15:24 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EC57E5F.4040906@RedHat.com \
--to=steved@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tigran.mkrtchyan@desy.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.