Re: [PATCH 3/6] nfsidmap: List cached ID mapping results

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Dickson <SteveD@redhat.com>
To: Chuck Lever <chuck.lever@oracle.com>, linux-nfs@vger.kernel.org
Cc: dhowells@redhat.com
Subject: Re: [PATCH 3/6] nfsidmap: List cached ID mapping results
Date: Tue, 4 Aug 2015 09:29:49 -0400	[thread overview]
Message-ID: <55C0BE4D.4060709@RedHat.com> (raw)
In-Reply-To: <20150731221355.50685.82639.stgit@seurat.1015granger.net>

Hello,

On 07/31/2015 06:13 PM, Chuck Lever wrote:
> User space can see the keys, but not their contents.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>  utils/nfsidmap/nfsidmap.c   |   85 ++++++++++++++++++++++++++++++++++++++++++-
>  utils/nfsidmap/nfsidmap.man |   15 ++++++++
>  2 files changed, 98 insertions(+), 2 deletions(-)
> 
> diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
> index 44b8b4b..ed397c6 100644
> --- a/utils/nfsidmap/nfsidmap.c
> +++ b/utils/nfsidmap/nfsidmap.c
> @@ -108,6 +108,81 @@ static int display_default_domain(void)
>  	return EXIT_SUCCESS;
>  }
>  
> +static void list_key(key_serial_t key)
> +{
> +	char *buffer, *c;
> +	int rc;
> +
> +	rc = keyctl_describe_alloc(key, &buffer);
> +	if (rc < 0) {
> +		switch (errno) {
> +		case EKEYEXPIRED:
> +			printf("Expired key not displayed\n");
> +			break;
> +		default:
> +			xlog_err("Failed to describe key: %m");
> +		}
> +		return;
> +	}
> +
> +	c = strrchr(buffer, ';');
> +	if (!c) {
> +		xlog_err("Unparsable key not displayed\n");
> +		goto out_free;
> +	}
> +	printf("  %s\n", ++c);
> +
> +out_free:
> +	free(buffer);
> +}
> +
> +static void list_keys(const char *ring_name, key_serial_t ring_id)
> +{
> +	key_serial_t *key;
> +	void *keylist;
> +	int count;
> +
> +	count = keyctl_read_alloc(ring_id, &keylist);
> +	if (count < 0) {
> +		xlog_err("Failed to read keyring %s: %m", ring_name);
> +		return;
> +	}
> +	count /= (int)sizeof(*key);
> +
> +	switch (count) {
> +	case 0:
> +		printf("No %s keys found.\n", ring_name);
> +		break;
> +	case 1:
> +		printf("1 %s key found:\n", ring_name);
> +		break;
> +	default:
> +		printf("%u %s keys found:\n", count, ring_name);
> +	}
> +
> +	for (key = keylist; count--; key++)
> +		list_key(*key);
> +
> +	free(keylist);
> +}
> +
> +/*
> + * List all keys on a keyring
> + */
> +static int list_keyring(const char *keyring)
> +{
> +	key_serial_t key;
> +
> +	key = find_key_by_type_and_desc("keyring", keyring, 0);
> +	if (key == -1) {
> +		xlog_err("'%s' keyring was not found.", keyring);
> +		return EXIT_FAILURE;
> +	}
> +
> +	list_keys(keyring, key);
> +	return EXIT_SUCCESS;
> +}
> +
>  /*
>   * Find either a user or group id based on the name@domain string
>   */
> @@ -277,7 +352,7 @@ int main(int argc, char **argv)
>  	int timeout = 600;
>  	key_serial_t key;
>  	char *progname, *keystr = NULL;
> -	int clearing = 0, keymask = 0, display = 0;
> +	int clearing = 0, keymask = 0, display = 0, list = 0;
>  
>  	/* Set the basename */
>  	if ((progname = strrchr(argv[0], '/')) != NULL)
> @@ -287,11 +362,14 @@ int main(int argc, char **argv)
>  
>  	xlog_open(progname);
>  
> -	while ((opt = getopt(argc, argv, "du:g:r:ct:v")) != -1) {
> +	while ((opt = getopt(argc, argv, "du:g:r:ct:vl")) != -1) {
>  		switch (opt) {
>  		case 'd':
>  			display++;
>  			break;
> +		case 'l':
> +			list++;
> +			break;
>  		case 'u':
>  			keymask = UIDKEYS;
>  			keystr = strdup(optarg);
> @@ -328,6 +406,9 @@ int main(int argc, char **argv)
>  
>  	if (display)
>  		return display_default_domain();
> +	else if (list)
> +		return list_keyring(DEFAULT_KEYRING);
> +
Just curious as to why the else clause... Are you
thinking it does not make sense to display the 
domain and list out the key ring?

steved.

>  	if (keystr) {
>  		rc = key_invalidate(keystr, keymask);
>  		return rc;		
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index 04ddff6..0275bdf 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -13,6 +13,8 @@ nfsidmap \- The NFS idmapper upcall program
>  .B "nfsidmap [-v] [-u|-g|-r user]"
>  .br
>  .B "nfsidmap -d"
> +.br
> +.B "nfsidmap -l"
>  .SH DESCRIPTION
>  The NFSv4 protocol represents the local system's UID and GID values
>  on the wire as strings of the form
> @@ -50,6 +52,13 @@ can also clear cached ID map results in the kernel,
>  or revoke one particular key.
>  An incorrect cached key can result in file and directory ownership
>  reverting to "nobody" on NFSv4 mount points.
> +.PP
> +In addition, the
> +.B -d
> +and
> +.B -l
> +options are available to help diagnose misconfigurations.
> +They have no effect on the keyring containing ID mapping results.
>  .SH OPTIONS
>  .TP
>  .B -c 
> @@ -62,6 +71,12 @@ Display the system's effective NFSv4 domain name on
>  .B -g user
>  Revoke the gid key of the given user.
>  .TP
> +.B -l
> +Display on
> +.I stdout
> +all keys currently in the keyring used to cache ID mapping results.
> +These keys are visible only to the superuser.
> +.TP
>  .B -r user
>  Revoke both the uid and gid key of the given user.
>  .TP
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

next prev parent reply	other threads:[~2015-08-04 13:29 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-31 22:13 [PATCH 0/6] nfsidmap enhancements Chuck Lever
2015-07-31 22:13 ` [PATCH 1/6] nfsidmap: Display the effective NFSv4 domain name Chuck Lever
2015-07-31 22:13 ` [PATCH 2/6] nfsidmap: Use find_key_by_type_and_desc() if available Chuck Lever
2015-07-31 22:13 ` [PATCH 3/6] nfsidmap: List cached ID mapping results Chuck Lever
2015-08-04 13:29   ` Steve Dickson [this message]
2015-08-04 14:15     ` Chuck Lever
2015-08-04 14:30       ` Chuck Lever
2015-07-31 22:14 ` [PATCH 4/6] nfsidmap: Fix error handling in id_lookup() Chuck Lever
2015-07-31 22:14 ` [PATCH 5/6] nfsidmap: Fix error handling in name_lookup() Chuck Lever
2015-07-31 22:14 ` [PATCH 6/6] nfsidmap: Clean up other exit status cases Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=55C0BE4D.4060709@RedHat.com \
    --to=steved@redhat.com \
    --cc=chuck.lever@oracle.com \
    --cc=dhowells@redhat.com \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.