[PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 2)

[PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 2)

[Steve Dickson]

In working with the new idmapper, it became very apparent that
keys created from bad id mapping were very persistent and were
not easy disposed of. Unlike with rpc.idmapd, to git rid 
of bad id mapping one just needed to restart the daemon. 

So I've added some functionality to the nfsidmap command
that will allow admins to:

    - remove all the keys on the keyring.
    - remove a particular key from the keying.

The intention is to allow admins a way to clean up the id
name space when name resolution mechanisms, like NIS or LDAP, 
fail and leave a large number (or small number) of id mapping 
pointing to nobody. 

Note, for the second patch to work, there need to be a small 
kernel patch that will change the per-key permissions to
allow root to revoke them.

Version 2:
- Added the fclose() calls as requested by the code review

Steve Dickson (2):
  nfsidmap: Allow all keys to clear on the keyring
  nfsidmap: Allow a particular key to be revoked.

 utils/nfsidmap/nfsidmap.c   |  145 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   27 ++++++++-
 2 files changed, 166 insertions(+), 6 deletions(-)

-- 
1.7.7

[PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring

[Steve Dickson]

Introduce the '-c [keyring]' command line argument
which will clear the giving keyring of the keys.
If a keyring not supplied the default 'id_resolver'
keyring will be used.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   65 +++++++++++++++++++++++++++++++++++++++---
 utils/nfsidmap/nfsidmap.man |   14 ++++++++-
 2 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 6a09f38..84a57fe 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,12 +13,14 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-t timeout] key desc";
+char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
 #define USER  1
 #define GROUP 0
+#define DEFAULT_KEYRING "id_resolver"
+#define PROCKEYS "/proc/keys"
 
 /*
  * Find either a user or group id based on the name@domain string
@@ -87,6 +89,50 @@ int name_lookup(char *id, key_serial_t key, int type)
 out:
 	return rc;
 }
+/*
+ * Clear all the keys on the given keyring
+ */
+static int keyring_clear(char *keyring)
+{
+	FILE *fp;
+	char buf[BUFSIZ];
+	key_serial_t key;
+
+	xlog_syslog(0);
+	if (keyring == NULL)
+		keyring = DEFAULT_KEYRING;
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") == NULL)
+			continue;
+		if (strstr(buf, keyring) == NULL)
+			continue;
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("clearing '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+		if (keyctl_clear(key) < 0) {
+			xlog_err("keyctl_clear(0x%x) failed: %m", key);
+			fclose(fp);
+			return 1;
+		}
+		fclose(fp);
+		return 0;
+	}
+	xlog_err("'%s' keyring was not found.", keyring);
+	fclose(fp);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
@@ -96,7 +142,8 @@ int main(int argc, char **argv)
 	int rc = 1, opt;
 	int timeout = 600;
 	key_serial_t key;
-	char *progname;
+	char *progname, *keyring = NULL;
+	int clearring;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -105,11 +152,12 @@ int main(int argc, char **argv)
 		progname = argv[0];
 
 	xlog_open(progname);
-	xlog_syslog(1);
-	xlog_stderr(0);
 
-	while ((opt = getopt(argc, argv, "t:v")) != -1) {
+	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
 		switch (opt) {
+		case 'c':
+			clearring++;
+			break;
 		case 'v':
 			verbose++;
 			break;
@@ -122,6 +170,13 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (clearring) {
+		keyring = ((argc - optind) ? argv[optind] : NULL);
+		rc = keyring_clear(keyring);
+		return rc;		
+	}
+
+	xlog_stderr(0);
 	if ((argc - optind) != 2) {
 		xlog_err("Bad arg count. Check /etc/request-key.conf");
 		xlog_warn(usage, progname);
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index c67aab6..db65a1f 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -6,7 +6,7 @@
 .SH NAME
 nfsidmap \- The NFS idmapper upcall program
 .SH SYNOPSIS
-.B "nfsidmap [-v] [-t timeout] key desc"
+.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
@@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
 translate user and group names into ids. Idmapper uses request-key to perform
 the upcall and cache the result.
 .I /usr/sbin/nfsidmap
-should only be called by request-key, and will perform the translation and
+is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
+.PP
+.I nfsidmap
+can also used to clear the keyring of all the keys.  
+This is useful when all the mappings have failed to due to an DNS outage
+or some other error resulting in all the cached uid/gid to be invalid.
 .SH OPTIONS
 .TP
+.B -c [keyring]
+Clear the keyring of all the keys. If a
+keyring is not supplied the default 
+keyring 'id_resolver' will be used.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
-- 
1.7.7

Re: [PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring

[J. Bruce Fields]

On Thu, Nov 17, 2011 at 04:51:35PM -0500, Steve Dickson wrote:
> Introduce the '-c [keyring]' command line argument
> which will clear the giving keyring of the keys.
> If a keyring not supplied the default 'id_resolver'
> keyring will be used.

Is there any reason why an idmapping command should touch any keyring
other than an id_resolver keyring?

If not I'd be inclined to leave that option out.

> +#define DEFAULT_KEYRING "id_resolver"
> +#define PROCKEYS "/proc/keys"
...
> +	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
> +		xlog_err("fopen(%s) failed: %m", PROCKEYS);
> +		return 1;
> +	}
> +
> +	while(fgets(buf, BUFSIZ, fp) != NULL) {
> +		if (strstr(buf, "keyring") == NULL)
> +			continue;
> +		if (strstr(buf, keyring) == NULL)
> +			continue;

Is grepping through /proc/keys really the right way to find this
keyring?  Documentation/security/keys.txt would have me believe that
this sort of thing should work even with KEYS_DEBUG_PROC_KEYS not
defined.  Maybe we want something like keyctl_search() ??

--b.

> +		if (verbose) {
> +			*(strchr(buf, '\n')) = '\0';
> +			xlog_warn("clearing '%s'", buf);
> +		}
> +		/*
> +		 * The key is the first arugment in the string
> +		 */
> +		*(strchr(buf, ' ')) = '\0';
> +		sscanf(buf, "%x", &key);
> +		if (keyctl_clear(key) < 0) {
> +			xlog_err("keyctl_clear(0x%x) failed: %m", key);
> +			fclose(fp);
> +			return 1;
> +		}
> +		fclose(fp);
> +		return 0;
> +	}
> +	xlog_err("'%s' keyring was not found.", keyring);
> +	fclose(fp);
> +	return 1;
> +}
>  
>  int main(int argc, char **argv)
>  {
> @@ -96,7 +142,8 @@ int main(int argc, char **argv)
>  	int rc = 1, opt;
>  	int timeout = 600;
>  	key_serial_t key;
> -	char *progname;
> +	char *progname, *keyring = NULL;
> +	int clearring;
>  
>  	/* Set the basename */
>  	if ((progname = strrchr(argv[0], '/')) != NULL)
> @@ -105,11 +152,12 @@ int main(int argc, char **argv)
>  		progname = argv[0];
>  
>  	xlog_open(progname);
> -	xlog_syslog(1);
> -	xlog_stderr(0);
>  
> -	while ((opt = getopt(argc, argv, "t:v")) != -1) {
> +	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>  		switch (opt) {
> +		case 'c':
> +			clearring++;
> +			break;
>  		case 'v':
>  			verbose++;
>  			break;
> @@ -122,6 +170,13 @@ int main(int argc, char **argv)
>  		}
>  	}
>  
> +	if (clearring) {
> +		keyring = ((argc - optind) ? argv[optind] : NULL);
> +		rc = keyring_clear(keyring);
> +		return rc;		
> +	}
> +
> +	xlog_stderr(0);
>  	if ((argc - optind) != 2) {
>  		xlog_err("Bad arg count. Check /etc/request-key.conf");
>  		xlog_warn(usage, progname);
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index c67aab6..db65a1f 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -6,7 +6,7 @@
>  .SH NAME
>  nfsidmap \- The NFS idmapper upcall program
>  .SH SYNOPSIS
> -.B "nfsidmap [-v] [-t timeout] key desc"
> +.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>  .SH DESCRIPTION
>  The file
>  .I /usr/sbin/nfsidmap
> @@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
>  translate user and group names into ids. Idmapper uses request-key to perform
>  the upcall and cache the result.
>  .I /usr/sbin/nfsidmap
> -should only be called by request-key, and will perform the translation and
> +is called by /sbin/request-key, and will perform the translation and
>  initialize a key with the resulting information.
> +.PP
> +.I nfsidmap
> +can also used to clear the keyring of all the keys.  
> +This is useful when all the mappings have failed to due to an DNS outage
> +or some other error resulting in all the cached uid/gid to be invalid.
>  .SH OPTIONS
>  .TP
> +.B -c [keyring]
> +Clear the keyring of all the keys. If a
> +keyring is not supplied the default 
> +keyring 'id_resolver' will be used.
> +.TP
>  .B -t timeout
>  Set the expiration timer, in seconds, on the key.
>  The default is 600 seconds (10 mins).
> -- 
> 1.7.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring

[Steve Dickson]

On 11/22/2011 03:53 PM, J. Bruce Fields wrote:
> On Thu, Nov 17, 2011 at 04:51:35PM -0500, Steve Dickson wrote:
>> Introduce the '-c [keyring]' command line argument
>> which will clear the giving keyring of the keys.
>> If a keyring not supplied the default 'id_resolver'
>> keyring will be used.
> 
> Is there any reason why an idmapping command should touch any keyring
> other than an id_resolver keyring?
> 
> If not I'd be inclined to leave that option out.
I'm all for making it simpler... 

> 
>> +#define DEFAULT_KEYRING "id_resolver"
>> +#define PROCKEYS "/proc/keys"
> ...
>> +	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
>> +		xlog_err("fopen(%s) failed: %m", PROCKEYS);
>> +		return 1;
>> +	}
>> +
>> +	while(fgets(buf, BUFSIZ, fp) != NULL) {
>> +		if (strstr(buf, "keyring") == NULL)
>> +			continue;
>> +		if (strstr(buf, keyring) == NULL)
>> +			continue;
> 
> Is grepping through /proc/keys really the right way to find this
> keyring?  
This was how David suggested I do it... 
 
> Documentation/security/keys.txt would have me believe that
> this sort of thing should work even with KEYS_DEBUG_PROC_KEYS not
> defined.  Maybe we want something like keyctl_search() ??
Well the first argument to keyctl_search is the serial number 
of the keyring. I believe the only way to get number is from
/proc/keys.

steved.

> 
> --b.
> 
>> +		if (verbose) {
>> +			*(strchr(buf, '\n')) = '\0';
>> +			xlog_warn("clearing '%s'", buf);
>> +		}
>> +		/*
>> +		 * The key is the first arugment in the string
>> +		 */
>> +		*(strchr(buf, ' ')) = '\0';
>> +		sscanf(buf, "%x", &key);
>> +		if (keyctl_clear(key) < 0) {
>> +			xlog_err("keyctl_clear(0x%x) failed: %m", key);
>> +			fclose(fp);
>> +			return 1;
>> +		}
>> +		fclose(fp);
>> +		return 0;
>> +	}
>> +	xlog_err("'%s' keyring was not found.", keyring);
>> +	fclose(fp);
>> +	return 1;
>> +}
>>  
>>  int main(int argc, char **argv)
>>  {
>> @@ -96,7 +142,8 @@ int main(int argc, char **argv)
>>  	int rc = 1, opt;
>>  	int timeout = 600;
>>  	key_serial_t key;
>> -	char *progname;
>> +	char *progname, *keyring = NULL;
>> +	int clearring;
>>  
>>  	/* Set the basename */
>>  	if ((progname = strrchr(argv[0], '/')) != NULL)
>> @@ -105,11 +152,12 @@ int main(int argc, char **argv)
>>  		progname = argv[0];
>>  
>>  	xlog_open(progname);
>> -	xlog_syslog(1);
>> -	xlog_stderr(0);
>>  
>> -	while ((opt = getopt(argc, argv, "t:v")) != -1) {
>> +	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>>  		switch (opt) {
>> +		case 'c':
>> +			clearring++;
>> +			break;
>>  		case 'v':
>>  			verbose++;
>>  			break;
>> @@ -122,6 +170,13 @@ int main(int argc, char **argv)
>>  		}
>>  	}
>>  
>> +	if (clearring) {
>> +		keyring = ((argc - optind) ? argv[optind] : NULL);
>> +		rc = keyring_clear(keyring);
>> +		return rc;		
>> +	}
>> +
>> +	xlog_stderr(0);
>>  	if ((argc - optind) != 2) {
>>  		xlog_err("Bad arg count. Check /etc/request-key.conf");
>>  		xlog_warn(usage, progname);
>> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
>> index c67aab6..db65a1f 100644
>> --- a/utils/nfsidmap/nfsidmap.man
>> +++ b/utils/nfsidmap/nfsidmap.man
>> @@ -6,7 +6,7 @@
>>  .SH NAME
>>  nfsidmap \- The NFS idmapper upcall program
>>  .SH SYNOPSIS
>> -.B "nfsidmap [-v] [-t timeout] key desc"
>> +.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>>  .SH DESCRIPTION
>>  The file
>>  .I /usr/sbin/nfsidmap
>> @@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
>>  translate user and group names into ids. Idmapper uses request-key to perform
>>  the upcall and cache the result.
>>  .I /usr/sbin/nfsidmap
>> -should only be called by request-key, and will perform the translation and
>> +is called by /sbin/request-key, and will perform the translation and
>>  initialize a key with the resulting information.
>> +.PP
>> +.I nfsidmap
>> +can also used to clear the keyring of all the keys.  
>> +This is useful when all the mappings have failed to due to an DNS outage
>> +or some other error resulting in all the cached uid/gid to be invalid.
>>  .SH OPTIONS
>>  .TP
>> +.B -c [keyring]
>> +Clear the keyring of all the keys. If a
>> +keyring is not supplied the default 
>> +keyring 'id_resolver' will be used.
>> +.TP
>>  .B -t timeout
>>  Set the expiration timer, in seconds, on the key.
>>  The default is 600 seconds (10 mins).
>> -- 
>> 1.7.7
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 2/2] nfsidmap: Allow a particular key to be revoked.

[Steve Dickson]

Introducing three new command line arguments
that allow particular keys to be revoke

  -u will remove a uid key
  -g will revoke a gid key
  -r will revoke both the uid and gid keys

The user name has also needs to be supply
with these new flags.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   88 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   23 +++++++++--
 2 files changed, 103 insertions(+), 8 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 84a57fe..33ba9e7 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,7 +13,7 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
+char *usage="Usage: %s [-v] [[-u|-g|-r key]] | [-c [keyring]] | [[-t timeout] key desc]";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
@@ -22,6 +22,9 @@ char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
 #define DEFAULT_KEYRING "id_resolver"
 #define PROCKEYS "/proc/keys"
 
+#define UIDKEYS 0x1
+#define GIDKEYS 0x2
+
 /*
  * Find either a user or group id based on the name@domain string
  */
@@ -133,6 +136,67 @@ static int keyring_clear(char *keyring)
 	fclose(fp);
 	return 1;
 }
+/*
+ * Revoke a key 
+ */
+static int key_revoke(char *keystr, int keymask)
+{
+	FILE *fp;
+	char buf[BUFSIZ], *ptr;
+	key_serial_t key;
+	int mask;
+
+	xlog_syslog(0);
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") != NULL)
+			continue;
+
+		mask = 0;
+		if ((ptr = strstr(buf, "uid:")) != NULL)
+			mask = UIDKEYS;
+		else if ((ptr = strstr(buf, "gid:")) != NULL)
+			mask = GIDKEYS;
+		else 
+			continue;
+
+		if ((keymask & mask) == 0)
+			continue;
+
+		if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
+			continue;
+
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("revoking '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+
+		if (keyctl_revoke(key) < 0) {
+			xlog_err("keyctl_revoke(0x%x) failed: %m", key);
+			fclose(fp);
+			return 1;
+		}
+
+		keymask &= ~mask;
+		if (keymask == 0) {
+			fclose(fp);
+			return 0;
+		}
+	}
+	xlog_err("'%s' key was not found.", keystr);
+	fclose(fp);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
@@ -142,8 +206,8 @@ int main(int argc, char **argv)
 	int rc = 1, opt;
 	int timeout = 600;
 	key_serial_t key;
-	char *progname, *keyring = NULL;
-	int clearring;
+	char *progname, *keyring = NULL, *keystr = NULL;
+	int clearring, keymask = 0;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -153,8 +217,20 @@ int main(int argc, char **argv)
 
 	xlog_open(progname);
 
-	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
+	while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
 		switch (opt) {
+		case 'u':
+			keymask = UIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'g':
+			keymask = GIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'r':
+			keymask = GIDKEYS|UIDKEYS;
+			keystr = strdup(optarg);
+			break;
 		case 'c':
 			clearring++;
 			break;
@@ -170,6 +246,10 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (keystr) {
+		rc = key_revoke(keystr, keymask);
+		return rc;		
+	}
 	if (clearring) {
 		keyring = ((argc - optind) ? argv[optind] : NULL);
 		rc = keyring_clear(keyring);
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index db65a1f..216afd1 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -6,7 +6,11 @@
 .SH NAME
 nfsidmap \- The NFS idmapper upcall program
 .SH SYNOPSIS
-.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
+.B "nfsidmap [-v] [-t timeout] key desc"
+.br
+.B "nfsidmap [-v] [-c [keyring]]"
+.br
+.B "nfsidmap [-v] [-u|-g|-r user]"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
@@ -18,9 +22,11 @@ is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
 .PP
 .I nfsidmap
-can also used to clear the keyring of all the keys.  
-This is useful when all the mappings have failed to due to an DNS outage
-or some other error resulting in all the cached uid/gid to be invalid.
+can also used to clear the keyring of all the keys or 
+revoke one particular key.  
+This is useful when the id mappings have failed to due 
+to a lookup error resulting in all the cached uids/gids to be set 
+to the user id nobody.
 .SH OPTIONS
 .TP
 .B -c [keyring]
@@ -28,10 +34,19 @@ Clear the keyring of all the keys. If a
 keyring is not supplied the default 
 keyring 'id_resolver' will be used.
 .TP
+.B -g user
+Revoke the gid key of the given user.
+.TP
+.B -r user
+Revoke both the uid and gid key of the given user.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
 .TP
+.B -u user
+Revoke the uid key of the given user.
+.TP
 .B -v
 Increases the verbosity of the output to syslog 
 (can be specified multiple times).
-- 
1.7.7

Re: [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 2)

[J. Bruce Fields]

On Thu, Nov 17, 2011 at 04:51:34PM -0500, Steve Dickson wrote:
> In working with the new idmapper, it became very apparent that
> keys created from bad id mapping were very persistent and were
> not easy disposed of. Unlike with rpc.idmapd, to git rid 
> of bad id mapping one just needed to restart the daemon. 
> 
> So I've added some functionality to the nfsidmap command

I wonder whether the nfsidmap command is the right place to do that.
Currently it's only ever invoked by the kernel, and it seems a little
odd to use the same command as an admin tool as well.  But I don't have
a different suggestion.

Also, just out of curiosity: when were you typically running into this
problem?  And if it was changing some sort of name-mapping
configuration, is there some way to get this invoked automatically when
that configuration changes?

--b.

> that will allow admins to:
> 
>     - remove all the keys on the keyring.
>     - remove a particular key from the keying.
> 
> The intention is to allow admins a way to clean up the id
> name space when name resolution mechanisms, like NIS or LDAP, 
> fail and leave a large number (or small number) of id mapping 
> pointing to nobody. 
> 
> Note, for the second patch to work, there need to be a small 
> kernel patch that will change the per-key permissions to
> allow root to revoke them.
> 
> Version 2:
> - Added the fclose() calls as requested by the code review
> 
> Steve Dickson (2):
>   nfsidmap: Allow all keys to clear on the keyring
>   nfsidmap: Allow a particular key to be revoked.
> 
>  utils/nfsidmap/nfsidmap.c   |  145 +++++++++++++++++++++++++++++++++++++++++--
>  utils/nfsidmap/nfsidmap.man |   27 ++++++++-
>  2 files changed, 166 insertions(+), 6 deletions(-)
> 
> -- 
> 1.7.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 2)

[Steve Dickson]

On 11/22/2011 03:55 PM, J. Bruce Fields wrote:
> On Thu, Nov 17, 2011 at 04:51:34PM -0500, Steve Dickson wrote:
>> In working with the new idmapper, it became very apparent that
>> keys created from bad id mapping were very persistent and were
>> not easy disposed of. Unlike with rpc.idmapd, to git rid 
>> of bad id mapping one just needed to restart the daemon. 
>>
>> So I've added some functionality to the nfsidmap command
> 
> I wonder whether the nfsidmap command is the right place to do that.
> Currently it's only ever invoked by the kernel, and it seems a little
> odd to use the same command as an admin tool as well.  But I don't have
> a different suggestion.
Keeping all the "key management" stuff in one place makes sense to me.
  
> 
> Also, just out of curiosity: when were you typically running into this
> problem?  And if it was changing some sort of name-mapping
> configuration, is there some way to get this invoked automatically when
> that configuration changes?
Mostly syntax errors in /etc/request-key.conf and when a mapping
didn't happen due to a bug in libnfsidmap... 

Also naming resolution mechanisms are not perfect... there will 
be errors that will cause mapping failures.

What really caught my eye was with rpc.idmapd, to clear bad mappings,
you just restart the daemon. Now that rpc.idmapd will no longer 
need to run on the client (which is a good thing), I wanted to give
the admins some type of mechanism to clean up bad mappings.

steved.
 
> 
> --b.
> 
>> that will allow admins to:
>>
>>     - remove all the keys on the keyring.
>>     - remove a particular key from the keying.
>>
>> The intention is to allow admins a way to clean up the id
>> name space when name resolution mechanisms, like NIS or LDAP, 
>> fail and leave a large number (or small number) of id mapping 
>> pointing to nobody. 
>>
>> Note, for the second patch to work, there need to be a small 
>> kernel patch that will change the per-key permissions to
>> allow root to revoke them.
>>
>> Version 2:
>> - Added the fclose() calls as requested by the code review
>>
>> Steve Dickson (2):
>>   nfsidmap: Allow all keys to clear on the keyring
>>   nfsidmap: Allow a particular key to be revoked.
>>
>>  utils/nfsidmap/nfsidmap.c   |  145 +++++++++++++++++++++++++++++++++++++++++--
>>  utils/nfsidmap/nfsidmap.man |   27 ++++++++-
>>  2 files changed, 166 insertions(+), 6 deletions(-)
>>
>> -- 
>> 1.7.7
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3)

[Steve Dickson]

In working with the new idmapper, it became very apparent that
keys created from bad id mapping were very persistent and were
not easy disposed of. Unlike with rpc.idmapd, to git rid 
of bad id mapping one just needed to restart the daemon. 

So I've added some functionality to the nfsidmap command
that will allow admins to:

    - remove all the keys on the keyring.
    - remove a particular key from the keying.

The intention is to allow admins a way to clean up the id
name space when name resolution mechanisms, like NIS or LDAP, 
fail and leave a large number (or small number) of id mapping 
pointing to nobody. 

Note, for the second patch to work, there need to be a small 
kernel patch that will change the per-key permissions to
allow root to revoke them.

Version 2:
- Added the fclose() calls as requested by the code review
Version 3:
- Confined the -c flag to only remove keys from the id_resolver keyring.

Steve Dickson (2):
  nfsidmap: Allow keys to be cleared from the keyring
  nfsidmap: Allow a particular key to be revoked.

 utils/nfsidmap/nfsidmap.c   |  148 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   25 +++++++-
 2 files changed, 167 insertions(+), 6 deletions(-)

-- 
1.7.7

[PATCH 2/2] nfsidmap: Allow a particular key to be revoked.

[Steve Dickson]

Introducing three new command line arguments
that allow particular keys to be revoke

  -u will remove a uid key
  -g will revoke a gid key
  -r will revoke both the uid and gid keys

A user name has also needs to be supply with
these new flags.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   88 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   19 ++++++++-
 2 files changed, 100 insertions(+), 7 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index cec2cb3..c6b730b 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,7 +13,7 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
+char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
@@ -26,6 +26,9 @@ char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
 #endif
 
 
+#define UIDKEYS 0x1
+#define GIDKEYS 0x2
+
 /*
  * Find either a user or group id based on the name@domain string
  */
@@ -137,6 +140,67 @@ static int keyring_clear(char *keyring)
 	fclose(fp);
 	return 1;
 }
+/*
+ * Revoke a key 
+ */
+static int key_revoke(char *keystr, int keymask)
+{
+	FILE *fp;
+	char buf[BUFSIZ], *ptr;
+	key_serial_t key;
+	int mask;
+
+	xlog_syslog(0);
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") != NULL)
+			continue;
+
+		mask = 0;
+		if ((ptr = strstr(buf, "uid:")) != NULL)
+			mask = UIDKEYS;
+		else if ((ptr = strstr(buf, "gid:")) != NULL)
+			mask = GIDKEYS;
+		else 
+			continue;
+
+		if ((keymask & mask) == 0)
+			continue;
+
+		if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
+			continue;
+
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("revoking '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+
+		if (keyctl_revoke(key) < 0) {
+			xlog_err("keyctl_revoke(0x%x) failed: %m", key);
+			fclose(fp);
+			return 1;
+		}
+
+		keymask &= ~mask;
+		if (keymask == 0) {
+			fclose(fp);
+			return 0;
+		}
+	}
+	xlog_err("'%s' key was not found.", keystr);
+	fclose(fp);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
@@ -146,8 +210,8 @@ int main(int argc, char **argv)
 	int rc = 1, opt;
 	int timeout = 600;
 	key_serial_t key;
-	char *progname;
-	int clearring;
+	char *progname, *keystr = NULL;
+	int clearring, keymask = 0;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -157,8 +221,20 @@ int main(int argc, char **argv)
 
 	xlog_open(progname);
 
-	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
+	while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
 		switch (opt) {
+		case 'u':
+			keymask = UIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'g':
+			keymask = GIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'r':
+			keymask = GIDKEYS|UIDKEYS;
+			keystr = strdup(optarg);
+			break;
 		case 'c':
 			clearring++;
 			break;
@@ -174,6 +250,10 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (keystr) {
+		rc = key_revoke(keystr, keymask);
+		return rc;		
+	}
 	if (clearring) {
 		rc = keyring_clear(DEFAULT_KEYRING);
 		return rc;		
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index 9badb3f..3a3a523 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -9,6 +9,8 @@ nfsidmap \- The NFS idmapper upcall program
 .B "nfsidmap [-v] [-t timeout] key desc"
 .br
 .B "nfsidmap [-v] [-c]"
+.br
+.B "nfsidmap [-v] [-u|-g|-r user]"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
@@ -20,18 +22,29 @@ is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
 .PP
 .I nfsidmap
-can also used to clear the keyring of all the keys.  
-This is useful when all the mappings have failed to due to an DNS outage
-or some other error resulting in all the cached uid/gid to be invalid.
+can also used to clear the keyring of all the keys or 
+revoke one particular key.  
+This is useful when the id mappings have failed to due 
+to a lookup error resulting in all the cached uids/gids to be set 
+to the user id nobody.
 .SH OPTIONS
 .TP
 .B -c 
 Clear the keyring of all the keys.
 .TP
+.B -g user
+Revoke the gid key of the given user.
+.TP
+.B -r user
+Revoke both the uid and gid key of the given user.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
 .TP
+.B -u user
+Revoke the uid key of the given user.
+.TP
 .B -v
 Increases the verbosity of the output to syslog 
 (can be specified multiple times).
-- 
1.7.7

[PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have failed

[Steve Dickson]

In working with the new idmapper, it became very apparent that
keys created from bad id mapping were very persistent and were
not easy disposed of. Unlike with rpc.idmapd, to git rid 
of bad id mapping one just needed to restart the daemon. 

So I've added some functionality to the nfsidmap command
that will allow admins to:

    - remove all the keys on the keyring.
    - remove a particular key from the keying.

The intention is to allow admins a way to clean up the id
name space when name resolution mechanisms, like NIS or LDAP, 
fail and leave a large number (or small number) of id mapping 
pointing to nobody. 

Note, for the second patch to work, there need to be a small 
kernel patch that will change the per-key permissions to
allow root to revoke them.

Steve Dickson (2):
  nfsidmap: Allow all keys to clear on the keyring
  nfsidmap: Allow a particular key to be revoked.

 utils/nfsidmap/nfsidmap.c   |  138 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   27 ++++++++-
 2 files changed, 159 insertions(+), 6 deletions(-)

-- 
1.7.7

[PATCH 2/2] nfsidmap: Allow a particular key to be revoked.

[Steve Dickson]

Introducing three new command line arguments
that allow particular keys to be revoke

  -u will remove a uid key
  -g will revoke a gid key
  -r will revoke both the uid and gid keys

The user name has also needs to be supply
with these new flags.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   84 ++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   23 ++++++++++--
 2 files changed, 99 insertions(+), 8 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 2625dc1..7b64cd4 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,7 +13,7 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
+char *usage="Usage: %s [-v] [[-u|-g|-r key]] | [-c [keyring]] | [[-t timeout] key desc]";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
@@ -22,6 +22,9 @@ char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
 #define DEFAULT_KEYRING "id_resolver"
 #define PROCKEYS "/proc/keys"
 
+#define UIDKEYS 0x1
+#define GIDKEYS 0x2
+
 /*
  * Find either a user or group id based on the name@domain string
  */
@@ -130,6 +133,63 @@ static int keyring_clear(char *keyring)
 	xlog_err("'%s' keyring was not found.", keyring);
 	return 1;
 }
+/*
+ * Revoke a key 
+ */
+static int key_revoke(char *keystr, int keymask)
+{
+	FILE *fp;
+	char buf[BUFSIZ], *ptr;
+	key_serial_t key;
+	int mask;
+
+	xlog_syslog(0);
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") != NULL)
+			continue;
+
+		mask = 0;
+		if ((ptr = strstr(buf, "uid:")) != NULL)
+			mask = UIDKEYS;
+		else if ((ptr = strstr(buf, "gid:")) != NULL)
+			mask = GIDKEYS;
+		else 
+			continue;
+
+		if ((keymask & mask) == 0)
+			continue;
+
+		if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
+			continue;
+
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("revoking '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+
+		if (keyctl_revoke(key) < 0) {
+			xlog_err("keyctl_revoke(0x%x) failed: %m", key);
+			return 1;
+		}
+
+		keymask &= ~mask;
+		if (keymask == 0)
+			return 0;
+	}
+	xlog_err("'%s' key was not found.", keystr);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
@@ -139,8 +199,8 @@ int main(int argc, char **argv)
 	int rc = 1, opt;
 	int timeout = 600;
 	key_serial_t key;
-	char *progname, *keyring = NULL;
-	int clearring;
+	char *progname, *keyring = NULL, *keystr = NULL;
+	int clearring, keymask = 0;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -150,8 +210,20 @@ int main(int argc, char **argv)
 
 	xlog_open(progname);
 
-	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
+	while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
 		switch (opt) {
+		case 'u':
+			keymask = UIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'g':
+			keymask = GIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'r':
+			keymask = GIDKEYS|UIDKEYS;
+			keystr = strdup(optarg);
+			break;
 		case 'c':
 			clearring++;
 			break;
@@ -167,6 +239,10 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (keystr) {
+		rc = key_revoke(keystr, keymask);
+		return rc;		
+	}
 	if (clearring) {
 		keyring = ((argc - optind) ? argv[optind] : NULL);
 		rc = keyring_clear(keyring);
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index db65a1f..216afd1 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -6,7 +6,11 @@
 .SH NAME
 nfsidmap \- The NFS idmapper upcall program
 .SH SYNOPSIS
-.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
+.B "nfsidmap [-v] [-t timeout] key desc"
+.br
+.B "nfsidmap [-v] [-c [keyring]]"
+.br
+.B "nfsidmap [-v] [-u|-g|-r user]"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
@@ -18,9 +22,11 @@ is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
 .PP
 .I nfsidmap
-can also used to clear the keyring of all the keys.  
-This is useful when all the mappings have failed to due to an DNS outage
-or some other error resulting in all the cached uid/gid to be invalid.
+can also used to clear the keyring of all the keys or 
+revoke one particular key.  
+This is useful when the id mappings have failed to due 
+to a lookup error resulting in all the cached uids/gids to be set 
+to the user id nobody.
 .SH OPTIONS
 .TP
 .B -c [keyring]
@@ -28,10 +34,19 @@ Clear the keyring of all the keys. If a
 keyring is not supplied the default 
 keyring 'id_resolver' will be used.
 .TP
+.B -g user
+Revoke the gid key of the given user.
+.TP
+.B -r user
+Revoke both the uid and gid key of the given user.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
 .TP
+.B -u user
+Revoke the uid key of the given user.
+.TP
 .B -v
 Increases the verbosity of the output to syslog 
 (can be specified multiple times).
-- 
1.7.7

Re: [PATCH 2/2] nfsidmap: Allow a particular key to be revoked.

[Tigran Mkrtchyan]

On Thu, Nov 17, 2011 at 9:26 PM, Steve Dickson <steved@redhat.com> wrote:
> Introducing three new command line arguments
> that allow particular keys to be revoke
>
>  -u will remove a uid key
>  -g will revoke a gid key
>  -r will revoke both the uid and gid keys
>
> The user name has also needs to be supply
> with these new flags.
>
> Signed-off-by: Steve Dickson <steved@redhat.com>
> ---
>  utils/nfsidmap/nfsidmap.c   |   84 ++++++++++++++++++++++++++++++++++++++++--
>  utils/nfsidmap/nfsidmap.man |   23 ++++++++++--
>  2 files changed, 99 insertions(+), 8 deletions(-)
>
> diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
> index 2625dc1..7b64cd4 100644
> --- a/utils/nfsidmap/nfsidmap.c
> +++ b/utils/nfsidmap/nfsidmap.c
> @@ -13,7 +13,7 @@
>  #include "xlog.h"
>
>  int verbose = 0;
> -char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
> +char *usage="Usage: %s [-v] [[-u|-g|-r key]] | [-c [keyring]] | [[-t timeout] key desc]";
>
>  #define MAX_ID_LEN   11
>  #define IDMAP_NAMESZ 128
> @@ -22,6 +22,9 @@ char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>  #define DEFAULT_KEYRING "id_resolver"
>  #define PROCKEYS "/proc/keys"
>
> +#define UIDKEYS 0x1
> +#define GIDKEYS 0x2
> +
>  /*
>  * Find either a user or group id based on the name@domain string
>  */
> @@ -130,6 +133,63 @@ static int keyring_clear(char *keyring)
>        xlog_err("'%s' keyring was not found.", keyring);
>        return 1;
>  }
> +/*
> + * Revoke a key
> + */
> +static int key_revoke(char *keystr, int keymask)
> +{
> +       FILE *fp;
> +       char buf[BUFSIZ], *ptr;
> +       key_serial_t key;
> +       int mask;
> +
> +       xlog_syslog(0);
> +
> +       if ((fp = fopen(PROCKEYS, "r")) == NULL) {

May be not critical, but you never closing fp.

Tigran.

> +               xlog_err("fopen(%s) failed: %m", PROCKEYS);
> +               return 1;
> +       }
> +
> +       while(fgets(buf, BUFSIZ, fp) != NULL) {
> +               if (strstr(buf, "keyring") != NULL)
> +                       continue;
> +
> +               mask = 0;
> +               if ((ptr = strstr(buf, "uid:")) != NULL)
> +                       mask = UIDKEYS;
> +               else if ((ptr = strstr(buf, "gid:")) != NULL)
> +                       mask = GIDKEYS;
> +               else
> +                       continue;
> +
> +               if ((keymask & mask) == 0)
> +                       continue;
> +
> +               if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
> +                       continue;
> +
> +               if (verbose) {
> +                       *(strchr(buf, '\n')) = '\0';
> +                       xlog_warn("revoking '%s'", buf);
> +               }
> +               /*
> +                * The key is the first arugment in the string
> +                */
> +               *(strchr(buf, ' ')) = '\0';
> +               sscanf(buf, "%x", &key);
> +
> +               if (keyctl_revoke(key) < 0) {
> +                       xlog_err("keyctl_revoke(0x%x) failed: %m", key);
> +                       return 1;
> +               }
> +
> +               keymask &= ~mask;
> +               if (keymask == 0)
> +                       return 0;
> +       }
> +       xlog_err("'%s' key was not found.", keystr);
> +       return 1;
> +}
>
>  int main(int argc, char **argv)
>  {
> @@ -139,8 +199,8 @@ int main(int argc, char **argv)
>        int rc = 1, opt;
>        int timeout = 600;
>        key_serial_t key;
> -       char *progname, *keyring = NULL;
> -       int clearring;
> +       char *progname, *keyring = NULL, *keystr = NULL;
> +       int clearring, keymask = 0;
>
>        /* Set the basename */
>        if ((progname = strrchr(argv[0], '/')) != NULL)
> @@ -150,8 +210,20 @@ int main(int argc, char **argv)
>
>        xlog_open(progname);
>
> -       while ((opt = getopt(argc, argv, "ct:v")) != -1) {
> +       while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
>                switch (opt) {
> +               case 'u':
> +                       keymask = UIDKEYS;
> +                       keystr = strdup(optarg);
> +                       break;
> +               case 'g':
> +                       keymask = GIDKEYS;
> +                       keystr = strdup(optarg);
> +                       break;
> +               case 'r':
> +                       keymask = GIDKEYS|UIDKEYS;
> +                       keystr = strdup(optarg);
> +                       break;
>                case 'c':
>                        clearring++;
>                        break;
> @@ -167,6 +239,10 @@ int main(int argc, char **argv)
>                }
>        }
>
> +       if (keystr) {
> +               rc = key_revoke(keystr, keymask);
> +               return rc;
> +       }
>        if (clearring) {
>                keyring = ((argc - optind) ? argv[optind] : NULL);
>                rc = keyring_clear(keyring);
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index db65a1f..216afd1 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -6,7 +6,11 @@
>  .SH NAME
>  nfsidmap \- The NFS idmapper upcall program
>  .SH SYNOPSIS
> -.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
> +.B "nfsidmap [-v] [-t timeout] key desc"
> +.br
> +.B "nfsidmap [-v] [-c [keyring]]"
> +.br
> +.B "nfsidmap [-v] [-u|-g|-r user]"
>  .SH DESCRIPTION
>  The file
>  .I /usr/sbin/nfsidmap
> @@ -18,9 +22,11 @@ is called by /sbin/request-key, and will perform the translation and
>  initialize a key with the resulting information.
>  .PP
>  .I nfsidmap
> -can also used to clear the keyring of all the keys.
> -This is useful when all the mappings have failed to due to an DNS outage
> -or some other error resulting in all the cached uid/gid to be invalid.
> +can also used to clear the keyring of all the keys or
> +revoke one particular key.
> +This is useful when the id mappings have failed to due
> +to a lookup error resulting in all the cached uids/gids to be set
> +to the user id nobody.
>  .SH OPTIONS
>  .TP
>  .B -c [keyring]
> @@ -28,10 +34,19 @@ Clear the keyring of all the keys. If a
>  keyring is not supplied the default
>  keyring 'id_resolver' will be used.
>  .TP
> +.B -g user
> +Revoke the gid key of the given user.
> +.TP
> +.B -r user
> +Revoke both the uid and gid key of the given user.
> +.TP
>  .B -t timeout
>  Set the expiration timer, in seconds, on the key.
>  The default is 600 seconds (10 mins).
>  .TP
> +.B -u user
> +Revoke the uid key of the given user.
> +.TP
>  .B -v
>  Increases the verbosity of the output to syslog
>  (can be specified multiple times).
> --
> 1.7.7
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 2/2] nfsidmap: Allow a particular key to be revoked.

[Steve Dickson]

On 11/17/2011 03:34 PM, Tigran Mkrtchyan wrote:
> On Thu, Nov 17, 2011 at 9:26 PM, Steve Dickson <steved@redhat.com> wrote:
>> Introducing three new command line arguments
>> that allow particular keys to be revoke
>>
>>  -u will remove a uid key
>>  -g will revoke a gid key
>>  -r will revoke both the uid and gid keys
>>
>> The user name has also needs to be supply
>> with these new flags.
>>
>> Signed-off-by: Steve Dickson <steved@redhat.com>
>> ---
>>  utils/nfsidmap/nfsidmap.c   |   84 ++++++++++++++++++++++++++++++++++++++++--
>>  utils/nfsidmap/nfsidmap.man |   23 ++++++++++--
>>  2 files changed, 99 insertions(+), 8 deletions(-)
>>
>> diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
>> index 2625dc1..7b64cd4 100644
>> --- a/utils/nfsidmap/nfsidmap.c
>> +++ b/utils/nfsidmap/nfsidmap.c
>> @@ -13,7 +13,7 @@
>>  #include "xlog.h"
>>
>>  int verbose = 0;
>> -char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>> +char *usage="Usage: %s [-v] [[-u|-g|-r key]] | [-c [keyring]] | [[-t timeout] key desc]";
>>
>>  #define MAX_ID_LEN   11
>>  #define IDMAP_NAMESZ 128
>> @@ -22,6 +22,9 @@ char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>>  #define DEFAULT_KEYRING "id_resolver"
>>  #define PROCKEYS "/proc/keys"
>>
>> +#define UIDKEYS 0x1
>> +#define GIDKEYS 0x2
>> +
>>  /*
>>  * Find either a user or group id based on the name@domain string
>>  */
>> @@ -130,6 +133,63 @@ static int keyring_clear(char *keyring)
>>        xlog_err("'%s' keyring was not found.", keyring);
>>        return 1;
>>  }
>> +/*
>> + * Revoke a key
>> + */
>> +static int key_revoke(char *keystr, int keymask)
>> +{
>> +       FILE *fp;
>> +       char buf[BUFSIZ], *ptr;
>> +       key_serial_t key;
>> +       int mask;
>> +
>> +       xlog_syslog(0);
>> +
>> +       if ((fp = fopen(PROCKEYS, "r")) == NULL) {
> 
> May be not critical, but you never closing fp.
Fair enough.... Its good practice to close things
you open.. I'll add it to the re-spin...

steved.

> 
> Tigran.
> 
>> +               xlog_err("fopen(%s) failed: %m", PROCKEYS);
>> +               return 1;
>> +       }
>> +
>> +       while(fgets(buf, BUFSIZ, fp) != NULL) {
>> +               if (strstr(buf, "keyring") != NULL)
>> +                       continue;
>> +
>> +               mask = 0;
>> +               if ((ptr = strstr(buf, "uid:")) != NULL)
>> +                       mask = UIDKEYS;
>> +               else if ((ptr = strstr(buf, "gid:")) != NULL)
>> +                       mask = GIDKEYS;
>> +               else
>> +                       continue;
>> +
>> +               if ((keymask & mask) == 0)
>> +                       continue;
>> +
>> +               if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
>> +                       continue;
>> +
>> +               if (verbose) {
>> +                       *(strchr(buf, '\n')) = '\0';
>> +                       xlog_warn("revoking '%s'", buf);
>> +               }
>> +               /*
>> +                * The key is the first arugment in the string
>> +                */
>> +               *(strchr(buf, ' ')) = '\0';
>> +               sscanf(buf, "%x", &key);
>> +
>> +               if (keyctl_revoke(key) < 0) {
>> +                       xlog_err("keyctl_revoke(0x%x) failed: %m", key);
>> +                       return 1;
>> +               }
>> +
>> +               keymask &= ~mask;
>> +               if (keymask == 0)
>> +                       return 0;
>> +       }
>> +       xlog_err("'%s' key was not found.", keystr);
>> +       return 1;
>> +}
>>
>>  int main(int argc, char **argv)
>>  {
>> @@ -139,8 +199,8 @@ int main(int argc, char **argv)
>>        int rc = 1, opt;
>>        int timeout = 600;
>>        key_serial_t key;
>> -       char *progname, *keyring = NULL;
>> -       int clearring;
>> +       char *progname, *keyring = NULL, *keystr = NULL;
>> +       int clearring, keymask = 0;
>>
>>        /* Set the basename */
>>        if ((progname = strrchr(argv[0], '/')) != NULL)
>> @@ -150,8 +210,20 @@ int main(int argc, char **argv)
>>
>>        xlog_open(progname);
>>
>> -       while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>> +       while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
>>                switch (opt) {
>> +               case 'u':
>> +                       keymask = UIDKEYS;
>> +                       keystr = strdup(optarg);
>> +                       break;
>> +               case 'g':
>> +                       keymask = GIDKEYS;
>> +                       keystr = strdup(optarg);
>> +                       break;
>> +               case 'r':
>> +                       keymask = GIDKEYS|UIDKEYS;
>> +                       keystr = strdup(optarg);
>> +                       break;
>>                case 'c':
>>                        clearring++;
>>                        break;
>> @@ -167,6 +239,10 @@ int main(int argc, char **argv)
>>                }
>>        }
>>
>> +       if (keystr) {
>> +               rc = key_revoke(keystr, keymask);
>> +               return rc;
>> +       }
>>        if (clearring) {
>>                keyring = ((argc - optind) ? argv[optind] : NULL);
>>                rc = keyring_clear(keyring);
>> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
>> index db65a1f..216afd1 100644
>> --- a/utils/nfsidmap/nfsidmap.man
>> +++ b/utils/nfsidmap/nfsidmap.man
>> @@ -6,7 +6,11 @@
>>  .SH NAME
>>  nfsidmap \- The NFS idmapper upcall program
>>  .SH SYNOPSIS
>> -.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>> +.B "nfsidmap [-v] [-t timeout] key desc"
>> +.br
>> +.B "nfsidmap [-v] [-c [keyring]]"
>> +.br
>> +.B "nfsidmap [-v] [-u|-g|-r user]"
>>  .SH DESCRIPTION
>>  The file
>>  .I /usr/sbin/nfsidmap
>> @@ -18,9 +22,11 @@ is called by /sbin/request-key, and will perform the translation and
>>  initialize a key with the resulting information.
>>  .PP
>>  .I nfsidmap
>> -can also used to clear the keyring of all the keys.
>> -This is useful when all the mappings have failed to due to an DNS outage
>> -or some other error resulting in all the cached uid/gid to be invalid.
>> +can also used to clear the keyring of all the keys or
>> +revoke one particular key.
>> +This is useful when the id mappings have failed to due
>> +to a lookup error resulting in all the cached uids/gids to be set
>> +to the user id nobody.
>>  .SH OPTIONS
>>  .TP
>>  .B -c [keyring]
>> @@ -28,10 +34,19 @@ Clear the keyring of all the keys. If a
>>  keyring is not supplied the default
>>  keyring 'id_resolver' will be used.
>>  .TP
>> +.B -g user
>> +Revoke the gid key of the given user.
>> +.TP
>> +.B -r user
>> +Revoke both the uid and gid key of the given user.
>> +.TP
>>  .B -t timeout
>>  Set the expiration timer, in seconds, on the key.
>>  The default is 600 seconds (10 mins).
>>  .TP
>> +.B -u user
>> +Revoke the uid key of the given user.
>> +.TP
>>  .B -v
>>  Increases the verbosity of the output to syslog
>>  (can be specified multiple times).
>> --
>> 1.7.7
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>