* [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring
2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
@ 2011-11-23 15:24 ` Steve Dickson
2011-11-23 15:24 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
2011-12-05 14:45 ` [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-11-23 15:24 UTC (permalink / raw)
To: Linux NFS Mailing List
Added the '-c' command line argument that will
clear all the keys from the keyring.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/nfsidmap/nfsidmap.c | 66 ++++++++++++++++++++++++++++++++++++++++--
utils/nfsidmap/nfsidmap.man | 12 +++++++-
2 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 6a09f38..cec2cb3 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,13 +13,19 @@
#include "xlog.h"
int verbose = 0;
-char *usage="Usage: %s [-v] [-t timeout] key desc";
+char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
#define MAX_ID_LEN 11
#define IDMAP_NAMESZ 128
#define USER 1
#define GROUP 0
+#define PROCKEYS "/proc/keys"
+#ifndef DEFAULT_KEYRING
+#define DEFAULT_KEYRING "id_resolver"
+#endif
+
+
/*
* Find either a user or group id based on the name@domain string
*/
@@ -87,6 +93,50 @@ int name_lookup(char *id, key_serial_t key, int type)
out:
return rc;
}
+/*
+ * Clear all the keys on the given keyring
+ */
+static int keyring_clear(char *keyring)
+{
+ FILE *fp;
+ char buf[BUFSIZ];
+ key_serial_t key;
+
+ xlog_syslog(0);
+ if (keyring == NULL)
+ keyring = DEFAULT_KEYRING;
+
+ if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+ xlog_err("fopen(%s) failed: %m", PROCKEYS);
+ return 1;
+ }
+
+ while(fgets(buf, BUFSIZ, fp) != NULL) {
+ if (strstr(buf, "keyring") == NULL)
+ continue;
+ if (strstr(buf, keyring) == NULL)
+ continue;
+ if (verbose) {
+ *(strchr(buf, '\n')) = '\0';
+ xlog_warn("clearing '%s'", buf);
+ }
+ /*
+ * The key is the first arugment in the string
+ */
+ *(strchr(buf, ' ')) = '\0';
+ sscanf(buf, "%x", &key);
+ if (keyctl_clear(key) < 0) {
+ xlog_err("keyctl_clear(0x%x) failed: %m", key);
+ fclose(fp);
+ return 1;
+ }
+ fclose(fp);
+ return 0;
+ }
+ xlog_err("'%s' keyring was not found.", keyring);
+ fclose(fp);
+ return 1;
+}
int main(int argc, char **argv)
{
@@ -97,6 +147,7 @@ int main(int argc, char **argv)
int timeout = 600;
key_serial_t key;
char *progname;
+ int clearring;
/* Set the basename */
if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -105,11 +156,12 @@ int main(int argc, char **argv)
progname = argv[0];
xlog_open(progname);
- xlog_syslog(1);
- xlog_stderr(0);
- while ((opt = getopt(argc, argv, "t:v")) != -1) {
+ while ((opt = getopt(argc, argv, "ct:v")) != -1) {
switch (opt) {
+ case 'c':
+ clearring++;
+ break;
case 'v':
verbose++;
break;
@@ -122,6 +174,12 @@ int main(int argc, char **argv)
}
}
+ if (clearring) {
+ rc = keyring_clear(DEFAULT_KEYRING);
+ return rc;
+ }
+
+ xlog_stderr(0);
if ((argc - optind) != 2) {
xlog_err("Bad arg count. Check /etc/request-key.conf");
xlog_warn(usage, progname);
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index c67aab6..9badb3f 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -7,6 +7,8 @@
nfsidmap \- The NFS idmapper upcall program
.SH SYNOPSIS
.B "nfsidmap [-v] [-t timeout] key desc"
+.br
+.B "nfsidmap [-v] [-c]"
.SH DESCRIPTION
The file
.I /usr/sbin/nfsidmap
@@ -14,10 +16,18 @@ is used by the NFS idmapper to translate user and group ids into names, and to
translate user and group names into ids. Idmapper uses request-key to perform
the upcall and cache the result.
.I /usr/sbin/nfsidmap
-should only be called by request-key, and will perform the translation and
+is called by /sbin/request-key, and will perform the translation and
initialize a key with the resulting information.
+.PP
+.I nfsidmap
+can also used to clear the keyring of all the keys.
+This is useful when all the mappings have failed to due to an DNS outage
+or some other error resulting in all the cached uid/gid to be invalid.
.SH OPTIONS
.TP
+.B -c
+Clear the keyring of all the keys.
+.TP
.B -t timeout
Set the expiration timer, in seconds, on the key.
The default is 600 seconds (10 mins).
--
1.7.7
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] nfsidmap: Allow a particular key to be revoked.
2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
2011-11-23 15:24 ` [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring Steve Dickson
@ 2011-11-23 15:24 ` Steve Dickson
2011-12-05 14:45 ` [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-11-23 15:24 UTC (permalink / raw)
To: Linux NFS Mailing List
Introducing three new command line arguments
that allow particular keys to be revoke
-u will remove a uid key
-g will revoke a gid key
-r will revoke both the uid and gid keys
A user name has also needs to be supply with
these new flags.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/nfsidmap/nfsidmap.c | 88 +++++++++++++++++++++++++++++++++++++++++--
utils/nfsidmap/nfsidmap.man | 19 ++++++++-
2 files changed, 100 insertions(+), 7 deletions(-)
diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index cec2cb3..c6b730b 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,7 +13,7 @@
#include "xlog.h"
int verbose = 0;
-char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
+char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
#define MAX_ID_LEN 11
#define IDMAP_NAMESZ 128
@@ -26,6 +26,9 @@ char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
#endif
+#define UIDKEYS 0x1
+#define GIDKEYS 0x2
+
/*
* Find either a user or group id based on the name@domain string
*/
@@ -137,6 +140,67 @@ static int keyring_clear(char *keyring)
fclose(fp);
return 1;
}
+/*
+ * Revoke a key
+ */
+static int key_revoke(char *keystr, int keymask)
+{
+ FILE *fp;
+ char buf[BUFSIZ], *ptr;
+ key_serial_t key;
+ int mask;
+
+ xlog_syslog(0);
+
+ if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+ xlog_err("fopen(%s) failed: %m", PROCKEYS);
+ return 1;
+ }
+
+ while(fgets(buf, BUFSIZ, fp) != NULL) {
+ if (strstr(buf, "keyring") != NULL)
+ continue;
+
+ mask = 0;
+ if ((ptr = strstr(buf, "uid:")) != NULL)
+ mask = UIDKEYS;
+ else if ((ptr = strstr(buf, "gid:")) != NULL)
+ mask = GIDKEYS;
+ else
+ continue;
+
+ if ((keymask & mask) == 0)
+ continue;
+
+ if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
+ continue;
+
+ if (verbose) {
+ *(strchr(buf, '\n')) = '\0';
+ xlog_warn("revoking '%s'", buf);
+ }
+ /*
+ * The key is the first arugment in the string
+ */
+ *(strchr(buf, ' ')) = '\0';
+ sscanf(buf, "%x", &key);
+
+ if (keyctl_revoke(key) < 0) {
+ xlog_err("keyctl_revoke(0x%x) failed: %m", key);
+ fclose(fp);
+ return 1;
+ }
+
+ keymask &= ~mask;
+ if (keymask == 0) {
+ fclose(fp);
+ return 0;
+ }
+ }
+ xlog_err("'%s' key was not found.", keystr);
+ fclose(fp);
+ return 1;
+}
int main(int argc, char **argv)
{
@@ -146,8 +210,8 @@ int main(int argc, char **argv)
int rc = 1, opt;
int timeout = 600;
key_serial_t key;
- char *progname;
- int clearring;
+ char *progname, *keystr = NULL;
+ int clearring, keymask = 0;
/* Set the basename */
if ((progname = strrchr(argv[0], '/')) != NULL)
@@ -157,8 +221,20 @@ int main(int argc, char **argv)
xlog_open(progname);
- while ((opt = getopt(argc, argv, "ct:v")) != -1) {
+ while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
switch (opt) {
+ case 'u':
+ keymask = UIDKEYS;
+ keystr = strdup(optarg);
+ break;
+ case 'g':
+ keymask = GIDKEYS;
+ keystr = strdup(optarg);
+ break;
+ case 'r':
+ keymask = GIDKEYS|UIDKEYS;
+ keystr = strdup(optarg);
+ break;
case 'c':
clearring++;
break;
@@ -174,6 +250,10 @@ int main(int argc, char **argv)
}
}
+ if (keystr) {
+ rc = key_revoke(keystr, keymask);
+ return rc;
+ }
if (clearring) {
rc = keyring_clear(DEFAULT_KEYRING);
return rc;
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index 9badb3f..3a3a523 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -9,6 +9,8 @@ nfsidmap \- The NFS idmapper upcall program
.B "nfsidmap [-v] [-t timeout] key desc"
.br
.B "nfsidmap [-v] [-c]"
+.br
+.B "nfsidmap [-v] [-u|-g|-r user]"
.SH DESCRIPTION
The file
.I /usr/sbin/nfsidmap
@@ -20,18 +22,29 @@ is called by /sbin/request-key, and will perform the translation and
initialize a key with the resulting information.
.PP
.I nfsidmap
-can also used to clear the keyring of all the keys.
-This is useful when all the mappings have failed to due to an DNS outage
-or some other error resulting in all the cached uid/gid to be invalid.
+can also used to clear the keyring of all the keys or
+revoke one particular key.
+This is useful when the id mappings have failed to due
+to a lookup error resulting in all the cached uids/gids to be set
+to the user id nobody.
.SH OPTIONS
.TP
.B -c
Clear the keyring of all the keys.
.TP
+.B -g user
+Revoke the gid key of the given user.
+.TP
+.B -r user
+Revoke both the uid and gid key of the given user.
+.TP
.B -t timeout
Set the expiration timer, in seconds, on the key.
The default is 600 seconds (10 mins).
.TP
+.B -u user
+Revoke the uid key of the given user.
+.TP
.B -v
Increases the verbosity of the output to syslog
(can be specified multiple times).
--
1.7.7
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3)
2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
2011-11-23 15:24 ` [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring Steve Dickson
2011-11-23 15:24 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
@ 2011-12-05 14:45 ` Steve Dickson
2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-12-05 14:45 UTC (permalink / raw)
To: Linux NFS Mailing List
On 11/23/2011 10:24 AM, Steve Dickson wrote:
> In working with the new idmapper, it became very apparent that
> keys created from bad id mapping were very persistent and were
> not easy disposed of. Unlike with rpc.idmapd, to git rid
> of bad id mapping one just needed to restart the daemon.
>
> So I've added some functionality to the nfsidmap command
> that will allow admins to:
>
> - remove all the keys on the keyring.
> - remove a particular key from the keying.
>
> The intention is to allow admins a way to clean up the id
> name space when name resolution mechanisms, like NIS or LDAP,
> fail and leave a large number (or small number) of id mapping
> pointing to nobody.
>
> Note, for the second patch to work, there need to be a small
> kernel patch that will change the per-key permissions to
> allow root to revoke them.
>
> Version 2:
> - Added the fclose() calls as requested by the code review
> Version 3:
> - Confined the -c flag to only remove keys from the id_resolver keyring.
Committed...
steved.
>
> Steve Dickson (2):
> nfsidmap: Allow keys to be cleared from the keyring
> nfsidmap: Allow a particular key to be revoked.
>
> utils/nfsidmap/nfsidmap.c | 148 +++++++++++++++++++++++++++++++++++++++++--
> utils/nfsidmap/nfsidmap.man | 25 +++++++-
> 2 files changed, 167 insertions(+), 6 deletions(-)
>
^ permalink raw reply [flat|nested] 4+ messages in thread