linux-nfs.vger.kernel.org archive mirror
* [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3)
@ 2011-11-23 15:24 Steve Dickson
  2011-11-23 15:24 ` [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring Steve Dickson
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Steve Dickson @ 2011-11-23 15:24 UTC (permalink / raw)
  To: Linux NFS Mailing List

In working with the new idmapper, it became very apparent that
keys created from bad id mapping were very persistent and were
not easily disposed of. Unlike with rpc.idmapd, to get rid
of bad id mapping one just needed to restart the daemon.

So I've added some functionality to the nfsidmap command
that will allow admins to:

    - remove all the keys on the keyring.
    - remove a particular key from the keyring.

The intention is to allow admins a way to clean up the id
name space when name resolution mechanisms, like NIS or LDAP, 
fail and leave a large number (or small number) of id mapping 
pointing to nobody. 

Note, for the second patch to work, there needs to be a small
kernel patch that will change the per-key permissions to
allow root to revoke them.

Version 2:
- Added the fclose() calls as requested by the code review
Version 3:
- Confined the -c flag to only remove keys from the id_resolver keyring.

Steve Dickson (2):
  nfsidmap: Allow keys to be cleared from the keyring
  nfsidmap: Allow a particular key to be revoked.

 utils/nfsidmap/nfsidmap.c   |  148 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   25 +++++++-
 2 files changed, 167 insertions(+), 6 deletions(-)

-- 
1.7.7



* [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring
  2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
@ 2011-11-23 15:24 ` Steve Dickson
  2011-11-23 15:24 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
  2011-12-05 14:45 ` [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
  2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-11-23 15:24 UTC (permalink / raw)
  To: Linux NFS Mailing List

Added the '-c' command line argument that will
clear all the keys from the keyring.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   66 ++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   12 +++++++-
 2 files changed, 73 insertions(+), 5 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index 6a09f38..cec2cb3 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,13 +13,19 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-t timeout] key desc";
+char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
 #define USER  1
 #define GROUP 0
 
+#define PROCKEYS "/proc/keys"
+#ifndef DEFAULT_KEYRING
+#define DEFAULT_KEYRING "id_resolver"
+#endif
+
+
 /*
  * Find either a user or group id based on the name@domain string
  */
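Review bot: the usage string "[-v] [-c || [-t timeout] key desc]" uses "||" where usage syntax conventionally uses a single "|" between alternatives, and it does not match the synopsis this same patch adds to nfsidmap.man, which lists "nfsidmap [-v] [-t timeout] key desc" and "nfsidmap [-v] [-c]" on separate lines; keep the two in step. Minor: the block ends with two consecutive blank lines after the DEFAULT_KEYRING #endif.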
@@ -87,6 +93,50 @@ int name_lookup(char *id, key_serial_t key, int type)
 out:
 	return rc;
 }
+/*
+ * Clear all the keys on the given keyring
+ */
+static int keyring_clear(char *keyring)
+{
+	FILE *fp;
+	char buf[BUFSIZ];
+	key_serial_t key;
+
+	xlog_syslog(0);
+	if (keyring == NULL)
+		keyring = DEFAULT_KEYRING;
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") == NULL)
+			continue;
+		if (strstr(buf, keyring) == NULL)
+			continue;
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("clearing '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+		if (keyctl_clear(key) < 0) {
+			xlog_err("keyctl_clear(0x%x) failed: %m", key);
+			fclose(fp);
+			return 1;
+		}
+		fclose(fp);
+		return 0;
+	}
+	xlog_err("'%s' keyring was not found.", keyring);
+	fclose(fp);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
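Review bot: keyring_clear() dereferences strchr() results without a NULL check at "*(strchr(buf, '\n')) = '\0';" and "*(strchr(buf, ' ')) = '\0';"; a /proc/keys line longer than BUFSIZ comes back from fgets() without a newline, and a line with no space is possible when the loop is fed unexpected input, so both should test for NULL and skip the line. The match is also looser than the commit message suggests: strstr(buf, keyring) accepts any line that contains "id_resolver" anywhere, so parse the description field and compare it with strcmp() against the keyring name, and check the sscanf() return value before calling keyctl_clear(). Note too that the loop returns after the first matching keyring, which is fine if only one id_resolver keyring can exist but deserves a comment.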
@@ -97,6 +147,7 @@ int main(int argc, char **argv)
 	int timeout = 600;
 	key_serial_t key;
 	char *progname;
+	int clearring;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
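Review bot: "int clearring;" is never initialised, and the later "if (clearring)" in this patch reads it on every invocation, including the normal request-key upcall path where -c was not given; with an indeterminate stack value a plain upcall could clear the keyring instead of resolving the key. Declare it as "int clearring = 0;".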
@@ -105,11 +156,12 @@ int main(int argc, char **argv)
 		progname = argv[0];
 
 	xlog_open(progname);
-	xlog_syslog(1);
-	xlog_stderr(0);
 
-	while ((opt = getopt(argc, argv, "t:v")) != -1) {
+	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
 		switch (opt) {
+		case 'c':
+			clearring++;
+			break;
 		case 'v':
 			verbose++;
 			break;
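Review bot: this hunk drops "xlog_syslog(1);" altogether (only xlog_stderr(0) is moved later), so the request-key upcall path now relies on xlog's default syslog setting, which the commit message does not mention; either keep the explicit xlog_syslog(1) here or state in the changelog that the default is intended.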
@@ -122,6 +174,12 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (clearring) {
+		rc = keyring_clear(DEFAULT_KEYRING);
+		return rc;		
+	}
+
+	xlog_stderr(0);
 	if ((argc - optind) != 2) {
 		xlog_err("Bad arg count. Check /etc/request-key.conf");
 		xlog_warn(usage, progname);
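Review bot: the -c branch returns before the argument count check, so "nfsidmap -c key desc" silently ignores the trailing arguments; reject extra operands when -c is given (or document that they are ignored). Style: "return rc;" carries trailing tabs.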
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index c67aab6..9badb3f 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -7,6 +7,8 @@
 nfsidmap \- The NFS idmapper upcall program
 .SH SYNOPSIS
 .B "nfsidmap [-v] [-t timeout] key desc"
+.br
+.B "nfsidmap [-v] [-c]"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
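Review bot: the added synopsis line ".B "nfsidmap [-v] [-c]"" brackets -c as optional, but without -c the command requires the "key desc" form shown on the previous line; write it as "nfsidmap [-v] -c".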
@@ -14,10 +16,18 @@ is used by the NFS idmapper to translate user and group ids into names, and to
 translate user and group names into ids. Idmapper uses request-key to perform
 the upcall and cache the result.
 .I /usr/sbin/nfsidmap
-should only be called by request-key, and will perform the translation and
+is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
+.PP
+.I nfsidmap
+can also used to clear the keyring of all the keys.  
+This is useful when all the mappings have failed to due to an DNS outage
+or some other error resulting in all the cached uid/gid to be invalid.
 .SH OPTIONS
 .TP
+.B -c 
+Clear the keyring of all the keys.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
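Review bot: grammar in the new DESCRIPTION paragraph: "can also used" should read "can also be used", "failed to due to an DNS outage" should read "failed due to a DNS outage", and "resulting in all the cached uid/gid to be invalid" reads better as "leaving all the cached uids/gids invalid". Also, replacing "should only be called by request-key" with "is called by /sbin/request-key" drops the old restriction without saying that the tool is now also meant for direct use by administrators; a sentence to that effect would help.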
-- 
1.7.7



* [PATCH 2/2] nfsidmap: Allow a particular key to be revoked.
  2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
  2011-11-23 15:24 ` [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring Steve Dickson
@ 2011-11-23 15:24 ` Steve Dickson
  2011-12-05 14:45 ` [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
  2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-11-23 15:24 UTC (permalink / raw)
  To: Linux NFS Mailing List

Introducing three new command line arguments
that allow particular keys to be revoked:

  -u will remove a uid key
  -g will revoke a gid key
  -r will revoke both the uid and gid keys

A user name also needs to be supplied with
these new flags.

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 utils/nfsidmap/nfsidmap.c   |   88 +++++++++++++++++++++++++++++++++++++++++--
 utils/nfsidmap/nfsidmap.man |   19 ++++++++-
 2 files changed, 100 insertions(+), 7 deletions(-)

diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
index cec2cb3..c6b730b 100644
--- a/utils/nfsidmap/nfsidmap.c
+++ b/utils/nfsidmap/nfsidmap.c
@@ -13,7 +13,7 @@
 #include "xlog.h"
 
 int verbose = 0;
-char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
+char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
 
 #define MAX_ID_LEN   11
 #define IDMAP_NAMESZ 128
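Review bot: in "[-u|-g|-r key]" the operand is a user name, not a key (the man page synopsis in this patch says "-u|-g|-r user"), so the usage string should say "user" as well; the "||" separators inherited from patch 1 would also read better as "|".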
@@ -26,6 +26,9 @@ char *usage="Usage: %s [-v] [-c || [-t timeout] key desc]";
 #endif
 
 
+#define UIDKEYS 0x1
+#define GIDKEYS 0x2
+
 /*
  * Find either a user or group id based on the name@domain string
  */
@@ -137,6 +140,67 @@ static int keyring_clear(char *keyring)
 	fclose(fp);
 	return 1;
 }
+/*
+ * Revoke a key 
+ */
+static int key_revoke(char *keystr, int keymask)
+{
+	FILE *fp;
+	char buf[BUFSIZ], *ptr;
+	key_serial_t key;
+	int mask;
+
+	xlog_syslog(0);
+
+	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
+		xlog_err("fopen(%s) failed: %m", PROCKEYS);
+		return 1;
+	}
+
+	while(fgets(buf, BUFSIZ, fp) != NULL) {
+		if (strstr(buf, "keyring") != NULL)
+			continue;
+
+		mask = 0;
+		if ((ptr = strstr(buf, "uid:")) != NULL)
+			mask = UIDKEYS;
+		else if ((ptr = strstr(buf, "gid:")) != NULL)
+			mask = GIDKEYS;
+		else 
+			continue;
+
+		if ((keymask & mask) == 0)
+			continue;
+
+		if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)
+			continue;
+
+		if (verbose) {
+			*(strchr(buf, '\n')) = '\0';
+			xlog_warn("revoking '%s'", buf);
+		}
+		/*
+		 * The key is the first arugment in the string
+		 */
+		*(strchr(buf, ' ')) = '\0';
+		sscanf(buf, "%x", &key);
+
+		if (keyctl_revoke(key) < 0) {
+			xlog_err("keyctl_revoke(0x%x) failed: %m", key);
+			fclose(fp);
+			return 1;
+		}
+
+		keymask &= ~mask;
+		if (keymask == 0) {
+			fclose(fp);
+			return 0;
+		}
+	}
+	xlog_err("'%s' key was not found.", keystr);
+	fclose(fp);
+	return 1;
+}
 
 int main(int argc, char **argv)
 {
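Review bot: "if (strncmp(ptr+4, keystr, strlen(keystr)) != NULL)" compares an int with a pointer constant and should be "!= 0". More importantly the comparison is a prefix match, so "-u bob" also matches "uid:bobby@...", and because the loop revokes the first hit and then clears that bit of keymask, the wrong user's key can be revoked; compare the whole description token (up to the ':' or whitespace that ends it) with strcmp(). The same strchr() NULL dereferences as in keyring_clear() are present at "*(strchr(buf, '\n'))" and "*(strchr(buf, ' '))", and strstr(buf, "uid:") scans the entire line rather than the description field. Typo in the comment: "arugment".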
@@ -146,8 +210,8 @@ int main(int argc, char **argv)
 	int rc = 1, opt;
 	int timeout = 600;
 	key_serial_t key;
-	char *progname;
-	int clearring;
+	char *progname, *keystr = NULL;
+	int clearring, keymask = 0;
 
 	/* Set the basename */
 	if ((progname = strrchr(argv[0], '/')) != NULL)
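Review bot: "int clearring, keymask = 0;" initialises keymask but still leaves clearring indeterminate, and "if (clearring)" is still evaluated on the upcall path; initialise both, i.e. "int clearring = 0, keymask = 0;".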
@@ -157,8 +221,20 @@ int main(int argc, char **argv)
 
 	xlog_open(progname);
 
-	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
+	while ((opt = getopt(argc, argv, "u:g:r:ct:v")) != -1) {
 		switch (opt) {
+		case 'u':
+			keymask = UIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'g':
+			keymask = GIDKEYS;
+			keystr = strdup(optarg);
+			break;
+		case 'r':
+			keymask = GIDKEYS|UIDKEYS;
+			keystr = strdup(optarg);
+			break;
 		case 'c':
 			clearring++;
 			break;
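Review bot: the strdup(optarg) return value is not checked in the 'u', 'g' and 'r' cases, and giving more than one of -u/-g/-r overwrites keymask (so "-u bob -g bob" behaves like "-g bob") while leaking the earlier strdup; either accumulate with "keymask |= ..." and reject differing names, or refuse a second flag. Since optarg remains valid for the life of the program, "keystr = optarg;" would also avoid the allocation entirely.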
@@ -174,6 +250,10 @@ int main(int argc, char **argv)
 		}
 	}
 
+	if (keystr) {
+		rc = key_revoke(keystr, keymask);
+		return rc;		
+	}
 	if (clearring) {
 		rc = keyring_clear(DEFAULT_KEYRING);
 		return rc;		
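Review bot: when both -c and one of -u/-g/-r are given, the revoke runs and -c is silently ignored; reject the conflicting combination or document the precedence. Trailing tabs after "return rc;" on the new line, as in patch 1.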
diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
index 9badb3f..3a3a523 100644
--- a/utils/nfsidmap/nfsidmap.man
+++ b/utils/nfsidmap/nfsidmap.man
@@ -9,6 +9,8 @@ nfsidmap \- The NFS idmapper upcall program
 .B "nfsidmap [-v] [-t timeout] key desc"
 .br
 .B "nfsidmap [-v] [-c]"
+.br
+.B "nfsidmap [-v] [-u|-g|-r user]"
 .SH DESCRIPTION
 The file
 .I /usr/sbin/nfsidmap
@@ -20,18 +22,29 @@ is called by /sbin/request-key, and will perform the translation and
 initialize a key with the resulting information.
 .PP
 .I nfsidmap
-can also used to clear the keyring of all the keys.  
-This is useful when all the mappings have failed to due to an DNS outage
-or some other error resulting in all the cached uid/gid to be invalid.
+can also used to clear the keyring of all the keys or 
+revoke one particular key.  
+This is useful when the id mappings have failed to due 
+to a lookup error resulting in all the cached uids/gids to be set 
+to the user id nobody.
 .SH OPTIONS
 .TP
 .B -c 
 Clear the keyring of all the keys.
 .TP
+.B -g user
+Revoke the gid key of the given user.
+.TP
+.B -r user
+Revoke both the uid and gid key of the given user.
+.TP
 .B -t timeout
 Set the expiration timer, in seconds, on the key.
 The default is 600 seconds (10 mins).
 .TP
+.B -u user
+Revoke the uid key of the given user.
+.TP
 .B -v
 Increases the verbosity of the output to syslog 
 (can be specified multiple times).
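Review bot: grammar in the rewritten DESCRIPTION paragraph: "can also used" should read "can also be used", and "failed to due to a lookup error resulting in all the cached uids/gids to be set to the user id nobody" should read "failed due to a lookup error, leaving all the cached uids/gids mapped to the user id nobody". For "-g user", the gid: key's description carries a group name rather than a user name, so "-g group" with "Revoke the gid key of the given group" would be clearer.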
-- 
1.7.7


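Below is an added example written for this review; it is not code from Steve's patches or from nfs-utils. It parses lines in the /proc/keys layout described in keyrings(7) (serial, flags, usage count, timeout, permissions, uid, gid, type, then the description with an optional ": summary" tail) and looks a key up by exact type and description instead of by substring, refuses a line that fgets() truncated, and allows for the kernel printing at most nine characters of the type name. It is plain string handling with no libkeyutils dependency; the sample lines are constructed rather than captured from a host, and parse_proc_keys_line()/find_key() are names chosen here.

```c
/*
 * Added example, not part of the nfs-utils patches above: parse lines in
 * the /proc/keys layout (keyrings(7): serial, flags, usage, timeout, perm,
 * uid, gid, type, "description[: summary]") and look a key up by exact
 * type and description rather than by substring.
 */
#include <stdio.h>
#include <string.h>

#define TYPE_MAX 32
#define DESC_MAX 256

struct proc_key {
	unsigned int serial;   /* key serial number, printed in hex */
	char type[TYPE_MAX];   /* the kernel prints at most 9 chars of the type name */
	char desc[DESC_MAX];   /* description with any ": summary" tail removed */
};

/*
 * Parse one line.  Returns 0 on success, -1 if the line is malformed or
 * has no trailing newline (fgets() ran out of buffer, so the description
 * may be cut off and must not be acted on).
 */
static int parse_proc_keys_line(const char *line, struct proc_key *out)
{
	char flags[16], timeout[16];
	unsigned int usage, perm, uid, gid;
	char *tail;

	if (strchr(line, '\n') == NULL)
		return -1;

	if (sscanf(line, "%x %15s %u %15s %x %u %u %31s %255[^\n]",
		   &out->serial, flags, &usage, timeout, &perm, &uid, &gid,
		   out->type, out->desc) != 9)
		return -1;

	/* positive keys carry ": <datalen>" (or ": empty") after the description */
	tail = strstr(out->desc, ": ");
	if (tail != NULL)
		*tail = '\0';
	return 0;
}

/*
 * Return the serial of the key whose type and description match exactly,
 * or 0 (never a valid serial) when no line matches.  The type comparison
 * is limited to the 9 characters /proc/keys shows, so asking for
 * "id_resolver" matches the printed "id_resolv".
 */
static unsigned int find_key(const char *const *lines, const char *type,
			     const char *desc)
{
	struct proc_key k;

	for (; *lines != NULL; lines++) {
		if (parse_proc_keys_line(*lines, &k) != 0)
			continue;
		if (strncmp(k.type, type, 9) != 0)
			continue;
		if (strcmp(k.desc, desc) != 0)
			continue;
		return k.serial;
	}
	return 0;
}

/* Constructed sample in the /proc/keys layout; not captured from a host. */
static const char *const sample_keys[] = {
	"0e2c4f1a I--Q--     1 perm 1f030000     0     0 keyring   id_resolver: 3\n",
	"1a9b03c7 I--Q--     1  59m 3f010000     0     0 id_resolv uid:bob@example.com: 4\n",
	"2b7e11d0 I--Q--     1  59m 3f010000     0     0 id_resolv uid:bobby@example.com: 4\n",
	"3c08aa55 I--Q--     1  59m 3f010000     0     0 id_resolv gid:bob@example.com: 4\n",
	NULL
};

int main(void)
{
	unsigned int ring = find_key(sample_keys, "keyring", "id_resolver");
	unsigned int uid = find_key(sample_keys, "id_resolver", "uid:bob@example.com");

	printf("id_resolver keyring: 0x%08x\n", ring);
	printf("uid key for bob:     0x%08x\n", uid);
	return 0;
}
```

The exact comparison is what separates uid:bob@example.com from uid:bobby@example.com in the sample; a tool built on this would hand the returned serial to keyctl_revoke() or keyctl_clear(), and a line that fails to parse is skipped rather than acted upon.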

* Re: [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3)
  2011-11-23 15:24 [PATCH 0/2] nfsidmap: Allow admins to clean up id mappings that have (ver 3) Steve Dickson
  2011-11-23 15:24 ` [PATCH 1/2] nfsidmap: Allow keys to be cleared from the keyring Steve Dickson
  2011-11-23 15:24 ` [PATCH 2/2] nfsidmap: Allow a particular key to be revoked Steve Dickson
@ 2011-12-05 14:45 ` Steve Dickson
  2 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2011-12-05 14:45 UTC (permalink / raw)
  To: Linux NFS Mailing List



On 11/23/2011 10:24 AM, Steve Dickson wrote:
> In working with the new idmapper, it became very apparent that
> keys created from bad id mapping were very persistent and were
> not easily disposed of. Unlike with rpc.idmapd, to get rid
> of bad id mapping one just needed to restart the daemon.
> 
> So I've added some functionality to the nfsidmap command
> that will allow admins to:
> 
>     - remove all the keys on the keyring.
>     - remove a particular key from the keyring.
> 
> The intention is to allow admins a way to clean up the id
> name space when name resolution mechanisms, like NIS or LDAP, 
> fail and leave a large number (or small number) of id mapping 
> pointing to nobody. 
> 
> Note, for the second patch to work, there needs to be a small
> kernel patch that will change the per-key permissions to
> allow root to revoke them.
> 
> Version 2:
> - Added the fclose() calls as requested by the code review
> Version 3:
> - Confined the -c flag to only remove keys from the id_resolver keyring.
Committed...

steved.
> 
> Steve Dickson (2):
>   nfsidmap: Allow keys to be cleared from the keyring
>   nfsidmap: Allow a particular key to be revoked.
> 
>  utils/nfsidmap/nfsidmap.c   |  148 +++++++++++++++++++++++++++++++++++++++++--
>  utils/nfsidmap/nfsidmap.man |   25 +++++++-
>  2 files changed, 167 insertions(+), 6 deletions(-)
> 
