From: Neil Brown <neilb@suse.de>
To: Steve Dickson <SteveD@redhat.com>
Cc: linux-nfs@vger.kernel.org, Chuck Lever <chuck.lever@oracle.com>
Subject: [PATCH 3/3] gssd: add -N option to use root credentials as machine credentials.
Date: Mon, 03 Jun 2013 11:00:22 +1000
Message-ID: <20130603010022.20080.88360.stgit@notabene.brown>
In-Reply-To: <20130603005219.20080.1927.stgit@notabene.brown>
Since linux-3.7, the kernel asks explicitly for machine credentials
rather than root credentials to authenticate state management requests.
This causes a regression for people who do not have machine
credentials configured and were using "gssd -n" to instruct gssd to
disable the default mapping of using machine credentials to authorise
accesses by 'root'.
This patch adds a '-N' flag which instructs gssd explicitly to use 'root'
credentials whenever 'machine' credentials are requested. Thus
    gssd -n -N
provides the same service that
    gssd -n
used to.
In summary:
Credentials used for different request types and different gssd flags:

Request type: | "gssd"    "gssd -n"  "gssd -N"  "gssd -nN"
              |
machine       | machine   machine    root       root
              |
root          | machine   root       machine    root
Signed-off-by: NeilBrown <neilb@suse.de>
---
utils/gssd/gssd.c | 9 ++++++---
utils/gssd/gssd.h | 1 +
utils/gssd/gssd.man | 13 ++++++++++++-
utils/gssd/gssd_proc.c | 12 +++++++-----
4 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index 8ee478b..7a405b6 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -61,6 +61,7 @@ char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR ":" GSSD_USER_CRED_DIR;
char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
int use_memcache = 0;
int root_uses_machine_creds = 1;
+int machine_uses_root_creds = 0;
unsigned int context_timeout = 0;
char *preferred_realm = NULL;
@@ -68,8 +69,7 @@ void
sig_die(int signal)
{
/* destroy krb5 machine creds */
- if (root_uses_machine_creds)
- gssd_destroy_krb5_machine_creds();
+ gssd_destroy_krb5_machine_creds();
printerr(1, "exiting on signal %d\n", signal);
exit(0);
}
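Review bot: removing the `if (root_uses_machine_creds)` guard around gssd_destroy_krb5_machine_creds() in sig_die() is a behaviour change on its own that the commit message does not mention; it is correct because with -n alone the kernel's explicit machine-credential requests (service != NULL) still acquire machine credentials, which therefore need destroying at exit regardless of the flag. A one-line comment above the call saying that machine creds may exist even with -n would make the intent clear, and it is worth confirming that gssd_destroy_krb5_machine_creds() tolerates the -n -N case where no machine credential was ever acquired, since it now runs unconditionally.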
@@ -102,7 +102,7 @@ main(int argc, char *argv[])
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) {
+ while ((opt = getopt(argc, argv, "DfvrlmNnMp:k:d:t:R:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
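Review bot: the getopt string gains 'N', but no corresponding change to a usage or help string appears anywhere in this patch; if gssd.c prints one on an unknown option, it should list -N next to -n in the same change so the two flags are documented together.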
@@ -116,6 +116,9 @@ main(int argc, char *argv[])
case 'n':
root_uses_machine_creds = 0;
break;
+ case 'N':
+ machine_uses_root_creds = 1;
+ break;
case 'v':
verbosity++;
break;
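Review bot: `case 'N'` sets machine_uses_root_creds without checking that -n was also given, yet according to the commit-message table -N on its own produces the counter-intuitive swap where machine requests use root's credentials while root's own requests use the machine credentials. Either warn (or refuse) when -N is given without -n, or make the man page say plainly that -N is only meaningful together with -n.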
diff --git a/utils/gssd/gssd.h b/utils/gssd/gssd.h
index 86472a1..5057440 100644
--- a/utils/gssd/gssd.h
+++ b/utils/gssd/gssd.h
@@ -65,6 +65,7 @@ extern char keytabfile[PATH_MAX];
extern char *ccachesearch[];
extern int use_memcache;
extern int root_uses_machine_creds;
+extern int machine_uses_root_creds;
extern unsigned int context_timeout;
extern char *preferred_realm;
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index ac13fd4..0a06e8c 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -8,7 +8,7 @@
rpc.gssd \- RPCSEC_GSS daemon
.SH SYNOPSIS
.B rpc.gssd
-.RB [ \-DfMnlvr ]
+.RB [ \-DfMnNlvr ]
.RB [ \-k
.IR keytab ]
.RB [ \-p
@@ -227,6 +227,17 @@ in the foreground and sends output to stderr (as opposed to syslogd)
When specified, UID 0 is forced to obtain user credentials
which are used instead of the local system's machine credentials.
.TP
+.B -N
+With NFSv4, some requests to the server need to authenticated
+as coming from "the machine" rather than from any particular user.
+These requests will normally be authenticated using the "machine
+credentials" even if
+.B -n
+is set. Adding
+.B -N
+causes these requests to use the credentials of UID 0 in place of the
+machine credentials.
+.TP
.BI "-k " keytab
Tells
.B rpc.gssd
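Review bot: typo in the added paragraph: "need to authenticated" should read "need to be authenticated". The text should also state that -N is intended to be combined with -n (the "gssd -n -N" case from the commit message) and cross-reference the -n entry just above it, which already describes forcing UID 0 onto user credentials, so that readers see the two flags as a pair rather than as independent options.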
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index b7e2bbb..f9d6f51 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -988,7 +988,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
/*
* If "service" is specified, then the kernel is indicating that
* we must use machine credentials for this request. (Regardless
- * of the uid value or the setting of root_uses_machine_creds.)
+ * of the uid value or the setting of root_uses_machine_creds,
+ * though setting machine_uses_root_creds can override this)
* If the service value is "*", then any service name can be used.
* Otherwise, it specifies the service name that should be used.
* (For now, the values of service will only be "*" or "nfs".)
@@ -1008,8 +1009,9 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
*/
printerr(2, "%s: service is '%s'\n", __func__,
service ? service : "<null>");
- if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 &&
- service == NULL)) {
+ if (uid != 0 ||
+ (!root_uses_machine_creds && !service) ||
+ ( machine_uses_root_creds && service)) {
/* Tell krb5 gss which credentials cache to use */
/* Try first to acquire credentials directly via GSSAPI */
err = gssd_acquire_user_cred(uid, &gss_cred);
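Review bot: dropping the explicit `uid == 0` from the middle term is harmless, since the first disjunct already covers uid != 0, but the new third term `( machine_uses_root_creds && service)` likewise has no uid test, so a service (machine) request is sent to gssd_acquire_user_cred(uid) for whatever uid the kernel supplied; that matches the table only if machine-credential upcalls always arrive with uid 0. Either add `uid == 0 &&` to that term or state the assumption in the comment above. Style nit: stray space after the opening parenthesis in `( machine_uses_root_creds`.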
@@ -1028,8 +1030,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname,
}
}
if (create_resp != 0) {
- if (uid == 0 && (root_uses_machine_creds == 1 ||
- service != NULL)) {
+ if ((uid == 0 && root_uses_machine_creds) ||
+ (service != NULL && !machine_uses_root_creds)) {
int nocache = 0;
int success = 0;
do {
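Review bot: the fallback test no longer requires uid == 0 for the service case. Before this hunk, `service != NULL` was only consulted under `uid == 0`; now a non-root upcall with service set whose user-credential attempt failed falls back to machine credentials via `(service != NULL && !machine_uses_root_creds)`. This may be intended, given the comment earlier in the function that service means machine credentials "regardless of the uid value", but it goes beyond what the commit message describes, so either restore the uid == 0 guard or document the change. Note also the resulting asymmetry: with -N alone a machine request whose root-credential attempt fails still falls back to machine creds through the first term, while with -n -N it fails outright; presumably the point, but worth a sentence in the man page.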
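The two conditions this patch rewrites in process_krb5_upcall() are easy to misread, so the following is an added C model of them (written for this review, not nfs-utils code) that re-implements the "try user creds first" test and the "fall back to machine creds" test, combines them the way the daemon does, and checks the result against the table in the commit message. The struct and function names, and the `user_cred_ok` input standing in for gssd_acquire_user_cred() succeeding, are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added illustration, not nfs-utils code: a model of how the patched
 * process_krb5_upcall() chooses between the user credentials of `uid`
 * and the machine credentials.  The names here and the "did the
 * user-credential attempt succeed" input are constructed for the example.
 */

enum cred { CRED_NONE = 0, CRED_USER = 1, CRED_MACHINE = 2 };

struct gssd_flags {
    bool root_uses_machine_creds;   /* default 1, cleared by -n */
    bool machine_uses_root_creds;   /* default 0, set by -N */
};

/* Mirrors the first rewritten test: should the user's creds be tried first? */
static bool first_try_user_creds(const struct gssd_flags *f, unsigned uid, bool service)
{
    return uid != 0 ||
           (!f->root_uses_machine_creds && !service) ||
           (f->machine_uses_root_creds && service);
}

/* Mirrors the second rewritten test: may we fall back to machine creds? */
static bool machine_fallback(const struct gssd_flags *f, unsigned uid, bool service)
{
    return (uid == 0 && f->root_uses_machine_creds) ||
           (service && !f->machine_uses_root_creds);
}

/*
 * Combine the two tests as the daemon does: user creds are used only when
 * the first test holds and the acquisition succeeds; otherwise machine
 * creds are used only when the second test holds.  user_cred_ok is a
 * constructed stand-in for gssd_acquire_user_cred() succeeding.
 */
enum cred cred_for_request(const struct gssd_flags *f, unsigned uid,
                           bool service, bool user_cred_ok)
{
    if (first_try_user_creds(f, uid, service) && user_cred_ok)
        return CRED_USER;
    if (machine_fallback(f, uid, service))
        return CRED_MACHINE;
    return CRED_NONE;
}

/* Columns of the commit-message table, in order: gssd, -n, -N, -nN. */
const struct gssd_flags flag_table[4] = {
    { true,  false },
    { false, false },
    { true,  true  },
    { false, true  },
};

/* One table cell: row "machine" is service set, row "root" is uid 0 with
 * no service; the user-credential attempt is assumed to succeed. */
enum cred table_cred(int column, bool machine_request)
{
    return cred_for_request(&flag_table[column], 0, machine_request, true);
}

/* True when all eight cells agree with the table in the commit message. */
bool table_matches_commit_message(void)
{
    static const enum cred want_machine[4] = { CRED_MACHINE, CRED_MACHINE, CRED_USER, CRED_USER };
    static const enum cred want_root[4]    = { CRED_MACHINE, CRED_USER, CRED_MACHINE, CRED_USER };

    for (int i = 0; i < 4; i++) {
        if (table_cred(i, true) != want_machine[i] ||
            table_cred(i, false) != want_root[i])
            return false;
    }
    return true;
}

static const char *cred_name(enum cred c)
{
    return c == CRED_USER ? "root" : c == CRED_MACHINE ? "machine" : "none";
}

int main(void)
{
    static const char *column[4] = { "gssd", "gssd -n", "gssd -N", "gssd -nN" };

    printf("%-10s", "request");
    for (int i = 0; i < 4; i++)
        printf(" %-10s", column[i]);
    printf("\n%-10s", "machine");
    for (int i = 0; i < 4; i++)
        printf(" %-10s", cred_name(table_cred(i, true)));
    printf("\n%-10s", "root");
    for (int i = 0; i < 4; i++)
        printf(" %-10s", cred_name(table_cred(i, false)));
    printf("\n");

    /* Cases the table does not cover: the failure path and a non-root uid. */
    printf("-nN, machine request, root creds unavailable: %s\n",
           cred_name(cred_for_request(&flag_table[3], 0, true, false)));
    printf("-n, uid 1000 with service set, user creds unavailable: %s\n",
           cred_name(cred_for_request(&flag_table[1], 1000, true, false)));
    return table_matches_commit_message() ? 0 : 1;
}
```

Running it prints the same four columns as the commit message, and the two extra lines show what the table leaves out: with -n -N a machine request whose root-credential attempt fails gets no credential at all, and with -n a non-root uid whose user-credential attempt fails while service is set falls back to machine credentials.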
Thread overview: 26+ messages
2013-06-03 1:00 [PATCH 0/3] Various gssd fixes including machine-credential issue Neil Brown
2013-06-03 1:00 ` [PATCH 1/3] krb5_utils: remove redundant array size Neil Brown
2013-07-01 16:05 ` Steve Dickson
2013-06-03 1:00 ` Neil Brown [this message]
2013-07-01 16:23 ` [PATCH 3/3] gssd: add -N option to use root credentials as machine credentials Steve Dickson
2013-07-01 21:35 ` NeilBrown
2013-06-03 1:00 ` [PATCH 2/3] krb5_util: don't give up on machine credential if hostname not available Neil Brown
2013-07-01 16:22 ` Steve Dickson
2013-07-01 21:56 ` NeilBrown
2013-07-02 12:29 ` Steve Dickson
2013-07-02 12:29 ` Steve Dickson
2013-06-03 2:01 ` [PATCH 0/3] Various gssd fixes including machine-credential issue Chuck Lever
2013-06-03 2:23 ` NeilBrown
2013-06-03 2:45 ` Chuck Lever
2013-06-03 3:01 ` NeilBrown
2013-06-03 4:32 ` Chuck Lever
2013-06-03 23:30 ` NeilBrown
2013-06-04 1:13 ` Chuck Lever
2013-06-04 19:16 ` Chuck Lever
2013-06-05 1:26 ` NeilBrown
2013-06-05 15:37 ` Chuck Lever
2013-06-05 17:14 ` Chuck Lever
2013-06-05 23:53 ` NeilBrown
2013-06-05 23:43 ` NeilBrown
2013-06-12 6:12 ` NeilBrown
2013-06-12 16:01 ` Chuck Lever