public inbox for linux-nfs@vger.kernel.org
* [PATCH] nfs-utils: add and use nfs_authsys_create
@ 2010-02-19 23:05 Jeff Layton
  2010-02-20  4:11 ` Jeff Layton
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Jeff Layton @ 2010-02-19 23:05 UTC (permalink / raw)
  To: steved; +Cc: chuck.lever, linux-nfs

The current mount, umount and showmount code uses
authunix_create_default to get an auth handle. The one provided by glibc
returned a truncated list of groups when there were more than 16 groups.
libtirpc however currently does an abort() in this case, which causes
the program to crash and dump core.

nfs-utils just uses these auth handles for the MNT protocol, so the
group list doesn't make a lot of difference here. Add a new function
that creates an auth handle with a supplemental gids list that consists
only of the primary gid. Have nfs-utils use that function anywhere that
it currently uses authunix_create_default. Also, have the caller
properly check for a NULL return from that function.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
 support/include/nfsrpc.h    |    3 +++
 support/nfs/rpc_socket.c    |   21 +++++++++++++++++++++
 utils/mount/network.c       |   15 ++++++++++++---
 utils/showmount/showmount.c |    8 +++++++-
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/support/include/nfsrpc.h b/support/include/nfsrpc.h
index 4db35ab..6ebefca 100644
--- a/support/include/nfsrpc.h
+++ b/support/include/nfsrpc.h
@@ -160,4 +160,7 @@ extern int		nfs_rpc_ping(const struct sockaddr *sap,
 				const unsigned short protocol,
 				const struct timeval *timeout);
 
+/* create AUTH_SYS handle with no supplemental groups */
+extern AUTH *			 nfs_authsys_create(void);
+
 #endif	/* !__NFS_UTILS_NFSRPC_H */
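Review bot: the new comment above the nfs_authsys_create() prototype says "no supplemental groups", but the implementation added in rpc_socket.c passes a one-entry list holding the primary gid (`1, &gid`). Suggest wording the header comment to match, for example "create AUTH_SYS handle whose supplemental gid list holds only the primary gid", and stating that NULL is returned on failure so callers know to check.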
diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
index 0e20824..aa6a205 100644
--- a/support/nfs/rpc_socket.c
+++ b/support/nfs/rpc_socket.c
@@ -557,3 +557,24 @@ rpcprog_t nfs_getrpcbyname(const rpcprog_t program, const char *table[])
 
 	return program;
 }
+
+/*
+ * AUTH_SYS doesn't allow more than 16 gids in the supplemental group list.
+ * If there are more than that, trying to determine which ones to include
+ * in the list is problematic. This function creates an auth handle that
+ * only has the primary gid in the supplemental gids list. It's intended to
+ * be used for protocols where credentials really don't matter much (the MNT
+ * protocol, for instance).
+ */
+AUTH *
+nfs_authsys_create(void)
+{
+	char machname[MAXHOSTNAMELEN + 1];
+	uid_t	uid = geteuid();
+	gid_t	gid = getegid();
+
+	if (gethostname(machname, sizeof(machname)) == -1)
+		return NULL;
+
+	return authsys_create(machname, uid, gid, 1, &gid);
+}
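Review bot: authsys_create() on the final return line does not exist in legacy glibc, so a build configured with --disable-tirpc regresses, as the follow-up later in this thread reports; authunix_create() takes the same arguments. Separately, gethostname() is given the full sizeof(machname), and POSIX leaves it unspecified whether a truncated name is NUL-terminated, so passing sizeof(machname) - 1 and setting the last byte to '\0' would guarantee a terminated string reaches the auth constructor.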
diff --git a/utils/mount/network.c b/utils/mount/network.c
index 8dc183a..c541257 100644
--- a/utils/mount/network.c
+++ b/utils/mount/network.c
@@ -857,7 +857,14 @@ int nfs_advise_umount(const struct sockaddr *sap, const socklen_t salen,
 		return 0;
 	}
 
-	client->cl_auth = authunix_create_default();
+	client->cl_auth = nfs_authsys_create();
+	if (client->cl_auth == NULL) {
+		if (verbose)
+			nfs_error(_("%s: Failed to create RPC auth handle"),
+				progname);
+		CLNT_DESTROY(client);
+		return 0;
+	}
 
 	res = CLNT_CALL(client, MOUNTPROC_UMNT,
 			(xdrproc_t)xdr_dirpath, (caddr_t)argp,
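Review bot: in the new NULL branch of nfs_advise_umount() the failure is reported only when verbose is set, and the function then returns 0, the same value as the early return in the context lines above, so a non-verbose umount skips the UMNT call with no indication why. Consider reporting the failure unconditionally, as the showmount change does, or add a comment that the advisory call is best-effort. Destroying the client before returning is right and avoids leaking the handle.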
@@ -957,8 +964,10 @@ CLIENT *mnt_openclnt(clnt_addr_t *mnt_server, int *msock)
 	}
 	if (clnt) {
 		/* try to mount hostname:dirname */
-		clnt->cl_auth = authunix_create_default();
-		return clnt;
+		clnt->cl_auth = nfs_authsys_create();
+		if (clnt->cl_auth)
+			return clnt;
+		CLNT_DESTROY(clnt);
 	}
 	return NULL;
 }
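Review bot: in mnt_openclnt() a NULL from nfs_authsys_create() falls through to the shared `return NULL` with no message, so the caller cannot tell an auth-handle failure from a failure to create the client, unlike the other two call sites in this patch, which print a diagnostic. Suggest logging here as well. It is also worth confirming how the socket returned through *msock is handled on this path, since that code is outside the lines shown.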
diff --git a/utils/showmount/showmount.c b/utils/showmount/showmount.c
index f567093..394f528 100644
--- a/utils/showmount/showmount.c
+++ b/utils/showmount/showmount.c
@@ -194,7 +194,13 @@ int main(int argc, char **argv)
 	}
 
 	mclient = nfs_get_mount_client(hostname, mount_vers_tbl[vers]);
-	mclient->cl_auth = authunix_create_default();
+	mclient->cl_auth = nfs_authsys_create();
+	if (mclient->cl_auth == NULL) {
+		fprintf(stderr, "%s: unable to create RPC auth handle.\n",
+				program_name);
+		clnt_destroy(mclient);
+		exit(1);
+	}
 	total_timeout.tv_sec = TOTAL_TIMEOUT;
 	total_timeout.tv_usec = 0;
 
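Review bot: the new error branch in showmount's main() calls clnt_destroy() while the network.c hunks use the CLNT_DESTROY() macro, and the message wording ("unable to create RPC auth handle.") differs from the one added in nfs_advise_umount(); picking one form for both would keep the call sites consistent. The context line above dereferences mclient directly after nfs_get_mount_client(), so the new check is only sufficient if that function never returns NULL, which is not visible in this hunk.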
-- 
1.6.6
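
The 16-gid limit the commit message works around comes from the AUTH_SYS credential layout itself (RFC 5531: `machinename<255>`, `gids<16>`). As an added illustration, not code from nfs-utils, glibc or libtirpc, this stand-alone encoder builds that credential body and returns an error for an over-long group list instead of truncating or aborting; the names `authsys_encode` and `authsys_encode_minimal` and the sample host name are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTHSYS_MAX_GIDS     16		/* RFC 5531: gids<16> */
#define AUTHSYS_MAX_MACHNAME 255	/* RFC 5531: machinename<255> */

/* Append one big-endian XDR word; returns 0, or -1 if the buffer is full. */
static int put_u32(uint8_t *buf, size_t cap, size_t *off, uint32_t v)
{
	uint32_t be = htonl(v);

	if (cap - *off < 4)
		return -1;
	memcpy(buf + *off, &be, 4);
	*off += 4;
	return 0;
}

/*
 * Encode an AUTH_SYS credential body (stamp, machinename, uid, gid, gids).
 * Returns the encoded length, or -1 when a protocol limit is exceeded or
 * the buffer is too small. Hypothetical helper, not a libtirpc interface.
 */
long authsys_encode(uint8_t *buf, size_t cap, uint32_t stamp,
		    const char *machname, uint32_t uid, uint32_t gid,
		    const uint32_t *gids, size_t ngids)
{
	size_t len = strlen(machname), off = 0, i;
	size_t padded = (len + 3) & ~(size_t)3;	/* XDR pads to 4 bytes */

	if (len > AUTHSYS_MAX_MACHNAME || ngids > AUTHSYS_MAX_GIDS)
		return -1;		/* refuse; never truncate or abort */
	if (put_u32(buf, cap, &off, stamp) ||
	    put_u32(buf, cap, &off, (uint32_t)len) || cap - off < padded)
		return -1;
	memset(buf + off, 0, padded);
	memcpy(buf + off, machname, len);
	off += padded;
	if (put_u32(buf, cap, &off, uid) || put_u32(buf, cap, &off, gid) ||
	    put_u32(buf, cap, &off, (uint32_t)ngids))
		return -1;
	for (i = 0; i < ngids; i++)
		if (put_u32(buf, cap, &off, gids[i]))
			return -1;
	return (long)off;
}

/* Same shape as the patch: the gid list holds only the primary gid. */
long authsys_encode_minimal(uint8_t *buf, size_t cap, const char *machname,
			    uint32_t uid, uint32_t gid)
{
	return authsys_encode(buf, cap, 0, machname, uid, gid, &gid, 1);
}

int main(void)
{
	uint8_t buf[64];	/* "client1" is a constructed sample host name */

	printf("%ld bytes\n", authsys_encode_minimal(buf, sizeof(buf), "client1", 1000, 100));
	return 0;
}
```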



* Re: [PATCH] nfs-utils: add and use nfs_authsys_create
  2010-02-19 23:05 [PATCH] nfs-utils: add and use nfs_authsys_create Jeff Layton
@ 2010-02-20  4:11 ` Jeff Layton
  2010-03-01 13:08 ` Steve Dickson
  2010-03-08 15:36 ` Steve Dickson
  2 siblings, 0 replies; 6+ messages in thread
From: Jeff Layton @ 2010-02-20  4:11 UTC (permalink / raw)
  To: steved; +Cc: chuck.lever, linux-nfs

On Fri, 19 Feb 2010 18:05:28 -0500
Jeff Layton <jlayton@redhat.com> wrote:

> The current mount, umount and showmount code uses
> authunix_create_default to get an auth handle. The one provided by glibc
> returned a truncated list of groups when there were more than 16 groups.
> libtirpc however currently does an abort() in this case, which causes
> the program to crash and dump core.
> 
> nfs-utils just uses these auth handles for the MNT protocol, so the
> group list doesn't make a lot of difference here. Add a new function
> that creates an auth handle with a supplemental gids list that consists
> only of the primary gid. Have nfs-utils use that function anywhere that
> it currently uses authunix_create_default. Also, have the caller
> properly check for a NULL return from that function.
> 
> Signed-off-by: Jeff Layton <jlayton@redhat.com>

My apologies -- I mistakenly sent out an earlier version of this patch
instead of the latest. I just sent the right version of this patch as
"try #2".

-- 
Jeff Layton <jlayton@redhat.com>


* Re: [PATCH] nfs-utils: add and use nfs_authsys_create
  2010-02-19 23:05 [PATCH] nfs-utils: add and use nfs_authsys_create Jeff Layton
  2010-02-20  4:11 ` Jeff Layton
@ 2010-03-01 13:08 ` Steve Dickson
  2010-03-08 15:36 ` Steve Dickson
  2 siblings, 0 replies; 6+ messages in thread
From: Steve Dickson @ 2010-03-01 13:08 UTC (permalink / raw)
  To: Jeff Layton; +Cc: chuck.lever, linux-nfs



On 02/19/2010 06:05 PM, Jeff Layton wrote:
> The current mount, umount and showmount code uses
> authunix_create_default to get an auth handle. The one provided by glibc
> returned a truncated list of groups when there were more than 16 groups.
> libtirpc however currently does an abort() in this case, which causes
> the program to crash and dump core.
> 
> nfs-utils just uses these auth handles for the MNT protocol, so the
> group list doesn't make a lot of difference here. Add a new function
> that creates an auth handle with a supplemental gids list that consists
> only of the primary gid. Have nfs-utils use that function anywhere that
> it currently uses authunix_create_default. Also, have the caller
> properly check for a NULL return from that function.
> 
> Signed-off-by: Jeff Layton <jlayton@redhat.com>
> ---
>  support/include/nfsrpc.h    |    3 +++
>  support/nfs/rpc_socket.c    |   21 +++++++++++++++++++++
>  utils/mount/network.c       |   15 ++++++++++++---
>  utils/showmount/showmount.c |    8 +++++++-
>  4 files changed, 43 insertions(+), 4 deletions(-)
> 
>
Committed...

steved.


* Re: [PATCH] nfs-utils: add and use nfs_authsys_create
  2010-02-19 23:05 [PATCH] nfs-utils: add and use nfs_authsys_create Jeff Layton
  2010-02-20  4:11 ` Jeff Layton
  2010-03-01 13:08 ` Steve Dickson
@ 2010-03-08 15:36 ` Steve Dickson
       [not found]   ` <4B951984.9070101-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
  2 siblings, 1 reply; 6+ messages in thread
From: Steve Dickson @ 2010-03-08 15:36 UTC (permalink / raw)
  To: Jeff Layton; +Cc: chuck.lever, linux-nfs



On 02/19/2010 06:05 PM, Jeff Layton wrote:
> The current mount, umount and showmount code uses
> authunix_create_default to get an auth handle. The one provided by glibc
> returned a truncated list of groups when there were more than 16 groups.
> libtirpc however currently does an abort() in this case, which causes
> the program to crash and dump core.
> 
> nfs-utils just uses these auth handles for the MNT protocol, so the
> group list doesn't make a lot of difference here. Add a new function
> that creates an auth handle with a supplemental gids list that consists
> only of the primary gid. Have nfs-utils use that function anywhere that
> it currently uses authunix_create_default. Also, have the caller
> properly check for a NULL return from that function.
> 
> Signed-off-by: Jeff Layton <jlayton@redhat.com>
> ---
>  support/include/nfsrpc.h    |    3 +++
>  support/nfs/rpc_socket.c    |   21 +++++++++++++++++++++
>  utils/mount/network.c       |   15 ++++++++++++---
>  utils/showmount/showmount.c |    8 +++++++-
>  4 files changed, 43 insertions(+), 4 deletions(-)
> 
> diff --git a/support/include/nfsrpc.h b/support/include/nfsrpc.h
> index 4db35ab..6ebefca 100644
> --- a/support/include/nfsrpc.h
> +++ b/support/include/nfsrpc.h
> @@ -160,4 +160,7 @@ extern int		nfs_rpc_ping(const struct sockaddr *sap,
>  				const unsigned short protocol,
>  				const struct timeval *timeout);
>  
> +/* create AUTH_SYS handle with no supplemental groups */
> +extern AUTH *			 nfs_authsys_create(void);
> +
>  #endif	/* !__NFS_UTILS_NFSRPC_H */
> diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
> index 0e20824..aa6a205 100644
> --- a/support/nfs/rpc_socket.c
> +++ b/support/nfs/rpc_socket.c
> @@ -557,3 +557,24 @@ rpcprog_t nfs_getrpcbyname(const rpcprog_t program, const char *table[])
>  
>  	return program;
>  }
> +
> +/*
> + * AUTH_SYS doesn't allow more than 16 gids in the supplemental group list.
> + * If there are more than that, trying to determine which ones to include
> + * in the list is problematic. This function creates an auth handle that
> + * only has the primary gid in the supplemental gids list. It's intended to
> + * be used for protocols where credentials really don't matter much (the MNT
> + * protocol, for instance).
> + */
> +AUTH *
> +nfs_authsys_create(void)
> +{
> +	char machname[MAXHOSTNAMELEN + 1];
> +	uid_t	uid = geteuid();
> +	gid_t	gid = getegid();
> +
> +	if (gethostname(machname, sizeof(machname)) == -1)
> +		return NULL;
> +
> +	return authsys_create(machname, uid, gid, 1, &gid);
> +}
The following patch is needed to fix regression when tirpc is
disabled:

steved.

Author: Steve Dickson <steved@redhat.com>
Date:   Mon Mar 8 10:24:44 2010 -0500

    Use authunix_create() instead of authsys_create() to fix regression.
    
    Commit 409b8 introduced a regression when the --disable-tirpc
    configuration flag is set. The authsys_create() interface, which
    was introduced, does not exist in the legacy glibc library.
    
    Since the authsys_create() interface is a redefinition of the
    authunix_create() interface, which is defined in glibc, using
    authunix_create() resolves the regression.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
index aa6a205..c14efe8 100644
--- a/support/nfs/rpc_socket.c
+++ b/support/nfs/rpc_socket.c
@@ -576,5 +576,5 @@ nfs_authsys_create(void)
        if (gethostname(machname, sizeof(machname)) == -1)
                return NULL;
 
-       return authsys_create(machname, uid, gid, 1, &gid);
+       return authunix_create(machname, uid, gid, 1, &gid);
 }
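Review bot: the context and changed lines of this hunk are indented with spaces, whereas the same lines in the original patch use tabs, so this inline copy is unlikely to apply cleanly with git am or patch; resending it unmangled would help anyone picking it up from the list. Since nfs_authsys_create() now calls authunix_create(), a one-line comment at the call saying the older name is used because it is the one glibc defines would stop a later cleanup from reverting it.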



* Re: [PATCH] nfs-utils: add and use nfs_authsys_create
       [not found]   ` <4B951984.9070101-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
@ 2010-03-08 15:40     ` Jeff Layton
       [not found]       ` <20100308104032.53593709-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 6+ messages in thread
From: Jeff Layton @ 2010-03-08 15:40 UTC (permalink / raw)
  To: Steve Dickson; +Cc: chuck.lever, linux-nfs

On Mon, 08 Mar 2010 10:36:36 -0500
Steve Dickson <SteveD@redhat.com> wrote:

> 
> 
> On 02/19/2010 06:05 PM, Jeff Layton wrote:
> > The current mount, umount and showmount code uses
> > authunix_create_default to get an auth handle. The one provided by glibc
> > returned a truncated list of groups when there were more than 16 groups.
> > libtirpc however currently does an abort() in this case, which causes
> > the program to crash and dump core.
> > 
> > nfs-utils just uses these auth handles for the MNT protocol, so the
> > group list doesn't make a lot of difference here. Add a new function
> > that creates an auth handle with a supplemental gids list that consists
> > only of the primary gid. Have nfs-utils use that function anywhere that
> > it currently uses authunix_create_default. Also, have the caller
> > properly check for a NULL return from that function.
> > 
> > Signed-off-by: Jeff Layton <jlayton@redhat.com>
> > ---
> >  support/include/nfsrpc.h    |    3 +++
> >  support/nfs/rpc_socket.c    |   21 +++++++++++++++++++++
> >  utils/mount/network.c       |   15 ++++++++++++---
> >  utils/showmount/showmount.c |    8 +++++++-
> >  4 files changed, 43 insertions(+), 4 deletions(-)
> > 
> > diff --git a/support/include/nfsrpc.h b/support/include/nfsrpc.h
> > index 4db35ab..6ebefca 100644
> > --- a/support/include/nfsrpc.h
> > +++ b/support/include/nfsrpc.h
> > @@ -160,4 +160,7 @@ extern int		nfs_rpc_ping(const struct sockaddr *sap,
> >  				const unsigned short protocol,
> >  				const struct timeval *timeout);
> >  
> > +/* create AUTH_SYS handle with no supplemental groups */
> > +extern AUTH *			 nfs_authsys_create(void);
> > +
> >  #endif	/* !__NFS_UTILS_NFSRPC_H */
> > diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
> > index 0e20824..aa6a205 100644
> > --- a/support/nfs/rpc_socket.c
> > +++ b/support/nfs/rpc_socket.c
> > @@ -557,3 +557,24 @@ rpcprog_t nfs_getrpcbyname(const rpcprog_t program, const char *table[])
> >  
> >  	return program;
> >  }
> > +
> > +/*
> > + * AUTH_SYS doesn't allow more than 16 gids in the supplemental group list.
> > + * If there are more than that, trying to determine which ones to include
> > + * in the list is problematic. This function creates an auth handle that
> > + * only has the primary gid in the supplemental gids list. It's intended to
> > + * be used for protocols where credentials really don't matter much (the MNT
> > + * protocol, for instance).
> > + */
> > +AUTH *
> > +nfs_authsys_create(void)
> > +{
> > +	char machname[MAXHOSTNAMELEN + 1];
> > +	uid_t	uid = geteuid();
> > +	gid_t	gid = getegid();
> > +
> > +	if (gethostname(machname, sizeof(machname)) == -1)
> > +		return NULL;
> > +
> > +	return authsys_create(machname, uid, gid, 1, &gid);
> > +}
> The following patch is needed to fix regression when tirpc is
> disabled:
> 
> steved.
> 
> Author: Steve Dickson <steved@redhat.com>
> Date:   Mon Mar 8 10:24:44 2010 -0500
> 
>     Use authunix_create() instead of authsys_create() to fix regression.
>     
>     Commit 409b8 introduced a regression when the --disable-tirpc
>     configuration flag is set. The authsys_create() interface, which
>     was introduced, does not exist in the legacy glibc library.
>     
>     Since the authsys_create() interface is a redefinition of the
>     authunix_create() interface, which is defined in glibc, using
>     authunix_create() resolves the regression.
>     
>     Signed-off-by: Steve Dickson <steved@redhat.com>
> 
> diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
> index aa6a205..c14efe8 100644
> --- a/support/nfs/rpc_socket.c
> +++ b/support/nfs/rpc_socket.c
> @@ -576,5 +576,5 @@ nfs_authsys_create(void)
>         if (gethostname(machname, sizeof(machname)) == -1)
>                 return NULL;
>  
> -       return authsys_create(machname, uid, gid, 1, &gid);
> +       return authunix_create(machname, uid, gid, 1, &gid);
>  }
> 

Acked-by: Jeff Layton <jlayton@redhat.com>


* Re: [PATCH] nfs-utils: add and use nfs_authsys_create
       [not found]       ` <20100308104032.53593709-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2010-03-08 16:12         ` Steve Dickson
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Dickson @ 2010-03-08 16:12 UTC (permalink / raw)
  To: Jeff Layton; +Cc: chuck.lever, linux-nfs



On 03/08/2010 10:40 AM, Jeff Layton wrote:
> On Mon, 08 Mar 2010 10:36:36 -0500
> Steve Dickson <SteveD@redhat.com> wrote:
> 
>>
>>
>> On 02/19/2010 06:05 PM, Jeff Layton wrote:
>>> The current mount, umount and showmount code uses
>>> authunix_create_default to get an auth handle. The one provided by glibc
>>> returned a truncated list of groups when there were more than 16 groups.
>>> libtirpc however currently does an abort() in this case, which causes
>>> the program to crash and dump core.
>>>
>>> nfs-utils just uses these auth handles for the MNT protocol, so the
>>> group list doesn't make a lot of difference here. Add a new function
>>> that creates an auth handle with a supplemental gids list that consists
>>> only of the primary gid. Have nfs-utils use that function anywhere that
>>> it currently uses authunix_create_default. Also, have the caller
>>> properly check for a NULL return from that function.
>>>
>>> Signed-off-by: Jeff Layton <jlayton@redhat.com>
>>> ---
>>>  support/include/nfsrpc.h    |    3 +++
>>>  support/nfs/rpc_socket.c    |   21 +++++++++++++++++++++
>>>  utils/mount/network.c       |   15 ++++++++++++---
>>>  utils/showmount/showmount.c |    8 +++++++-
>>>  4 files changed, 43 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/support/include/nfsrpc.h b/support/include/nfsrpc.h
>>> index 4db35ab..6ebefca 100644
>>> --- a/support/include/nfsrpc.h
>>> +++ b/support/include/nfsrpc.h
>>> @@ -160,4 +160,7 @@ extern int		nfs_rpc_ping(const struct sockaddr *sap,
>>>  				const unsigned short protocol,
>>>  				const struct timeval *timeout);
>>>  
>>> +/* create AUTH_SYS handle with no supplemental groups */
>>> +extern AUTH *			 nfs_authsys_create(void);
>>> +
>>>  #endif	/* !__NFS_UTILS_NFSRPC_H */
>>> diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
>>> index 0e20824..aa6a205 100644
>>> --- a/support/nfs/rpc_socket.c
>>> +++ b/support/nfs/rpc_socket.c
>>> @@ -557,3 +557,24 @@ rpcprog_t nfs_getrpcbyname(const rpcprog_t program, const char *table[])
>>>  
>>>  	return program;
>>>  }
>>> +
>>> +/*
>>> + * AUTH_SYS doesn't allow more than 16 gids in the supplemental group list.
>>> + * If there are more than that, trying to determine which ones to include
>>> + * in the list is problematic. This function creates an auth handle that
>>> + * only has the primary gid in the supplemental gids list. It's intended to
>>> + * be used for protocols where credentials really don't matter much (the MNT
>>> + * protocol, for instance).
>>> + */
>>> +AUTH *
>>> +nfs_authsys_create(void)
>>> +{
>>> +	char machname[MAXHOSTNAMELEN + 1];
>>> +	uid_t	uid = geteuid();
>>> +	gid_t	gid = getegid();
>>> +
>>> +	if (gethostname(machname, sizeof(machname)) == -1)
>>> +		return NULL;
>>> +
>>> +	return authsys_create(machname, uid, gid, 1, &gid);
>>> +}
>> The following patch is needed to fix regression when tirpc is
>> disabled:
>>
>> steved.
>>
>> Author: Steve Dickson <steved@redhat.com>
>> Date:   Mon Mar 8 10:24:44 2010 -0500
>>
>>     Use authunix_create() instead of authsys_create() to fix regression.
>>     
>>     Commit 409b8 introduced a regression when the --disable-tirpc
>>     configuration flag is set. The authsys_create() interface, which
>>     was introduced, does not exist in the legacy glibc library.
>>     
>>     Since the authsys_create() interface is a redefinition of the
>>     authunix_create() interface, which is defined in glibc, using
>>     authunix_create() resolves the regression.
>>     
>>     Signed-off-by: Steve Dickson <steved@redhat.com>
>>
>> diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
>> index aa6a205..c14efe8 100644
>> --- a/support/nfs/rpc_socket.c
>> +++ b/support/nfs/rpc_socket.c
>> @@ -576,5 +576,5 @@ nfs_authsys_create(void)
>>         if (gethostname(machname, sizeof(machname)) == -1)
>>                 return NULL;
>>  
>> -       return authsys_create(machname, uid, gid, 1, &gid);
>> +       return authunix_create(machname, uid, gid, 1, &gid);
>>  }
>>
> 
> Acked-by: Jeff Layton <jlayton@redhat.com>
Committed.... 

steved.


