The current mount, umount and showmount code uses
authunix_create_default to get an auth handle. The one provided by glibc
returned a truncated list of groups when there were more than 16 groups.
libtirpc however currently does an abort() in this case, which causes
the program to crash and dump core.
nfs-utils just uses these auth handles for the MNT protocol, so the
group list doesn't make a lot of difference here. Add a new function
that creates an auth handle with a supplemental gids list that consists
only of the primary gid. Have nfs-utils use that function anywhere that
it currently uses authunix_create_default. Also, have the caller
properly check for a NULL return from that function.
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
Reviewed-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
---
support/include/nfsrpc.h | 3 +++
support/nfs/rpc_socket.c | 25 +++++++++++++++++++++++++
utils/mount/network.c | 15 ++++++++++++---
utils/showmount/showmount.c | 8 +++++++-
4 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/support/include/nfsrpc.h b/support/include/nfsrpc.h
index 4db35ab..6ebefca 100644
--- a/support/include/nfsrpc.h
+++ b/support/include/nfsrpc.h
@@ -160,4 +160,7 @@ extern int nfs_rpc_ping(const struct sockaddr *sap,
const unsigned short protocol,
const struct timeval *timeout);
+/* create AUTH_SYS handle with no supplemental groups */
+extern AUTH * nfs_authsys_create(void);
+
#endif /* !__NFS_UTILS_NFSRPC_H */
diff --git a/support/nfs/rpc_socket.c b/support/nfs/rpc_socket.c
index 0e20824..a08f1f2 100644
--- a/support/nfs/rpc_socket.c
+++ b/support/nfs/rpc_socket.c
@@ -557,3 +557,28 @@ rpcprog_t nfs_getrpcbyname(const rpcprog_t program, const char *table[])
return program;
}
+
+/**
+ * nfs_authsys_create - get an AUTH_SYS authentication handle for current user
+ *
+ * Returns an AUTH handle or NULL on error
+ *
+ * AUTH_SYS doesn't allow more than 16 gids in the supplemental group list.
+ * If there are more than that, trying to determine which ones to include
+ * in the list is problematic. This function creates an auth handle that
+ * only has the primary gid in the supplemental gids list. It's intended to
+ * be used for protocols where credentials really don't matter much (the MNT
+ * protocol, for instance).
+ */
+AUTH *
+nfs_authsys_create(void)
+{
+ char machname[MAXHOSTNAMELEN + 1];
+ uid_t uid = geteuid();
+ gid_t gid = getegid();
+
+ if (gethostname(machname, sizeof(machname)) == -1)
+ return NULL;
+
+ return authunix_create(machname, uid, gid, 1, &gid);
+}
diff --git a/utils/mount/network.c b/utils/mount/network.c
index 8dc183a..c541257 100644
--- a/utils/mount/network.c
+++ b/utils/mount/network.c
@@ -857,7 +857,14 @@ int nfs_advise_umount(const struct sockaddr *sap, const socklen_t salen,
return 0;
}
- client->cl_auth = authunix_create_default();
+ client->cl_auth = nfs_authsys_create();
+ if (client->cl_auth == NULL) {
+ if (verbose)
+ nfs_error(_("%s: Failed to create RPC auth handle"),
+ progname);
+ CLNT_DESTROY(client);
+ return 0;
+ }
res = CLNT_CALL(client, MOUNTPROC_UMNT,
(xdrproc_t)xdr_dirpath, (caddr_t)argp,
@@ -957,8 +964,10 @@ CLIENT *mnt_openclnt(clnt_addr_t *mnt_server, int *msock)
}
if (clnt) {
/* try to mount hostname:dirname */
- clnt->cl_auth = authunix_create_default();
- return clnt;
+ clnt->cl_auth = nfs_authsys_create();
+ if (clnt->cl_auth)
+ return clnt;
+ CLNT_DESTROY(clnt);
}
return NULL;
}
diff --git a/utils/showmount/showmount.c b/utils/showmount/showmount.c
index f567093..394f528 100644
--- a/utils/showmount/showmount.c
+++ b/utils/showmount/showmount.c
@@ -194,7 +194,13 @@ int main(int argc, char **argv)
}
mclient = nfs_get_mount_client(hostname, mount_vers_tbl[vers]);
- mclient->cl_auth = authunix_create_default();
+ mclient->cl_auth = nfs_authsys_create();
+ if (mclient->cl_auth == NULL) {
+ fprintf(stderr, "%s: unable to create RPC auth handle.\n",
+ program_name);
+ clnt_destroy(mclient);
+ exit(1);
+ }
total_timeout.tv_sec = TOTAL_TIMEOUT;
total_timeout.tv_usec = 0;
--
1.6.6
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
