Re: [PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring


 



On Thu, Nov 17, 2011 at 9:26 PM, Steve Dickson <steved@xxxxxxxxxx> wrote:
> Introduce the '-c [keyring]' command line argument
> which will clear the given keyring of its keys.
> If a keyring is not supplied, the default 'id_resolver'
> keyring will be used.
>
> Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
> ---
>  utils/nfsidmap/nfsidmap.c   |   62 +++++++++++++++++++++++++++++++++++++++---
>  utils/nfsidmap/nfsidmap.man |   14 ++++++++-
>  2 files changed, 69 insertions(+), 7 deletions(-)
>
> diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
> index 6a09f38..2625dc1 100644
> --- a/utils/nfsidmap/nfsidmap.c
> +++ b/utils/nfsidmap/nfsidmap.c
> @@ -13,12 +13,14 @@
>  #include "xlog.h"
>
>  int verbose = 0;
> -char *usage="Usage: %s [-v] [-t timeout] key desc";
> +char *usage="Usage: %s [-v] [-c [keyring]] [-t timeout] key desc";
>
>  #define MAX_ID_LEN   11
>  #define IDMAP_NAMESZ 128
>  #define USER  1
>  #define GROUP 0
> +#define DEFAULT_KEYRING "id_resolver"
> +#define PROCKEYS "/proc/keys"
>
>  /*
>  * Find either a user or group id based on the name@domain string
> @@ -87,6 +89,47 @@ int name_lookup(char *id, key_serial_t key, int type)
>  out:
>        return rc;
>  }
> +/*
> + * Clear all the keys on the given keyring
> + */
> +static int keyring_clear(char *keyring)
> +{
> +       FILE *fp;
> +       char buf[BUFSIZ];
> +       key_serial_t key;
> +
> +       xlog_syslog(0);
> +       if (keyring == NULL)
> +               keyring = DEFAULT_KEYRING;
> +
> +       if ((fp = fopen(PROCKEYS, "r")) == NULL) {

The same comment here: fp never closed.

Tigran.
> +               xlog_err("fopen(%s) failed: %m", PROCKEYS);
> +               return 1;
> +       }
> +
> +       while(fgets(buf, BUFSIZ, fp) != NULL) {
> +               if (strstr(buf, "keyring") == NULL)
> +                       continue;
> +               if (strstr(buf, keyring) == NULL)
> +                       continue;
> +               if (verbose) {
> +                       *(strchr(buf, '\n')) = '\0';
> +                       xlog_warn("clearing '%s'", buf);
> +               }
> +               /*
> +                * The key is the first arugment in the string
> +                */
> +               *(strchr(buf, ' ')) = '\0';
> +               sscanf(buf, "%x", &key);
> +               if (keyctl_clear(key) < 0) {
> +                       xlog_err("keyctl_clear(0x%x) failed: %m", key);
> +                       return 1;
> +               }
> +               return 0;
> +       }
> +       xlog_err("'%s' keyring was not found.", keyring);
> +       return 1;
> +}
>
>  int main(int argc, char **argv)
>  {
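Review bot: In keyring_clear(), both `*(strchr(buf, '\n')) = '\0'` and `*(strchr(buf, ' ')) = '\0'` write through the strchr() result without checking it, so a /proc/keys line that fills the buffer before its newline, or a matching line with no space, dereferences NULL. The sscanf() return value is also ignored, which leaves `key` uninitialised when the conversion fails and then hands that value to keyctl_clear(). `%x` expects an `unsigned int *`, so if key_serial_t is a signed type (it appears to be in keyutils) the scan should go through a temporary. The rewritten loop body below checks each step and skips lines that cannot be parsed.

```c
	while (fgets(buf, BUFSIZ, fp) != NULL) {
		char *nl, *sp;
		unsigned int serial;

		/* … unchanged: strstr() filters for "keyring" and the keyring name … */
		if ((nl = strchr(buf, '\n')) != NULL)
			*nl = '\0';
		if (verbose)
			xlog_warn("clearing '%s'", buf);
		/* The key serial is the first field on the line */
		if ((sp = strchr(buf, ' ')) == NULL)
			continue;
		*sp = '\0';
		if (sscanf(buf, "%x", &serial) != 1)
			continue;
		key = (key_serial_t)serial;
		/* … unchanged: keyctl_clear() call and return paths … */
	}
```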
> @@ -96,7 +139,8 @@ int main(int argc, char **argv)
>        int rc = 1, opt;
>        int timeout = 600;
>        key_serial_t key;
> -       char *progname;
> +       char *progname, *keyring = NULL;
> +       int clearring;
>
>        /* Set the basename */
>        if ((progname = strrchr(argv[0], '/')) != NULL)
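Review bot: `int clearring;` is declared without an initialiser, yet the option loop later does `clearring++` and the `if (clearring)` test reads it even when -c was never given. Reading an uninitialised automatic variable is undefined behaviour, and in practice a non-zero stack value would send an ordinary request-key upcall down the keyring-clearing path instead of performing the id mapping. Declare it as `int clearring = 0;`. The same variable is touched in the later hunks at `case 'c':` and `if (clearring) {`, and main's body continues outside this hunk.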
> @@ -105,11 +149,12 @@ int main(int argc, char **argv)
>                progname = argv[0];
>
>        xlog_open(progname);
> -       xlog_syslog(1);
> -       xlog_stderr(0);
>
> -       while ((opt = getopt(argc, argv, "t:v")) != -1) {
> +       while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>                switch (opt) {
> +               case 'c':
> +                       clearring++;
> +                       break;
>                case 'v':
>                        verbose++;
>                        break;
> @@ -122,6 +167,13 @@ int main(int argc, char **argv)
>                }
>        }
>
> +       if (clearring) {
> +               keyring = ((argc - optind) ? argv[optind] : NULL);
> +               rc = keyring_clear(keyring);
> +               return rc;
> +       }
> +
> +       xlog_stderr(0);
>        if ((argc - optind) != 2) {
>                xlog_err("Bad arg count. Check /etc/request-key.conf");
>                xlog_warn(usage, progname);
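Review bot: The keyring name taken from `argv[optind]` is passed on unvalidated, and keyring_clear() matches it with `strstr()` against whole /proc/keys lines. An empty argument matches every line, and a short name can match part of another keyring's description or a different column, so the first keyring listed may be cleared rather than the intended one. Reject an empty name before the call, e.g. `if (keyring && *keyring == '\0') { xlog_err("empty keyring name"); return 1; }`, and consider comparing the description field exactly inside keyring_clear(). Extra positional arguments are silently ignored on this path; main's body continues outside the hunk.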
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index c67aab6..db65a1f 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -6,7 +6,7 @@
>  .SH NAME
>  nfsidmap \- The NFS idmapper upcall program
>  .SH SYNOPSIS
> -.B "nfsidmap [-v] [-t timeout] key desc"
> +.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>  .SH DESCRIPTION
>  The file
>  .I /usr/sbin/nfsidmap
> @@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
>  translate user and group names into ids. Idmapper uses request-key to perform
>  the upcall and cache the result.
>  .I /usr/sbin/nfsidmap
> -should only be called by request-key, and will perform the translation and
> +is called by /sbin/request-key, and will perform the translation and
>  initialize a key with the resulting information.
> +.PP
> +.I nfsidmap
> +can also used to clear the keyring of all the keys.
> +This is useful when all the mappings have failed to due to an DNS outage
> +or some other error resulting in all the cached uid/gid to be invalid.
>  .SH OPTIONS
>  .TP
> +.B -c [keyring]
> +Clear the keyring of all the keys. If a
> +keyring is not supplied the default
> +keyring 'id_resolver' will be used.
> +.TP
>  .B -t timeout
>  Set the expiration timer, in seconds, on the key.
>  The default is 600 seconds (10 mins).
> --
> 1.7.7
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

