On Thu, Nov 17, 2011 at 04:51:35PM -0500, Steve Dickson wrote:
> Introduce the '-c [keyring]' command line argument
> which will clear the giving keyring of the keys.
> If a keyring not supplied the default 'id_resolver'
> keyring will be used.
Is there any reason why an idmapping command should touch any keyring
other than an id_resolver keyring?
If not I'd be inclined to leave that option out.
> +#define DEFAULT_KEYRING "id_resolver"
> +#define PROCKEYS "/proc/keys"
...
> + if ((fp = fopen(PROCKEYS, "r")) == NULL) {
> + xlog_err("fopen(%s) failed: %m", PROCKEYS);
> + return 1;
> + }
> +
> + while(fgets(buf, BUFSIZ, fp) != NULL) {
> + if (strstr(buf, "keyring") == NULL)
> + continue;
> + if (strstr(buf, keyring) == NULL)
> + continue;
Is grepping through /proc/keys really the right way to find this
keyring? Documentation/security/keys.txt would have me believe that
this sort of thing should work even with KEYS_DEBUG_PROC_KEYS not
defined. Maybe we want something like keyctl_search() ??
--b.
> + if (verbose) {
> + *(strchr(buf, '\n')) = '\0';
> + xlog_warn("clearing '%s'", buf);
> + }
> + /*
> + * The key is the first arugment in the string
> + */
> + *(strchr(buf, ' ')) = '\0';
> + sscanf(buf, "%x", &key);
> + if (keyctl_clear(key) < 0) {
> + xlog_err("keyctl_clear(0x%x) failed: %m", key);
> + fclose(fp);
> + return 1;
> + }
> + fclose(fp);
> + return 0;
> + }
> + xlog_err("'%s' keyring was not found.", keyring);
> + fclose(fp);
> + return 1;
> +}
>
> int main(int argc, char **argv)
> {
> @@ -96,7 +142,8 @@ int main(int argc, char **argv)
> int rc = 1, opt;
> int timeout = 600;
> key_serial_t key;
> - char *progname;
> + char *progname, *keyring = NULL;
> + int clearring;
>
> /* Set the basename */
> if ((progname = strrchr(argv[0], '/')) != NULL)
> @@ -105,11 +152,12 @@ int main(int argc, char **argv)
> progname = argv[0];
>
> xlog_open(progname);
> - xlog_syslog(1);
> - xlog_stderr(0);
>
> - while ((opt = getopt(argc, argv, "t:v")) != -1) {
> + while ((opt = getopt(argc, argv, "ct:v")) != -1) {
> switch (opt) {
> + case 'c':
> + clearring++;
> + break;
> case 'v':
> verbose++;
> break;
> @@ -122,6 +170,13 @@ int main(int argc, char **argv)
> }
> }
>
> + if (clearring) {
> + keyring = ((argc - optind) ? argv[optind] : NULL);
> + rc = keyring_clear(keyring);
> + return rc;
> + }
> +
> + xlog_stderr(0);
> if ((argc - optind) != 2) {
> xlog_err("Bad arg count. Check /etc/request-key.conf");
> xlog_warn(usage, progname);
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index c67aab6..db65a1f 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -6,7 +6,7 @@
> .SH NAME
> nfsidmap \- The NFS idmapper upcall program
> .SH SYNOPSIS
> -.B "nfsidmap [-v] [-t timeout] key desc"
> +.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
> .SH DESCRIPTION
> The file
> .I /usr/sbin/nfsidmap
> @@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
> translate user and group names into ids. Idmapper uses request-key to perform
> the upcall and cache the result.
> .I /usr/sbin/nfsidmap
> -should only be called by request-key, and will perform the translation and
> +is called by /sbin/request-key, and will perform the translation and
> initialize a key with the resulting information.
> +.PP
> +.I nfsidmap
> +can also used to clear the keyring of all the keys.
> +This is useful when all the mappings have failed to due to an DNS outage
> +or some other error resulting in all the cached uid/gid to be invalid.
> .SH OPTIONS
> .TP
> +.B -c [keyring]
> +Clear the keyring of all the keys. If a
> +keyring is not supplied the default
> +keyring 'id_resolver' will be used.
> +.TP
> .B -t timeout
> Set the expiration timer, in seconds, on the key.
> The default is 600 seconds (10 mins).
> --
> 1.7.7
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
