Re: [PATCH 1/2] nfsidmap: Allow all keys to clear on the keyring

On Thu, Nov 17, 2011 at 04:51:35PM -0500, Steve Dickson wrote:
> Introduce the '-c [keyring]' command line argument
> which will clear the given keyring of its keys.
> If a keyring is not supplied the default 'id_resolver'
> keyring will be used.

Is there any reason why an idmapping command should touch any keyring
other than an id_resolver keyring?

If not I'd be inclined to leave that option out.

> +#define DEFAULT_KEYRING "id_resolver"
> +#define PROCKEYS "/proc/keys"
...
> +	if ((fp = fopen(PROCKEYS, "r")) == NULL) {
> +		xlog_err("fopen(%s) failed: %m", PROCKEYS);
> +		return 1;
> +	}
> +
> +	while(fgets(buf, BUFSIZ, fp) != NULL) {
> +		if (strstr(buf, "keyring") == NULL)
> +			continue;
> +		if (strstr(buf, keyring) == NULL)
> +			continue;
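Review bot: the match inside the `while` loop is a substring search over the whole /proc/keys line rather than a comparison against the description field, so `strstr(buf, keyring)` also accepts any keyring whose description merely contains the requested name, and `strstr(buf, "keyring")` matches that word wherever it appears on the line. If /proc/keys stays as the lookup mechanism, split the line into its fields and `strcmp` the description column against `keyring`. Note also that /proc/keys lists only keys the calling process has View permission on, so a keyring the caller cannot see will be reported as "not found" rather than as a permission problem.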

Is grepping through /proc/keys really the right way to find this
keyring?  Documentation/security/keys.txt would have me believe that
this sort of thing should work even with KEYS_DEBUG_PROC_KEYS not
defined.  Maybe we want something like keyctl_search() ??

--b.

> +		if (verbose) {
> +			*(strchr(buf, '\n')) = '\0';
> +			xlog_warn("clearing '%s'", buf);
> +		}
> +		/*
> +		 * The key is the first arugment in the string
> +		 */
> +		*(strchr(buf, ' ')) = '\0';
> +		sscanf(buf, "%x", &key);
> +		if (keyctl_clear(key) < 0) {
> +			xlog_err("keyctl_clear(0x%x) failed: %m", key);
> +			fclose(fp);
> +			return 1;
> +		}
> +		fclose(fp);
> +		return 0;
> +	}
> +	xlog_err("'%s' keyring was not found.", keyring);
> +	fclose(fp);
> +	return 1;
> +}
>  
>  int main(int argc, char **argv)
>  {
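Review bot: both `*(strchr(buf, '\n')) = '\0';` and `*(strchr(buf, ' ')) = '\0';` write through the result of strchr() without checking for NULL; a line longer than BUFSIZ-1 comes back from fgets() with no newline, and the verbose branch then dereferences a NULL pointer. Check before assigning, e.g. `char *p = strchr(buf, '\n'); if (p) *p = '\0';`. The loop body also does `fclose(fp); return 0;` on the first line that satisfies both strstr() checks, so if more than one line matches only the first keyring is cleared and success is reported, and the return value of sscanf() is not checked before `key` is passed to keyctl_clear(). Typo in the comment: "arugment".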
> @@ -96,7 +142,8 @@ int main(int argc, char **argv)
>  	int rc = 1, opt;
>  	int timeout = 600;
>  	key_serial_t key;
> -	char *progname;
> +	char *progname, *keyring = NULL;
> +	int clearring;
>  
>  	/* Set the basename */
>  	if ((progname = strrchr(argv[0], '/')) != NULL)
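Review bot: `int clearring;` is declared without an initializer, but the later `if (clearring)` test in main() relies on it being zero when `-c` was not given; reading it is undefined behaviour and depends on whatever happens to be on the stack. Initialize it: `int clearring = 0;`.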
> @@ -105,11 +152,12 @@ int main(int argc, char **argv)
>  		progname = argv[0];
>  
>  	xlog_open(progname);
> -	xlog_syslog(1);
> -	xlog_stderr(0);
>  
> -	while ((opt = getopt(argc, argv, "t:v")) != -1) {
> +	while ((opt = getopt(argc, argv, "ct:v")) != -1) {
>  		switch (opt) {
> +		case 'c':
> +			clearring++;
> +			break;
>  		case 'v':
>  			verbose++;
>  			break;
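Review bot: `-c` is added to getopt() as a plain flag (`"ct:v"`), so the keyring name is not an option argument at all; it is picked up later as the first leftover positional, which does not match the `-c [keyring]` form the man page hunk documents. Either accept it as an optional option argument or document the keyring as a positional operand. Separately, this hunk removes `xlog_syslog(1);` and no visible hunk re-adds it (only `xlog_stderr(0);` reappears, on the non-clear path), so whether request-key invocations still log to syslog now depends on xlog's default; if that change is intended, the commit message should say so.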
> @@ -122,6 +170,13 @@ int main(int argc, char **argv)
>  		}
>  	}
>  
> +	if (clearring) {
> +		keyring = ((argc - optind) ? argv[optind] : NULL);
> +		rc = keyring_clear(keyring);
> +		return rc;		
> +	}
> +
> +	xlog_stderr(0);
>  	if ((argc - optind) != 2) {
>  		xlog_err("Bad arg count. Check /etc/request-key.conf");
>  		xlog_warn(usage, progname);
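Review bot: the `-c` path takes `argv[optind]` as the keyring and ignores any further operands without complaint, so a stray extra argument is silently dropped instead of being rejected; check `(argc - optind) > 1` and fail with the usage message the way the two-argument path does. Also drop the trailing whitespace after `return rc;`.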
> diff --git a/utils/nfsidmap/nfsidmap.man b/utils/nfsidmap/nfsidmap.man
> index c67aab6..db65a1f 100644
> --- a/utils/nfsidmap/nfsidmap.man
> +++ b/utils/nfsidmap/nfsidmap.man
> @@ -6,7 +6,7 @@
>  .SH NAME
>  nfsidmap \- The NFS idmapper upcall program
>  .SH SYNOPSIS
> -.B "nfsidmap [-v] [-t timeout] key desc"
> +.B "nfsidmap [-v] [-c [keyring]] [-t timeout] key desc"
>  .SH DESCRIPTION
>  The file
>  .I /usr/sbin/nfsidmap
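Review bot: the new SYNOPSIS line `nfsidmap [-v] [-c [keyring]] [-t timeout] key desc` still presents `key desc` as mandatory, but the main() hunk returns from the `-c` path before the argument-count check, so the two modes are mutually exclusive. Two synopsis lines, one for the request-key upcall form and one for `nfsidmap [-v] -c [keyring]`, would describe the interface accurately.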
> @@ -14,10 +14,20 @@ is used by the NFS idmapper to translate user and group ids into names, and to
>  translate user and group names into ids. Idmapper uses request-key to perform
>  the upcall and cache the result.
>  .I /usr/sbin/nfsidmap
> -should only be called by request-key, and will perform the translation and
> +is called by /sbin/request-key, and will perform the translation and
>  initialize a key with the resulting information.
> +.PP
> +.I nfsidmap
> +can also used to clear the keyring of all the keys.  
> +This is useful when all the mappings have failed to due to an DNS outage
> +or some other error resulting in all the cached uid/gid to be invalid.
>  .SH OPTIONS
>  .TP
> +.B -c [keyring]
> +Clear the keyring of all the keys. If a
> +keyring is not supplied the default 
> +keyring 'id_resolver' will be used.
> +.TP
>  .B -t timeout
>  Set the expiration timer, in seconds, on the key.
>  The default is 600 seconds (10 mins).
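Review bot: the added DESCRIPTION text carries grammar slips and trailing whitespace that will ship in the man page: "can also used" should be "can also be used", "have failed to due to an DNS outage" should be "have failed due to a DNS outage", and "resulting in all the cached uid/gid to be invalid" reads better as "leaving all of the cached uid/gid mappings invalid". There is trailing whitespace after "all the keys." and after "the default".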
> -- 
> 1.7.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html