Hey Steve,
This patch is simply for testing. It is not anywhere near something we’d ask for inclusion in nfs-utils.
If and when we want something like this, we’ll post something appropriate.
-dros
On Oct 23, 2013, at 10:30 AM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
> Hello.
>
> After read this these recent threads about this, we may or may not end up with this
> type of daemon, personally I hope we don't... ;-) But if we do...
>
> On 22/10/13 10:22, andros@xxxxxxxxxx wrote:
>> From: Weston Andros Adamson <dros@xxxxxxxxxx>
>>
>> this is an experimental daemon that watches for krb credential cache files
>> being created and deleted and creates or removes the mapping in the user
>> keyring.
>>
>> this replaces the wrappers for kinit and kdestroy as they are no longer needed -
>> users can go ahead using kinit/kdestroy and existing pam modules.
>>
>> if this is the way we want to go, this should probably end up as a processes
>> forked from gssd and not its own daemon.
>>
>> Signed-off-by: Weston Andros Adamson <dros@xxxxxxxxxx>
>> ---
>> configure.ac | 1 +
>> utils/Makefile.am | 2 +-
>> utils/gsskeyd/gsskeyd.c | 328 ++++++++++++++++++++++++++++++++++++++++++++++++
>> 3 files changed, 330 insertions(+), 1 deletion(-)
>> create mode 100644 utils/gsskeyd/gsskeyd.c
>>
>> diff --git a/configure.ac b/configure.ac
>> index d3ad854..a8e75ac 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -497,6 +497,7 @@ AC_CONFIG_FILES([
>> utils/nfsdcltrack/Makefile
>> utils/exportfs/Makefile
>> utils/gssd/Makefile
>> + utils/gsskeyd/Makefile
>> utils/idmapd/Makefile
>> utils/mount/Makefile
>> utils/mountd/Makefile
>> diff --git a/utils/Makefile.am b/utils/Makefile.am
>> index b892dc8..943ae2d 100644
>> --- a/utils/Makefile.am
>> +++ b/utils/Makefile.am
>> @@ -14,7 +14,7 @@ OPTDIRS += blkmapd
>> endif
>>
>> if CONFIG_GSS
>> -OPTDIRS += gssd
>> +OPTDIRS += gssd gsskeyd
>> endif
>>
>> if CONFIG_MOUNT
>> diff --git a/utils/gsskeyd/gsskeyd.c b/utils/gsskeyd/gsskeyd.c
>> new file mode 100644
>> index 0000000..6d598fa
>> --- /dev/null
>> +++ b/utils/gsskeyd/gsskeyd.c
>> @@ -0,0 +1,328 @@
>> +#include <stdio.h>
>> +#include <stdlib.h>
>> +#include <limits.h>
>> +#include <assert.h>
>> +#include <keyutils.h>
>> +#include <err.h>
>> +#include <errno.h>
>> +#include <string.h>
>> +
>> +#include <sys/inotify.h>
>> +#include <sys/errno.h>
>> +#include <sys/select.h>
>> +#include <sys/param.h>
>> +#include <sys/time.h>
>> +#include <sys/types.h>
>> +#include <sys/wait.h>
>> +#include <sys/queue.h>
>> +#include <sys/uio.h>
>> +#include <unistd.h>
>> +
>> +#define MAX_EVENT_SIZE (sizeof(struct inotify_event) + NAME_MAX + 1)
>> +
>> +//#define DEBUG_TRACE
>> +
>> +#ifdef DEBUG_TRACE
>> +#define TRACE(X...) do { fprintf(stderr, "_trace_: " X); } while (0)
>> +#else
>> +#define TRACE(X...)
>> +#endif
> Please do not make debugging a compile decision. Go ahead and
> use a '-d' or '-vvvv' (which each 'v' add more logging) flags to
> make it a run time decision... Having to recompile to debug is
> something that never made much sense to me...
>
> Secondly, you please use the existing xlog() interface to do your
> error/warning/debugging logging... Having all logging going through
> on interface is a good thing... IMHO...
>
> steved.
>> +
>> +/* .25 second timeouts to select */
>> +#define SELECT_INTERVAL_TV { 0, 250000 }
>> +
>> +/* .5 seconds to collect list of unique file names that had events */
>> +#define COLLECT_INTERVAL_TV { 0, 500000 }
>> +
>> +struct watchdir {
>> + char dir[MAXPATHLEN];
>> + int wd;
>> + LIST_ENTRY(watchdir) entry;
>> +};
>> +
>> +LIST_HEAD(watchdir_list, watchdir);
>> +
>> +struct update {
>> + char dir[MAXPATHLEN];
>> + char name[MAXPATHLEN];
>> + int is_remove;
>> + LIST_ENTRY(update) entry;
>> +};
>> +
>> +LIST_HEAD(update_list, update);
>> +
>> +struct updates {
>> + struct update_list list;
>> + struct timeval first;
>> +};
>> +
>> +void
>> +watchdir_add(struct watchdir_list *watchdirs, int notify, char *dir)
>> +{
>> + struct watchdir *w;
>> +
>> + w = calloc(1, sizeof(struct watchdir));
>> + assert(w != NULL);
>> +
>> + strncpy(w->dir, dir, MAXPATHLEN);
>> +
>> + w->wd = inotify_add_watch(notify, dir,
>> + IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO );
>> + //| IN_MODIFY
>> +
>> + if (w->wd < 0)
>> + perror("inotify_add_watch");
>> +
>> + LIST_INSERT_HEAD(watchdirs, w, entry);
>> +
>> + TRACE("WATCH(%d): %s\n", w->wd, w->dir);
>> +}
>> +
>> +/*
>> + * XXX maybe use hash when there is more than one watchdir?
>> + */
>> +struct watchdir *
>> +watchdir_lookup(struct watchdir_list *watchdirs, int wd)
>> +{
>> + struct watchdir *w;
>> +
>> + LIST_FOREACH(w, watchdirs, entry) {
>> + if (wd == w->wd)
>> + return w;
>> + }
>> +
>> + return NULL;
>> +}
>> +
>> +static void
>> +update_set_type(struct update *u, struct inotify_event *e)
>> +{
>> + if (e->mask & (IN_DELETE | IN_MOVED_FROM))
>> + u->is_remove = 1;
>> + else
>> + u->is_remove = 0;
>> +}
>> +
>> +void
>> +updates_add(struct updates *updates, struct watchdir_list *watchdirs, struct inotify_event *e)
>> +{
>> + struct update *u;
>> + struct watchdir *w;
>> +
>> +
>> + w = watchdir_lookup(watchdirs, e->wd);
>> + assert(w != NULL);
>> +
>> + TRACE("updates_add: %s/%s\n", w->dir, e->name);
>> +
>> + LIST_FOREACH(u, &updates->list, entry) {
>> + if (strncmp(w->dir, u->dir, MAXPATHLEN) == 0 &&
>> + strncmp(e->name, u->name, MAXPATHLEN) == 0) {
>> + update_set_type(u, e);
>> + return;
>> + }
>> + }
>> +
>> + u = calloc(1, sizeof(struct update));
>> + strncpy(u->dir, w->dir, MAXPATHLEN);
>> + strncpy(u->name, e->name, MAXPATHLEN);
>> + update_set_type(u, e);
>> +
>> + LIST_INSERT_HEAD(&updates->list, u, entry);
>> +
>> + if (!timerisset(&updates->first)) {
>> + if (gettimeofday(&updates->first, NULL) < 0)
>> + perror("gettimeofday");
>> + }
>> +}
>> +
>> +void
>> +print_event_mask(FILE *fp, uint32_t mask)
>> +{
>> +#define _print_if_found(X, S) do { \
>> + if (mask & (X)) { \
>> + fprintf(fp, S); \
>> + } \
>> + } while(0)
>> +
>> + _print_if_found(IN_ACCESS, "access");
>> + _print_if_found(IN_ATTRIB, "attrib");
>> + _print_if_found(IN_CLOSE_WRITE, "close write");
>> + _print_if_found(IN_CLOSE_NOWRITE, "close nowrite");
>> + _print_if_found(IN_CREATE, "create");
>> + _print_if_found(IN_DELETE, "delete");
>> + _print_if_found(IN_DELETE_SELF, "delete self");
>> + _print_if_found(IN_MODIFY, "modify");
>> + _print_if_found(IN_MOVE_SELF, "move self");
>> + _print_if_found(IN_MOVED_FROM, "moved from");
>> + _print_if_found(IN_MOVED_TO, "moved to");
>> + _print_if_found(IN_OPEN, "open");
>> +}
>> +
>> +static int
>> +manage_gss_ctx_keyring_mapping(struct update *u)
>> +{
>> + char buf[MAXPATHLEN];
>> + int status;
>> + uid_t uid;
>> + pid_t pid;
>> + key_serial_t key;
>> + long res;
>> +
>> + snprintf(buf, MAXPATHLEN, "%s/%s", u->dir, u->name);
>> +
>> + if (sscanf(u->name, "krb5cc_%u", &uid) <= 0)
>> + perror("parsing krb5cc uid");
>> +
>> + if ((pid = fork()) < 0)
>> + perror("fork");
>> +
>> + if (pid == 0) {
>> + if (setuid(uid) < 0)
>> + perror("setuid");
>> +
>> + if (u->is_remove) {
>> + fprintf(stderr, "remove gss ctx mapping for uid %u\n",
>> + uid);
>> + key = request_key("gss-ctx", "_nfstgt_", NULL,
>> + KEY_SPEC_USER_KEYRING);
>> + if (key > 0) {
>> + res = keyctl_unlink(key, KEY_SPEC_USER_KEYRING);
>> + if (res < 0)
>> + warn("keyctl_unlink failed");
>> + } else
>> + warn("request_key failed");
>> + } else {
>> + fprintf(stderr, "add gss ctx mapping for uid=%u\n",
>> + uid);
>> + snprintf(buf, MAXPATHLEN, "FILE:%s/%s",
>> + u->dir, u->name);
>> + key = add_key("gss-ctx", "_nfstgt_", buf,
>> + MAXPATHLEN, KEY_SPEC_USER_KEYRING);
>> +
>> + if (key < 0)
>> + warn("add_key failed");
>> + }
>> +
>> + exit(0);
>> + } else {
>> + waitpid(pid, &status, 0);
>> +
>> + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
>> + return WEXITSTATUS(status);
>> + }
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +void
>> +parse_events(int notify, struct watchdir_list *watchdirs, struct updates *updates)
>> +{
>> + ssize_t nread, pos;
>> + unsigned char buf[MAX_EVENT_SIZE * 100];
>> + struct inotify_event *e;
>> +
>> + for (;;) {
>> + nread = read(notify, buf, sizeof(buf));
>> +
>> + if (nread <= 0) {
>> + TRACE("read returns %d, errno %u\n", nread, errno);
>> + break;
>> + }
>> +
>> + TRACE("Read %d bytes\n", nread);
>> +
>> + pos = 0;
>> + while (pos < nread) {
>> + assert((nread - pos) >=
>> + (ssize_t)sizeof(struct inotify_event));
>> + e = (struct inotify_event *)(buf + pos);
>> + pos += sizeof(struct inotify_event) + e->len;
>> +
>> +#ifdef DEBUG_TRACE
>> + TRACE("EVENT on %s: ", e->name);
>> + print_event_mask(stderr, e->mask);
>> + fprintf(stderr, "\n");
>> +#endif
>> +
>> + if (strlen(e->name) >= strlen("krb5cc_") &&
>> + strncmp("krb5cc_", e->name, strlen("krb5cc_")) != 0)
>> + TRACE("skip file: %s\n", e->name);
>> + else
>> + updates_add(updates, watchdirs, e);
>> + }
>> + assert(pos == nread);
>> + }
>> +}
>> +
>> +void
>> +handle_events(struct updates *updates)
>> +{
>> + struct update *u;
>> + struct timeval now, diff, collection_interval = COLLECT_INTERVAL_TV;
>> +
>> + if (!timerisset(&updates->first))
>> + return;
>> +
>> + if (gettimeofday(&now, NULL) < 0)
>> + perror("gettimeofday");
>> +
>> + timersub(&now, &updates->first, &diff);
>> +
>> + if (!(diff.tv_sec >= collection_interval.tv_sec &&
>> + diff.tv_usec >= collection_interval.tv_usec)) {
>> + TRACE("it's been %u s %u ms - waiting longer...\n",
>> + diff.tv_sec, diff.tv_usec);
>> + return;
>> + }
>> +
>> + while (!LIST_EMPTY(&updates->list)) {
>> + u = updates->list.lh_first;
>> +
>> + TRACE("handle krb5 cc file: %s\n", u->name);
>> + manage_gss_ctx_keyring_mapping(u);
>> + LIST_REMOVE(u, entry);
>> + }
>> +
>> + timerclear(&updates->first);
>> +}
>> +
>> +
>> +int
>> +main(int argc, char **argv)
>> +{
>> + fd_set readfds;
>> + int notify;
>> + int res;
>> + struct timeval timeo, select_interval = SELECT_INTERVAL_TV;
>> + struct watchdir_list watchdirs;
>> + struct updates updates;
>> +
>> + LIST_INIT(&watchdirs);
>> +
>> + notify = inotify_init1(IN_NONBLOCK);
>> + if (notify < 0)
>> + perror("inotify_init1");
>> +
>> + watchdir_add(&watchdirs, notify, "/tmp");
>> +
>> + LIST_INIT(&updates.list);
>> + timerclear(&updates.first);
>> +
>> + for (;;) {
>> + FD_ZERO(&readfds);
>> + FD_SET(notify, &readfds);
>> + memcpy(&timeo, &select_interval, sizeof(struct timeval));
>> +
>> + res = select(notify + 1, &readfds, NULL, NULL, &timeo);
>> +
>> + if (res < 0)
>> + perror("error calling select");
>> +
>> + if (FD_ISSET(notify, &readfds))
>> + parse_events(notify, &watchdirs, &updates);
>> +
>> + handle_events(&updates);
>> + }
>> +}
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
