FreeBSD Bugzilla – Attachment 183835 Details for
Bug 205193
jail accessing NFSv4 mount causes syslog spam
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
make nfsuserd use an AF_LOCAL socket
nfsuserd-aflocal.patch (text/plain), 7.68 KB, created by
Rick Macklem
on 2017-06-27 11:36:31 UTC
(
hide
)
Description:
make nfsuserd use an AF_LOCAL socket
Filename:
MIME Type:
Creator:
Rick Macklem
Created:
2017-06-27 11:36:31 UTC
Size:
7.68 KB
patch
obsolete
>--- usr.sbin/nfsuserd/nfsuserd.c.sav 2017-06-26 16:12:14.095091000 -0400 >+++ usr.sbin/nfsuserd/nfsuserd.c 2017-06-27 07:13:14.996262000 -0400 >@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse > #include <sys/mount.h> > #include <sys/socket.h> > #include <sys/socketvar.h> >+#include <sys/stat.h> > #include <sys/time.h> > #include <sys/ucred.h> > #include <sys/vnode.h> >@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse > #include <nfs/nfssvc.h> > > #include <rpc/rpc.h> >+#include <rpc/rpc_com.h> > > #include <fs/nfs/rpcv2.h> > #include <fs/nfs/nfsproto.h> >@@ -73,9 +75,10 @@ static bool_t xdr_getid(XDR *, caddr_t); > static bool_t xdr_getname(XDR *, caddr_t); > static bool_t xdr_retval(XDR *, caddr_t); > >+#ifndef _PATH_NFSUSERDSOCK >+#define _PATH_NFSUSERDSOCK "/var/run/nfsuserd.sock" >+#endif > #define MAXNAME 1024 >-#define MAXNFSUSERD 20 >-#define DEFNFSUSERD 4 > #define MAXUSERMAX 100000 > #define MINUSERMAX 10 > #define DEFUSERMAX 200 >@@ -93,7 +96,7 @@ u_char *defaultgroup = "nogroup"; > gid_t defaultgid = 65533; > int verbose = 0, im_a_slave = 0, nfsuserdcnt = -1, forcestart = 0; > int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0; >-pid_t slaves[MAXNFSUSERD]; >+pid_t slavepid; > > int > main(int argc, char *argv[]) >@@ -103,15 +106,15 @@ main(int argc, char *argv[]) > struct nfsd_idargs nid; > struct passwd *pwd; > struct group *grp; >- int sock, one = 1; >- SVCXPRT *udptransp; >- u_short portnum; >+ int oldmask, sock; >+ SVCXPRT *xprt; > sigset_t signew; > char hostname[MAXHOSTNAMELEN + 1], *cp; > struct addrinfo *aip, hints; > static uid_t check_dups[MAXUSERMAX]; > gid_t grps[NGROUPS]; > int ngroup; >+ struct sockaddr_un sun; > > if (modfind("nfscommon") < 0) { > /* Not present in kernel, try loading it */ >@@ -191,22 +194,16 @@ main(int argc, char *argv[]) > } > nid.nid_usertimeout = defusertimeout = i * 60; > } else if (nfsuserdcnt == -1) { >+ /* nfsuserdcnt is no longer used. */ > nfsuserdcnt = atoi(*argv); > if (nfsuserdcnt < 1) > usage(); >- if (nfsuserdcnt > MAXNFSUSERD) { >- warnx("nfsuserd count %d; reset to %d", >- nfsuserdcnt, DEFNFSUSERD); >- nfsuserdcnt = DEFNFSUSERD; >- } > } else { > usage(); > } > argc--; > argv++; > } >- if (nfsuserdcnt < 1) >- nfsuserdcnt = DEFNFSUSERD; > > /* > * Strip off leading and trailing '.'s in domain name and map >@@ -242,49 +239,44 @@ main(int argc, char *argv[]) > "nfsuserd: domain=%s usermax=%d usertimeout=%d\n", > dnsname, nid.nid_usermax, nid.nid_usertimeout); > >- for (i = 0; i < nfsuserdcnt; i++) >- slaves[i] = (pid_t)-1; >+ slavepid = (pid_t)-1; > >- /* >- * Set up the service port to accept requests via UDP from >- * localhost (127.0.0.1). >- */ >- if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) >- err(1, "cannot create udp socket"); >+ memset(&sun, 0, sizeof sun); >+ sun.sun_family = AF_LOCAL; >+ unlink(_PATH_NFSUSERDSOCK); >+ strcpy(sun.sun_path, _PATH_NFSUSERDSOCK); >+ sun.sun_len = SUN_LEN(&sun); >+ sock = socket(AF_LOCAL, SOCK_STREAM, 0); >+ if (sock < 0) >+ err(1, "Can't create local nfsuserd socket"); >+ oldmask = umask(S_IXUSR | S_IRWXG | S_IRWXO); >+ if (bind(sock, (struct sockaddr *)&sun, sun.sun_len) < 0) >+ err(1, "Can't bind local nfsuserd socket"); >+ umask(oldmask); >+ if (listen(sock, SOMAXCONN) < 0) >+ err(1, "Can't listen on local nfsuserd socket"); >+ xprt = svc_vc_create(sock, RPC_MAXDATASIZE, RPC_MAXDATASIZE); >+ if (xprt == NULL) >+ err(1, "Can't create transport for local nfsuserd socket"); >+ if (!svc_reg(xprt, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS, nfsuserdsrv, >+ NULL)) >+ err(1, "Can't register service for local nfsuserd socket"); > > /* >- * Not sure what this does, so I'll leave it here for now. >+ * Tell the kernel what the socket's path is. > */ >- setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); >- >- if ((udptransp = svcudp_create(sock)) == NULL) >- err(1, "Can't set up socket"); >- >- /* >- * By not specifying a protocol, it is linked into the >- * dispatch queue, but not registered with portmapper, >- * which is just what I want. >- */ >- if (!svc_register(udptransp, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS, >- nfsuserdsrv, 0)) >- err(1, "Can't register nfsuserd"); >- >- /* >- * Tell the kernel what my port# is. >- */ >- portnum = htons(udptransp->xp_port); > #ifdef DEBUG >- printf("portnum=0x%x\n", portnum); >+ printf("sockpath=%s\n", _PATH_NFSUSERDSOCK); > #else >- if (nfssvc(NFSSVC_NFSUSERDPORT, (caddr_t)&portnum) < 0) { >+ if (nfssvc(NFSSVC_NFSUSERDPORT | NFSSVC_NEWSTRUCT, _PATH_NFSUSERDSOCK) >+ < 0) { > if (errno == EPERM) { > fprintf(stderr, > "Can't start nfsuserd when already running"); > fprintf(stderr, > " If not running, use the -force option.\n"); >- } else { >- fprintf(stderr, "Can't do nfssvc() to add port\n"); >- } >+ } else >+ fprintf(stderr, "Can't do nfssvc() to add socket\n"); > exit(1); > } > #endif >@@ -413,28 +405,25 @@ main(int argc, char *argv[]) > openlog("nfsuserd:", LOG_PID, LOG_DAEMON); > > /* >- * Fork off the slave daemons that do the work. All the master >- * does is kill them off and cleanup. >+ * Fork off the slave daemon to do the work. All the master >+ * does is kill the slave off and cleanup. > */ >- for (i = 0; i < nfsuserdcnt; i++) { >- slaves[i] = fork(); >- if (slaves[i] == 0) { >- im_a_slave = 1; >- setproctitle("slave"); >- sigemptyset(&signew); >- sigaddset(&signew, SIGUSR1); >- sigprocmask(SIG_UNBLOCK, &signew, NULL); >- >- /* >- * and away we go. >- */ >- svc_run(); >- syslog(LOG_ERR, "nfsuserd died: %m"); >- exit(1); >- } else if (slaves[i] < 0) { >- syslog(LOG_ERR, "fork: %m"); >- } >- } >+ slavepid = fork(); >+ if (slavepid == 0) { >+ im_a_slave = 1; >+ setproctitle("slave"); >+ sigemptyset(&signew); >+ sigaddset(&signew, SIGUSR1); >+ sigprocmask(SIG_UNBLOCK, &signew, NULL); >+ >+ /* >+ * and away we go. >+ */ >+ svc_run(); >+ syslog(LOG_ERR, "nfsuserd died: %m"); >+ exit(1); >+ } else if (slavepid < 0) >+ syslog(LOG_ERR, "fork: %m"); > > /* > * Just wait for SIGUSR1 or a child to die and then... >@@ -455,28 +444,11 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXP > struct passwd *pwd; > struct group *grp; > int error; >- u_short sport; > struct info info; > struct nfsd_idargs nid; >- u_int32_t saddr; > gid_t grps[NGROUPS]; > int ngroup; > >- /* >- * Only handle requests from 127.0.0.1 on a reserved port number. >- * (Since a reserved port # at localhost implies a client with >- * local root, there won't be a security breach. This is about >- * the only case I can think of where a reserved port # means >- * something.) >- */ >- sport = ntohs(transp->xp_raddr.sin_port); >- saddr = ntohl(transp->xp_raddr.sin_addr.s_addr); >- if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) || >- saddr != 0x7f000001) { >- syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport); >- svcerr_weakauth(transp); >- return; >- } > switch (rqstp->rq_proc) { > case NULLPROC: > if (!svc_sendreply(transp, (xdrproc_t)xdr_void, NULL)) >@@ -683,7 +655,7 @@ xdr_retval(XDR *xdrsp, caddr_t cp) > static void > cleanup_term(int signo __unused) > { >- int i, cnt; >+ int cnt; > > if (im_a_slave) > exit(0); >@@ -693,17 +665,15 @@ cleanup_term(int signo __unused) > * As the Governor of California might say, "Terminate them". > */ > cnt = 0; >- for (i = 0; i < nfsuserdcnt; i++) { >- if (slaves[i] != (pid_t)-1) { >- cnt++; >- kill(slaves[i], SIGUSR1); >- } >+ if (slavepid != (pid_t)-1) { >+ cnt++; >+ kill(slavepid, SIGUSR1); > } > > /* >- * and wait for them to die >+ * and wait for the slave to die > */ >- for (i = 0; i < cnt; i++) >+ if (cnt > 0) > wait3(NULL, 0, NULL); > > /* >@@ -721,5 +691,5 @@ usage(void) > { > > errx(1, >- "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [n]"); >+ "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name]"); > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=183835">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 205193
:
164098
|
164099
|
164134
|
183835
|
202117