2 * Copyright (c) 2009 Rick Macklem, University of Guelph
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/param.h>
32 #include <sys/errno.h>
33 #include <sys/linker.h>
34 #include <sys/module.h>
35 #include <sys/mount.h>
36 #include <sys/socket.h>
37 #include <sys/socketvar.h>
39 #include <sys/ucred.h>
40 #include <sys/vnode.h>
43 #include <nfs/nfssvc.h>
47 #include <fs/nfs/rpcv2.h>
48 #include <fs/nfs/nfsproto.h>
49 #include <fs/nfs/nfskpiport.h>
50 #include <fs/nfs/nfs.h>
65 * This program loads the password and group databases into the kernel
69 static void cleanup_term(int);
70 static void usage(void);
71 static void nfsuserdsrv(struct svc_req *, SVCXPRT *);
72 static bool_t xdr_getid(XDR *, caddr_t);
73 static bool_t xdr_getname(XDR *, caddr_t);
74 static bool_t xdr_retval(XDR *, caddr_t);
77 #define MAXNFSUSERD 20
79 #define MAXUSERMAX 100000
81 #define DEFUSERMAX 200
82 #define DEFUSERTIMEOUT (1 * 60)
86 char name[MAXNAME + 1];
89 u_char *dnsname = "default.domain";
90 u_char *defaultuser = "nobody";
91 uid_t defaultuid = 65534;
92 u_char *defaultgroup = "nogroup";
93 gid_t defaultgid = 65533;
94 int verbose = 0, im_a_slave = 0, nfsuserdcnt = -1, forcestart = 0;
95 int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0;
96 pid_t slaves[MAXNFSUSERD];
99 main(int argc, char *argv[])
102 int error, fnd_dup, len, mustfreeai = 0, start_uidpos;
103 struct nfsd_idargs nid;
110 char hostname[MAXHOSTNAMELEN + 1], *cp;
111 struct addrinfo *aip, hints;
112 static uid_t check_dups[MAXUSERMAX];
116 if (modfind("nfscommon") < 0) {
117 /* Not present in kernel, try loading it */
118 if (kldload("nfscommon") < 0 ||
119 modfind("nfscommon") < 0)
120 errx(1, "Experimental nfs subsystem is not available");
124 * First, figure out what our domain name and Kerberos Realm
125 * seem to be. Command line args may override these later.
127 if (gethostname(hostname, MAXHOSTNAMELEN) == 0) {
128 if ((cp = strchr(hostname, '.')) != NULL &&
132 memset((void *)&hints, 0, sizeof (hints));
133 hints.ai_flags = AI_CANONNAME;
134 error = getaddrinfo(hostname, NULL, &hints, &aip);
136 if (aip->ai_canonname != NULL &&
137 (cp = strchr(aip->ai_canonname, '.')) != NULL
138 && *(cp + 1) != '\0') {
147 nid.nid_usermax = DEFUSERMAX;
148 nid.nid_usertimeout = defusertimeout;
153 if (!strcmp(*argv, "-domain")) {
158 strncpy(hostname, *argv, MAXHOSTNAMELEN);
159 hostname[MAXHOSTNAMELEN] = '\0';
161 } else if (!strcmp(*argv, "-verbose")) {
163 } else if (!strcmp(*argv, "-force")) {
165 } else if (!strcmp(*argv, "-manage-gids")) {
167 } else if (!strcmp(*argv, "-usermax")) {
173 if (i < MINUSERMAX || i > MAXUSERMAX) {
175 "usermax %d out of range %d<->%d\n", i,
176 MINUSERMAX, MAXUSERMAX);
180 } else if (!strcmp(*argv, "-usertimeout")) {
186 if (i < 0 || i > 100000) {
188 "usertimeout %d out of range 0<->100000\n",
192 nid.nid_usertimeout = defusertimeout = i * 60;
193 } else if (nfsuserdcnt == -1) {
194 nfsuserdcnt = atoi(*argv);
197 if (nfsuserdcnt > MAXNFSUSERD) {
198 warnx("nfsuserd count %d; reset to %d",
199 nfsuserdcnt, DEFNFSUSERD);
200 nfsuserdcnt = DEFNFSUSERD;
209 nfsuserdcnt = DEFNFSUSERD;
212 * Strip off leading and trailing '.'s in domain name and map
213 * alphabetics to lower case.
215 while (*dnsname == '.')
217 if (*dnsname == '\0')
218 errx(1, "Domain name all '.'");
219 len = strlen(dnsname);
220 cp = dnsname + len - 1;
226 for (i = 0; i < len; i++) {
227 if (!isascii(dnsname[i]))
228 errx(1, "Domain name has non-ascii char");
229 if (isupper(dnsname[i]))
230 dnsname[i] = tolower(dnsname[i]);
234 * If the nfsuserd died off ungracefully, this is necessary to
235 * get them to start again.
237 if (forcestart && nfssvc(NFSSVC_NFSUSERDDELPORT, NULL) < 0)
238 errx(1, "Can't do nfssvc() to delete the port");
242 "nfsuserd: domain=%s usermax=%d usertimeout=%d\n",
243 dnsname, nid.nid_usermax, nid.nid_usertimeout);
245 for (i = 0; i < nfsuserdcnt; i++)
246 slaves[i] = (pid_t)-1;
249 * Set up the service port to accept requests via UDP from
250 * localhost (127.0.0.1).
252 if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
253 err(1, "cannot create udp socket");
256 * Not sure what this does, so I'll leave it here for now.
258 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
260 if ((udptransp = svcudp_create(sock)) == NULL)
261 err(1, "Can't set up socket");
264 * By not specifying a protocol, it is linked into the
265 * dispatch queue, but not registered with portmapper,
266 * which is just what I want.
268 if (!svc_register(udptransp, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS,
270 err(1, "Can't register nfsuserd");
273 * Tell the kernel what my port# is.
275 portnum = htons(udptransp->xp_port);
277 printf("portnum=0x%x\n", portnum);
279 if (nfssvc(NFSSVC_NFSUSERDPORT, (caddr_t)&portnum) < 0) {
280 if (errno == EPERM) {
282 "Can't start nfsuserd when already running");
284 " If not running, use the -force option.\n");
286 fprintf(stderr, "Can't do nfssvc() to add port\n");
292 pwd = getpwnam(defaultuser);
294 nid.nid_uid = pwd->pw_uid;
296 nid.nid_uid = defaultuid;
297 grp = getgrnam(defaultgroup);
299 nid.nid_gid = grp->gr_gid;
301 nid.nid_gid = defaultgid;
302 nid.nid_name = dnsname;
303 nid.nid_namelen = strlen(nid.nid_name);
306 nid.nid_flag = NFSID_INITIALIZE;
308 printf("Initialize uid=%d gid=%d dns=%s\n", nid.nid_uid, nid.nid_gid,
311 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
313 errx(1, "Can't initialize nfs user/groups");
318 * Loop around adding all groups.
321 while (i < nid.nid_usermax && (grp = getgrent())) {
322 nid.nid_gid = grp->gr_gid;
323 nid.nid_name = grp->gr_name;
324 nid.nid_namelen = strlen(grp->gr_name);
327 nid.nid_flag = NFSID_ADDGID;
329 printf("add gid=%d name=%s\n", nid.nid_gid, nid.nid_name);
331 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
333 errx(1, "Can't add group %s", grp->gr_name);
340 * Loop around adding all users.
344 while (i < nid.nid_usermax && (pwd = getpwent())) {
347 * Yes, this is inefficient, but it is only done once when
348 * the daemon is started and will run in a fraction of a second
349 * for nid_usermax at 10000. If nid_usermax is cranked up to
350 * 100000, it will take several seconds, depending on the CPU.
352 for (j = 0; j < (i - start_uidpos); j++)
353 if (check_dups[j] == pwd->pw_uid) {
354 /* Found another entry for uid, so skip it */
360 check_dups[i - start_uidpos] = pwd->pw_uid;
361 nid.nid_uid = pwd->pw_uid;
362 nid.nid_name = pwd->pw_name;
363 nid.nid_namelen = strlen(pwd->pw_name);
364 if (manage_gids != 0) {
365 /* Get the group list for this user. */
367 if (getgrouplist(pwd->pw_name, pwd->pw_gid, grps,
369 syslog(LOG_ERR, "Group list too small");
370 nid.nid_ngroup = ngroup;
376 nid.nid_flag = NFSID_ADDUID;
378 printf("add uid=%d name=%s\n", nid.nid_uid, nid.nid_name);
380 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
382 errx(1, "Can't add user %s", pwd->pw_name);
389 * I should feel guilty for not calling this for all the above exit()
390 * upon error cases, but I don't.
399 * Temporarily block SIGUSR1 and SIGCHLD, so slaves[] can't
402 sigemptyset(&signew);
403 sigaddset(&signew, SIGUSR1);
404 sigaddset(&signew, SIGCHLD);
405 sigprocmask(SIG_BLOCK, &signew, NULL);
408 (void)signal(SIGHUP, SIG_IGN);
409 (void)signal(SIGINT, SIG_IGN);
410 (void)signal(SIGQUIT, SIG_IGN);
411 (void)signal(SIGTERM, SIG_IGN);
412 (void)signal(SIGUSR1, cleanup_term);
413 (void)signal(SIGCHLD, cleanup_term);
415 openlog("nfsuserd:", LOG_PID, LOG_DAEMON);
418 * Fork off the slave daemons that do the work. All the master
419 * does is kill them off and cleanup.
421 for (i = 0; i < nfsuserdcnt; i++) {
423 if (slaves[i] == 0) {
425 setproctitle("slave");
426 sigemptyset(&signew);
427 sigaddset(&signew, SIGUSR1);
428 sigprocmask(SIG_UNBLOCK, &signew, NULL);
434 syslog(LOG_ERR, "nfsuserd died: %m");
436 } else if (slaves[i] < 0) {
437 syslog(LOG_ERR, "fork: %m");
442 * Just wait for SIGUSR1 or a child to die and then...
443 * As the Governor of California would say, "Terminate them".
445 setproctitle("master");
446 sigemptyset(&signew);
452 * The nfsuserd rpc service
455 nfsuserdsrv(struct svc_req *rqstp, SVCXPRT *transp)
462 struct nfsd_idargs nid;
468 * Only handle requests from 127.0.0.1 on a reserved port number.
469 * (Since a reserved port # at localhost implies a client with
470 * local root, there won't be a security breach. This is about
471 * the only case I can think of where a reserved port # means
474 sport = ntohs(transp->xp_raddr.sin_port);
475 saddr = ntohl(transp->xp_raddr.sin_addr.s_addr);
476 if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) ||
477 saddr != 0x7f000001) {
478 syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport);
479 svcerr_weakauth(transp);
482 switch (rqstp->rq_proc) {
484 if (!svc_sendreply(transp, (xdrproc_t)xdr_void, NULL))
485 syslog(LOG_ERR, "Can't send reply");
487 case RPCNFSUSERD_GETUID:
488 if (!svc_getargs(transp, (xdrproc_t)xdr_getid,
490 svcerr_decode(transp);
493 pwd = getpwuid((uid_t)info.id);
496 nid.nid_usertimeout = defusertimeout;
497 nid.nid_uid = pwd->pw_uid;
498 nid.nid_name = pwd->pw_name;
499 if (manage_gids != 0) {
500 /* Get the group list for this user. */
502 if (getgrouplist(pwd->pw_name, pwd->pw_gid,
504 syslog(LOG_ERR, "Group list too small");
505 nid.nid_ngroup = ngroup;
512 nid.nid_usertimeout = 5;
513 nid.nid_uid = (uid_t)info.id;
514 nid.nid_name = defaultuser;
518 nid.nid_namelen = strlen(nid.nid_name);
519 nid.nid_flag = NFSID_ADDUID;
520 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
523 syslog(LOG_ERR, "Can't add user %s\n", pwd->pw_name);
524 } else if (verbose) {
525 syslog(LOG_ERR,"Added uid=%d name=%s\n",
526 nid.nid_uid, nid.nid_name);
528 if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
530 syslog(LOG_ERR, "Can't send reply");
532 case RPCNFSUSERD_GETGID:
533 if (!svc_getargs(transp, (xdrproc_t)xdr_getid,
535 svcerr_decode(transp);
538 grp = getgrgid((gid_t)info.id);
541 nid.nid_usertimeout = defusertimeout;
542 nid.nid_gid = grp->gr_gid;
543 nid.nid_name = grp->gr_name;
545 nid.nid_usertimeout = 5;
546 nid.nid_gid = (gid_t)info.id;
547 nid.nid_name = defaultgroup;
549 nid.nid_namelen = strlen(nid.nid_name);
552 nid.nid_flag = NFSID_ADDGID;
553 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
556 syslog(LOG_ERR, "Can't add group %s\n",
558 } else if (verbose) {
559 syslog(LOG_ERR,"Added gid=%d name=%s\n",
560 nid.nid_gid, nid.nid_name);
562 if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
564 syslog(LOG_ERR, "Can't send reply");
566 case RPCNFSUSERD_GETUSER:
567 if (!svc_getargs(transp, (xdrproc_t)xdr_getname,
569 svcerr_decode(transp);
572 pwd = getpwnam(info.name);
575 nid.nid_usertimeout = defusertimeout;
576 nid.nid_uid = pwd->pw_uid;
577 nid.nid_name = pwd->pw_name;
579 nid.nid_usertimeout = 5;
580 nid.nid_uid = defaultuid;
581 nid.nid_name = info.name;
583 nid.nid_namelen = strlen(nid.nid_name);
586 nid.nid_flag = NFSID_ADDUSERNAME;
587 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
590 syslog(LOG_ERR, "Can't add user %s\n", pwd->pw_name);
591 } else if (verbose) {
592 syslog(LOG_ERR,"Added uid=%d name=%s\n",
593 nid.nid_uid, nid.nid_name);
595 if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
597 syslog(LOG_ERR, "Can't send reply");
599 case RPCNFSUSERD_GETGROUP:
600 if (!svc_getargs(transp, (xdrproc_t)xdr_getname,
602 svcerr_decode(transp);
605 grp = getgrnam(info.name);
608 nid.nid_usertimeout = defusertimeout;
609 nid.nid_gid = grp->gr_gid;
610 nid.nid_name = grp->gr_name;
612 nid.nid_usertimeout = 5;
613 nid.nid_gid = defaultgid;
614 nid.nid_name = info.name;
616 nid.nid_namelen = strlen(nid.nid_name);
619 nid.nid_flag = NFSID_ADDGROUPNAME;
620 error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
623 syslog(LOG_ERR, "Can't add group %s\n",
625 } else if (verbose) {
626 syslog(LOG_ERR,"Added gid=%d name=%s\n",
627 nid.nid_gid, nid.nid_name);
629 if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
631 syslog(LOG_ERR, "Can't send reply");
634 svcerr_noproc(transp);
640 * Xdr routine to get an id number
643 xdr_getid(XDR *xdrsp, caddr_t cp)
645 struct info *ifp = (struct info *)cp;
647 return (xdr_long(xdrsp, &ifp->id));
651 * Xdr routine to get a user name
654 xdr_getname(XDR *xdrsp, caddr_t cp)
656 struct info *ifp = (struct info *)cp;
659 if (!xdr_long(xdrsp, &len))
663 if (!xdr_opaque(xdrsp, ifp->name, len))
665 ifp->name[len] = '\0';
670 * Xdr routine to return the value.
673 xdr_retval(XDR *xdrsp, caddr_t cp)
675 struct info *ifp = (struct info *)cp;
679 return (xdr_long(xdrsp, &val));
683 * cleanup_term() called via SIGUSR1.
686 cleanup_term(int signo __unused)
694 * Ok, so I'm the master.
695 * As the Governor of California might say, "Terminate them".
698 for (i = 0; i < nfsuserdcnt; i++) {
699 if (slaves[i] != (pid_t)-1) {
701 kill(slaves[i], SIGUSR1);
706 * and wait for them to die
708 for (i = 0; i < cnt; i++)
709 wait3(NULL, 0, NULL);
712 * Finally, get rid of the socket
714 if (nfssvc(NFSSVC_NFSUSERDDELPORT, NULL) < 0) {
715 syslog(LOG_ERR, "Can't do nfssvc() to delete the port\n");
726 "usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [n]");
projects / FreeBSD / FreeBSD.git / blob