.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/
.\" Authors: Doug Rabson <dfr@rabson.org>
.\" Developed with Red Inc: Alfred Perlstein <alfred@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem.
.Dd May 17, 2022
.Dt RPC.TLSSERVD 8
.Os
.Sh NAME
.Nm rpc.tlsservd
.Nd "Sun RPC over TLS Server Daemon"
.Sh SYNOPSIS
.Nm
.Op Fl C Ar available_ciphers
.Op Fl D Ar certdir
.Op Fl d
.Op Fl h
.Op Fl l Ar CAfile
.Op Fl m
.Op Fl n Ar domain
.Op Fl p Ar CApath
.Op Fl r Ar CRLfile
.Op Fl u
.Op Fl v
.Op Fl W
.Op Fl w
.Sh DESCRIPTION
The
.Nm
program provides support for the server side of the kernel Sun RPC over TLS
implementation.
This daemon must be running to allow the kernel RPC to perform the TLS
handshake after a TCP client has sent the STARTTLS Null RPC request to
the server.
This daemon requires that the kernel be built with
.Dq options KERNEL_TLS
and be running on an architecture such as
.Dq amd64
that supports a direct map (not i386) with
.Xr ktls 4
enabled.
Note that the
.Fl tls
option in the
.Xr exports 5
file specifies that the client must use RPC over TLS.
The
.Fl tlscert
option in the
.Xr exports 5
file specifies that the client must provide a certificate
that verifies.
The
.Fl tlscertuser
option in the
.Xr exports 5
file specifies that the client must provide a certificate
that verifies and has an otherName:1.3.6.1.4.1.2238.1.1.1;UTF8: field of
subjectAltName of the form
.Dq user@domain
where
.Dq domain
matches the one for this server and
.Dq user
is a valid user name that maps to a <uid, gid_list>.
For the latter two cases, the
.Fl m
and either the
.Fl l
or
.Fl p
options must be specified.
The
.Fl tlscertuser
option also requires that the
.Fl u
option on this daemon be specified.
.Pp
Also, if the IP address used by the client cannot be trusted,
the rules in
.Xr exports 5
cannot be applied safely.
As such, the
.Fl h
option can be used along with
.Fl m
and either the
.Fl l
or
.Fl p
options to require that the client certificate have the correct
Fully Qualified Domain Name (FQDN) in it.
.Pp
A certificate and associated key must exist in /etc/rpc.tlsservd
(or the
.Dq certdir
specified by the
.Fl D
option)
in files named
.Dq cert.pem
and
.Dq certkey.pem .
.Pp
If a SIGHUP signal is sent to the daemon it will reload the
.Dq CRLfile
and will shut down any extant connections that presented certificates
during TLS handshake that have been revoked.
If the
.Fl r
option was not specified, the SIGHUP signal will be ignored.
.Pp
The daemon will log failed certificate verifications via
.Xr syslogd 8
using LOG_INFO | LOG_DAEMON when the
.Fl m
option has been specified.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl C Ar available_ciphers , Fl Fl ciphers= Ns Ar available_ciphers
Specify which ciphers are available during TLS handshake.
If this option is specified,
.Dq SSL_CTX_set_ciphersuites()
will be called with
.Dq available_ciphers
as the argument.
If this option is not specified, the cipher will be chosen by
.Xr ssl 7 ,
which should be adequate for most cases.
The format for the available ciphers is a simple
.So
:
.Sc
separated list, in order of preference.
The command
.Dq openssl ciphers -s -tls1_3
lists available ciphers.
.It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir
Use
.Dq certdir
instead of /etc/rpc.tlsservd as the location for the
certificate in a file called
.Dq cert.pem
and associated key in
.Dq certkey.pem .
.It Fl d , Fl Fl debuglevel
Run in debug mode.
In this mode,
.Nm
will not fork when it starts.
.It Fl h , Fl Fl checkhost
This option specifies that the client must provide a certificate
that both verifies and has a FQDN that matches the reverse
DNS name for the IP address that
the client uses to connect to the server.
The FQDN should be
in the DNS field of the subjectAltName, but is also allowed
to be in the CN field of the
subjectName in the certificate.
By default, a wildcard "*" in the FQDN is not allowed.
With this option, a failure to verify the client certificate
or match the FQDN will result in the
server sending AUTH_REJECTEDCRED replies to all client RPCs.
This option requires the
.Fl m
and either the
.Fl l
or
.Fl p
options.
.It Fl l Ar CAfile , Fl Fl verifylocs= Ns Ar CAfile
This option specifies the path name of a CA certificate(s) file
in pem format, which is used to verify client certificates and to
set the list of CA(s) sent to the client so that it knows which
certificate to send to the server during the TLS handshake.
This path name is used in
.Dq SSL_CTX_load_verify_locations(ctx,CAfile,NULL)
and
.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile))
openssl library calls.
Note that this is a path name for the file and is not assumed to be
in
.Dq certdir .
Either this option or the
.Fl p
option must be specified when the
.Fl m
option is specified so that the daemon can verify the client's
certificate.
.It Fl m , Fl Fl mutualverf
This option specifies that the server is to request a certificate
from the client during the TLS handshake.
It does not require that the client provide a certificate.
It should be specified unless no client doing RPC over TLS is
required to have a certificate.
For NFS, either the
.Xr exports 5
option
.Fl tlscert
or
.Fl tlscertuser
may be used to require a client to provide a certificate
that verifies.
See
.Xr exports 5 .
.It Fl n Ar domain , Fl Fl domain= Ns Ar domain
This option specifies what the
.Dq domain
is for use with the
.Fl u
option, overriding the domain taken from the
.Xr gethostname 2
of the server this daemon is running on.
If you have specified the
.Fl domain
command line option for
.Xr nfsuserd 8
then you should specify this option with the same
.Dq domain
that was specified for
.Xr nfsuserd 8 .
This option is only meaningful when used with the
.Fl u
option.
.It Fl p Ar CApath , Fl Fl verifydir= Ns Ar CApath
This option is similar to the
.Fl l
option, but specifies the path of a directory with CA
certificates in it.
When this option is used,
.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file())
is not called, so a list of CA names might not be passed
to the client during the TLS handshake.
.It Fl r Ar CRLfile , Fl Fl crl= Ns Ar CRLfile
This option specifies a Certificate Revocation List (CRL) file
that is to be loaded into the verify certificate store and
checked during verification.
This option is only meaningful when either the
.Fl l
or
.Fl p
option has been specified.
.It Fl u , Fl Fl certuser
This option specifies that if the client provides a certificate
that both verifies and has a subjectAltName with an otherName
component of the form
.Dq otherName:1.3.6.1.4.1.2238.1.1.1;UTF8:user@domain
where
.Dq domain
matches the one for this server,
then the daemon will attempt to map
.Dq user
in the above
to a user credential <uid, gid_list>.
There should only be one of these otherName components for each
.Dq domain .
If
.Dq user
is a valid username in the password database,
then the <uid, gid_list> for
.Dq user
will be used for all
RPCs on the mount instead of the credentials in the RPC request
header.
This option requires the
.Fl m
and either the
.Fl l
or
.Fl p
options.
Use of this option might not conform to RFC-NNNN, which does
not allow certificates to be used for user authentication.
.It Fl v , Fl Fl verbose
Run in verbose mode.
In this mode,
.Nm
will log activity messages to
.Xr syslogd 8
using LOG_INFO | LOG_DAEMON or to
stderr, if the
.Fl d
option has also been specified.
.It Fl W , Fl Fl multiwild
This option is used with the
.Fl h
option to allow use of a wildcard
.Dq *
that matches multiple
components of the reverse DNS name for the client's IP
address.
For example, the FQDN
.Dq *.uoguelph.ca
would match both
.Dq laptop21.uoguelph.ca
and
.Dq laptop3.cis.uoguelph.ca .
.It Fl w , Fl Fl singlewild
Similar to
.Fl W
but allows the wildcard
.Dq *
to match a single component of the reverse DNS name.
For example, the FQDN
.Dq *.uoguelph.ca
would match
.Dq laptop21.uoguelph.ca
but not
.Dq laptop3.cis.uoguelph.ca .
Only one of the
.Fl W
and
.Fl w
options is allowed.
.El
.Sh EXIT STATUS
.Ex -std
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr ktls 4 ,
.Xr exports 5 ,
.Xr ssl 7 ,
.Xr mount_nfs 8 ,
.Xr nfsuserd 8 ,
.Xr rpc.tlsclntd 8 ,
.Xr syslogd 8
.Sh STANDARDS
The implementation is based on the specification in
.Rs
.%B "RFC NNNN"
.%T "Towards Remote Procedure Call Encryption By Default"
.Re
.Sh HISTORY
The
.Nm
manual page first appeared in
.Fx 13.0 .
.Sh BUGS
This daemon cannot be safely shut down and restarted if there are
any active RPC-over-TLS connections.
Doing so will orphan the KERNEL_TLS connections, so that they
can no longer do upcalls successfully, since the
.Dq SSL *
structures in userspace have been lost.
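The host name comparison described for the -h, -W and -w options can be sketched as follows. This is an added example, not code from rpc.tlsservd; the names fqdn_matches and wild_mode, the case-insensitive comparison and the restriction of "*" to a leading "*." label are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for the default (-h alone), -w and -W behaviours. */
enum wild_mode { WILD_NONE, WILD_SINGLE, WILD_MULTI };

/*
 * Return 1 if cert_name (FQDN taken from the client certificate) matches
 * rdns_name (reverse DNS name of the client's IP address), otherwise 0.
 * Assumptions: case is ignored; "*" is valid only as a leading "*." label.
 */
int
fqdn_matches(const char *cert_name, const char *rdns_name, enum wild_mode mode)
{
	const char *suffix;
	size_t rlen, slen, plen;

	if (cert_name == NULL || rdns_name == NULL ||
	    cert_name[0] == '\0' || rdns_name[0] == '\0')
		return (0);
	/* No wildcard in the certificate name: exact match only. */
	if (strchr(cert_name, '*') == NULL)
		return (strcasecmp(cert_name, rdns_name) == 0);
	/* Default: a certificate name containing "*" is rejected. */
	if (mode == WILD_NONE)
		return (0);
	if (cert_name[0] != '*' || cert_name[1] != '.' ||
	    strchr(cert_name + 1, '*') != NULL)
		return (0);
	suffix = cert_name + 1;		/* e.g. ".uoguelph.ca" */
	slen = strlen(suffix);
	rlen = strlen(rdns_name);
	if (slen < 2 || rlen <= slen)	/* "*" must stand for something */
		return (0);
	if (strcasecmp(rdns_name + (rlen - slen), suffix) != 0)
		return (0);
	plen = rlen - slen;		/* length of the text "*" stands for */
	if (rdns_name[0] == '.' || rdns_name[plen - 1] == '.')
		return (0);		/* empty component */
	/* -w: "*" covers exactly one component, so it may not contain a dot. */
	if (mode == WILD_SINGLE && memchr(rdns_name, '.', plen) != NULL)
		return (0);
	return (1);			/* -W: one or more components */
}

int
main(void)
{
	const char *pat = "*.uoguelph.ca", *host = "laptop3.cis.uoguelph.ca";

	printf("-w: %d  -W: %d\n", fqdn_matches(pat, host, WILD_SINGLE),
	    fqdn_matches(pat, host, WILD_MULTI));
	return (0);
}
```

The suffix comparison includes the leading dot, so a name such as "eviluoguelph.ca" does not match "*.uoguelph.ca", and the bare domain "uoguelph.ca" does not match either.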