1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2014 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26 /* 27 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 28 * Use is subject to license terms. 29 */ 30 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <sys/types.h> 34 #include <string.h> 35 #include <sys/param.h> 36 #include <sys/stat.h> 37 #include <sys/file.h> 38 #include <sys/time.h> 39 #include <sys/errno.h> 40 #include <rpcsvc/mount.h> 41 #include <sys/pathconf.h> 42 #include <sys/systeminfo.h> 43 #include <sys/utsname.h> 44 #include <arpa/inet.h> 45 #include <signal.h> 46 #include <syslog.h> 47 #include <locale.h> 48 #include <unistd.h> 49 #include <thread.h> 50 #include <netdir.h> 51 #include <nfs/auth.h> 52 #include <sharefs/share.h> 53 #include <alloca.h> 54 #include "../lib/sharetab.h" 55 #include "mountd.h" 56 57 static void 58 nfsauth_access(auth_req *argp, auth_res *result) 59 { 60 struct netconfig *nconf; 61 struct nd_hostservlist *clnames = NULL; 62 struct netbuf nbuf; 63 struct share *sh; 64 char tmp[MAXIPADDRLEN]; 65 char *host = NULL; 66 67 result->auth_perm = NFSAUTH_DENIED; 68 69 /* 70 * Convert the client's address to a hostname 71 */ 72 nconf = getnetconfigent(argp->req_netid); 73 if (nconf == NULL) { 74 syslog(LOG_ERR, "No netconfig entry for %s", argp->req_netid); 75 return; 76 } 77 78 nbuf.len = argp->req_client.n_len; 79 nbuf.buf = argp->req_client.n_bytes; 80 81 if (nbuf.len == 0 || nbuf.buf == NULL) 82 goto done; 83 84 if (netdir_getbyaddr(nconf, &clnames, &nbuf)) { 85 host = &tmp[0]; 86 if (strcmp(nconf->nc_protofmly, NC_INET) == 0) { 87 struct sockaddr_in *sa; 88 89 /* LINTED pointer alignment */ 90 sa = (struct sockaddr_in *)nbuf.buf; 91 (void) inet_ntoa_r(sa->sin_addr, tmp); 92 } else if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { 93 struct sockaddr_in6 *sa; 94 /* LINTED pointer */ 95 sa = (struct sockaddr_in6 *)nbuf.buf; 96 (void) inet_ntop(AF_INET6, sa->sin6_addr.s6_addr, 97 tmp, INET6_ADDRSTRLEN); 98 } 99 clnames = anon_client(host); 100 } 101 /* 102 * Both netdir_getbyaddr() and anon_client() can return a NULL 103 * clnames. This has been seen when the DNS entry for the client 104 * name does not have the correct format or a reverse lookup DNS 105 * entry cannot be found for the client's IP address. 106 */ 107 if (clnames == NULL) { 108 syslog(LOG_ERR, "Could not find DNS entry for %s", 109 argp->req_netid); 110 goto done; 111 } 112 113 /* 114 * Now find the export 115 */ 116 sh = findentry(argp->req_path); 117 if (sh == NULL) { 118 syslog(LOG_ERR, "%s not exported", argp->req_path); 119 goto done; 120 } 121 122 result->auth_perm = check_client(sh, &nbuf, clnames, argp->req_flavor, 123 argp->req_clnt_uid, argp->req_clnt_gid, argp->req_clnt_gids.len, 124 argp->req_clnt_gids.val, &result->auth_srv_uid, 125 &result->auth_srv_gid, &result->auth_srv_gids.len, 126 &result->auth_srv_gids.val); 127 128 sharefree(sh); 129 130 if (result->auth_perm == NFSAUTH_DENIED) { 131 syslog(LOG_ERR, "%s denied access to %s", 132 clnames->h_hostservs[0].h_host, argp->req_path); 133 } 134 135 done: 136 freenetconfigent(nconf); 137 if (clnames) 138 netdir_free(clnames, ND_HOSTSERVLIST); 139 } 140 141 void 142 nfsauth_func(void *cookie, char *dataptr, size_t arg_size, 143 door_desc_t *dp, uint_t n_desc) 144 145 { 146 nfsauth_arg_t *ap; 147 nfsauth_res_t res = {0}; 148 XDR xdrs_a; 149 XDR xdrs_r; 150 size_t rbsz; 151 caddr_t rbuf; 152 varg_t varg = {0}; 153 154 /* 155 * Decode the inbound door data, so we can look at the cmd. 156 */ 157 xdrmem_create(&xdrs_a, dataptr, arg_size, XDR_DECODE); 158 if (!xdr_varg(&xdrs_a, &varg)) { 159 /* 160 * If the arguments can't be decoded, bail. 161 */ 162 if (varg.vers == V_ERROR) 163 syslog(LOG_ERR, gettext("Arg version mismatch")); 164 res.stat = NFSAUTH_DR_DECERR; 165 goto encres; 166 } 167 168 /* 169 * Now set the args pointer to the proper version of the args 170 */ 171 switch (varg.vers) { 172 case V_PROTO: 173 ap = &varg.arg_u.arg; 174 break; 175 176 /* Additional arguments versions go here */ 177 178 default: 179 syslog(LOG_ERR, gettext("Invalid args version")); 180 res.stat = NFSAUTH_DR_DECERR; 181 goto encres; 182 } 183 184 /* 185 * Call the specified cmd 186 */ 187 switch (ap->cmd) { 188 case NFSAUTH_ACCESS: 189 nfsauth_access(&ap->areq, &res.ares); 190 res.stat = NFSAUTH_DR_OKAY; 191 break; 192 default: 193 res.stat = NFSAUTH_DR_BADCMD; 194 break; 195 } 196 197 encres: 198 /* 199 * Free space used to decode the args 200 */ 201 xdr_free(xdr_varg, (char *)&varg); 202 xdr_destroy(&xdrs_a); 203 204 /* 205 * Encode the results before passing thru door. 206 */ 207 rbsz = xdr_sizeof(xdr_nfsauth_res, &res); 208 if (rbsz == 0) 209 goto failed; 210 rbuf = alloca(rbsz); 211 212 xdrmem_create(&xdrs_r, rbuf, rbsz, XDR_ENCODE); 213 if (!xdr_nfsauth_res(&xdrs_r, &res)) { 214 xdr_destroy(&xdrs_r); 215 failed: 216 xdr_free(xdr_nfsauth_res, (char *)&res); 217 /* 218 * return only the status code 219 */ 220 res.stat = NFSAUTH_DR_EFAIL; 221 rbsz = sizeof (uint_t); 222 rbuf = (caddr_t)&res.stat; 223 224 goto out; 225 } 226 xdr_destroy(&xdrs_r); 227 xdr_free(xdr_nfsauth_res, (char *)&res); 228 229 out: 230 (void) door_return((char *)rbuf, rbsz, NULL, 0); 231 (void) door_return(NULL, 0, NULL, 0); 232 /* NOTREACHED */ 233 } 234