xref: /titanic_50/usr/src/cmd/fs.d/nfs/mountd/nfsauth.c (revision 7b07063d906859b2be1e88791f801b3c96e432f6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
24  */
25 
26 /*
27  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
28  * Use is subject to license terms.
29  */
30 
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <sys/types.h>
34 #include <string.h>
35 #include <sys/param.h>
36 #include <sys/stat.h>
37 #include <sys/file.h>
38 #include <sys/time.h>
39 #include <sys/errno.h>
40 #include <rpcsvc/mount.h>
41 #include <sys/pathconf.h>
42 #include <sys/systeminfo.h>
43 #include <sys/utsname.h>
44 #include <arpa/inet.h>
45 #include <signal.h>
46 #include <syslog.h>
47 #include <locale.h>
48 #include <unistd.h>
49 #include <thread.h>
50 #include <netdir.h>
51 #include <nfs/auth.h>
52 #include <sharefs/share.h>
53 #include <alloca.h>
54 #include "../lib/sharetab.h"
55 #include "mountd.h"
56 
57 static void
58 nfsauth_access(auth_req *argp, auth_res *result)
59 {
60 	struct netconfig *nconf;
61 	struct nd_hostservlist *clnames = NULL;
62 	struct netbuf nbuf;
63 	struct share *sh;
64 	char tmp[MAXIPADDRLEN];
65 	char *host = NULL;
66 
67 	result->auth_perm = NFSAUTH_DENIED;
68 
69 	/*
70 	 * Convert the client's address to a hostname
71 	 */
72 	nconf = getnetconfigent(argp->req_netid);
73 	if (nconf == NULL) {
74 		syslog(LOG_ERR, "No netconfig entry for %s", argp->req_netid);
75 		return;
76 	}
77 
78 	nbuf.len = argp->req_client.n_len;
79 	nbuf.buf = argp->req_client.n_bytes;
80 
81 	if (nbuf.len == 0 || nbuf.buf == NULL)
82 		goto done;
83 
84 	if (netdir_getbyaddr(nconf, &clnames, &nbuf)) {
85 		host = &tmp[0];
86 		if (strcmp(nconf->nc_protofmly, NC_INET) == 0) {
87 			struct sockaddr_in *sa;
88 
89 			/* LINTED pointer alignment */
90 			sa = (struct sockaddr_in *)nbuf.buf;
91 			(void) inet_ntoa_r(sa->sin_addr, tmp);
92 		} else if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) {
93 			struct sockaddr_in6 *sa;
94 			/* LINTED pointer */
95 			sa = (struct sockaddr_in6 *)nbuf.buf;
96 			(void) inet_ntop(AF_INET6, sa->sin6_addr.s6_addr,
97 			    tmp, INET6_ADDRSTRLEN);
98 		}
99 		clnames = anon_client(host);
100 	}
101 	/*
102 	 * Both netdir_getbyaddr() and anon_client() can return a NULL
103 	 * clnames.  This has been seen when the DNS entry for the client
104 	 * name does not have the correct format or a reverse lookup DNS
105 	 * entry cannot be found for the client's IP address.
106 	 */
107 	if (clnames == NULL) {
108 		syslog(LOG_ERR, "Could not find DNS entry for %s",
109 		    argp->req_netid);
110 		goto done;
111 	}
112 
113 	/*
114 	 * Now find the export
115 	 */
116 	sh = findentry(argp->req_path);
117 	if (sh == NULL) {
118 		syslog(LOG_ERR, "%s not exported", argp->req_path);
119 		goto done;
120 	}
121 
122 	result->auth_perm = check_client(sh, &nbuf, clnames, argp->req_flavor,
123 	    argp->req_clnt_uid, argp->req_clnt_gid, argp->req_clnt_gids.len,
124 	    argp->req_clnt_gids.val, &result->auth_srv_uid,
125 	    &result->auth_srv_gid, &result->auth_srv_gids.len,
126 	    &result->auth_srv_gids.val);
127 
128 	sharefree(sh);
129 
130 	if (result->auth_perm == NFSAUTH_DENIED) {
131 		syslog(LOG_ERR, "%s denied access to %s",
132 		    clnames->h_hostservs[0].h_host, argp->req_path);
133 	}
134 
135 done:
136 	freenetconfigent(nconf);
137 	if (clnames)
138 		netdir_free(clnames, ND_HOSTSERVLIST);
139 }
140 
141 void
142 nfsauth_func(void *cookie, char *dataptr, size_t arg_size,
143 	door_desc_t *dp, uint_t n_desc)
144 
145 {
146 	nfsauth_arg_t	*ap;
147 	nfsauth_res_t	 res = {0};
148 	XDR		 xdrs_a;
149 	XDR		 xdrs_r;
150 	size_t		 rbsz;
151 	caddr_t		 rbuf;
152 	varg_t		 varg = {0};
153 
154 	/*
155 	 * Decode the inbound door data, so we can look at the cmd.
156 	 */
157 	xdrmem_create(&xdrs_a, dataptr, arg_size, XDR_DECODE);
158 	if (!xdr_varg(&xdrs_a, &varg)) {
159 		/*
160 		 * If the arguments can't be decoded, bail.
161 		 */
162 		if (varg.vers == V_ERROR)
163 			syslog(LOG_ERR, gettext("Arg version mismatch"));
164 		res.stat = NFSAUTH_DR_DECERR;
165 		goto encres;
166 	}
167 
168 	/*
169 	 * Now set the args pointer to the proper version of the args
170 	 */
171 	switch (varg.vers) {
172 	case V_PROTO:
173 		ap = &varg.arg_u.arg;
174 		break;
175 
176 	/* Additional arguments versions go here */
177 
178 	default:
179 		syslog(LOG_ERR, gettext("Invalid args version"));
180 		res.stat = NFSAUTH_DR_DECERR;
181 		goto encres;
182 	}
183 
184 	/*
185 	 * Call the specified cmd
186 	 */
187 	switch (ap->cmd) {
188 	case NFSAUTH_ACCESS:
189 		nfsauth_access(&ap->areq, &res.ares);
190 		res.stat = NFSAUTH_DR_OKAY;
191 		break;
192 	default:
193 		res.stat = NFSAUTH_DR_BADCMD;
194 		break;
195 	}
196 
197 encres:
198 	/*
199 	 * Free space used to decode the args
200 	 */
201 	xdr_free(xdr_varg, (char *)&varg);
202 	xdr_destroy(&xdrs_a);
203 
204 	/*
205 	 * Encode the results before passing thru door.
206 	 */
207 	rbsz = xdr_sizeof(xdr_nfsauth_res, &res);
208 	if (rbsz == 0)
209 		goto failed;
210 	rbuf = alloca(rbsz);
211 
212 	xdrmem_create(&xdrs_r, rbuf, rbsz, XDR_ENCODE);
213 	if (!xdr_nfsauth_res(&xdrs_r, &res)) {
214 		xdr_destroy(&xdrs_r);
215 failed:
216 		xdr_free(xdr_nfsauth_res, (char *)&res);
217 		/*
218 		 * return only the status code
219 		 */
220 		res.stat = NFSAUTH_DR_EFAIL;
221 		rbsz = sizeof (uint_t);
222 		rbuf = (caddr_t)&res.stat;
223 
224 		goto out;
225 	}
226 	xdr_destroy(&xdrs_r);
227 	xdr_free(xdr_nfsauth_res, (char *)&res);
228 
229 out:
230 	(void) door_return((char *)rbuf, rbsz, NULL, 0);
231 	(void) door_return(NULL, 0, NULL, 0);
232 	/* NOTREACHED */
233 }
234