int
main (int argc, char **argv)
{
int nthreads;
int fail;
if (argc > 2)
{
fprintf (stderr, "%s [num-threads]\n", argv[0]);
exit (1);
}
if (argc == 1)
nthreads = 4;
else
nthreads = atoi (argv[1]);
if (!nthreads)
nthreads = 4;
authserver = getauth ();
maptime_map (0, 0, &mapped_time);
main_address.sin_family = AF_INET;
main_address.sin_port = htons (NFS_PORT);
main_address.sin_addr.s_addr = INADDR_ANY;
pmap_address.sin_family = AF_INET;
pmap_address.sin_port = htons (PMAPPORT);
pmap_address.sin_addr.s_addr = INADDR_ANY;
main_udp_socket = socket (PF_INET, SOCK_DGRAM, 0);
pmap_udp_socket = socket (PF_INET, SOCK_DGRAM, 0);
fail = bind (main_udp_socket, (struct sockaddr *)&main_address,
sizeof (struct sockaddr_in));
if (fail)
error (1, errno, "Binding NFS socket");
fail = bind (pmap_udp_socket, (struct sockaddr *)&pmap_address,
sizeof (struct sockaddr_in));
if (fail)
error (1, errno, "Binding PMAP socket");
init_filesystems ();
cthread_detach (cthread_fork ((cthread_fn_t) server_loop,
(any_t)(intptr_t) pmap_udp_socket));
while (nthreads--)
cthread_detach (cthread_fork ((cthread_fn_t) server_loop,
(any_t)(intptr_t) main_udp_socket));
for (;;)
{
sleep (1);
scan_fhs ();
scan_creds ();
scan_replies ();
}
}
void
netfs_init ()
{
netfs_protid_class = ports_create_class (netfs_release_protid, 0);
netfs_control_class = ports_create_class (0, 0);
netfs_port_bucket = ports_create_bucket ();
netfs_auth_server_port = getauth ();
mach_port_allocate (mach_task_self (), MACH_PORT_RIGHT_RECEIVE,
&netfs_fsys_identity);
}
error_t
setup_auth_target (void)
{
static auth_t auth;
static mach_msg_type_name_t authType = MACH_MSG_TYPE_COPY_SEND;
if (MACH_PORT_VALID (auth))
mach_port_deallocate (mach_task_self (), auth);
auth = getauth ();
if (! MACH_PORT_VALID (auth))
return errno;
return setup (auth, authType);
}
// XXX - MAJOR DEADLOCK PROBLEMS HERE
// XXX - should never call getpw* or getgr*
void
sfsserv::sfs_idnums (svccb *sbp)
{
if (!getauth (sbp->getaui ())) {
sbp->reject (AUTH_REJECTEDCRED);
return;
}
::sfs_idnames *argp = sbp->Xtmpl getarg< ::sfs_idnames> ();
::sfs_idnums res = { -1, -1 };
if (argp->uidname.present)
if (struct passwd *p = getpwnam (argp->uidname.name->cstr ()))
res.uid = p->pw_uid;
if (argp->gidname.present)
if (struct group *g = getgrnam (argp->gidname.name->cstr ()))
res.gid = g->gr_gid;
sbp->reply (&res);
}
// XXX - MAJOR DEADLOCK PROBLEMS HERE
// XXX - should never call getpw* or getgr*
void
sfsserv::sfs_idnames (svccb *sbp)
{
if (!getauth (sbp->getaui ())) {
sbp->reject (AUTH_REJECTEDCRED);
return;
}
::sfs_idnums *argp = sbp->Xtmpl getarg< ::sfs_idnums> ();
::sfs_idnames res;
if (argp->uid != -1)
if (struct passwd *p = getpwuid (argp->uid)) {
res.uidname.set_present (true);
*res.uidname.name = p->pw_name;
}
if (argp->gid != -1)
if (struct group *g = getgrgid (argp->gid)) {
res.gidname.set_present (true);
*res.gidname.name = g->gr_name;
}
sbp->reply (&res);
}
error_t
fshelp_start_translator (fshelp_open_fn_t underlying_open_fn,
void *cookie, char *name, char *argz,
int argz_len, int timeout, fsys_t *control)
{
mach_port_t ports[INIT_PORT_MAX];
mach_port_t fds[STDERR_FILENO + 1];
int ints[INIT_INT_MAX];
int i;
error_t err;
for (i = 0; i < INIT_PORT_MAX; i++)
ports[i] = MACH_PORT_NULL;
for (i = 0; i < STDERR_FILENO + 1; i++)
fds[i] = MACH_PORT_NULL;
memset (ints, 0, INIT_INT_MAX * sizeof(int));
ports[INIT_PORT_CWDIR] = getcwdir ();
ports[INIT_PORT_CRDIR] = getcrdir ();
ports[INIT_PORT_AUTH] = getauth ();
fds[STDERR_FILENO] = getdport (STDERR_FILENO);
err = fshelp_start_translator_long (underlying_open_fn, cookie,
name, argz, argz_len,
fds, MACH_MSG_TYPE_COPY_SEND,
STDERR_FILENO + 1,
ports, MACH_MSG_TYPE_COPY_SEND,
INIT_PORT_MAX,
ints, INIT_INT_MAX,
geteuid (),
timeout, control);
for (i = 0; i < INIT_PORT_MAX; i++)
mach_port_deallocate (mach_task_self (), ports[i]);
for (i = 0; i <= STDERR_FILENO; i++)
mach_port_deallocate (mach_task_self (), fds[i]);
return err;
}
PROTO int cmdauthinfo(char *args)
{
char subcmd[17], subcmdargs[65];
USER *newuser;
PROFILE *oldprf;
PROFILE *newprf;
int change_profile;
AUTHRESULT *authres;
sscanf (args, "%16[^\r\n\t ] %64[^\r\n]", subcmd, subcmdargs);
if ( client->authenticated )
return swriteclient(client, MSG_AUTH_TWICE);
if (!strcasecmp(subcmd,"user"))
{
if (client->authenticated && strncmp(client->username, subcmdargs, 64))
return swriteclient (client, MSG_AUTH_TWICE);
if ( client->vhost->AddSuffix[0] != '\0' ) {
snprintf(client->username, MAX_USERPASS-1, "%s@%s", subcmdargs, client->vhost->AddSuffix);
} else {
strncpy(client->username, subcmdargs, MAX_USERPASS-1);
}
} else if ( !strcasecmp(subcmd, "pass") ) {
strncpy(client->password, subcmdargs, MAX_USERPASS-1);
} else {
return swriteclient(client, MSG_AUTH_UNKNOWN);
}
if ( client->username[0] == 0 || client->password[0] == 0 )
return swriteclient(client, MSG_MOREAUTHREQ);
client->auth = getauth(client->username);
if ( (authres=new_authresult(client)) == NULL )
return swriteclient(client, MSG_AUTH_NOMEM);
void (*authmod)() = find_auth_mod(client->auth->auth->lib);
if (!authmod) {
CLEARPASS
syslog(LOG_ERR, "Can't find authmap: %s", client->auth->auth->lib);
swriteclient(client, MSG_AUTH_ERR);
return 0;
}
client->authenticated = 0;
(*authmod)(authres, &cfg, client->auth->auth->args);
CLEARPASS
if ( authres->authenticated == true )
{
semlock_lock(master->semid);
client->authenticated++;
if ( authres->logname != NULL )
strcpy(client->logname, authres->logname);
/* auth module specified profile */
if ( authres->profile != NULL )
{
if ( (newprf = find_user_profile(client->username)) == NULL )
if ( (newprf=getprofile(authres->profile)) == NULL )
{
client->authenticated--;
semlock_unlock(master->semid);
syslog(LOG_ERR, "Missing profile information from authenticator, rejecting user %s",
authres->username);
swriteclient(client, MSG_AUTH_ERR);
free_authresult(authres);
return 0;
}
} else {
newprf = client->auth->profile;
}
PROFILE *p;
if ( (p = prof_iplookup(newprf, client->addr.sin_addr)) != NULL )
newprf = p;
if ( ! nullstr(newprf->Disabled) )
{
client->authenticated--;
semlock_unlock(master->semid);
if ( cfg.LogAuthInfo )
syslog(LOG_NOTICE, "%s: authinfo login: %s result: 480 %s",
client->hostname, authres->username, newprf->Disabled);
return writeclient(client, "482 %s", newprf->Disabled);
}
/* Check and verify we are allowed in our new profile */
change_profile = 0;
oldprf = client->profile;
if ( client->profile != newprf )
{
if ( newprf->connections > newprf->MaxConnections )
{
client->authenticated--;
semlock_unlock(master->semid);
if ( cfg.LogAuthInfo )
syslog(LOG_NOTICE, "%s: authinfo login: %s result: %s",
client->hostname, authres->username, MSG_AUTH_TOOMANYCON);
return swriteclient(client, MSG_AUTH_TOOMANYCON);
}
else if ( newprf->numusers > newprf->MaxUsers )
{
client->authenticated--;
semlock_unlock(master->semid);
if ( cfg.LogAuthInfo )
syslog(LOG_NOTICE, "%s: authinfo login: %s result: %s",
client->hostname, authres->username, MSG_AUTH_TOOMANYUSR);
return swriteclient(client, MSG_AUTH_TOOMANYUSR);
} else {
change_profile = 1;
}
}
/* Find our other connections from this user to see if we are allowed */
newuser = find_user(client->username, newprf);
if ( newuser != client->user && newuser != NULL )
{
if ( newuser->connections > newprf->MaxUserConcurrent )
{
client->authenticated--;
drop_user(newuser->id, newprf);
semlock_unlock(master->semid);
sleep(cfg.RetryDelay);
if ( cfg.LogAuthInfo )
syslog(LOG_NOTICE, "%s: authinfo login: %s result: %s",
client->hostname, authres->username, MSG_AUTH_USERFULL);
free_authresult(authres);
return swriteclient(client, MSG_AUTH_USERFULL);
}
}
if ( newuser == NULL )
syslog(LOG_ERR, "newuser == NULL");
/* check number of different connected hosts from new user */
int maxhosts = newprf->ASMaxHosts;
int maxconns = newprf->ASMaxConns;
if ( maxconns > 0 || maxhosts > 0 ) {
char httpresult[2048];
semlock_unlock(master->semid);
if ( ! check_http_accountsharing(client->username, client->hostname, maxhosts, maxconns, newprf->Name, httpresult) ) {
syslog(LOG_DEBUG, "HTTP account sharing returned false. maxhosts=%d, maxconns=%d, user=%s, host=%s, newprf=%s, result=%s",
maxhosts, maxconns, client->username, client->hostname, newprf->Name, httpresult);
semlock_lock(master->semid);
client->authenticated--;
drop_user(newuser->id, newprf);
semlock_unlock(master->semid);
sleep(cfg.RetryDelay);
free_authresult(authres);
return writeclient(client, "482 %s", httpresult);
}
semlock_lock(master->semid);
}
if ( change_profile == 1 )
{
if ( client->profile->connections == 0 )
syslog(LOG_ERR, "Trying to drop 0 connections profile from auth: %s", client->profile->Name);
else
client->profile->connections--;
client->profile = newprf;
client->profile->connections++;
}
drop_user(client->user->id, oldprf);
client->user = newuser;
client->user->bytesleft = authres->bytes; // client->initbytes;
client->posting = authres->posting;
if ( authres->userkbit > 0 )
client->user->MaxUserBPS = authres->userkbit * 1000 / 8;
else
client->user->MaxUserBPS = client->profile->MaxUserBPS;
if ( authres->timeleft > 0 ) {
client->user->timeleft = authres->timeleft;
}
if ( authres->readpat ) {
strcpy(client->user->readpat, authres->readpat);
}
if ( authres->postpat ) {
strcpy(client->user->postpat, authres->postpat);
}
// syslog(LOG_DEBUG, "%s: assigning-change %s userkey %s", client->hostname, client->profile->Name, client->user->key);
/* init ratelimiter */
init_ratelimiter(client);
semlock_unlock(master->semid);
}
if ( cfg.LogAuthInfo )
syslog(LOG_NOTICE, "%s: authinfo login: %s result: %s",
client->hostname, authres->username, authres->message ? authres->message : "UNKNOWN");
swriteclient(client, authres->message ? authres->message : MSG_AUTH_ERR);
free_authresult(authres);
return 0;
}
int
main(int argc, char *argv[])
{
error_t err;
task_t task;
mach_port_t msgport;
int pid = -1;
auth_t auth = getauth ();
process_t proc = getproc ();
struct ugids ugids = UGIDS_INIT;
int show_eff = 0, show_avail = 0, show_uids = 0, show_gids = 0, terse = 0;
int show_names = 0, show_values = 0;
/* Print the given id vectors, using NAME for the prompt. */
void print_ids (struct idvec *uids, struct idvec *gids, char *name)
{
if (show_uids)
{
if (name && show_gids)
printf ("%s uids: ", name);
else if (show_gids)
printf ("uids: ");
else if (name)
printf ("%s: ", name);
printf ("%s\n",
idvec_uids_rep (uids, show_values, show_names, " "));
}
if (show_gids)
{
if (name && show_uids)
printf ("%s gids: ", name);
else if (show_uids)
printf ("gids: ");
else if (name)
printf ("%s: ", name);
printf ("%s\n", idvec_gids_rep (gids, show_values, show_names, " "));
}
}
/* Parse a command line option. */
error_t parse_opt (int key, char *arg, struct argp_state *state)
{
switch (key)
{
case 'e': show_eff = 1; break;
case 'a': show_avail = 1; break;
case 'u': show_uids = 1; break;
case 'g': show_gids = 1; break;
case 'n': show_names = 1; break;
case 'v': show_values = 1; break;
case 't': terse = 1; break;
case ARGP_KEY_ARG:
if (state->arg_num == 0)
{
pid = atoi (arg);
break;
}
default:
return ARGP_ERR_UNKNOWN;
}
return 0;
}
struct argp argp = {options, parse_opt, args_doc, doc};
argp_parse (&argp, argc, argv, 0, 0, 0);
if (!show_eff && !show_avail)
show_eff = show_avail = 1;
if (!show_uids && !show_gids)
show_uids = show_gids = 1;
if (!show_names && !show_values)
show_names = show_values = 1;
if (pid < 0)
/* We get our parent's authentication instead of our own because this
program is usually installed setuid. This should work even if it's
not installed setuid, using the auth port as authentication to the
msg_get_init_port rpc. */
pid = getppid ();
/* Get a msgport for PID, to which we can send requests. */
err = proc_getmsgport (proc, pid, &msgport);
if (err)
error (5, err, "%d: Cannot get process msgport", pid);
/* Try to get the task port to use as authentication. */
err = proc_pid2task (proc, pid, &task);
/* Now fetch the auth port; if we couldn't get the task port to use for
authentication, we try the (old) auth port instead. */
if (err)
err = msg_get_init_port (msgport, auth, INIT_PORT_AUTH, &auth);
else
err = msg_get_init_port (msgport, task, INIT_PORT_AUTH, &auth);
if (err)
error (6, err, "%d: Cannot get process authentication", pid);
mach_port_deallocate (mach_task_self (), msgport);
mach_port_deallocate (mach_task_self (), task);
/* Get the ids that AUTH represents. */
err = ugids_merge_auth (&ugids, auth);
if (err)
error (10, err, "Cannot get authentication ids");
/* Print them. */
if (terse)
/* Short output format. */
{
/* Since we use ugids_rep to format the output, just clear any fields
we don't want to show. */
if (! show_eff)
{
idvec_clear (&ugids.eff_uids);
idvec_clear (&ugids.eff_gids);
}
if (! show_avail)
{
idvec_clear (&ugids.avail_uids);
idvec_clear (&ugids.avail_gids);
}
if (! show_uids)
{
idvec_clear (&ugids.eff_uids);
idvec_clear (&ugids.avail_uids);
}
if (! show_gids)
{
idvec_clear (&ugids.eff_gids);
idvec_clear (&ugids.avail_gids);
}
printf ("%s\n", ugids_rep (&ugids, show_values, show_names, 0, " ","="));
}
else
/* Long output format */
{
if (show_eff)
print_ids (&ugids.eff_uids, &ugids.eff_gids,
show_avail ? "effective" : 0);
if (show_avail)
print_ids (&ugids.avail_uids, &ugids.avail_gids,
show_eff ? "available" : 0);
}
return 0;
}
