aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@citi.umich.edu>2007-07-17 07:04:46 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-17 13:23:07 -0400
commit3ab4d8b1215d61736e2a9a26bea7cc2e6b029e3d (patch)
tree6b256e44c4ed5295dfd55eef8641093b91692559 /net
parent0989a7889695831e49e2c53c1884f52645516a90 (diff)
knfsd: nfsd: set rq_client to ip-address-determined-domain
We want it to be possible for users to restrict exports both by IP address and by pseudoflavor. The pseudoflavor information has previously been passed using special auth_domains stored in the rq_client field. After the preceding patch that stored the pseudoflavor in rq_pflavor, that's now superfluous; so now we use rq_client for the ip information, as auth_null and auth_unix do. However, we keep around the special auth_domain in the rq_gssclient field for backwards compatibility purposes, so we can still do upcalls using the old "gss/pseudoflavor" auth_domain if upcalls using the unix domain to give us an appropriate export. This allows us to continue supporting old mountd. In fact, for this first patch, we always use the "gss/pseudoflavor" auth_domain (and only it) if it is available; thus rq_client is ignored in the auth_gss case, and this patch on its own makes no change in behavior; that will be left to later patches. Note on idmap: I'm almost tempted to just replace the auth_domain in the idmap upcall by a dummy value--no version of idmapd has ever used it, and it's unlikely anyone really wants to perform idmapping differently depending on the where the client is (they may want to perform *credential* mapping differently, but that's a different matter--the idmapper just handles id's used in getattr and setattr). But I'm updating the idmapd code anyway, just out of general backwards-compatibility paranoia. Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/sunrpc/auth_gss/svcauth_gss.c21
-rw-r--r--net/sunrpc/svcauth_unix.c4
2 files changed, 21 insertions, 4 deletions
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 7a3e1758bea1..e4b3de08b040 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -913,10 +913,23 @@ svcauth_gss_set_client(struct svc_rqst *rqstp)
913 struct gss_svc_data *svcdata = rqstp->rq_auth_data; 913 struct gss_svc_data *svcdata = rqstp->rq_auth_data;
914 struct rsc *rsci = svcdata->rsci; 914 struct rsc *rsci = svcdata->rsci;
915 struct rpc_gss_wire_cred *gc = &svcdata->clcred; 915 struct rpc_gss_wire_cred *gc = &svcdata->clcred;
916 int stat;
916 917
917 rqstp->rq_client = find_gss_auth_domain(rsci->mechctx, gc->gc_svc); 918 /*
918 if (rqstp->rq_client == NULL) 919 * A gss export can be specified either by:
920 * export *(sec=krb5,rw)
921 * or by
922 * export gss/krb5(rw)
923 * The latter is deprecated; but for backwards compatibility reasons
924 * the nfsd code will still fall back on trying it if the former
925 * doesn't work; so we try to make both available to nfsd, below.
926 */
927 rqstp->rq_gssclient = find_gss_auth_domain(rsci->mechctx, gc->gc_svc);
928 if (rqstp->rq_gssclient == NULL)
919 return SVC_DENIED; 929 return SVC_DENIED;
930 stat = svcauth_unix_set_client(rqstp);
931 if (stat == SVC_DROP)
932 return stat;
920 return SVC_OK; 933 return SVC_OK;
921} 934}
922 935
@@ -1088,7 +1101,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
1088 svc_putnl(resv, GSS_SEQ_WIN); 1101 svc_putnl(resv, GSS_SEQ_WIN);
1089 if (svc_safe_putnetobj(resv, &rsip->out_token)) 1102 if (svc_safe_putnetobj(resv, &rsip->out_token))
1090 goto drop; 1103 goto drop;
1091 rqstp->rq_client = NULL;
1092 } 1104 }
1093 goto complete; 1105 goto complete;
1094 case RPC_GSS_PROC_DESTROY: 1106 case RPC_GSS_PROC_DESTROY:
@@ -1319,6 +1331,9 @@ out_err:
1319 if (rqstp->rq_client) 1331 if (rqstp->rq_client)
1320 auth_domain_put(rqstp->rq_client); 1332 auth_domain_put(rqstp->rq_client);
1321 rqstp->rq_client = NULL; 1333 rqstp->rq_client = NULL;
1334 if (rqstp->rq_gssclient)
1335 auth_domain_put(rqstp->rq_gssclient);
1336 rqstp->rq_gssclient = NULL;
1322 if (rqstp->rq_cred.cr_group_info) 1337 if (rqstp->rq_cred.cr_group_info)
1323 put_group_info(rqstp->rq_cred.cr_group_info); 1338 put_group_info(rqstp->rq_cred.cr_group_info);
1324 rqstp->rq_cred.cr_group_info = NULL; 1339 rqstp->rq_cred.cr_group_info = NULL;
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index d9fdf2e4d242..411479411b21 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -638,7 +638,7 @@ static int unix_gid_find(uid_t uid, struct group_info **gip,
638 } 638 }
639} 639}
640 640
641static int 641int
642svcauth_unix_set_client(struct svc_rqst *rqstp) 642svcauth_unix_set_client(struct svc_rqst *rqstp)
643{ 643{
644 struct sockaddr_in *sin = svc_addr_in(rqstp); 644 struct sockaddr_in *sin = svc_addr_in(rqstp);
@@ -673,6 +673,8 @@ svcauth_unix_set_client(struct svc_rqst *rqstp)
673 return SVC_OK; 673 return SVC_OK;
674} 674}
675 675
676EXPORT_SYMBOL(svcauth_unix_set_client);
677
676static int 678static int
677svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp) 679svcauth_null_accept(struct svc_rqst *rqstp, __be32 *authp)
678{ 680{