Commit 408b87a0 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] knfsd: NGROUPS fixes

From: Neil Brown <neilb@cse.unsw.edu.au>

Tidy up new groups handling in nfsd.

Set up the group_info structure when decoding the RPC packet instead of in
nfsd.
parent 272c5ac4
...@@ -15,35 +15,21 @@ ...@@ -15,35 +15,21 @@
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
{ {
struct svc_cred *cred = &rqstp->rq_cred; struct svc_cred *cred = &rqstp->rq_cred;
struct group_info *group_info;
int ngroups;
int i; int i;
int ret; int ret;
ngroups = 0;
if (!(exp->ex_flags & NFSEXP_ALLSQUASH)) {
for (i = 0; i < SVC_CRED_NGROUPS; i++) {
if (cred->cr_groups[i] == (gid_t)NOGROUP)
break;
ngroups++;
}
}
group_info = groups_alloc(ngroups);
if (group_info == NULL)
return -ENOMEM;
if (exp->ex_flags & NFSEXP_ALLSQUASH) { if (exp->ex_flags & NFSEXP_ALLSQUASH) {
cred->cr_uid = exp->ex_anon_uid; cred->cr_uid = exp->ex_anon_uid;
cred->cr_gid = exp->ex_anon_gid; cred->cr_gid = exp->ex_anon_gid;
cred->cr_groups[0] = NOGROUP; cred->cr_group_info->ngroups = 0;
} else if (exp->ex_flags & NFSEXP_ROOTSQUASH) { } else if (exp->ex_flags & NFSEXP_ROOTSQUASH) {
if (!cred->cr_uid) if (!cred->cr_uid)
cred->cr_uid = exp->ex_anon_uid; cred->cr_uid = exp->ex_anon_uid;
if (!cred->cr_gid) if (!cred->cr_gid)
cred->cr_gid = exp->ex_anon_gid; cred->cr_gid = exp->ex_anon_gid;
for (i = 0; i < SVC_CRED_NGROUPS; i++) for (i = 0; i < cred->cr_group_info->ngroups; i++)
if (!cred->cr_groups[i]) if (!GROUP_AT(cred->cr_group_info, i))
cred->cr_groups[i] = exp->ex_anon_gid; GROUP_AT(cred->cr_group_info, i) = exp->ex_anon_gid;
} }
if (cred->cr_uid != (uid_t) -1) if (cred->cr_uid != (uid_t) -1)
...@@ -55,23 +41,12 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) ...@@ -55,23 +41,12 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
else else
current->fsgid = exp->ex_anon_gid; current->fsgid = exp->ex_anon_gid;
for (i = 0; i < SVC_CRED_NGROUPS; i++) { ret = set_current_groups(cred->cr_group_info);
gid_t group = cred->cr_groups[i]; if ((cred->cr_uid)) {
if (group == (gid_t) NOGROUP) cap_t(current->cap_effective) &= ~CAP_NFSD_MASK;
break; } else {
GROUP_AT(group_info, i) = group; cap_t(current->cap_effective) |= (CAP_NFSD_MASK &
current->cap_permitted);
} }
ret = set_current_groups(group_info);
if (ret == 0) {
if ((cred->cr_uid)) {
cap_t(current->cap_effective) &= ~CAP_NFSD_MASK;
} else {
cap_t(current->cap_effective) |= (CAP_NFSD_MASK &
current->cap_permitted);
}
}
put_group_info(group_info);
return ret; return ret;
} }
...@@ -193,6 +193,8 @@ alloc_client(struct xdr_netobj name) ...@@ -193,6 +193,8 @@ alloc_client(struct xdr_netobj name)
static inline void static inline void
free_client(struct nfs4_client *clp) free_client(struct nfs4_client *clp)
{ {
if (clp->cl_cred.cr_group_info)
put_group_info(clp->cl_cred.cr_group_info);
kfree(clp->cl_name.data); kfree(clp->cl_name.data);
kfree(clp); kfree(clp);
} }
...@@ -240,12 +242,11 @@ copy_clid(struct nfs4_client *target, struct nfs4_client *source) { ...@@ -240,12 +242,11 @@ copy_clid(struct nfs4_client *target, struct nfs4_client *source) {
static void static void
copy_cred(struct svc_cred *target, struct svc_cred *source) { copy_cred(struct svc_cred *target, struct svc_cred *source) {
int i;
target->cr_uid = source->cr_uid; target->cr_uid = source->cr_uid;
target->cr_gid = source->cr_gid; target->cr_gid = source->cr_gid;
for(i = 0; i < SVC_CRED_NGROUPS; i++) target->cr_group_info = source->cr_group_info;
target->cr_groups[i] = source->cr_groups[i]; get_group_info(target->cr_group_info);
} }
static int static int
......
...@@ -165,7 +165,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access) ...@@ -165,7 +165,11 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
} }
/* Set user creds for this exportpoint */ /* Set user creds for this exportpoint */
nfsd_setuser(rqstp, exp); error = nfsd_setuser(rqstp, exp);
if (error) {
error = nfserrno(error);
goto out;
}
/* /*
* Look up the dentry using the NFS file handle. * Look up the dentry using the NFS file handle.
......
...@@ -20,7 +20,7 @@ ...@@ -20,7 +20,7 @@
struct svc_cred { struct svc_cred {
uid_t cr_uid; uid_t cr_uid;
gid_t cr_gid; gid_t cr_gid;
gid_t cr_groups[SVC_CRED_NGROUPS]; struct group_info *cr_group_info;
}; };
struct svc_rqst; /* forward decl */ struct svc_rqst; /* forward decl */
......
...@@ -357,7 +357,9 @@ svcauth_null_accept(struct svc_rqst *rqstp, u32 *authp) ...@@ -357,7 +357,9 @@ svcauth_null_accept(struct svc_rqst *rqstp, u32 *authp)
/* Signal that mapping to nobody uid/gid is required */ /* Signal that mapping to nobody uid/gid is required */
rqstp->rq_cred.cr_uid = (uid_t) -1; rqstp->rq_cred.cr_uid = (uid_t) -1;
rqstp->rq_cred.cr_gid = (gid_t) -1; rqstp->rq_cred.cr_gid = (gid_t) -1;
rqstp->rq_cred.cr_groups[0] = NOGROUP; rqstp->rq_cred.cr_group_info = groups_alloc(0);
if (rqstp->rq_cred.cr_group_info == NULL)
return SVC_DROP; /* kmalloc failure - client must retry */
/* Put NULL verifier */ /* Put NULL verifier */
svc_putu32(resv, RPC_AUTH_NULL); svc_putu32(resv, RPC_AUTH_NULL);
...@@ -424,6 +426,9 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp) ...@@ -424,6 +426,9 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp)
int rv=0; int rv=0;
struct ip_map key, *ipm; struct ip_map key, *ipm;
cred->cr_group_info = NULL;
rqstp->rq_client = NULL;
if ((len -= 3*4) < 0) if ((len -= 3*4) < 0)
return SVC_GARBAGE; return SVC_GARBAGE;
...@@ -440,13 +445,11 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp) ...@@ -440,13 +445,11 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp)
slen = ntohl(svc_getu32(argv)); /* gids length */ slen = ntohl(svc_getu32(argv)); /* gids length */
if (slen > 16 || (len -= (slen + 2)*4) < 0) if (slen > 16 || (len -= (slen + 2)*4) < 0)
goto badcred; goto badcred;
cred->cr_group_info = groups_alloc(slen);
if (cred->cr_group_info == NULL)
return SVC_DROP;
for (i = 0; i < slen; i++) for (i = 0; i < slen; i++)
if (i < SVC_CRED_NGROUPS) GROUP_AT(cred->cr_group_info, i) = ntohl(svc_getu32(argv));
cred->cr_groups[i] = ntohl(svc_getu32(argv));
else
svc_getu32(argv);
if (i < SVC_CRED_NGROUPS)
cred->cr_groups[i] = NOGROUP;
if (svc_getu32(argv) != RPC_AUTH_NULL || svc_getu32(argv) != 0) { if (svc_getu32(argv) != RPC_AUTH_NULL || svc_getu32(argv) != 0) {
*authp = rpc_autherr_badverf; *authp = rpc_autherr_badverf;
...@@ -460,7 +463,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp) ...@@ -460,7 +463,6 @@ svcauth_unix_accept(struct svc_rqst *rqstp, u32 *authp)
ipm = ip_map_lookup(&key, 0); ipm = ip_map_lookup(&key, 0);
rqstp->rq_client = NULL;
if (ipm) if (ipm)
switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) { switch (cache_check(&ip_map_cache, &ipm->h, &rqstp->rq_chandle)) {
case -EAGAIN: case -EAGAIN:
...@@ -501,6 +503,9 @@ svcauth_unix_release(struct svc_rqst *rqstp) ...@@ -501,6 +503,9 @@ svcauth_unix_release(struct svc_rqst *rqstp)
if (rqstp->rq_client) if (rqstp->rq_client)
auth_domain_put(rqstp->rq_client); auth_domain_put(rqstp->rq_client);
rqstp->rq_client = NULL; rqstp->rq_client = NULL;
if (rqstp->rq_cred.cr_group_info)
put_group_info(rqstp->rq_cred.cr_group_info);
rqstp->rq_cred.cr_group_info = NULL;
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment