#include <sys/param.h>
#include <sys/errno.h>
#include <sys/linker.h>
#include <sys/module.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/time.h>
#include <sys/ucred.h>
#include <sys/vnode.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <nfs/nfssvc.h>
#include <rpc/rpc.h>
#include <fs/nfs/rpcv2.h>
#include <fs/nfs/nfsproto.h>
#include <fs/nfs/nfskpiport.h>
#include <fs/nfs/nfs.h>
#include <fs/nfs/nfsid.h>
#include <ctype.h>
#include <err.h>
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
static void cleanup_term(int);
static void usage(void);
static void nfsuserdsrv(struct svc_req *, SVCXPRT *);
static bool_t xdr_getid(XDR *, caddr_t);
static bool_t xdr_getname(XDR *, caddr_t);
static bool_t xdr_retval(XDR *, caddr_t);
static int nfsbind_localhost(void);
#define MAXNAME 1024
#define MAXNFSUSERD 20
#define DEFNFSUSERD 4
#define MAXUSERMAX 100000
#define MINUSERMAX 10
#define DEFUSERMAX 200
#define DEFUSERTIMEOUT (1 * 60)
struct info {
long id;
long retval;
char name[MAXNAME + 1];
};
u_char *dnsname = "default.domain";
u_char *defaultuser = "nobody";
uid_t defaultuid = 65534;
u_char *defaultgroup = "nogroup";
gid_t defaultgid = 65533;
int verbose = 0, im_a_server = 0, nfsuserdcnt = -1, forcestart = 0;
int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0;
pid_t servers[MAXNFSUSERD];
static struct sockaddr_storage fromip;
#ifdef INET6
static struct in6_addr in6loopback = IN6ADDR_LOOPBACK_INIT;
#endif
int
main(int argc, char *argv[])
{
int i, j;
int error, fnd_dup, len, mustfreeai = 0, start_uidpos;
struct nfsd_idargs nid;
struct passwd *pwd;
struct group *grp;
int sock, one = 1;
SVCXPRT *udptransp;
struct nfsuserd_args nargs;
sigset_t signew;
char hostname[MAXHOSTNAMELEN + 1], *cp;
struct addrinfo *aip, hints;
static uid_t check_dups[MAXUSERMAX];
gid_t grps[NGROUPS];
int ngroup;
#ifdef INET
struct sockaddr_in *sin;
#endif
#ifdef INET6
struct sockaddr_in6 *sin6;
#endif
int jailed, s;
size_t jailed_size;
if (modfind("nfscommon") < 0) {
if (kldload("nfscommon") < 0 ||
modfind("nfscommon") < 0)
errx(1, "Experimental nfs subsystem is not available");
}
if (gethostname(hostname, MAXHOSTNAMELEN) == 0) {
if ((cp = strchr(hostname, '.')) != NULL &&
*(cp + 1) != '\0') {
dnsname = cp + 1;
} else {
memset((void *)&hints, 0, sizeof (hints));
hints.ai_flags = AI_CANONNAME;
error = getaddrinfo(hostname, NULL, &hints, &aip);
if (error == 0) {
if (aip->ai_canonname != NULL &&
(cp = strchr(aip->ai_canonname, '.')) != NULL
&& *(cp + 1) != '\0') {
dnsname = cp + 1;
mustfreeai = 1;
} else {
freeaddrinfo(aip);
}
}
}
}
s = -1;
#ifdef INET6
s = socket(PF_INET6, SOCK_DGRAM, 0);
if (s >= 0) {
fromip.ss_family = AF_INET6;
fromip.ss_len = sizeof(struct sockaddr_in6);
sin6 = (struct sockaddr_in6 *)&fromip;
sin6->sin6_addr = in6loopback;
close(s);
}
#endif
#ifdef INET
if (s < 0) {
s = socket(PF_INET, SOCK_DGRAM, 0);
if (s >= 0) {
fromip.ss_family = AF_INET;
fromip.ss_len = sizeof(struct sockaddr_in);
sin = (struct sockaddr_in *)&fromip;
sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
close(s);
}
}
#endif
if (s < 0)
err(1, "Can't create a inet/inet6 socket");
nid.nid_usermax = DEFUSERMAX;
nid.nid_usertimeout = defusertimeout;
argc--;
argv++;
while (argc >= 1) {
if (!strcmp(*argv, "-domain")) {
if (argc == 1)
usage();
argc--;
argv++;
strncpy(hostname, *argv, MAXHOSTNAMELEN);
hostname[MAXHOSTNAMELEN] = '\0';
dnsname = hostname;
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else if (!strcmp(*argv, "-force")) {
forcestart = 1;
} else if (!strcmp(*argv, "-manage-gids")) {
manage_gids = 1;
} else if (!strcmp(*argv, "-usermax")) {
if (argc == 1)
usage();
argc--;
argv++;
i = atoi(*argv);
if (i < MINUSERMAX || i > MAXUSERMAX) {
fprintf(stderr,
"usermax %d out of range %d<->%d\n", i,
MINUSERMAX, MAXUSERMAX);
usage();
}
nid.nid_usermax = i;
} else if (!strcmp(*argv, "-usertimeout")) {
if (argc == 1)
usage();
argc--;
argv++;
i = atoi(*argv);
if (i < 0 || i > 100000) {
fprintf(stderr,
"usertimeout %d out of range 0<->100000\n",
i);
usage();
}
nid.nid_usertimeout = defusertimeout = i * 60;
} else if (nfsuserdcnt == -1) {
nfsuserdcnt = atoi(*argv);
if (nfsuserdcnt < 1)
usage();
if (nfsuserdcnt > MAXNFSUSERD) {
warnx("nfsuserd count %d; reset to %d",
nfsuserdcnt, DEFNFSUSERD);
nfsuserdcnt = DEFNFSUSERD;
}
} else {
usage();
}
argc--;
argv++;
}
if (nfsuserdcnt < 1)
nfsuserdcnt = DEFNFSUSERD;
while (*dnsname == '.')
dnsname++;
if (*dnsname == '\0')
errx(1, "Domain name all '.'");
len = strlen(dnsname);
cp = dnsname + len - 1;
while (*cp == '.') {
*cp = '\0';
len--;
cp--;
}
for (i = 0; i < len; i++) {
if (!isascii(dnsname[i]))
errx(1, "Domain name has non-ascii char");
if (isupper(dnsname[i]))
dnsname[i] = tolower(dnsname[i]);
}
if (forcestart && nfssvc(NFSSVC_NFSUSERDDELPORT, NULL) < 0)
errx(1, "Can't do nfssvc() to delete the port");
if (verbose)
fprintf(stderr,
"nfsuserd: domain=%s usermax=%d usertimeout=%d\n",
dnsname, nid.nid_usermax, nid.nid_usertimeout);
for (i = 0; i < nfsuserdcnt; i++)
servers[i] = (pid_t)-1;
nargs.nuserd_family = fromip.ss_family;
if ((sock = socket(nargs.nuserd_family, SOCK_DGRAM, IPPROTO_UDP)) < 0)
err(1, "cannot create udp socket");
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
if ((udptransp = svcudp_create(sock)) == NULL)
err(1, "Can't set up socket");
if (!svc_register(udptransp, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS,
nfsuserdsrv, 0))
err(1, "Can't register nfsuserd");
nargs.nuserd_port = htons(udptransp->xp_port);
#ifdef DEBUG
printf("portnum=0x%x\n", nargs.nuserd_port);
#else
if (nfssvc(NFSSVC_NFSUSERDPORT | NFSSVC_NEWSTRUCT, &nargs) < 0) {
if (errno == EPERM) {
jailed = 0;
jailed_size = sizeof(jailed);
sysctlbyname("security.jail.jailed", &jailed,
&jailed_size, NULL, 0);
if (jailed != 0) {
fprintf(stderr, "Cannot start nfsuserd. "
"allow.nfsd might not be configured\n");
} else {
fprintf(stderr, "Cannot start nfsuserd "
"when already running.");
fprintf(stderr, " If not running, "
"use the -force option.\n");
}
} else {
fprintf(stderr, "Can't do nfssvc() to add port\n");
}
exit(1);
}
#endif
pwd = getpwnam(defaultuser);
if (pwd)
nid.nid_uid = pwd->pw_uid;
else
nid.nid_uid = defaultuid;
grp = getgrnam(defaultgroup);
if (grp)
nid.nid_gid = grp->gr_gid;
else
nid.nid_gid = defaultgid;
nid.nid_name = dnsname;
nid.nid_namelen = strlen(nid.nid_name);
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
nid.nid_flag = NFSID_INITIALIZE;
#ifdef DEBUG
printf("Initialize uid=%d gid=%d dns=%s\n", nid.nid_uid, nid.nid_gid,
nid.nid_name);
#else
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error)
errx(1, "Can't initialize nfs user/groups");
#endif
i = 0;
setgrent();
while (i < nid.nid_usermax && (grp = getgrent())) {
nid.nid_gid = grp->gr_gid;
nid.nid_name = grp->gr_name;
nid.nid_namelen = strlen(grp->gr_name);
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
nid.nid_flag = NFSID_ADDGID;
#ifdef DEBUG
printf("add gid=%d name=%s\n", nid.nid_gid, nid.nid_name);
#else
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error)
errx(1, "Can't add group %s", grp->gr_name);
#endif
i++;
}
endgrent();
start_uidpos = i;
setpwent();
while (i < nid.nid_usermax && (pwd = getpwent())) {
fnd_dup = 0;
for (j = 0; j < (i - start_uidpos); j++)
if (check_dups[j] == pwd->pw_uid) {
fnd_dup = 1;
break;
}
if (fnd_dup != 0)
continue;
check_dups[i - start_uidpos] = pwd->pw_uid;
nid.nid_uid = pwd->pw_uid;
nid.nid_name = pwd->pw_name;
nid.nid_namelen = strlen(pwd->pw_name);
if (manage_gids != 0) {
ngroup = NGROUPS;
if (getgrouplist(pwd->pw_name, pwd->pw_gid, grps,
&ngroup) < 0) {
syslog(LOG_ERR,
"Group list of user '%s' too big",
pwd->pw_name);
ngroup = NGROUPS;
}
nid.nid_ngroup = ngroup;
nid.nid_grps = grps;
} else {
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
}
nid.nid_flag = NFSID_ADDUID;
#ifdef DEBUG
printf("add uid=%d name=%s\n", nid.nid_uid, nid.nid_name);
#else
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error)
errx(1, "Can't add user %s", pwd->pw_name);
#endif
i++;
}
endpwent();
if (mustfreeai)
freeaddrinfo(aip);
#ifdef DEBUG
exit(0);
#endif
sigemptyset(&signew);
sigaddset(&signew, SIGUSR1);
sigaddset(&signew, SIGCHLD);
sigprocmask(SIG_BLOCK, &signew, NULL);
daemon(0, 0);
(void)signal(SIGHUP, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGTERM, SIG_IGN);
(void)signal(SIGUSR1, cleanup_term);
(void)signal(SIGCHLD, cleanup_term);
openlog("nfsuserd:", LOG_PID, LOG_DAEMON);
for (i = 0; i < nfsuserdcnt; i++) {
servers[i] = fork();
if (servers[i] == 0) {
im_a_server = 1;
setproctitle("server");
sigemptyset(&signew);
sigaddset(&signew, SIGUSR1);
sigprocmask(SIG_UNBLOCK, &signew, NULL);
svc_run();
syslog(LOG_ERR, "nfsuserd died: %m");
exit(1);
} else if (servers[i] < 0) {
syslog(LOG_ERR, "fork: %m");
}
}
setproctitle("master");
sigemptyset(&signew);
while (1)
sigsuspend(&signew);
}
static void
nfsuserdsrv(struct svc_req *rqstp, SVCXPRT *transp)
{
struct passwd *pwd;
struct group *grp;
int error;
#if defined(INET) || defined(INET6)
u_short sport;
int ret;
#endif
struct info info;
struct nfsd_idargs nid;
gid_t grps[NGROUPS];
int ngroup;
#ifdef INET
struct sockaddr_in *fromsin, *sin;
#endif
#ifdef INET6
struct sockaddr_in6 *fromsin6, *sin6;
char buf[INET6_ADDRSTRLEN];
#endif
if (rqstp->rq_proc != NULLPROC) {
switch (fromip.ss_family) {
#ifdef INET
case AF_INET:
if (transp->xp_rtaddr.len < sizeof(*sin)) {
syslog(LOG_ERR, "xp_rtaddr too small");
svcerr_weakauth(transp);
return;
}
sin = (struct sockaddr_in *)transp->xp_rtaddr.buf;
fromsin = (struct sockaddr_in *)&fromip;
sport = ntohs(sin->sin_port);
if (sport >= IPPORT_RESERVED) {
syslog(LOG_ERR, "not a reserved port#");
svcerr_weakauth(transp);
return;
}
ret = 1;
if (sin->sin_addr.s_addr != fromsin->sin_addr.s_addr)
ret = nfsbind_localhost();
if (ret == 0 || sin->sin_addr.s_addr !=
fromsin->sin_addr.s_addr) {
syslog(LOG_ERR, "bad from ip %s",
inet_ntoa(sin->sin_addr));
svcerr_weakauth(transp);
return;
}
break;
#endif
#ifdef INET6
case AF_INET6:
if (transp->xp_rtaddr.len < sizeof(*sin6)) {
syslog(LOG_ERR, "xp_rtaddr too small");
svcerr_weakauth(transp);
return;
}
sin6 = (struct sockaddr_in6 *)transp->xp_rtaddr.buf;
fromsin6 = (struct sockaddr_in6 *)&fromip;
sport = ntohs(sin6->sin6_port);
if (sport >= IPV6PORT_RESERVED) {
syslog(LOG_ERR, "not a reserved port#");
svcerr_weakauth(transp);
return;
}
ret = 1;
if (!IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
&fromsin6->sin6_addr))
ret = nfsbind_localhost();
if (ret == 0 || !IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
&fromsin6->sin6_addr)) {
if (inet_ntop(AF_INET6, &sin6->sin6_addr, buf,
INET6_ADDRSTRLEN) != NULL)
syslog(LOG_ERR, "bad from ip %s", buf);
else
syslog(LOG_ERR, "bad from ip6 addr");
svcerr_weakauth(transp);
return;
}
break;
#endif
}
}
switch (rqstp->rq_proc) {
case NULLPROC:
if (!svc_sendreply(transp, (xdrproc_t)xdr_void, NULL))
syslog(LOG_ERR, "Can't send reply");
return;
case RPCNFSUSERD_GETUID:
if (!svc_getargs(transp, (xdrproc_t)xdr_getid,
(caddr_t)&info)) {
svcerr_decode(transp);
return;
}
pwd = getpwuid((uid_t)info.id);
info.retval = 0;
if (pwd != NULL) {
nid.nid_usertimeout = defusertimeout;
nid.nid_uid = pwd->pw_uid;
nid.nid_name = pwd->pw_name;
if (manage_gids != 0) {
ngroup = NGROUPS;
if (getgrouplist(pwd->pw_name, pwd->pw_gid,
grps, &ngroup) < 0) {
syslog(LOG_ERR,
"Group list of user '%s' too big",
pwd->pw_name);
ngroup = NGROUPS;
}
nid.nid_ngroup = ngroup;
nid.nid_grps = grps;
} else {
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
}
} else {
nid.nid_usertimeout = 5;
nid.nid_uid = (uid_t)info.id;
nid.nid_name = defaultuser;
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
}
nid.nid_namelen = strlen(nid.nid_name);
nid.nid_flag = NFSID_ADDUID;
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error) {
info.retval = error;
syslog(LOG_ERR, "Can't add user %s\n", pwd->pw_name);
} else if (verbose) {
syslog(LOG_ERR,"Added uid=%d name=%s\n",
nid.nid_uid, nid.nid_name);
}
if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
(caddr_t)&info))
syslog(LOG_ERR, "Can't send reply");
return;
case RPCNFSUSERD_GETGID:
if (!svc_getargs(transp, (xdrproc_t)xdr_getid,
(caddr_t)&info)) {
svcerr_decode(transp);
return;
}
grp = getgrgid((gid_t)info.id);
info.retval = 0;
if (grp != NULL) {
nid.nid_usertimeout = defusertimeout;
nid.nid_gid = grp->gr_gid;
nid.nid_name = grp->gr_name;
} else {
nid.nid_usertimeout = 5;
nid.nid_gid = (gid_t)info.id;
nid.nid_name = defaultgroup;
}
nid.nid_namelen = strlen(nid.nid_name);
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
nid.nid_flag = NFSID_ADDGID;
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error) {
info.retval = error;
syslog(LOG_ERR, "Can't add group %s\n",
grp->gr_name);
} else if (verbose) {
syslog(LOG_ERR,"Added gid=%d name=%s\n",
nid.nid_gid, nid.nid_name);
}
if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
(caddr_t)&info))
syslog(LOG_ERR, "Can't send reply");
return;
case RPCNFSUSERD_GETUSER:
if (!svc_getargs(transp, (xdrproc_t)xdr_getname,
(caddr_t)&info)) {
svcerr_decode(transp);
return;
}
pwd = getpwnam(info.name);
info.retval = 0;
if (pwd != NULL) {
nid.nid_usertimeout = defusertimeout;
nid.nid_uid = pwd->pw_uid;
nid.nid_name = pwd->pw_name;
} else {
nid.nid_usertimeout = 5;
nid.nid_uid = defaultuid;
nid.nid_name = info.name;
}
nid.nid_namelen = strlen(nid.nid_name);
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
nid.nid_flag = NFSID_ADDUSERNAME;
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error) {
info.retval = error;
syslog(LOG_ERR, "Can't add user %s\n", pwd->pw_name);
} else if (verbose) {
syslog(LOG_ERR,"Added uid=%d name=%s\n",
nid.nid_uid, nid.nid_name);
}
if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
(caddr_t)&info))
syslog(LOG_ERR, "Can't send reply");
return;
case RPCNFSUSERD_GETGROUP:
if (!svc_getargs(transp, (xdrproc_t)xdr_getname,
(caddr_t)&info)) {
svcerr_decode(transp);
return;
}
grp = getgrnam(info.name);
info.retval = 0;
if (grp != NULL) {
nid.nid_usertimeout = defusertimeout;
nid.nid_gid = grp->gr_gid;
nid.nid_name = grp->gr_name;
} else {
nid.nid_usertimeout = 5;
nid.nid_gid = defaultgid;
nid.nid_name = info.name;
}
nid.nid_namelen = strlen(nid.nid_name);
nid.nid_ngroup = 0;
nid.nid_grps = NULL;
nid.nid_flag = NFSID_ADDGROUPNAME;
error = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
if (error) {
info.retval = error;
syslog(LOG_ERR, "Can't add group %s\n",
grp->gr_name);
} else if (verbose) {
syslog(LOG_ERR,"Added gid=%d name=%s\n",
nid.nid_gid, nid.nid_name);
}
if (!svc_sendreply(transp, (xdrproc_t)xdr_retval,
(caddr_t)&info))
syslog(LOG_ERR, "Can't send reply");
return;
default:
svcerr_noproc(transp);
return;
};
}
static bool_t
xdr_getid(XDR *xdrsp, caddr_t cp)
{
struct info *ifp = (struct info *)cp;
return (xdr_long(xdrsp, &ifp->id));
}
static bool_t
xdr_getname(XDR *xdrsp, caddr_t cp)
{
struct info *ifp = (struct info *)cp;
long len;
if (!xdr_long(xdrsp, &len))
return (0);
if (len > MAXNAME)
return (0);
if (!xdr_opaque(xdrsp, ifp->name, len))
return (0);
ifp->name[len] = '\0';
return (1);
}
static bool_t
xdr_retval(XDR *xdrsp, caddr_t cp)
{
struct info *ifp = (struct info *)cp;
long val;
val = ifp->retval;
return (xdr_long(xdrsp, &val));
}
static void
cleanup_term(int signo __unused)
{
int i, cnt;
if (im_a_server)
exit(0);
cnt = 0;
for (i = 0; i < nfsuserdcnt; i++) {
if (servers[i] != (pid_t)-1) {
cnt++;
kill(servers[i], SIGUSR1);
}
}
for (i = 0; i < cnt; i++)
wait3(NULL, 0, NULL);
if (nfssvc(NFSSVC_NFSUSERDDELPORT, NULL) < 0) {
syslog(LOG_ERR, "Can't do nfssvc() to delete the port\n");
exit(1);
}
exit(0);
}
static int
nfsbind_localhost(void)
{
#ifdef INET
struct sockaddr_in sin;
#endif
#ifdef INET6
struct sockaddr_in6 sin6;
#endif
socklen_t slen;
int ret, s;
switch (fromip.ss_family) {
#ifdef INET6
case AF_INET6:
s = socket(PF_INET6, SOCK_DGRAM, 0);
if (s < 0)
return (0);
memset(&sin6, 0, sizeof(sin6));
sin6.sin6_len = sizeof(sin6);
sin6.sin6_family = AF_INET6;
sin6.sin6_addr = in6loopback;
sin6.sin6_port = 0;
ret = bind(s, (struct sockaddr *)&sin6, sizeof(sin6));
if (ret < 0) {
close(s);
return (0);
}
break;
#endif
#ifdef INET
case AF_INET:
s = socket(PF_INET, SOCK_DGRAM, 0);
if (s < 0)
return (0);
memset(&sin, 0, sizeof(sin));
sin.sin_len = sizeof(sin);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sin.sin_port = 0;
ret = bind(s, (struct sockaddr *)&sin, sizeof(sin));
if (ret < 0) {
close(s);
return (0);
}
break;
#endif
}
memset(&fromip, 0, sizeof(fromip));
slen = sizeof(fromip);
ret = getsockname(s, (struct sockaddr *)&fromip, &slen);
close(s);
if (ret < 0)
return (0);
return (1);
}
static void
usage(void)
{
errx(1,
"usage: nfsuserd [-usermax cache_size] [-usertimeout minutes] [-verbose] [-manage-gids] [-domain domain_name] [n]");
}
