Commit Graph

160 Commits

Author SHA1 Message Date
Philippe Charnier
a7a7d96c7a Add __unused. Ansi prototypes. 2010-12-20 09:28:28 +00:00
Maxim Konovalov
580a9482a4 o Fix typo: sepcify -> specify.
PR:		docs/148499
Submitted by:	Warren Block
MFC after:	1 week
2010-07-12 04:21:50 +00:00
Rick Macklem
56cfc5ed12 If the "-alldirs" export option was used for the V4: line, mountd
would crash in check_options() since dp == NULL for the V4: line.
This patch moves the check for options allowed on the V4: line to
ahead of where dp is used to avoid this crash.

Reported by:	mamalos AT eng.auth.gr
MFC after:	1 week
2010-05-06 00:24:08 +00:00
Edward Tomasz Napierala
639e19ec07 Description of steps required to setup NFSv4 server is in nfsv4(4);
add reference to exports(5), since that's the obvious starting point
for searching for this.
2009-12-03 19:16:40 +00:00
Doug Rabson
0775314b63 Don't use sys/nfs/rpcv2.h - it is part of the old kernel RPC implementation
and will be removed.
2009-06-24 18:42:21 +00:00
Rick Macklem
73f4ccbd29 When mountd.c parses the nfsv4 root line(s) in /etc/exports, it
allocates data structures that are never linked into the tree or free'd.
As such, mountd would leak memory every time it parsed an nfsv4 root line.
This patch frees up those structures to plug the leak.

Approved by:	kib (mentor)
2009-06-23 21:48:04 +00:00
Brooks Davis
838d985825 Rework the credential code to support larger values of NGROUPS and
NGROUPS_MAX, eliminate ABI dependencies on them, and raise the to 1024
and 1023 respectively.  (Previously they were equal, but under a close
reading of POSIX, NGROUPS_MAX was defined to be too large by 1 since it
is the number of supplemental groups, not total number of groups.)

The bulk of the change consists of converting the struct ucred member
cr_groups from a static array to a pointer.  Do the equivalent in
kinfo_proc.

Introduce new interfaces crcopysafe() and crsetgroups() for duplicating
a process credential before modifying it and for setting group lists
respectively.  Both interfaces take care for the details of allocating
groups array. crsetgroups() takes care of truncating the group list
to the current maximum (NGROUPS) if necessary.  In the future,
crsetgroups() may be responsible for insuring invariants such as sorting
the supplemental groups to allow groupmember() to be implemented as a
binary search.

Because we can not change struct xucred without breaking application
ABIs, we leave it alone and introduce a new XU_NGROUPS value which is
always 16 and is to be used or NGRPS as appropriate for things such as
NFS which need to use no more than 16 groups.  When feasible, truncate
the group list rather than generating an error.

Minor changes:
  - Reduce the number of hand rolled versions of groupmember().
  - Do not assign to both cr_gid and cr_groups[0].
  - Modify ipfw to cache ucreds instead of part of their contents since
    they are immutable once referenced by more than one entity.

Submitted by:	Isilon Systems (initial implementation)
X-MFC after:	never
PR:		bin/113398 kern/133867
2009-06-19 17:10:35 +00:00
Alexander Kabaev
e7733ffa39 Re-do r192913 in less intrusive way. Only do IP_RECVDSTADDR/IP_SENDSRCADDR
dace for UPDv4 sockets bound to INADDR_ANY. Move the code to set
IP_RECVDSTADDR/IP_SENDSRCADDR into svc_dg.c, so that both TLI and non-TLI
users will be using it.

Back out my previous commit to mountd. Turns out the problem was affecting
more than one binary so it needs to me addressed in generic rpc code in
libc in order to fix them all.

Reported by:	lstewart
Tested by:	lstewart
2009-06-18 17:10:43 +00:00
Alexander Kabaev
4b119b6669 The change r192913 has added dependency on IP_RECVDSTADDR being
set for RPC UDP sockets. Mountd uses internal libc fuctions
directly and bypasses generic socket initialization completely,
so we need to set IP_RECVDSTADDR here to match the libc behavior.
2009-06-08 03:15:27 +00:00
Rick Macklem
2179ae1ebf Change the "-4" argument for nfsd and mountd to "-e" to avoid
confusion, since it does not refer to IPv4 nor NFSv4, but to
running the experimental server instead of the regular one.

Approved by:	kib (mentor)
2009-05-28 20:28:13 +00:00
Rick Macklem
bcc1d0716a Modify mountd to handle the experimental nfs server as well as the
regular one. It now takes a "-4" command line argument to force it
to use the experimental server. Otherwise it will use the regular
server unless the experimental server is the only one linked into
the kernel. A third kind of line has been added to /etc/exports,
which is specific to NFSv4 and defines where the NFSv4 tree root is
and can be used to limit access to NFSv4 state handling operations
that do not use any file handle.

Approved by:	kib (mentor)
2009-05-27 22:02:54 +00:00
Doug Rabson
a9148abd9d Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
Daniel Gerzo
6f8f0226ed - more mark-up fixes
Submitted by:	ru
2008-07-01 19:54:02 +00:00
Daniel Gerzo
408730643b - add some missing words
- we don't have ne(4), replace it with re(4)
- fix markup
- bump date

Submitted by:	ru
MFC after:	3 days
2008-06-30 08:29:02 +00:00
Daniel Gerzo
80d9aed42c - markup fixes
- advise to use rc script to SIGHUP mountd
- add information about possiblity of using /prefix network notation [1]

PR:		docs/124373
Reviewed by:	jhb
Obtained from:	NetBSD [1]
MFC after:	3 days
2008-06-27 16:32:04 +00:00
Craig Rodrigues
55dd132740 Remove hacks which filter out MNT_ROOTFS.
They are no longer needed now that we filter out MNT_ROOTFS
inside the nmount() call in revision 1.267 of vfs_mount.c.

Reviewed by:	rink
2008-03-05 07:55:07 +00:00
Simon L. B. Nielsen
89ca9145fb Use the correct variable to check for a malloc failing. This fixes a
case where mountd would fail to start with "out of memory" logged to
syslog.
2007-10-27 12:24:47 +00:00
Matteo Riondato
d11e36457b Add the -h <bindip> option to mountd, similar to the one in nfsd(8)
-h bindip
Specify specific IP addresses to bind to for TCP and UDP requests.
This option may be specified multiple times.  If no -h option is
specified, mountd will bind to INADDR_ANY.  Note that when specifying
IP addresses with -h, mountd will automatically add 127.0.0.1 and if
IPv6 is enabled, ::1 to the list.

PR:		bin/114097
Reviewed by:	pjd (an eariler version of the patch)
MFC after:	1 week
2007-10-20 11:25:34 +00:00
Pawel Jakub Dawidek
6c90092b5a Fatal error is only when cannot open any of the given exports files. 2007-04-13 10:25:49 +00:00
Pawel Jakub Dawidek
3201fe06ce Grr, committed manual page without the last change - make the comment a bit
prettier.
2007-02-03 00:15:46 +00:00
Pawel Jakub Dawidek
96968c223b Add support for multiple exports files. This will be useful for example for
ZFS, where we have automatically generated /etc/zfs/exports file, which
should not be edited directly.

Discussed with:	rwatson
2007-02-03 00:12:18 +00:00
Craig Rodrigues
37518a88fb If nmount() fails to export a directory, in the syslog() error message,
add the errmsg string returned by nmount().
2007-01-26 13:26:43 +00:00
Craig Rodrigues
09fc9dc689 Ignore SIGPIPE, instead of terminating process.
PR:		81230
Submitted by:	Dmitrij Tejblum <tejblum yandex-team ru>
MFC after:	1 month
2006-11-18 22:43:20 +00:00
Rink Springer
300a6ee829 My previous commit made it impossible to export / over NFS; this small
change fixes this.

Reported by:	Lin Jui-Nan Eric < ericlin dot jnlin at gmail dot com >
Submitted by:	Erik Trulsson < ertr1013 at student dot uu dot se > (commit is inspired by a patch from Erik)
Pointyhat to:	me
Reviewed by:	stable@
Approved by:	imp (mentor)
MFC after:	3 days
2006-10-19 19:46:49 +00:00
Rink Springer
6a5a80bd0f Prevent mountd(8) from resetting mount options when exporting a filesystem.
Approved by:		imp (mentor)
Sponsored by:		Quality Service Provider BV
MFC after:		3 days
2006-10-09 17:38:18 +00:00
Craig Rodrigues
46f8d30f5a In get_exportlist(), properly loop over mounted filesystems.
PR:	bin/99873
Submitted by:	Danny Braniss <danny at cs dot huji dot ac dot il>
2006-07-08 13:49:24 +00:00
Craig Rodrigues
a84ee0d367 For network filesystems (NFS, samba, etc.), do not pass "export" nmount()
parameter to try to delete an NFS export.  It won't work, and will log
a spurious warning to syslog.

Tested by:	Arno J. Klaassen <arno at heho dot snv dot jussieu dot fr>
MFC after:	3 days
2006-06-06 21:56:49 +00:00
Craig Rodrigues
8f716f89cf Do not log "can't delete export" messages if nmount() returns ENOTSUP.
This eliminates spurious log entries for trying to delete exports
for filesystems like devfs and procfs.
2006-05-28 18:59:28 +00:00
Craig Rodrigues
9857865b55 Convert to nmount() and remove hardcoded checks for ufs, msdosfs, ntfs,
and cd9660.

PR:	bin/97642
2006-05-24 11:49:39 +00:00
Craig Rodrigues
6a09faf2cb Convert mountd to nmount(). Remove some hardcoded dependencies
on ufs, cd9660, msdosfs, and ntfs, but not all dependencies.
2006-05-23 17:10:17 +00:00
Giorgos Keramidas
193599122f Note that when -d flag is used, mountd(8) will not detach from the
controlling terminal.

PR:		docs/96660
Submitted by:	Jeff Ito <ijk@speakeasy.net>
MFC after:	1 week
2006-05-02 21:00:43 +00:00
Joseph Koshy
10affec4aa Use ".Pa" for path names.
MFC after:	3 days
2006-01-29 08:44:05 +00:00
Pawel Jakub Dawidek
8b28aef238 Pidfiles should be created with permission preventing users from opening
them for reading. When user can open file for reading, he can also
flock(2) it, which can lead to confusions.

Pointed out by:	green
2005-09-16 11:24:28 +00:00
Pawel Jakub Dawidek
a032b226c8 Use pidfile(3) in mountd(8). There is no need to use /var/run/mountd.lock
anymore.
2005-08-24 19:17:06 +00:00
Hajimu UMEMOTO
4f10131848 NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.
2005-05-13 16:31:11 +00:00
Stefan Farfeleder
18b51f792f Remove unused variables. 2005-04-09 14:59:10 +00:00
Ruslan Ermilov
59a3c79da6 Sort sections. 2005-01-18 20:02:45 +00:00
Poul-Henning Kamp
e71171f31b Also do not send junk mount arguments when removing exports. 2004-12-11 12:51:20 +00:00
Stefan Farfeleder
950cc39559 Pass an array of gid_t rather than an array of int to getgroups().
PR:	56646
2004-10-02 11:40:48 +00:00
Warner Losh
486c8cc4c6 Per letter dated July 22, 1999 remove 3rd clause of Berkeley derived software
(with permission of addtional copyright holders where appropriate)
2004-08-07 04:28:56 +00:00
Ruslan Ermilov
b18b186e57 Markup nits. 2004-06-04 19:23:12 +00:00
Ceri Davies
9af414d156 Correct typo in the last revision. 2004-03-27 14:23:25 +00:00
Ceri Davies
687c7280ef Note that only one webnfs share is allowed per NFS server.
PR:		docs/45371
Submitted by:	Mattias Pantzare <pantzer@ludd.luth.se>,
		Matthew D. Fuller <fullermd@over-yonder.net>
MFC after:	2 days
2004-03-22 21:05:57 +00:00
Mark Murray
16fc3635f7 Make NULL a (void*)0 whereever possible, and fix the warnings(-Werror)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).

There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.

Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".

Tested on: i386 sparc64
2004-03-05 08:10:19 +00:00
Bruce M Simpson
c203da27d5 Add a new option to mountd(8), -p <port>. This allows the user to specify
a known port for use in firewall rulesets; otherwise the port is chosen
at run-time by bindresvport().

MFC after:	1 week
2004-03-04 04:42:52 +00:00
David E. O'Brien
88b3d518bc Be consistent in the EXAMPLES formatting. 2004-01-01 00:59:58 +00:00
Peter Wemm
c903443a2c Rename the 'log' variable rather than -fno-builtin-log 2003-10-30 22:57:43 +00:00
Peter Wemm
389b844652 Use -fno-builtin-log. Fix svc_sendreply() missing required casts.
It is now WARNS=2 clean again.
2003-10-26 05:58:21 +00:00
Robert Watson
7c615cf053 When reporting errors binding IPv6 TCP sockets, don't call them UDP
sockets in the printf.

Fix two minor co-located whitespace glitches.

Product of:	France
2003-07-17 10:11:26 +00:00
David E. O'Brien
052238b16c style.Makefile(5) 2003-04-04 17:49:21 +00:00