4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include "metad_local.h"
36 extern void nc_perror(const char *msg
);
40 sigalarmhandler(int sig
)
47 * check for trusted host and user
51 struct svc_req
*rqstp
/* RPC stuff */
54 struct authsys_parms
*sys_credp
;
55 SVCXPRT
*transp
= rqstp
->rq_xprt
;
56 struct netconfig
*nconfp
= NULL
;
57 struct nd_hostservlist
*hservlistp
= NULL
;
64 sys_credp
= (struct authsys_parms
*)rqstp
->rq_clntcred
;
65 assert(sys_credp
!= NULL
);
66 if (sys_credp
->aup_uid
!= 0)
70 if (transp
->xp_netid
== NULL
) {
71 md_eprintf("transp->xp_netid == NULL\n");
74 if ((nconfp
= getnetconfigent(transp
->xp_netid
)) == NULL
) {
76 nc_perror("getnetconfigent(transp->xp_netid)");
80 if ((__netdir_getbyaddr_nosrv(nconfp
, &hservlistp
, &transp
->xp_rtaddr
)
81 != 0) || (hservlistp
== NULL
)) {
83 netdir_perror("netdir_getbyaddr(transp->xp_rtaddr)");
89 for (i
= 0; (i
< hservlistp
->h_cnt
); ++i
) {
90 struct nd_hostserv
*hservp
= &hservlistp
->h_hostservs
[i
];
91 char *hostname
= hservp
->h_host
;
93 inplace
= strdup(hostname
);
96 if (strcmp(hostname
, mynode()) == 0) {
101 /* check for remote root access */
102 if (ruserok(hostname
, 1, "root", "root") == 0) {
107 sdssc_cm_nm2nid(inplace
);
108 if (strcmp(inplace
, hostname
)) {
111 * If the names are now different it indicates
112 * that hostname was converted to a nodeid. This
113 * will only occur if hostname is part of the same
114 * cluster that the current node is in.
115 * If the machine is not running in a cluster than
116 * sdssc_cm_nm2nid is a noop which leaves inplace
124 /* cleanup, return success */
128 if (hservlistp
!= NULL
)
129 netdir_free(hservlistp
, ND_HOSTSERVLIST
);
136 * check for user in local group 14
147 /* get user info, check default GID */
148 if ((pwp
= getpwuid(uid
)) == NULL
)
150 if (pwp
->pw_gid
== METAD_GID
)
154 if ((grp
= getgrgid(METAD_GID
)) == NULL
)
156 for (namep
= grp
->gr_mem
; ((*namep
!= NULL
) && (**namep
!= '\0'));
158 if (strcmp(*namep
, pwp
->pw_name
) == 0)
169 struct svc_req
*rqstp
, /* RPC stuff */
170 int amode
, /* R_OK | W_OK */
171 md_error_t
*ep
/* returned status */
174 static mutex_t mx
= DEFAULTMUTEX
;
175 struct authsys_parms
*sys_credp
;
177 /* for read, anything is OK */
178 if (! (amode
& W_OK
))
181 /* single thread (not really needed if daemon stays single threaded) */
182 (void) mutex_lock(&mx
);
184 /* check for remote root or METAD_GID */
186 sys_credp
= (struct authsys_parms
*)rqstp
->rq_clntcred
;
187 if ((check_gid14(sys_credp
->aup_uid
) == 0) ||
188 (check_host(rqstp
) == 0)) {
189 (void) mutex_unlock(&mx
);
194 (void) mutex_unlock(&mx
);
195 return (mdsyserror(ep
, EACCES
, "rpc.metad"));
201 * if can't authenticate return < 0
202 * any other error return > 0
206 struct svc_req
*rqstp
, /* RPC stuff */
207 int amode
, /* R_OK | W_OK */
208 md_error_t
*ep
/* returned status */
213 if (sdssc_bind_library() == SDSSC_ERROR
) {
214 (void) mdsyserror(ep
, EACCES
, "can't bind to cluster library");
219 * if we have no rpc service info, we must have been
220 * called recursively from within the daemon
230 transp
= rqstp
->rq_xprt
;
231 assert(transp
!= NULL
);
237 switch (rqstp
->rq_cred
.oa_flavor
) {
242 if (check_sys(rqstp
, amode
, ep
) != 0)
243 return (1); /* error */
247 /* can't authenticate anything else */
249 svcerr_weakauth(transp
);
250 return (-1); /* weak authentication */
256 if (md_init_daemon("rpc.metad", ep
) != 0)
257 return (1); /* error */
270 svc_fini(md_error_t
*ep
)
277 int amode
, /* R_OK | W_OK */
278 md_setkey_t
*cl_sk
, /* clients idea of set locked */
279 md_error_t
*ep
/* returned status */
287 svc_sk
= svc_get_setkey(cl_sk
->sk_setno
);
289 /* The set is not locked */
290 if (svc_sk
== NULL
) {
291 if ((amode
& W_OK
) == W_OK
) {
292 (void) mddserror(ep
, MDE_DS_WRITEWITHSULK
,
293 cl_sk
->sk_setno
, mynode(), NULL
, cl_sk
->sk_setname
);
299 /* The set is locked, do we have the key? */
300 if (cl_sk
->sk_key
.tv_sec
== svc_sk
->sk_key
.tv_sec
&&
301 cl_sk
->sk_key
.tv_usec
== svc_sk
->sk_key
.tv_usec
)
304 (void) mddserror(ep
, MDE_DS_SETLOCKED
, MD_SET_BAD
, mynode(),
305 svc_sk
->sk_host
, svc_sk
->sk_setname
);