Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
nfs-utils.18671
0183-mountd-add-logging-for-authentication-resu...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0183-mountd-add-logging-for-authentication-results-for-ac.patch of Package nfs-utils.18671
From 98b8652192765f19eb4b169641986b0c86733e38 Mon Sep 17 00:00:00 2001 From: NeilBrown <neil@brown.name> Date: Fri, 19 Feb 2021 11:57:02 +1100 Subject: [PATCH] mountd: add logging for authentication results for accesses. When NFSv3 is used to mount a filesystem, success/failure messages are logged by mountd and can be used for auditing. When NFSv4 is used, there is no distinct "MOUNT" request, and nothing is logged. We can instead log authentication requests from the kernel. These will happen regularly - typically every 15 minutes of ongoing access - so they may be too noisy, or might be more useful. As they might not be wanted, make them selectable with the "AUTH" facility in xlog(). Add a "-l" to enable these logs. Alternately "debug = auth" will have the same effect. Signed-off-by: NeilBrown <neil@brown.name> --- utils/mountd/cache.c | 42 +++++++++++++++++++++++++++++------------- utils/mountd/mountd.c | 7 ++++++- utils/mountd/mountd.man | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+), 14 deletions(-) --- a/utils/mountd/cache.c +++ b/utils/mountd/cache.c @@ -109,6 +109,15 @@ static void auth_unix_ip(FILE *f) client = client_compose(ai); freeaddrinfo(ai); } + if (!client) + xlog(D_AUTH, "failed authentication for IP %s", ipaddr); + else if (!use_ipaddr) + xlog(D_AUTH, "successful authentication for IP %s as %s", + ipaddr, *client ? client : "DEFAULT"); + else + xlog(D_AUTH, "successful authentication for IP %s", + ipaddr); + qword_print(f, "nfsd"); qword_print(f, ipaddr); qword_printtimefrom(f, DEFAULT_TTL); @@ -725,6 +734,8 @@ static void nfsd_fh(FILE *f) if (found) qword_print(f, found_path); qword_eol(f); + if (!found) + xlog(D_AUTH, "denied access to %s", *dom == '$' ? dom+1 : dom); out: if (found_path) free(found_path); @@ -792,20 +803,25 @@ static int dump_to_cache(FILE *f, char * qword_printint(f, exp->e_fsid); write_fsloc(f, exp); write_secinfo(f, exp, flag_mask); - if (exp->e_uuid == NULL || different_fs) { - char u[16]; - if (uuid_by_path(path, 0, 16, u)) { - qword_print(f, "uuid"); - qword_printhex(f, u, 16); - } - } else { - char u[16]; - get_uuid(exp->e_uuid, 16, u); - qword_print(f, "uuid"); - qword_printhex(f, u, 16); - } - } else + if (exp->e_uuid == NULL || different_fs) { + char u[16]; + if (uuid_by_path(path, 0, 16, u)) { + qword_print(f, "uuid"); + qword_printhex(f, u, 16); + } + } else { + char u[16]; + get_uuid(exp->e_uuid, 16, u); + qword_print(f, "uuid"); + qword_printhex(f, u, 16); + } + xlog(D_AUTH, "granted access to %s for %s", + path, *domain == '$' ? domain+1 : domain); + } else { qword_printtimefrom(f, DEFAULT_TTL); + xlog(D_AUTH, "denied access to %s for %s", + path, *domain == '$' ? domain+1 : domain); + } return qword_eol(f); } --- a/utils/mountd/mountd.c +++ b/utils/mountd/mountd.c @@ -69,8 +69,10 @@ static struct option longopts[] = { "reverse-lookup", 0, 0, 'r' }, { "manage-gids", 0, 0, 'g' }, { "no-udp", 0, 0, 'u' }, + { "log-auth", 0, 0, 'l'}, { NULL, 0, 0, 0 } }; +static char shortopts[] = "o:nFd:f:p:P:hH:N:V:vurs:t:gl"; #define NFSVERSBIT(vers) (0x1 << (vers - 1)) #define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4)) @@ -709,7 +711,7 @@ main(int argc, char **argv) /* Parse the command line options and arguments. */ opterr = 0; - while ((c = getopt_long(argc, argv, "o:nFd:f:p:P:hH:N:V:vurs:t:g", longopts, NULL)) != EOF) + while ((c = getopt_long(argc, argv, shortopts, longopts, NULL)) != EOF) switch (c) { case 'g': manage_gids = 1; @@ -786,6 +788,9 @@ main(int argc, char **argv) case 'u': NFSCTL_UDPUNSET(_rpcprotobits); break; + case 'l': + xlog_sconfig("auth", 1); + break; case 0: break; case '?': --- a/utils/mountd/mountd.man +++ b/utils/mountd/mountd.man @@ -13,6 +13,8 @@ The .B rpc.mountd daemon implements the server side of the NFS MOUNT protocol, an NFS side protocol used by NFS version 2 [RFC1094] and NFS version 3 [RFC1813]. +It also responds to requests from the Linux kernel to authenticate +clients and provides details of access permissions. .PP An NFS server maintains a table of local physical file systems that are accessible to NFS clients. @@ -78,11 +80,44 @@ A client may continue accessing an expor If the client reboots without sending a UMNT request, stale entries remain for that client in .IR /var/lib/nfs/rmtab . +.SS Mounting File Systems with NFSv4 +Version 4 (and later) of NFS does not use a separate NFS MOUNT +protocol. Instead mounting is performed using regular NFS requests +handled by the NFS server in the Linux kernel +.RI ( nfsd ). +When +.I nfsd +needs to confirm if a client has access to a particular filesystem, it +communicates with +.B rpc.mountd +to authenticate the client and to then determine what access that client +has to a given filesystem. .SH OPTIONS .TP .B \-d kind " or " \-\-debug kind Turn on debugging. Valid kinds are: all, auth, call, general and parse. .TP +.BR \-l " or " \-\-log\-auth +Enable logging of responses to authentication and access requests from +nfsd. Each response is then cached by the kernel for 30 minutes, and +will be refreshed after 15 minutes if the relevant client remains +active. +Note that +.B -l +is equivalent to +.B "-d auth" +and so can be enabled in +.B /etc/nfs.conf +with +.B "\[dq]debug = auth\[dq]" +in the +.B "[mountd]" +section. +.IP +.B rpc.mountd +will always log authentication responses to MOUNT requests when NFSv3 is +used, but to get similar logs for NFSv4, this option is required. +.TP .B \-F " or " \-\-foreground Run in foreground (do not daemonize) .TP @@ -272,5 +307,9 @@ table of clients accessing server's expo RFC 1094 - "NFS: Network File System Protocol Specification" .br RFC 1813 - "NFS Version 3 Protocol Specification" +.br +RFC 7530 - "Network File System (NFS) Version 4 Protocol" +.br +RFC 8881 - "Network File System (NFS) Version 4 Minor Version 1 Protocol" .SH AUTHOR Olaf Kirch, H. J. Lu, G. Allan Morris III, and a host of others.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor