mirror of
https://github.com/torvalds/linux.git
synced 2024-11-24 05:02:12 +00:00
3db38ed768
Adjusts for ReST markup and moves under keys security devel index. Cc: David Howells <dhowells@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
76 lines
3.3 KiB
Plaintext
76 lines
3.3 KiB
Plaintext
|
|
=========
|
|
ID Mapper
|
|
=========
|
|
Id mapper is used by NFS to translate user and group ids into names, and to
|
|
translate user and group names into ids. Part of this translation involves
|
|
performing an upcall to userspace to request the information. There are two
|
|
ways NFS could obtain this information: placing a call to /sbin/request-key
|
|
or by placing a call to the rpc.idmap daemon.
|
|
|
|
NFS will attempt to call /sbin/request-key first. If this succeeds, the
|
|
result will be cached using the generic request-key cache. This call should
|
|
only fail if /etc/request-key.conf is not configured for the id_resolver key
|
|
type, see the "Configuring" section below if you wish to use the request-key
|
|
method.
|
|
|
|
If the call to /sbin/request-key fails (if /etc/request-key.conf is not
|
|
configured with the id_resolver key type), then the idmapper will ask the
|
|
legacy rpc.idmap daemon for the id mapping. This result will be stored
|
|
in a custom NFS idmap cache.
|
|
|
|
|
|
===========
|
|
Configuring
|
|
===========
|
|
The file /etc/request-key.conf will need to be modified so /sbin/request-key can
|
|
direct the upcall. The following line should be added:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap.
|
|
The last parameter, 600, defines how many seconds into the future the key will
|
|
expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout
|
|
is not specified, nfs.idmap will default to 600 seconds.
|
|
|
|
id mapper uses for key descriptions:
|
|
uid: Find the UID for the given user
|
|
gid: Find the GID for the given group
|
|
user: Find the user name for the given UID
|
|
group: Find the group name for the given GID
|
|
|
|
You can handle any of these individually, rather than using the generic upcall
|
|
program. If you would like to use your own program for a uid lookup then you
|
|
would edit your request-key.conf so it look similar to this:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver uid:* * /some/other/program %k %d 600
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
Notice that the new line was added above the line for the generic program.
|
|
request-key will find the first matching line and corresponding program. In
|
|
this case, /some/other/program will handle all uid lookups and
|
|
/usr/sbin/nfs.idmap will handle gid, user, and group lookups.
|
|
|
|
See <file:Documentation/security/keys/request-key.rst> for more information
|
|
about the request-key function.
|
|
|
|
|
|
=========
|
|
nfs.idmap
|
|
=========
|
|
nfs.idmap is designed to be called by request-key, and should not be run "by
|
|
hand". This program takes two arguments, a serialized key and a key
|
|
description. The serialized key is first converted into a key_serial_t, and
|
|
then passed as an argument to keyctl_instantiate (both are part of keyutils.h).
|
|
|
|
The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap
|
|
determines the correct function to call by looking at the first part of the
|
|
description string. For example, a uid lookup description will appear as
|
|
"uid:user@domain".
|
|
|
|
nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise.
|