Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tighten up diod configuration and initialization #133

Merged
merged 10 commits into from
Jan 29, 2025
Merged

tighten up diod configuration and initialization #133

merged 10 commits into from
Jan 29, 2025

Conversation

garlick
Copy link
Member

@garlick garlick commented Jan 21, 2025

This tidies up the initialization code in the diod mainline and causes some of its critical choices to be logged so it's more obvious how it will be operating. For example, systemd status diod shows the following on my system:

$ systemctl status diod
● diod.service - 9P File Server
     Loaded: loaded (/lib/systemd/system/diod.service; enabled; vendor preset: enable>
     Active: active (running) since Mon 2025-01-20 19:17:11 PST; 12min ago
   Main PID: 3914040 (diod)
      Tasks: 10 (limit: 76971)
     Memory: 664.0K
        CPU: 2ms
     CGroup: /system.slice/diod.service
             └─3914040 /usr/sbin/diod

Jan 20 19:17:11 system76-pc systemd[1]: Starting 9P File Server...
Jan 20 19:17:11 system76-pc systemd[1]: Started 9P File Server.
Jan 20 19:17:11 system76-pc diod[3914040]: Listening on 0.0.0.0:564
Jan 20 19:17:11 system76-pc diod[3914040]: Anyone can attach and access files as themselves
Jan 20 19:17:11 system76-pc diod[3914040]: MUNGE authentication is required

Versus when I start diod manually as a regular user:

$ ./diod -E -l 0.0.0.0:88888
Listening on 0.0.0.0:88888
Only garlick can attach and access files as garlick
MUNGE authentication is required

In addition, the handling of some configure outcomes was a bit loose. For example, if munge wasn't found, authentication was silently disabled. This fixes those issues.

garlick added 10 commits January 20, 2025 09:02
@garlick
diod: don't cache effective uid
cce7b2d 
Problem: diod caches the result of geteuid (), which requires a reader
of the code to mentally track whether the euid changed since it was
cached.

There is likely no benefit in avoiding repeated calls to geteuid ().
Just do that.
@garlick
diod: log user transition and simplify code
d093411 
Problem: when diod starts, it may not be clear whether it is running as
root or not.  Also the code for making the transition is a over-complicated.

Log a message after the transition.

To simplify
- use getpwnam() and getpwuid() instead of thread-safe versions
- short-circuit no-op transition from root to root
- drop an unused parameter from the internal function.
- improve inline comments.
@garlick
diod: use setgroups() on linux for transition
06e325b 
Problem: when diod drops root and loads the credentials of another
user, it calls SYS_setgroups (per-thread) instead of setgroups()
(per-process) on Linux, but this call should be for the whole process.

Use setgroups().
@garlick
diod: log access policy
4684e5c 
Problem: when diod starts, it may not be clear which access policy
has been enacted.

Log it.
@garlick
build: adjust multi-user configuration options
a474d34 
Problem: the --enable-impersonation=TYPE arguments and platform defaults
are a little complex for this niche case.

Replace with two binary options:
 --disable-multiuser  to disable multi-user support
 --with-ganesha-kmod  to use FreeBSD nfs-ganesha-kmod for multi-user support

At this point FreeBSD users making a server-only multi-user build would use
  configure --disable-diodmount --with-ganesha-kmod
@garlick
diod: refactor startup logic for clarity
fb4a588 
Problem: diod's three distinct modes of operation (allsquash, runasuser,
and multiuser) are hard to discern in diod's startup logic.

Refactor this code so that initialization occurs in distinct sections.
@garlick
diod: make multi-user initialization errors fatal
45ae4ac 
Problem: if multi-user mode is selected and diod is configured with
--disable-multiuser or if ganesha initialization fails, the server
still starts, which could lead to privilege escalation for clients.

Make those errors fatal.
@garlick
diod: require --no-auth if not build with munge
4b04d68 
Problem: If diod is configured to require authentication, but
was built without munge support, it still runs.

Make that a fatal error.
Log a message if users will be allowed to connect without authentication.
@garlick
build: don't just warn if munge is missing
729830b 
Problem: if munge is not found by configure, diod is silently
built without authentication support.

Make that a hard error unless configured with --disable-auth.
Also, use pkg-config to find munge.

Drop a GPL_LICENSED declaration in front of the munge.h include
directive.  The munge license has changed to LGPL and this is no
longer necessary.
@garlick
build: don't just warn if libcap is missing
9126275 
Problem: if libcap is not found by configure but multi-user is
enabled, diod runs without it, leading to test failures noted
in chaos#103.

Make that a hard error unless configured with --disable-multiuser.
Also, use pkg-config to find libcap.

Don't build the libnpfs/capability unit test if multi-user is disabled.
@garlick garlick changed the title tighten up diod initialization tighten up diod configuration and initialization Jan 22, 2025
grondo
grondo approved these changes Jan 29, 2025
View reviewed changes
Copy link
Member

@grondo grondo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@garlick
Copy link
Member Author

garlick commented Jan 29, 2025

Thanks!

@mergify mergify bot merged commit ecc22bf into chaos:master Jan 29, 2025
6 checks passed
@garlick garlick deleted the diod_init branch January 29, 2025 05:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grondo grondo grondo approved these changes

Assignees
No one assigned
Labels
merge-when-passing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@garlick @grondo