Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Remove "insecure" NFS export requirement, /etc/ksh.kshrc+misc, 2024-03-27
Posted by Anonymous on Wed 27th Mar 2024 16:43
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From 9c5fb530ae6653bc0e4a8681cee237d06e8be9ff Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 27 Mar 2024 16:23:05 +0100 Subject: [PATCH 1/4] libtirpc: Support for Win32 privileged port reservation (TCP port < 1024) Add support for Win32 (privileged) TCP port reservation via |SIO_ACQUIRE_PORT_RESERVATION|/|SIO_ASSOCIATE_PORT_RESERVATION|, so we can use a TCP port < 1024. This allows us to use NFS server export WITHOUT the "insecure" export option. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/README.bintarball.txt | 18 ++-- libtirpc/src/bindresvport.c | 174 ++++++++++++++++++++++++++++++----- 2 files changed, 156 insertions(+), 36 deletions(-) diff --git a/cygwin/README.bintarball.txt b/cygwin/README.bintarball.txt index b1b66e0..9fa5222 100644 --- a/cygwin/README.bintarball.txt +++ b/cygwin/README.bintarball.txt @@ -129,10 +129,6 @@ $ (set -o xtrace ; cd / && tar -tf ~/download/${bintarball.base_filename}.tar.bz $ /sbin/msnfs41client run_daemon # Mount a filesystem and use it -# - requires that NFSv4 server accepts connections from a TCP port -# number > 1024, which can be archived on Linux with the "insecure" -# export option in /etc/exports, or "resvport" on Solaris/Illumos -# (see nfs(5)) $ /sbin/nfs_mount -o rw N 10.49.20.110:/net_tmpfs2 Successfully mounted '10.49.20.110@2049' to drive 'N:' $ cd /cygdrive/n/ @@ -230,15 +226,15 @@ $ /sbin/nfs_mount A::EVERYONE@:rtcy ---- snip ---- -- nfs_mount only works when the NFSv4 server allows connections from - ports >= 1024, as Windows does not allow the Windows NFSv4 client - to use a "privileged port" (i.e. TCP port number < 1024)). +- nfs_mount.exe vs. reserved ports: By default the NFSv4 server on Solaris, Illumos, Linux etc. only accepts connections if the NFSv4 client uses a - "privileged (TCP) port", i.e. a port number < 1024. - This can be worked around by using the "insecure" export option in - Linux /etc/exports, which allows connections from ports >= 1024, - and for Solaris/Illumos see nfs(5), option "resvport". + "privileged (TCP) port", i.e. using a TCP port number < 1024. + If nfsd.exe/nfsd_debug.exe is started without the Windows priviledge + to use reserved ports, then a mount attempt can fail. + This can be worked around on the NFSv4 server side - on Linux using + the "insecure" export option in /etc/exports and on Solaris/Illumos + using export option "resvport" (see nfs(5)). # diff --git a/libtirpc/src/bindresvport.c b/libtirpc/src/bindresvport.c index 01d1921..bf92ff6 100644 --- a/libtirpc/src/bindresvport.c +++ b/libtirpc/src/bindresvport.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2009, Sun Microsystems, Inc. + * Copyright (c) 2024, Roland Mainz <roland.mainz@nrubsig.org> * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -32,20 +33,30 @@ * Copyright (c) 1987 by Sun Microsystems, Inc. * * Portions Copyright(C) 1996, Jason Downs. All rights reserved. + * Portions Copyright(C) 2024, Roland Mainz <roland.mainz@nrubsig.org> */ #include <wintirpc.h> #include <sys/types.h> -//#include <sys/socket.h> - -//#include <netinet/in.h> +#ifndef _WIN32 +#include <sys/socket.h> +#include <netinet/in.h> +#endif #include <errno.h> #include <string.h> -//#include <unistd.h> +#ifndef _WIN32 +#include <unistd.h> +#endif #include <rpc/rpc.h> +#ifdef _WIN32 +#include <winsock2.h> +#include <mstcpip.h> +#include <ws2ipdef.h> +#endif + /* * Bind a socket to a privileged IP port */ @@ -139,18 +150,147 @@ bindresvport_sa(sd, sa) return (res); } +#elif defined(_WIN32) + +#define STARTPORT 600 +#define ENDPORT (IPPORT_RESERVED - 1) +#define NPORTS (ENDPORT - STARTPORT + 1) + +/* Debug */ +#if 0 +#define BRP_D(x) x #else -/*---------------------- -#if defined(_WIN32) +#define BRP_D(x) +#endif + +/* fixme: not threadsafe, we should use |portnum_lock| */ +static int bindresvport_sa_last_n = 0; int bindresvport_sa(int sd, struct sockaddr *sa) { - fprintf(stderr, "Do-nothing bindresvport_sa!\n"); - return 0; + int res = 1; + int ioctlres; + int lasterr; + SOCKET sd_sock; + int currport; + int n; + + INET_PORT_RANGE portRange; + INET_PORT_RESERVATION_INSTANCE portRes; + DWORD bytesReturned; + + BRP_D((void)fprintf(stdout, + "--> bindresvport_sa(sd=%d,sa=0x%p): " + "bindresvport_sa_last_n=%d\n", + sd, sa, bindresvport_sa_last_n)); + + sd_sock = _get_osfhandle(sd); + + for (n = 0 ; n < NPORTS ; n++) { + currport = ((n+bindresvport_sa_last_n)%NPORTS)+STARTPORT; + + portRange.StartPort = htons(currport); + portRange.NumberOfPorts = 1; + + (void)memset(&portRes, 0, sizeof(portRes)); + bytesReturned = 0; + + BRP_D((void)fprintf(stdout, + "bindresvport_sa(sd=%d,sa=0x%p): " + "trying n=%d, bindresvport_sa_last_n=%d, port=%d ...\n", + sd, sa, n, bindresvport_sa_last_n, + (int)ntohs(portRange.StartPort))); + ioctlres = WSAIoctl(sd_sock, + SIO_ACQUIRE_PORT_RESERVATION, + (LPVOID)&portRange, + sizeof(INET_PORT_RANGE), + (LPVOID)&portRes, + sizeof(INET_PORT_RESERVATION_INSTANCE), + &bytesReturned, NULL, NULL); + lasterr = WSAGetLastError(); + + if ((ioctlres != 0) && (lasterr == WSAEADDRINUSE)) { + BRP_D((void)fprintf(stderr, + "bindresvport_sa(sd=%d,sa=0x%p): " + "port=%d in use, trying next port...\n", + sd, sa, currport)); + continue; + } + + if (ioctlres != 0) { + warnx("bindresvport_sa(sd=%d,sa=0x%p): " + "SIO_ACQUIRE_PORT_RESERVATION failed " + "with error = %d\n", + sd, sa, lasterr); + res = 1; + bindresvport_sa_last_n = n+1; + goto out; + } + + /* Success */ + bindresvport_sa_last_n = n+1; + break; + } + + if (n == NPORTS) { + warnx("bindresvport_sa(sd=%d,sa=0x%p): " + "n(=%d) == NPORTS(=%d), " + "no reserved port available\n", n, NPORTS); + res = 1; + goto out; + } + + BRP_D((void)fprintf(stdout, "bindresvport_sa(sd=%d,sa=0x%p): " + "SIO_ACQUIRE_PORT_RESERVATION succeeded, " + "bytesReturned = %u, StartPort=%d, NumberOfPorts=%d, " + "Token=0x%llx\n", + sd, sa, bytesReturned, (int)ntohs(portRes.StartPort), + portRes.NumberOfPorts, (long long)portRes.Token)); + + bytesReturned = 0; + ioctlres = WSAIoctl(sd_sock, SIO_ASSOCIATE_PORT_RESERVATION, + (LPVOID)&portRes.Token, sizeof(ULONG64), NULL, 0, + &bytesReturned, NULL, NULL); + lasterr = WSAGetLastError(); + if (ioctlres != 0) { + warnx("bindresvport_sa(sd=%d,sa=0x%p): " + "WSAIoctl(SIO_ASSOCIATE_PORT_RESERVATION) " + "failed with error = %d\n", + sd, sa, lasterr); + res = 1; + goto out; + } + + BRP_D((void)fprintf(stdout, "bindresvport_sa(sd=%d,sa=0x%p): " + "WSAIoctl(SIO_ASSOCIATE_PORT_RESERVATION) succeeded, " + "bytesReturned = %u\n", + sd, sa, bytesReturned)); + res = 0; + + /* + * FIXME: We should call |SIO_RELEASE_PORT_RESERVATION|, + * but we cannot do that while |sd| is open and using the + * reservation. + * So basically we to store the token, and then use a second + * socket, with matching protocol&co attributes, just to + * release the reservation. + * + * A possible solution might be to derive a "control socket" + * from |sd|, and do the reservation ioctl using that socket. + * + * For now we ignore this, and assume noone will do more + * than |NPORTS| { mount, umount }-sequences during + * nfsd.exe/nfsd_debug.exe lifetime + */ +out: + BRP_D((void)fprintf(stdout, + "<-- bindresvport_sa(sd=%d,sa=0x%p) returning res=%d\n", + sd, sa, res)); + return res; } #else --------------------------*/ + #define IP_PORTRANGE 19 #define IP_PORTRANGE_LOW 2 @@ -174,29 +314,16 @@ bindresvport_sa(sd, sa) int proto, portrange, portlow; u_int16_t *portp; socklen_t salen; -#ifdef _WIN32 - WSAPROTOCOL_INFO proto_info; - int proto_info_size = sizeof(proto_info); -#endif if (sa == NULL) { salen = sizeof(myaddr); sa = (struct sockaddr *)&myaddr; -#ifdef _WIN32 - memset(sa, 0, salen); - if (error = wintirpc_getsockopt(sd, SOL_SOCKET, SO_PROTOCOL_INFO, (char *)&proto_info, &proto_info_size) == SOCKET_ERROR) { - int sockerr = WSAGetLastError(); - return -1; - } - af = proto_info.iAddressFamily; -#else if (wintirpc_getsockname(sd, sa, &salen) == -1) return -1; /* errno is correctly set */ af = sa->sa_family; memset(sa, 0, salen); -#endif } else af = sa->sa_family; @@ -268,7 +395,4 @@ bindresvport_sa(sd, sa) #endif return (error); } -/* -#endif -*/ #endif \ No newline at end of file -- 2.43.0 From a569d097ddc20a90e9694fd14d0d1f61ca6a86ce Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 27 Mar 2024 16:28:25 +0100 Subject: [PATCH 2/4] cygwin: Makefile should use "sync" use "sync" when finishing the "build", "installdest" etc targets, so fast turnarounds followed with a Windows kernel crash do not corrupt the scripts&binaries we just installed. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cygwin/Makefile b/cygwin/Makefile index 792d512..bf3c5ba 100644 --- a/cygwin/Makefile +++ b/cygwin/Makefile @@ -32,6 +32,7 @@ build: MSBuild.exe '$(shell cygpath -w "$(PROJECT_BASEDIR_DIR)/build.vc19/nfs41-client.sln")' -t:Build -p:Configuration=Release -p:Platform=x64 MSBuild.exe '$(shell cygpath -w "$(PROJECT_BASEDIR_DIR)/build.vc19/nfs41-client.sln")' -t:Build -p:Configuration=Debug -p:Platform=x64 (cd "$(PROJECT_BASEDIR_DIR)/tests/winfsinfo1" && make all) + sync # # clean target @@ -114,6 +115,7 @@ installdest: $(VS_BUILD_DIR)/nfsd.exe \ @printf '\n' @printf "\n#\n# Now use\n# $$ cd '%s' && ./msnfs41client install #\n# to install the kernel driver as Admin\n#\n" \ "$(DESTDIR)/cygdrive/c/cygwin64/sbin/" + sync bintarball: installdest set -o errexit ; set -o xtrace ; \ @@ -133,6 +135,7 @@ bintarball: installdest printf "\n#\n# tarball is ready now\n#\n" ; \ ls -l "$(DESTDIR)/$${base_filename}.tar.bz2" ; \ ls -l "$(DESTDIR)/$${base_filename}.readme" + sync # # clean destdir/, but only if nfsd*.exe does not use it right now -- 2.43.0 From a25b4b222c0f70d2992a083cd7a0a4a05eb2eecb Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 27 Mar 2024 16:53:52 +0100 Subject: [PATCH 3/4] cygwin: ksh93 should have Cygwin-like /etc/ksh.kshrc which sets PS1 ksh93 should have Cygwin-like /etc/ksh.kshrc which sets PS1 Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/Makefile | 2 ++ cygwin/cygwin_ksh93/ksh.kshrc | 8 ++++++++ cygwin/cygwin_ksh93/ksh93.cygport | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 cygwin/cygwin_ksh93/ksh.kshrc diff --git a/cygwin/Makefile b/cygwin/Makefile index bf3c5ba..a2fcd24 100644 --- a/cygwin/Makefile +++ b/cygwin/Makefile @@ -63,6 +63,7 @@ installdest: $(VS_BUILD_DIR)/nfsd.exe \ # /usr/lib is a bind mount to C:/cygwin64/lib, so copy library data to /cygdrive/c/cygwin64/lib mkdir -p $(DESTDIR)/cygdrive/c/cygwin64/lib mkdir -p $(DESTDIR)/cygdrive/c/cygwin64/lib/msnfs41client + mkdir -p $(DESTDIR)/cygdrive/c/cygwin64/etc mkdir -p $(DESTDIR)/cygdrive/c/cygwin64/usr/src/msnfs41client mkdir -p $(DESTDIR)/cygdrive/c/cygwin64/usr/share/man/man1 cp -r $(VS_BUILD_DIR)/nfsd.exe $(DESTDIR)/cygdrive/c/cygwin64/sbin/nfsd_debug.exe @@ -99,6 +100,7 @@ installdest: $(VS_BUILD_DIR)/nfsd.exe \ @ printf "# Package ksh93&co (if available) since Cygwin does not ship with it yet\n" [[ -x /usr/bin/ksh93.exe ]] && cp /usr/bin/ksh93.exe $(DESTDIR)/cygdrive/c/cygwin64/bin/ksh93.exe [[ -x /usr/bin/shcomp.exe ]] && cp /usr/bin/shcomp.exe $(DESTDIR)/cygdrive/c/cygwin64/bin/shcomp.exe + cp $(PROJECT_BASEDIR_DIR)/cygwin/cygwin_ksh93/ksh.kshrc $(DESTDIR)/cygdrive/c/cygwin64/etc/ksh.kshrc @ printf '# Packaging libs\n' ldd $$(find $(DESTDIR)/cygdrive/c/cygwin64/sbin/ -iname \*.exe -o -iname \*.dll) | \ while read dummy1 dummy2 dllfile dummy3 ; do \ diff --git a/cygwin/cygwin_ksh93/ksh.kshrc b/cygwin/cygwin_ksh93/ksh.kshrc new file mode 100644 index 0000000..5e12602 --- /dev/null +++ b/cygwin/cygwin_ksh93/ksh.kshrc @@ -0,0 +1,8 @@ +# +# /etc/ksh.kshrc+~/.kshrc are sourced only for interactive shells +# + +# default prompt +PS1=$'\E[1;32m$(/usr/bin/logname)@$(/usr/bin/hostname) \E[1;33m${PWD/~(Sl-r)$HOME/"~"}\E[0m\n$ ' +# default editor mode +set -o gmacs diff --git a/cygwin/cygwin_ksh93/ksh93.cygport b/cygwin/cygwin_ksh93/ksh93.cygport index 9913330..b8d13fe 100644 --- a/cygwin/cygwin_ksh93/ksh93.cygport +++ b/cygwin/cygwin_ksh93/ksh93.cygport @@ -259,7 +259,7 @@ src_compile() { printf '#\n# /etc/ksh.kshrc+~/.kshrc are sourced only for interactive shells\n#\n\n' printf '# default prompt\n' - printf 'PS1=%q\n' $'\E[32m$(/usr/bin/logname)@$(/usr/bin/hostname) \E[33m${PWD/~(Sl-r)$HOME/"~"}\E[0m\n$ ' + printf 'PS1=%q\n' $'\E[1;32m$(/usr/bin/logname)@$(/usr/bin/hostname) \E[1;33m${PWD/~(Sl-r)$HOME/"~"}\E[0m\n$ ' printf '# default editor mode\n' printf 'set -o gmacs\n' } >${S}/etc_ksh_kshrc -- 2.43.0 From 3b247f24697b93440e05372ba6ceac17657049f3 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 27 Mar 2024 17:34:40 +0100 Subject: [PATCH 4/4] cygwin: Add comments about UNC+ACL support to bintarball README Add comments about UNC+ACL support to cygwin bintarball README Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/README.bintarball.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cygwin/README.bintarball.txt b/cygwin/README.bintarball.txt index 9fa5222..cc275d1 100644 --- a/cygwin/README.bintarball.txt +++ b/cygwin/README.bintarball.txt @@ -39,12 +39,18 @@ NFSv4.1 client and filesystem driver for Windows 10/11 - UNC paths - IPv6 support in UNC paths + - /sbin/nfs_mount prints UNC paths in Win32+Cygwin formats + - Cygwin bash+ksh93 support UNC paths, e.g. + cd //derfwnb4966@2049/nfs4/bigdisk/mysqldb4/ - IPv6 support - IPv6 address within '[', ']' (will be converted to *.ipv6-literal.net) - Windows ACLs + - Win32 C:\Windows\system32\icacls.exe + - Cygwin /usr/bin/setfacl+/usr/bin/getfacl + - Windows Explorer ACL dialog - SFU/Cygwin support, including: - uid/gid -- 2.43.0

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at