| 1 | This patch adds a "name converter" daemon option that allows you |
| 2 | to specify a user-/group- name converter program that converts |
| 3 | between ID numbers and names. This only works in daemon mode, |
| 4 | and is useful for both chroot use (since the converter runs |
| 5 | outside the chroot) or to specify a converter that doesn't use |
| 6 | the normal passwd/group setup. |
| 7 | |
| 8 | The converter must use a null char ('\0') as the line terminator |
| 9 | for input/output on stdin/stdout. A sample converter written in |
| 10 | perl is supplied in the support dir: nameconvert. To use it, |
| 11 | specify this daemon option: |
| 12 | |
| 13 | name converter = /path/nameconvert |
| 14 | |
| 15 | If /path/ is omitted, the script will be found on the $PATH. |
| 16 | |
| 17 | To use this patch, run these commands for a successful build: |
| 18 | |
| 19 | patch -p1 <patches/nameconverter.diff |
| 20 | ./configure (optional if already run) |
| 21 | make |
| 22 | |
| 23 | based-on: 181c9faf928faad08ef095f4667afe460ec3bef6 |
| 24 | diff --git a/clientserver.c b/clientserver.c |
| 25 | --- a/clientserver.c |
| 26 | +++ b/clientserver.c |
| 27 | @@ -67,6 +67,7 @@ extern iconv_t ic_send, ic_recv; |
| 28 | char *auth_user; |
| 29 | int read_only = 0; |
| 30 | int module_id = -1; |
| 31 | +pid_t namecvt_pid = 0; |
| 32 | struct chmod_mode_struct *daemon_chmod_modes; |
| 33 | |
| 34 | /* module_dirlen is the length of the module_dir string when in daemon |
| 35 | @@ -78,6 +79,7 @@ unsigned int module_dirlen = 0; |
| 36 | char *full_module_path; |
| 37 | |
| 38 | static int rl_nulls = 0; |
| 39 | +static int namecvt_fd_req = -1, namecvt_fd_ans = -1; |
| 40 | |
| 41 | #ifdef HAVE_SIGACTION |
| 42 | static struct sigaction sigact; |
| 43 | @@ -643,7 +645,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char |
| 44 | log_init(1); |
| 45 | |
| 46 | #ifdef HAVE_PUTENV |
| 47 | - if (*lp_prexfer_exec(i) || *lp_postxfer_exec(i)) { |
| 48 | + if (*lp_prexfer_exec(i) || *lp_postxfer_exec(i) || *lp_name_converter(i)) { |
| 49 | char *modname, *modpath, *hostaddr, *hostname, *username; |
| 50 | int status; |
| 51 | |
| 52 | @@ -732,6 +734,44 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char |
| 53 | set_blocking(fds[1]); |
| 54 | pre_exec_fd = fds[1]; |
| 55 | } |
| 56 | + if (*lp_name_converter(i)) { |
| 57 | + int fds_to[2], fds_from[2]; |
| 58 | + if (pipe(fds_to) < 0 || pipe(fds_from) < 0 |
| 59 | + || (namecvt_pid = fork()) < 0) { |
| 60 | + rsyserr(FLOG, errno, "name-converter exec preparation failed"); |
| 61 | + io_printf(f_out, "@ERROR: name-converter exec preparation failed\n"); |
| 62 | + return -1; |
| 63 | + } |
| 64 | + if (namecvt_pid == 0) { |
| 65 | + char *args[100], *run = lp_name_converter(i); |
| 66 | + int cnt = 0; |
| 67 | + close(fds_to[1]); |
| 68 | + close(fds_from[0]); |
| 69 | + set_blocking(fds_to[0]); |
| 70 | + set_blocking(fds_from[1]); |
| 71 | + close(STDIN_FILENO); |
| 72 | + close(STDOUT_FILENO); |
| 73 | + dup2(fds_to[0], STDIN_FILENO); |
| 74 | + dup2(fds_from[1], STDOUT_FILENO); |
| 75 | + while (cnt+1 < (int)(sizeof args / sizeof (char *))) { |
| 76 | + char *space = strchr(run, ' '); |
| 77 | + args[cnt++] = run; |
| 78 | + if (!space) |
| 79 | + break; |
| 80 | + *space = '\0'; |
| 81 | + run = space + 1; |
| 82 | + } |
| 83 | + args[cnt] = NULL; |
| 84 | + execvp(args[0], args); |
| 85 | + _exit(1); |
| 86 | + } |
| 87 | + close(fds_to[0]); |
| 88 | + close(fds_from[1]); |
| 89 | + set_blocking(fds_to[1]); |
| 90 | + set_blocking(fds_from[0]); |
| 91 | + namecvt_fd_req = fds_to[1]; |
| 92 | + namecvt_fd_ans = fds_from[0]; |
| 93 | + } |
| 94 | umask(0); |
| 95 | } |
| 96 | #endif |
| 97 | @@ -959,6 +999,44 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char |
| 98 | return 0; |
| 99 | } |
| 100 | |
| 101 | +int namecvt_name(const char *cmd, const char *name) |
| 102 | +{ |
| 103 | + char buf[1024]; |
| 104 | + int got, len = snprintf(buf, sizeof buf, "%s %s", cmd, name); |
| 105 | + if (len >= (int)sizeof buf) { |
| 106 | + rprintf(FERROR, "namecvt_name() request was too large.\n"); |
| 107 | + exit_cleanup(RERR_UNSUPPORTED); |
| 108 | + } |
| 109 | + while ((got = write(namecvt_fd_req, buf, len + 1)) != len + 1) { |
| 110 | + if (got < 0 && errno == EINTR) |
| 111 | + continue; |
| 112 | + rprintf(FERROR, "Connection to name-converter failed.\n"); |
| 113 | + exit_cleanup(RERR_SOCKETIO); |
| 114 | + } |
| 115 | + if (!(len = read_arg_from_pipe(namecvt_fd_ans, buf, sizeof buf))) |
| 116 | + return 0; |
| 117 | + return atoi(buf); |
| 118 | +} |
| 119 | + |
| 120 | +const char *namecvt_id(const char *cmd, int id) |
| 121 | +{ |
| 122 | + char buf[1024]; |
| 123 | + int got, len = snprintf(buf, sizeof buf, "%s %d", cmd, id); |
| 124 | + if (len >= (int)sizeof buf) { |
| 125 | + rprintf(FERROR, "namecvt_id() request was too large.\n"); |
| 126 | + exit_cleanup(RERR_UNSUPPORTED); |
| 127 | + } |
| 128 | + while ((got = write(namecvt_fd_req, buf, len + 1)) != len + 1) { |
| 129 | + if (got < 0 && errno == EINTR) |
| 130 | + continue; |
| 131 | + rprintf(FERROR, "Connection to name-converter failed.\n"); |
| 132 | + exit_cleanup(RERR_SOCKETIO); |
| 133 | + } |
| 134 | + if (!(len = read_arg_from_pipe(namecvt_fd_ans, buf, sizeof buf))) |
| 135 | + return NULL; |
| 136 | + return strdup(buf); |
| 137 | +} |
| 138 | + |
| 139 | /* send a list of available modules to the client. Don't list those |
| 140 | with "list = False". */ |
| 141 | static void send_listing(int fd) |
| 142 | diff --git a/loadparm.c b/loadparm.c |
| 143 | --- a/loadparm.c |
| 144 | +++ b/loadparm.c |
| 145 | @@ -121,6 +121,7 @@ typedef struct { |
| 146 | char *log_file; |
| 147 | char *log_format; |
| 148 | char *name; |
| 149 | + char *name_converter; |
| 150 | char *outgoing_chmod; |
| 151 | char *path; |
| 152 | char *postxfer_exec; |
| 153 | @@ -195,6 +196,7 @@ static const all_vars Defaults = { |
| 154 | /* log_file; */ NULL, |
| 155 | /* log_format; */ "%o %h [%a] %m (%u) %f %l", |
| 156 | /* name; */ NULL, |
| 157 | + /* name_converter; */ NULL, |
| 158 | /* outgoing_chmod; */ NULL, |
| 159 | /* path; */ NULL, |
| 160 | /* postxfer_exec; */ NULL, |
| 161 | @@ -337,6 +339,7 @@ static struct parm_struct parm_table[] = |
| 162 | {"max verbosity", P_INTEGER,P_LOCAL, &Vars.l.max_verbosity, NULL,0}, |
| 163 | {"munge symlinks", P_BOOL, P_LOCAL, &Vars.l.munge_symlinks, NULL,0}, |
| 164 | {"name", P_STRING, P_LOCAL, &Vars.l.name, NULL,0}, |
| 165 | + {"name converter", P_STRING, P_LOCAL, &Vars.l.name_converter, NULL,0}, |
| 166 | {"numeric ids", P_BOOL, P_LOCAL, &Vars.l.numeric_ids, NULL,0}, |
| 167 | {"outgoing chmod", P_STRING, P_LOCAL, &Vars.l.outgoing_chmod, NULL,0}, |
| 168 | {"path", P_PATH, P_LOCAL, &Vars.l.path, NULL,0}, |
| 169 | @@ -414,6 +417,7 @@ FN_LOCAL_STRING(lp_outgoing_chmod, outgoing_chmod) |
| 170 | FN_LOCAL_STRING(lp_path, path) |
| 171 | FN_LOCAL_STRING(lp_postxfer_exec, postxfer_exec) |
| 172 | FN_LOCAL_STRING(lp_prexfer_exec, prexfer_exec) |
| 173 | +FN_LOCAL_STRING(lp_name_converter, name_converter) |
| 174 | FN_LOCAL_STRING(lp_refuse_options, refuse_options) |
| 175 | FN_LOCAL_STRING(lp_secrets_file, secrets_file) |
| 176 | FN_LOCAL_STRING(lp_temp_dir, temp_dir) |
| 177 | diff --git a/rsyncd.conf.yo b/rsyncd.conf.yo |
| 178 | --- a/rsyncd.conf.yo |
| 179 | +++ b/rsyncd.conf.yo |
| 180 | @@ -163,10 +163,11 @@ if the module is not read-only). |
| 181 | |
| 182 | When this parameter is enabled, rsync will not attempt to map users and groups |
| 183 | by name (by default), but instead copy IDs as though bf(--numeric-ids) had |
| 184 | -been specified. In order to enable name-mapping, rsync needs to be able to |
| 185 | +been specified. In order to enable name-mapping, rsync needs either the |
| 186 | +bf(name converter) parameter to specify a conversion program, or it needs to |
| 187 | use the standard library functions for looking up names and IDs (i.e. |
| 188 | code(getpwuid()), code(getgrgid()), code(getpwname()), and code(getgrnam())). |
| 189 | -This means the rsync |
| 190 | +The latter choice means the rsync |
| 191 | process in the chroot hierarchy will need to have access to the resources |
| 192 | used by these library functions (traditionally /etc/passwd and |
| 193 | /etc/group, but perhaps additional dynamic libraries as well). |
| 194 | @@ -232,6 +233,27 @@ path elements that rsync believes will allow a symlink to escape the module's |
| 195 | hierarchy. There are tricky ways to work around this, though, so you had |
| 196 | better trust your users if you choose this combination of parameters. |
| 197 | |
| 198 | +dit(bf(name converter)) This parameter lets you specify a |
| 199 | +program that will be run by the rsync daemon (prior to bf(use chroot), if |
| 200 | +that parameter is enabled) to convert user/group names into numbers or visa |
| 201 | +versa. There is a sample perl script in the support directory named |
| 202 | +"nameconvert" that you can use to enable the use of the normal passwd/group |
| 203 | +lookup calls in a chroot daemon (which does not require any extra files |
| 204 | +be placed in the chroot area). This use is configured as follows: |
| 205 | + |
| 206 | +verb( name converter = /path/nameconvert) |
| 207 | + |
| 208 | +You could alternately specify a program that responds to each request using |
| 209 | +a lookup table to find the names and numbers, this allows you to configure |
| 210 | +per-module name conversion. See the support/nameconvert script for the |
| 211 | +details of what requests can be sent to the program. |
| 212 | + |
| 213 | +The program will have access to some of the environment variables that are |
| 214 | +described in the section on bf(pre-xfer exec): bf(RSYNC_MODULE_NAME), |
| 215 | +bf(RSYNC_MODULE_PATH), bf(RSYNC_HOST_ADDR), bf(RSYNC_HOST_NAME), and |
| 216 | +bf(RSYNC_USER_NAME). This is useful if you want to customize the |
| 217 | +conversion using a single program invocation. |
| 218 | + |
| 219 | dit(bf(charset)) This specifies the name of the character set in which the |
| 220 | module's filenames are stored. If the client uses an bf(--iconv) option, |
| 221 | the daemon will use the value of the "charset" parameter regardless of the |
| 222 | diff --git a/support/nameconvert b/support/nameconvert |
| 223 | new file mode 100755 |
| 224 | --- /dev/null |
| 225 | +++ b/support/nameconvert |
| 226 | @@ -0,0 +1,42 @@ |
| 227 | +#!/usr/bin/perl -w |
| 228 | +# This implements a simple protocol to do {user,group}-{name,id} |
| 229 | +# conversions. All input and output consists of simple strings |
| 230 | +# with a terminating null char (or newline for debugging). If |
| 231 | +# the conversion fails, an empty string is returned. |
| 232 | +# |
| 233 | +# The requests can be: |
| 234 | +# |
| 235 | +# uid ID_NUM\0 -> NAME\0 |
| 236 | +# gid ID_NUM\0 -> NAME\0 |
| 237 | +# usr NAME\0 -> ID_NUM\0 |
| 238 | +# grp NAME\0 -> ID_NUM\0 |
| 239 | +# |
| 240 | +# An unknown ID_NUM or NAME results in an empty return value. |
| 241 | +# |
| 242 | +# This is used by an rsync daemon when configured with the |
| 243 | +# "name converter" setting. |
| 244 | + |
| 245 | +use strict; |
| 246 | + |
| 247 | +my $eol = grep(/^--debug$/, @ARGV) ? "\n" : "\0"; |
| 248 | +$/ = $eol; |
| 249 | + |
| 250 | +$| = 1; |
| 251 | + |
| 252 | +while (<STDIN>) { |
| 253 | + chomp; |
| 254 | + my $ans; |
| 255 | + if (/^uid (\d+)$/) { |
| 256 | + $ans = getpwuid($1); |
| 257 | + } elsif (/^gid (\d+)$/) { |
| 258 | + $ans = getgrgid($1); |
| 259 | + } elsif (/^usr (\S+)$/) { |
| 260 | + $ans = getpwnam($1); |
| 261 | + } elsif (/^grp (\S+)$/) { |
| 262 | + $ans = getgrnam($1); |
| 263 | + } else { |
| 264 | + die "Invalid request: $_"; |
| 265 | + } |
| 266 | + $ans = '' unless defined $ans; |
| 267 | + print $ans, $eol; |
| 268 | +} |
| 269 | diff --git a/t_stub.c b/t_stub.c |
| 270 | --- a/t_stub.c |
| 271 | +++ b/t_stub.c |
| 272 | @@ -30,6 +30,7 @@ mode_t orig_umask = 002; |
| 273 | char number_separator = ','; |
| 274 | char *partial_dir; |
| 275 | char *module_dir; |
| 276 | +pid_t namecvt_pid; |
| 277 | filter_rule_list daemon_filter_list; |
| 278 | |
| 279 | void rprintf(UNUSED(enum logcode code), const char *format, ...) |
| 280 | @@ -70,6 +71,11 @@ filter_rule_list daemon_filter_list; |
| 281 | return -1; |
| 282 | } |
| 283 | |
| 284 | + int namecvt_name(UNUSED(const char *cmd), UNUSED(const char *name)) |
| 285 | +{ |
| 286 | + return 0; |
| 287 | +} |
| 288 | + |
| 289 | char *lp_name(UNUSED(int mod)) |
| 290 | { |
| 291 | return NULL; |
| 292 | diff --git a/uidlist.c b/uidlist.c |
| 293 | --- a/uidlist.c |
| 294 | +++ b/uidlist.c |
| 295 | @@ -33,6 +33,7 @@ extern int preserve_uid; |
| 296 | extern int preserve_gid; |
| 297 | extern int preserve_acls; |
| 298 | extern int numeric_ids; |
| 299 | +extern pid_t namecvt_pid; |
| 300 | extern char *usermap; |
| 301 | extern char *groupmap; |
| 302 | |
| 303 | @@ -75,8 +76,12 @@ static struct idlist *add_to_list(struct idlist **root, id_t id, const char *nam |
| 304 | /* turn a uid into a user name */ |
| 305 | static const char *uid_to_name(uid_t uid) |
| 306 | { |
| 307 | - struct passwd *pass = getpwuid(uid); |
| 308 | - if (pass) |
| 309 | + struct passwd *pass; |
| 310 | + |
| 311 | + if (namecvt_pid) |
| 312 | + return namecvt_id("uid", (int)uid); |
| 313 | + |
| 314 | + if ((pass = getpwuid(uid)) != NULL) |
| 315 | return strdup(pass->pw_name); |
| 316 | return NULL; |
| 317 | } |
| 318 | @@ -84,8 +89,12 @@ static const char *uid_to_name(uid_t uid) |
| 319 | /* turn a gid into a group name */ |
| 320 | static const char *gid_to_name(gid_t gid) |
| 321 | { |
| 322 | - struct group *grp = getgrgid(gid); |
| 323 | - if (grp) |
| 324 | + struct group *grp; |
| 325 | + |
| 326 | + if (namecvt_pid) |
| 327 | + return namecvt_id("gid", (int)gid); |
| 328 | + |
| 329 | + if ((grp = getgrgid(gid)) != NULL) |
| 330 | return strdup(grp->gr_name); |
| 331 | return NULL; |
| 332 | } |
| 333 | diff --git a/util.c b/util.c |
| 334 | --- a/util.c |
| 335 | +++ b/util.c |
| 336 | @@ -31,9 +31,10 @@ extern int modify_window; |
| 337 | extern int relative_paths; |
| 338 | extern int preserve_xattrs; |
| 339 | extern char *module_dir; |
| 340 | -extern unsigned int module_dirlen; |
| 341 | extern mode_t orig_umask; |
| 342 | extern char *partial_dir; |
| 343 | +extern pid_t namecvt_pid; |
| 344 | +extern unsigned int module_dirlen; |
| 345 | extern filter_rule_list daemon_filter_list; |
| 346 | |
| 347 | int sanitize_paths = 0; |
| 348 | @@ -537,32 +538,54 @@ void kill_all(int sig) |
| 349 | /* Parse a user name or (optionally) a number into a uid */ |
| 350 | int user_to_uid(const char *name, uid_t *uid_p, BOOL num_ok) |
| 351 | { |
| 352 | - struct passwd *pass; |
| 353 | + uid_t uid; |
| 354 | + |
| 355 | if (!name || !*name) |
| 356 | return 0; |
| 357 | + |
| 358 | if (num_ok && name[strspn(name, "0123456789")] == '\0') { |
| 359 | *uid_p = atol(name); |
| 360 | return 1; |
| 361 | } |
| 362 | - if (!(pass = getpwnam(name))) |
| 363 | - return 0; |
| 364 | - *uid_p = pass->pw_uid; |
| 365 | + |
| 366 | + if (namecvt_pid) { |
| 367 | + if (!(uid = namecvt_name("usr", name))) |
| 368 | + return 0; |
| 369 | + } else { |
| 370 | + struct passwd *pass; |
| 371 | + if (!(pass = getpwnam(name))) |
| 372 | + return 0; |
| 373 | + uid = pass->pw_uid; |
| 374 | + } |
| 375 | + |
| 376 | + *uid_p = uid; |
| 377 | return 1; |
| 378 | } |
| 379 | |
| 380 | /* Parse a group name or (optionally) a number into a gid */ |
| 381 | int group_to_gid(const char *name, gid_t *gid_p, BOOL num_ok) |
| 382 | { |
| 383 | - struct group *grp; |
| 384 | + gid_t gid; |
| 385 | + |
| 386 | if (!name || !*name) |
| 387 | return 0; |
| 388 | + |
| 389 | if (num_ok && name[strspn(name, "0123456789")] == '\0') { |
| 390 | *gid_p = atol(name); |
| 391 | return 1; |
| 392 | } |
| 393 | - if (!(grp = getgrnam(name))) |
| 394 | - return 0; |
| 395 | - *gid_p = grp->gr_gid; |
| 396 | + |
| 397 | + if (namecvt_pid) { |
| 398 | + if (!(gid = namecvt_name("grp", name))) |
| 399 | + return 0; |
| 400 | + } else { |
| 401 | + struct group *grp; |
| 402 | + if (!(grp = getgrnam(name))) |
| 403 | + return 0; |
| 404 | + gid = grp->gr_gid; |
| 405 | + } |
| 406 | + |
| 407 | + *gid_p = gid; |
| 408 | return 1; |
| 409 | } |
| 410 | |