d410fa4ef9
move LSM-, credentials-, and keys-related files from Documentation/ to Documentation/security/, add Documentation/security/00-INDEX, and update all occurrences of Documentation/<moved_file> to Documentation/security/<moved_file>.
68 lines
2.9 KiB
Plaintext
68 lines
2.9 KiB
Plaintext
|
|
=========
|
|
ID Mapper
|
|
=========
|
|
Id mapper is used by NFS to translate user and group ids into names, and to
|
|
translate user and group names into ids. Part of this translation involves
|
|
performing an upcall to userspace to request the information. Id mapper will
|
|
user request-key to perform this upcall and cache the result. The program
|
|
/usr/sbin/nfs.idmap should be called by request-key, and will perform the
|
|
translation and initialize a key with the resulting information.
|
|
|
|
NFS_USE_NEW_IDMAPPER must be selected when configuring the kernel to use this
|
|
feature.
|
|
|
|
===========
|
|
Configuring
|
|
===========
|
|
The file /etc/request-key.conf will need to be modified so /sbin/request-key can
|
|
direct the upcall. The following line should be added:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
This will direct all id_resolver requests to the program /usr/sbin/nfs.idmap.
|
|
The last parameter, 600, defines how many seconds into the future the key will
|
|
expire. This parameter is optional for /usr/sbin/nfs.idmap. When the timeout
|
|
is not specified, nfs.idmap will default to 600 seconds.
|
|
|
|
id mapper uses for key descriptions:
|
|
uid: Find the UID for the given user
|
|
gid: Find the GID for the given group
|
|
user: Find the user name for the given UID
|
|
group: Find the group name for the given GID
|
|
|
|
You can handle any of these individually, rather than using the generic upcall
|
|
program. If you would like to use your own program for a uid lookup then you
|
|
would edit your request-key.conf so it look similar to this:
|
|
|
|
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
|
|
#====== ======= =============== =============== ===============================
|
|
create id_resolver uid:* * /some/other/program %k %d 600
|
|
create id_resolver * * /usr/sbin/nfs.idmap %k %d 600
|
|
|
|
Notice that the new line was added above the line for the generic program.
|
|
request-key will find the first matching line and corresponding program. In
|
|
this case, /some/other/program will handle all uid lookups and
|
|
/usr/sbin/nfs.idmap will handle gid, user, and group lookups.
|
|
|
|
See <file:Documentation/security/keys-request-keys.txt> for more information
|
|
about the request-key function.
|
|
|
|
|
|
=========
|
|
nfs.idmap
|
|
=========
|
|
nfs.idmap is designed to be called by request-key, and should not be run "by
|
|
hand". This program takes two arguments, a serialized key and a key
|
|
description. The serialized key is first converted into a key_serial_t, and
|
|
then passed as an argument to keyctl_instantiate (both are part of keyutils.h).
|
|
|
|
The actual lookups are performed by functions found in nfsidmap.h. nfs.idmap
|
|
determines the correct function to call by looking at the first part of the
|
|
description string. For example, a uid lookup description will appear as
|
|
"uid:user@domain".
|
|
|
|
nfs.idmap will return 0 if the key was instantiated, and non-zero otherwise.
|