4 files changed, 44 insertions, 2 deletions

diff --git a/rpc/rpc-lib/src/auth-glusterfs.c b/rpc/rpc-lib/src/auth-glusterfs.c
index c08871466..9c6f8385b 100644
--- a/rpc/rpc-lib/src/auth-glusterfs.c
+++ b/rpc/rpc-lib/src/auth-glusterfs.c
@@ -64,9 +64,9 @@ int auth_glusterfs_authenticate (rpcsvc_request_t *req, void *priv)
         struct auth_glusterfs_parms  au = {0,};
 
         int ret      = RPCSVC_AUTH_REJECT;
-        int gidcount = 0;
         int j        = 0;
         int i        = 0;
+        int gidcount = 0;
 
         if (!req)
                 return ret;
@@ -99,6 +99,8 @@ int auth_glusterfs_authenticate (rpcsvc_request_t *req, void *priv)
         for (gidcount = 0; gidcount < au.ngrps; ++gidcount)
                 req->auxgids[gidcount] = au.groups[gidcount];
 
+        RPC_AUTH_ROOT_SQUASH(req);
+
         gf_log (GF_RPCSVC, GF_LOG_TRACE, "Auth Info: pid: %u, uid: %d"
                 ", gid: %d, owner: %s",
                 req->pid, req->uid, req->gid, lkowner_utoa (&req->lk_owner));
@@ -207,6 +209,8 @@ int auth_glusterfs_v2_authenticate (rpcsvc_request_t *req, void *priv)
         for (i = 0; i < au.lk_owner.lk_owner_len; ++i)
                 req->lk_owner.data[i] = au.lk_owner.lk_owner_val[i];
 
+        RPC_AUTH_ROOT_SQUASH(req);
+
         gf_log (GF_RPCSVC, GF_LOG_TRACE, "Auth Info: pid: %u, uid: %d"
                 ", gid: %d, owner: %s",
                 req->pid, req->uid, req->gid, lkowner_utoa (&req->lk_owner));
diff --git a/rpc/rpc-lib/src/rpcsvc-auth.c b/rpc/rpc-lib/src/rpcsvc-auth.c
index 3a46cc498..907ae1ec9 100644
--- a/rpc/rpc-lib/src/rpcsvc-auth.c
+++ b/rpc/rpc-lib/src/rpcsvc-auth.c
@@ -204,6 +204,21 @@ rpcsvc_set_allow_insecure (rpcsvc_t *svc, dict_t *options)
 }
 
 int
+rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)
+{
+        GF_ASSERT (svc);
+        GF_ASSERT (options);
+
+        if (dict_get_str_boolean (options, "root-squash", 0))
+                svc->root_squash = _gf_true;
+
+        if (svc->root_squash)
+                gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled ");
+
+        return 0;
+}
+
+int
 rpcsvc_auth_init (rpcsvc_t *svc, dict_t *options)
 {
         int             ret = -1;
@@ -212,6 +227,7 @@ rpcsvc_auth_init (rpcsvc_t *svc, dict_t *options)
                 return -1;
 
         (void) rpcsvc_set_allow_insecure (svc, options);
+        (void) rpcsvc_set_root_squash (svc, options);
         ret = rpcsvc_auth_add_initers (svc);
         if (ret == -1) {
                 gf_log (GF_RPCSVC, GF_LOG_ERROR, "Failed to add initers");
diff --git a/rpc/rpc-lib/src/rpcsvc-common.h b/rpc/rpc-lib/src/rpcsvc-common.h
index 81f798116..2c6f07488 100644
--- a/rpc/rpc-lib/src/rpcsvc-common.h
+++ b/rpc/rpc-lib/src/rpcsvc-common.h
@@ -52,6 +52,7 @@ typedef struct rpcsvc_state {
         /* Allow insecure ports. */
         int                     allow_insecure;
         gf_boolean_t            register_portmap;
+        gf_boolean_t            root_squash;
         glusterfs_ctx_t         *ctx;
 
         /* list of connections which will listen for incoming connections */
diff --git a/rpc/rpc-lib/src/rpcsvc.h b/rpc/rpc-lib/src/rpcsvc.h
index 7fdeaeb04..1323c8b7a 100644
--- a/rpc/rpc-lib/src/rpcsvc.h
+++ b/rpc/rpc-lib/src/rpcsvc.h
@@ -48,6 +48,10 @@
 #define RPCSVC_POOLCOUNT_MULT           64
 #define RPCSVC_CONN_READ        (128 * GF_UNIT_KB)
 #define RPCSVC_PAGE_SIZE        (128 * GF_UNIT_KB)
+#define RPC_ROOT_UID             0
+#define RPC_ROOT_GID             0
+#define RPC_NOBODY_UID           65534
+#define RPC_NOBODY_GID           65534
 
 /* RPC Record States */
 #define RPCSVC_READ_FRAGHDR     1
@@ -261,7 +265,22 @@ struct rpcsvc_request {
 #define rpcsvc_request_vecstate(req) ((req)->vecstate)
 #define rpcsvc_request_transport(req) ((req)->trans)
 #define rpcsvc_request_transport_ref(req) (rpc_transport_ref((req)->trans))
-
+#define RPC_AUTH_ROOT_SQUASH(req)                                       \
+        do {                                                            \
+                int gidcount = 0;                                       \
+                if (req->svc->root_squash) {                            \
+                        if (req->uid == RPC_ROOT_UID)                   \
+                                req->uid = RPC_NOBODY_UID;              \
+                        if (req->gid == RPC_ROOT_GID)                   \
+                                req->gid = RPC_NOBODY_GID;              \
+                        for (gidcount = 0; gidcount < req->auxgidcount; \
+                             ++gidcount) {                              \
+                                if (!req->auxgids[gidcount])            \
+                                        req->auxgids[gidcount] =        \
+                                                RPC_NOBODY_GID;         \
+                        }                                               \
+                }                                                       \
+        } while (0);
 
 #define RPCSVC_ACTOR_SUCCESS    0
 #define RPCSVC_ACTOR_ERROR      (-1)
@@ -546,6 +565,8 @@ rpcsvc_transport_unix_options_build (dict_t **options, char *filepath);
 int
 rpcsvc_set_allow_insecure (rpcsvc_t *svc, dict_t *options);
 int
+rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options);
+int
 rpcsvc_auth_array (rpcsvc_t *svc, char *volname, int *autharr, int arrlen);
 char *
 rpcsvc_volume_allowed (dict_t *options, char *volname);