Context Navigation

openafs-scripts.patch @ 1913

Last change on this file since 1913 was 1913, checked in by achernya, 13 years ago

Update OpenAFS from 1.4.14 to 1.6.0pre6 kaduk finished porting the openafs-scripts patch to 1.6.0, which was then lightly modified be me to get it to compile -- mostly fixing typos. The openafs.spec.patch was also fixed, including another chmod +x hack on some libraries to get rpm to properly process them for Provides directives. Interestingly, these libraries had the correct mode in 1.4.14. The patches that were added to get 1.4.14 to compile have also been removed, as 1.6.0pre6 compiles on kernel 2.6.38 unmodified. openafs-numsysnames is getting removed because 32 is now the default. openafs-localcsdb is getting removed because the change was included in kaduk's patchset.

File size: 10.6 KB

src/afs/LINUX/osi_vnodeops.c

# scripts.mit.edu openafs patch
# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
# with modifications by Joe Presbrey <presbrey@mit.edu>
# and Anders Kaseorg <andersk@mit.edu>
# and Edward Z. Yang <ezyang@mit.edu>
# and Benjamin Kaduk <kaduk@mit.edu>
# and Alexander Chernyakhovsky <achernya@mit.edu>
#
# This file is available under both the MIT license and the GPL.
#

# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
index 7c7705e..0d0e94f 100644

  afs_linux_dentry_revalidate(struct dentry *dp, int flags)
         /* should we always update the attributes at this point? */
         /* unlikely--the vcache entry hasn't changed */
+        /* [scripts] This code makes hardlinks work correctly.
+        *
+        * We want Apache to be able to read a file with hardlinks
+        * named .htaccess and foo to be able to read it via .htaccess
+        * and not via foo, regardless of which name was looked up
+        * (remember, inodes do not have filenames associated with them.)
+        *
+        * It is important that we modify the existing cache entry even
+        * if it is otherwise totally valid and would not be reloaded.
+        * Otherwise, it won't recover from repeatedly reading the same
+        * inode via multiple hardlinks or different names.  Specifically,
+        * Apache will be able to read both names if it was first looked
+        * up (by anyone!) via .htaccess, and neither if it was first
+        * looked up via foo.
+        *
+        * With regards to performance, the strncmp() is bounded by
+        * three characters, so it takes O(3) operations.  If this code
+        * is extended to all static-cat extensions, we'll want to do
+        * some clever hashing using gperf here.
+        */
+        vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
         dput(parent);
     } else {
 #ifdef notyet

src/afs/VNOPS/afs_vnop_access.c

diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
index eabcfeb..6390850 100644

  afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
             dirBits = PRSFS_LOOKUP | PRSFS_READ;
             return (arights == (dirBits & arights));
+        }
+        if ( areq->uid == globalpag &&
+            !(areq->realuid == avc->f.fid.Fid.Volume) &&
+            !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
+            !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
+            !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
+            !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+            !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+            return 0;
+        }
         return (arights == afs_GetAccessBits(avc, arights, areq));
     } else {
         /* some rights come from dir and some from file.  Specifically, you
-…
+ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
                     fileBits |= PRSFS_READ;
+            }
+        }
+        if ( areq->uid == globalpag &&
+            !(areq->realuid == avc->f.fid.Fid.Volume) &&
+            !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
+            !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
+            !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
+            !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
+                (avc->f.m.Mode == 0100777 || avc->apache_access)) &&
+            !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+            !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+            return 0;
+        }
         return ((fileBits & arights) == arights);       /* true if all rights bits are on */
+    }
+}

src/afs/VNOPS/afs_vnop_attrs.c

diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
index b3931e5..71ef05c 100644

  afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs)
+        }
+    }
 #endif /* AFS_DARWIN_ENV */
     attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
     attrs->va_gid = fakedir ? 0 : avc->f.m.Group;       /* yeah! */
+    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
+    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
 #if defined(AFS_SUN56_ENV)
     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
 #elif defined(AFS_DARWIN80_ENV)

src/afs/VNOPS/afs_vnop_lookup.c

diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
index 8e7af1c..7e984e9 100644

  afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
+    }
   done:
+    if (tvc) {
+    /* [scripts] check Apache's ability to read this file, so that
+    * we can figure this out on an access() call */
+    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
+    }
     /* put the network buffer back, if need be */
     if (tname != aname && tname)
         osi_FreeLargeSpace(tname);

src/afs/afs.h

diff --git a/src/afs/afs.h b/src/afs/afs.h
index fcc4c70..0d53af6 100644

  struct afs_slotlist {
     struct afs_slotlist *next;
 };
+#define AFSAGENT_UID (101)
+#define SIGNUP_UID (102)
+#define HTTPD_UID (48)
+#define POSTFIX_UID (89)
+#define DAEMON_SCRIPTS_PTSID (33554596)
+extern afs_int32 globalpag;
 struct vrequest {
     afs_int32 uid;              /* user id making the request */
+    afs_int32 realuid;
     afs_int32 busyCount;        /* how many busies we've seen so far */
     afs_int32 flags;            /* things like O_SYNC, O_NONBLOCK go here */
     char initd;                 /* if non-zero, Error fields meaningful */
-…
+ struct vcache {
 #ifdef AFS_SUN5_ENV
     short multiPage;            /* count of multi-page getpages in progress */
 #endif
+    int apache_access;          /* whether or not Apache has access to a file */
 };
 #define DONT_CHECK_MODE_BITS    0

src/afs/afs_analyze.c

diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
index 1834e6d..673a8e6 100644

  afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
                          (afid ? afid->Fid.Volume : 0));
+        }
         if (areq->busyCount > 100) {
+        if (1) {
             if (aerrP)
                 (aerrP->err_Volume)++;
             areq->volumeError = VOLBUSY;

src/afs/afs_osi_pag.c

diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
index c888605..ff5cf2d 100644

  afs_uint32 pagCounter = 0;
 #endif
 /* Local variables */
+afs_int32 globalpag = 0;
 /*
  * Pags are implemented as follows: the set of groups whose long
  * representation is '41XXXXXX' hex are used to represent the pags.
-…
+ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
         av->uid = afs_cr_uid(acred);    /* default when no pag is set */
 #endif
+    }
+    av->realuid = afs_cr_uid(acred);
+    if(!globalpag && av->realuid == AFSAGENT_UID) {
+      globalpag = av->uid;
+    }
+    else if (globalpag && av->uid == av->realuid) {
+      av->uid = globalpag;
+    }
     return 0;
+}

src/afs/afs_pioctl.c

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index f282510..00f1360 100644

  DECL_PIOCTL(PSetAcl)
     struct AFSFetchStatus OutStatus;
     XSTATS_DECLS;
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+        return EACCES;
+    }
     AFS_STATCNT(PSetAcl);
     if (!avc)
         return EINVAL;
-…
+ DECL_PIOCTL(PSetTokens)
     struct vrequest treq;
     afs_int32 flag, set_parent_pag = 0;
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+        return EACCES;
+    }
     AFS_STATCNT(PSetTokens);
     if (!afs_resourceinit_flag) {
         return EIO;
-…
+ DECL_PIOCTL(PGetTokens)
     int newStyle;
     int code = E2BIG;
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
+        areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
+        return EDOM;
+    }
     AFS_STATCNT(PGetTokens);
     if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
         return EIO;             /* Inappropriate ioctl for device */
-…
+ DECL_PIOCTL(PUnlog)
     afs_int32 i;
     struct unixuser *tu;
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+        return EACCES;
+    }
     AFS_STATCNT(PUnlog);
     if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
         return EIO;             /* Inappropriate ioctl for device */

src/packaging/RedHat/openafs-client.init

diff --git a/src/packaging/RedHat/openafs-client.init b/src/packaging/RedHat/openafs-client.init
index 10ec647..a4ecbc8 100644

-                      a
 start() {
         echo -n $"Updating CellServDB: "
         cat /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist > \
+        cat /usr/vice/etc/CellServDB.local > \
                /usr/vice/etc/CellServDB
         chmod 644 /usr/vice/etc/CellServDB
         echo

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/fc15-dev/server/common/patches/openafs-scripts.patch @ 1913

Download in other formats: