source: server/common/patches/openafs-scripts.patch @ 1047

Last change on this file since 1047 was 1047, checked in by geofft, 15 years ago
openafs-scripts.patch: efficiency hack. afs_GetAccessBits is a function call that can potentially do an RPC. Although I doubt it does so in this context, we might as well short-circuit it, because the check for whether you're root or Apache is easy, and that case is rare.
File size: 8.0 KB
[1]1# scripts.mit.edu openafs patch
2# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
[259]3# with modifications by Joe Presbrey <presbrey@mit.edu>
[628]4# and Anders Kaseorg <andersk@mit.edu>
[1]5#
[622]6# This file is available under both the MIT license and the GPL.
7#
8
9# Permission is hereby granted, free of charge, to any person obtaining a copy
10# of this software and associated documentation files (the "Software"), to deal
11# in the Software without restriction, including without limitation the rights
12# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
13# copies of the Software, and to permit persons to whom the Software is
14# furnished to do so, subject to the following conditions:
15#
16# The above copyright notice and this permission notice shall be included in
17# all copies or substantial portions of the Software.
18#
19# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
20# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
21# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
22# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
23# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
24# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
25# THE SOFTWARE.
26#
27
[1]28# This program is free software; you can redistribute it and/or
29# modify it under the terms of the GNU General Public License
30# as published by the Free Software Foundation; either version 2
31# of the License, or (at your option) any later version.
32#
33# This program is distributed in the hope that it will be useful,
34# but WITHOUT ANY WARRANTY; without even the implied warranty of
35# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
36# GNU General Public License for more details.
37#
38# You should have received a copy of the GNU General Public License
39# along with this program; if not, write to the Free Software
40# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
41#
42# See /COPYRIGHT in this repository for more information.
43#
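--- a/src/afs/afs_analyze.c
+++ b/src/afs/afs_analyze.c
@@ -505,7 +505,7 @@
                         (afid ? afid->Fid.Volume : 0));
        }
 
-       if (areq->busyCount > 100) {
+       if (1) {
            if (aerrP)
                (aerrP->err_Volume)++;
            areq->volumeError = VOLBUSY;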
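Review bot: The constant `if (1)` in the busy-volume branch carries no comment, so a reader cannot tell that it deliberately replaces the `areq->busyCount > 100` threshold. With the condition always true, the request appears to fail with VOLBUSY on the first busy response instead of after repeated retries, which changes availability behaviour for every caller. I would add a comment above it such as `/* scripts: give up on the first busy volume rather than retrying (was busyCount > 100) */`, or replace the literal with a named macro. The enclosing function starts and ends outside the hunk, so whether later retry code becomes unreachable cannot be checked here.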
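--- a/src/afs/afs.h
+++ b/src/afs/afs.h
@@ -177,8 +177,16 @@
     struct afs_q *prev;
 };
 
+#define AFSAGENT_UID (101)
+#define SIGNUP_UID (102)
+#define HTTPD_UID (48)
+#define POSTFIX_UID (89)
+#define DAEMON_SCRIPTS_PTSID (33554596)
+extern afs_int32 globalpag;
+
 struct vrequest {
     afs_int32 uid;             /* user id making the request */
+    afs_int32 realuid;
     afs_int32 busyCount;       /* how many busies we've seen so far */
     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
     char initd;                        /* if non-zero, non-uid fields meaningful */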
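Review bot: The new `realuid` member of `struct vrequest` is the only field in the visible part of the struct without a comment, and the access checks elsewhere in this patch depend on it. Something like `afs_int32 realuid;  /* caller's real uid (cr_ruid), kept when uid is remapped to globalpag */` would document it. The hard-coded `AFSAGENT_UID`, `SIGNUP_UID`, `HTTPD_UID` and `POSTFIX_UID` values are trust decisions compiled into the client: if a host numbers its accounts differently, the exemptions apply to whichever account holds that number. A comment stating that these must match the system accounts is worth adding next to the defines.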
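--- a/src/afs/afs_osi_pag.c
+++ b/src/afs/afs_osi_pag.c
@@ -51,6 +51,8 @@
 #endif
 /* Local variables */
 
+afs_int32 globalpag = 0;
+
 /*
  * Pags are implemented as follows: the set of groups whose long
  * representation is '41XXXXXX' hex are used to represent the pags.
@@ -442,6 +444,15 @@
        av->uid = acred->cr_ruid;       /* default when no pag is set */
 #endif
     }
+
+    av->realuid = acred->cr_ruid;
+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
+      globalpag = av->uid;
+    }
+    else if (globalpag && av->uid == acred->cr_ruid) {
+      av->uid = globalpag;
+    }
+
     av->initd = 0;
     return 0;
 }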
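Review bot: `globalpag` is latched by the first request whose `cr_ruid` is `AFSAGENT_UID` and is never cleared or refreshed in this hunk. If that first request arrives before the agent has a PAG, `av->uid` is still the plain uid, and if the agent later runs under a different PAG the stored value goes stale; in both cases PAG-less requests would be remapped to an identity nobody intended. I would latch only when a PAG was actually found, `if (!globalpag && acred->cr_ruid == AFSAGENT_UID && av->uid != acred->cr_ruid)`. A comment should also say that 0 means "not yet set" and which lock, if any, protects the write. The function body starts outside the hunk, so the locking context is not visible here.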
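--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1208,6 +1208,10 @@
     struct AFSFetchStatus OutStatus;
     XSTATS_DECLS;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+      return EACCES;
+    }
+
     AFS_STATCNT(PSetAcl);
     if (!avc)
        return EINVAL;
@@ -1428,6 +1432,10 @@
     struct vrequest treq;
     afs_int32 flag, set_parent_pag = 0;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+       return 0;
+    }
+
     AFS_STATCNT(PSetTokens);
     if (!afs_resourceinit_flag) {
        return EIO;
@@ -1804,6 +1804,10 @@
     afs_int32 iterator;
     int newStyle;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
+       areq->realuid != 0 && areq->realuid != SIGNUP_UID)
+       return 0;
+
     AFS_STATCNT(PGetTokens);
     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
        return EIO;             /* Inappropriate ioctl for device */
@@ -1870,6 +1878,10 @@
     register afs_int32 i;
     register struct unixuser *tu;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+       return 0;
+    }
+
     AFS_STATCNT(PUnlog);
     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
        return EIO;             /* Inappropriate ioctl for device */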
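Review bot: The denial paths return different things: the guard in PSetAcl returns `EACCES`, while the guards in the PSetTokens, PGetTokens and PUnlog hunks return 0, so a refused caller is told the operation succeeded. For PGetTokens that means success is reported before the handler has produced any output, as far as the hunk shows. If the silent success is deliberate, each guard should say so, e.g. `/* scripts: deliberately report success; users sharing globalpag may not touch the daemon's tokens */`; otherwise return `EACCES` consistently so the refusal is visible to callers and in logs. The same two-clause test is repeated in four handlers and would be easier to audit as one static helper. The handler bodies continue outside each hunk.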
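--- a/src/afs/VNOPS/afs_vnop_access.c
+++ b/src/afs/VNOPS/afs_vnop_access.c
@@ -118,6 +118,17 @@
 
     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
        /* rights are just those from acl */
+
+      if ( areq->uid == globalpag &&
+           !(areq->realuid == avc->fid.Fid.Volume) &&
+           !((avc->anyAccess | arights) == avc->anyAccess) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+         return 0;
+      }
+
        return (arights == afs_GetAccessBits(avc, arights, areq));
     } else {
        /* some rights come from dir and some from file.  Specifically, you
@@ -171,6 +182,18 @@
                    fileBits |= PRSFS_READ;
            }
        }
+       
+        if ( areq->uid == globalpag &&
+             !(areq->realuid == avc->fid.Fid.Volume) &&
+             !((avc->anyAccess | arights) == avc->anyAccess) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+           return 0;
+        }
+
        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
     }
 }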
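Review bot: The last clause of the second guard (the file branch) is missing an operator: there is no `&&` between `(areq->realuid == 0 || areq->realuid == SIGNUP_UID)` and `PRSFS_USR4 == afs_GetAccessBits(...)`, so the patched file will not compile. It should read `!((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {`, matching the directory branch in the first hunk. In the same guard, `avc->m.Mode == 33279` is octal 0100777 written in decimal. Writing it in octal or as a named constant, with a comment on why that exact mode lets `HTTPD_UID` read, would make this access rule reviewable. Both guards sit inside a function that starts outside the hunks.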
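--- a/src/afs/VNOPS/afs_vnop_attrs.c
+++ b/src/afs/VNOPS/afs_vnop_attrs.c
@@ -87,8 +87,8 @@
        }
     }
 #endif /* AFS_DARWIN_ENV */
-    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
-    attrs->va_gid = fakedir ? 0 : avc->m.Group;        /* yeah! */
+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
 #if defined(AFS_SUN56_ENV)
     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
 #elif defined(AFS_OSF_ENV)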