[1] | 1 | # scripts.mit.edu openafs patch |
---|
| 2 | # Copyright (C) 2006 Jeff Arnold <jbarnold@mit.edu> |
---|
[259] | 3 | # with modifications by Joe Presbrey <presbrey@mit.edu> |
---|
[628] | 4 | # and Anders Kaseorg <andersk@mit.edu> |
---|
[1] | 5 | # |
---|
[622] | 6 | # This file is available under both the MIT license and the GPL. |
---|
| 7 | # |
---|
| 8 | |
---|
| 9 | # Permission is hereby granted, free of charge, to any person obtaining a copy |
---|
| 10 | # of this software and associated documentation files (the "Software"), to deal |
---|
| 11 | # in the Software without restriction, including without limitation the rights |
---|
| 12 | # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
---|
| 13 | # copies of the Software, and to permit persons to whom the Software is |
---|
| 14 | # furnished to do so, subject to the following conditions: |
---|
| 15 | # |
---|
| 16 | # The above copyright notice and this permission notice shall be included in |
---|
| 17 | # all copies or substantial portions of the Software. |
---|
| 18 | # |
---|
| 19 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
---|
| 20 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
---|
| 21 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
---|
| 22 | # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
---|
| 23 | # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
---|
| 24 | # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
---|
| 25 | # THE SOFTWARE. |
---|
| 26 | # |
---|
| 27 | |
---|
[1] | 28 | # This program is free software; you can redistribute it and/or |
---|
| 29 | # modify it under the terms of the GNU General Public License |
---|
| 30 | # as published by the Free Software Foundation; either version 2 |
---|
| 31 | # of the License, or (at your option) any later version. |
---|
| 32 | # |
---|
| 33 | # This program is distributed in the hope that it will be useful, |
---|
| 34 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 35 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 36 | # GNU General Public License for more details. |
---|
| 37 | # |
---|
| 38 | # You should have received a copy of the GNU General Public License |
---|
| 39 | # along with this program; if not, write to the Free Software |
---|
| 40 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
---|
| 41 | # |
---|
| 42 | # See /COPYRIGHT in this repository for more information. |
---|
| 43 | # |
---|
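diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
--- openafs-1.4/src/afs/afs_analyze.c 2007-11-05 23:08:45.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_analyze.c 2007-12-18 19:22:59.000000000 -0500
@@ -505,7 +505,7 @@
 (afid ? afid->Fid.Volume : 0));
 }
 
- if (areq->busyCount > 100) {
+ if (1) {
 if (aerrP)
 (aerrP->err_Volume)++;
 areq->volumeError = VOLBUSY;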
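Review bot: The `if (1)` that replaces `areq->busyCount > 100` has no comment, so a later maintainer cannot tell that failing with VOLBUSY on the first busy reply is deliberate rather than leftover debugging. It also leaves `busyCount` unused at this site, although it is presumably still maintained elsewhere. I would record the intent with a comment such as `/* scripts: give up on a busy volume immediately instead of retrying up to 100 times */`, or keep the comparison and make the threshold a named constant. The enclosing function starts and ends outside the hunk.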
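diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
--- openafs-1.4/src/afs/afs.h 2007-12-05 03:57:36.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs.h 2007-12-18 20:12:31.000000000 -0500
@@ -177,8 +177,16 @@
 struct afs_q *prev;
 };
 
+#define AFSAGENT_UID (101)
+#define SIGNUP_UID (102)
+#define HTTPD_UID (48)
+#define POSTFIX_UID (89)
+#define DAEMON_SCRIPTS_PTSID (33554596)
+extern afs_int32 globalpag;
+
 struct vrequest {
 afs_int32 uid; /* user id making the request */
+ afs_int32 realuid;
 afs_int32 busyCount; /* how many busies we've seen so far */
 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */
 char initd; /* if non-zero, non-uid fields meaningful */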
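Review bot: The new `AFSAGENT_UID`, `SIGNUP_UID`, `HTTPD_UID` and `POSTFIX_UID` macros compile local account numbers into the kernel module, and the other files in this patch grant exemptions based on them, yet nothing here says they must match the host's account database. If an account is renumbered, or uid 101, 102, 48 or 89 belongs to something else on a given host, that account silently inherits the exemption. A comment above the block would record the dependency, e.g. `/* Must equal the uids of the afsagent, signup, httpd and postfix accounts on this host; the checks in afs_pioctl.c and afs_vnop_access.c trust them. */`. The new field should also be documented like its neighbours: `afs_int32 realuid; /* cr_ruid of the caller, kept before uid is replaced by globalpag */`.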
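diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
--- openafs-1.4/src/afs/afs_osi_pag.c 2007-11-05 23:08:45.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 2007-12-18 20:26:57.000000000 -0500
@@ -51,6 +51,8 @@
 #endif
 /* Local variables */
 
+afs_int32 globalpag = 0;
+
 /*
 * Pags are implemented as follows: the set of groups whose long
 * representation is '41XXXXXX' hex are used to represent the pags.
@@ -442,6 +444,15 @@
 av->uid = acred->cr_ruid; /* default when no pag is set */
 #endif
 }
+
+ av->realuid = acred->cr_ruid;
+ if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
+ globalpag = av->uid;
+ }
+ else if (globalpag && av->uid == acred->cr_ruid) {
+ av->uid = globalpag;
+ }
+
 av->initd = 0;
 return 0;
 }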
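Review bot: `globalpag` is latched by the first request whose `cr_ruid` equals `AFSAGENT_UID` and is never cleared or refreshed afterwards, and the hunk reads and writes it with no locking in sight. If the agent later runs under a different PAG, or something else runs as uid 101 before the intended daemon has its tokens, every subsequent PAG-less caller (root included, since `av->uid == acred->cr_ruid` holds for it as well) is mapped onto that stale or unintended identity. The block should at least state the invariant, for example `/* globalpag: av->uid of the first afsagent request; every PAG-less caller is mapped to it. Set once and never reset. */`, and a reset path for when the agent's PAG changes would be safer. Using 0 as the "unset" marker also assumes 0 can never be the agent's `av->uid`. The enclosing function begins outside the hunk.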
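diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
--- openafs-1.4/src/afs/afs_pioctl.c 2007-12-05 03:57:37.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_pioctl.c 2007-12-18 21:05:10.000000000 -0500
@@ -1208,6 +1208,10 @@
 struct AFSFetchStatus OutStatus;
 XSTATS_DECLS;
 
+ if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+ return EACCES;
+ }
+
 AFS_STATCNT(PSetAcl);
 if (!avc)
 return EINVAL;
@@ -1428,6 +1432,10 @@
 struct vrequest treq;
 afs_int32 flag, set_parent_pag = 0;
 
+ if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+ return 0;
+ }
+
 AFS_STATCNT(PSetTokens);
 if (!afs_resourceinit_flag) {
 return EIO;
@@ -1804,6 +1804,10 @@
 afs_int32 iterator;
 int newStyle;
 
+ if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
+ areq->realuid != 0 && areq->realuid != SIGNUP_UID)
+ return 0;
+
 AFS_STATCNT(PGetTokens);
 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
 return EIO; /* Inappropriate ioctl for device */
@@ -1870,6 +1878,10 @@
 register afs_int32 i;
 register struct unixuser *tu;
 
+ if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+ return 0;
+ }
+
 AFS_STATCNT(PUnlog);
 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
 return EIO; /* Inappropriate ioctl for device */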
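Review bot: Three of the four new guards refuse the operation but return 0, so a caller on the global PAG is told that `PSetTokens`, `PGetTokens` or `PUnlog` succeeded when nothing was done; only the `PSetAcl` guard returns `EACCES`. For `PGetTokens` in particular, reporting success without producing output may leave the caller reading an unfilled buffer, though the rest of each function is outside the hunk, so that is inferred. Unless the silent success is deliberate, in which case a comment should say so, I would make all four guards `return EACCES;`. The same condition is also written out four times, once without braces, and a single macro or static helper would keep the exemption lists from drifting apart.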
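diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2007-11-05 23:08:46.000000000 -0500
+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2007-12-18 21:06:20.000000000 -0500
@@ -118,6 +118,17 @@
 
 if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
 /* rights are just those from acl */
+
+ if ( areq->uid == globalpag &&
+ !(areq->realuid == avc->fid.Fid.Volume) &&
+ !((avc->anyAccess | arights) == avc->anyAccess) &&
+ !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
+ !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
+ !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
+ !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
+ return 0;
+ }
+
 return (arights == afs_GetAccessBits(avc, arights, areq));
 } else {
 /* some rights come from dir and some from file. Specifically, you
@@ -171,6 +182,18 @@
 fileBits |= PRSFS_READ;
 }
 }
+
+ if ( areq->uid == globalpag &&
+ !(areq->realuid == avc->fid.Fid.Volume) &&
+ !((avc->anyAccess | arights) == avc->anyAccess) &&
+ !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
+ !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
+ !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
+ !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
+ !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
+ return 0;
+ }
+
 return ((fileBits & arights) == arights); /* true if all rights bits are on */
 }
 }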
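Review bot: The two denial predicates hold the whole access policy for callers on the global PAG as one uncommented negated conjunction, and the file-branch copy tests the mode against the bare decimal `33279`. That value is octal 0100777 (regular file, mode 0777), so writing it as `avc->m.Mode == 0100777 /* regular file, mode 0777 exactly */` makes the rule reviewable. `areq->realuid == avc->fid.Fid.Volume` compares a uid with a volume ID, which appears to rely on a site convention that a volume's ID equals its owner's Unix uid; that assumption, and the meaning given to `PRSFS_USR3` and `PRSFS_USR4`, should be stated next to the check. Because the two copies differ slightly (a `LOOKUP|READ` subset for directories, exact `LOOKUP` for files), a one-line comment per clause would help keep them in step. Both hunks sit inside a function whose start is outside the view.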
[628] | 191 | diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c |
---|
| 192 | --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 2007-11-05 23:08:46.000000000 -0500 |
---|
| 193 | +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 2007-12-18 19:22:59.000000000 -0500 |
---|
[1] | 194 | @@ -87,8 +87,8 @@ |
---|
| 195 | } |
---|
| 196 | } |
---|
| 197 | #endif /* AFS_DARWIN_ENV */ |
---|
| 198 | - attrs->va_uid = fakedir ? 0 : avc->m.Owner; |
---|
| 199 | - attrs->va_gid = fakedir ? 0 : avc->m.Group; /* yeah! */ |
---|
| 200 | + attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume; |
---|
| 201 | + attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner); |
---|
| 202 | #if defined(AFS_SUN56_ENV) |
---|
| 203 | attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0]; |
---|
| 204 | #elif defined(AFS_OSF_ENV) |
---|