source: trunk/server/common/patches/openafs-scripts.patch @ 1134

Last change on this file since 1134 was 1134, checked in by ezyang, 15 years ago
Update OpenAFS patch to not need 777 for .htaccess files. Symlinks to files that are not named .htaccess still need to be 777; if a file is hard linked, Apache can access it through its .htaccess name but not through any other name.
File size: 9.9 KB
  • src/afs/afs_analyze.c

    # scripts.mit.edu openafs patch
    # Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
    # with modifications by Joe Presbrey <presbrey@mit.edu>
    # and Anders Kaseorg <andersk@mit.edu>
    # and Edward Z. Yang <ezyang@mit.edu>
    #
    # This file is available under both the MIT license and the GPL.
    #
    
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    # 
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    # 
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    #
    
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
    old new  
    585585                         (afid ? afid->Fid.Volume : 0));
    586586        }
    587587
    588         if (areq->busyCount > 100) {
     588        if (1) {
    589589            if (aerrP)
    590590                (aerrP->err_Volume)++;
    591591            areq->volumeError = VOLBUSY;
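Review bot: The replacement condition `if (1) {` in the busy-volume handling carries no comment, so the removed `areq->busyCount > 100` retry budget disappears without a stated reason and the constant test invites a later "cleanup". With this change the first busy reply appears to set `VOLBUSY` immediately instead of retrying, which trades availability during volume operations for bounded request latency. I would add a comment above the test such as `/* [scripts] fail on the first VBUSY instead of retrying up to 100 times */`, followed by the actual rationale. The enclosing function starts and ends outside the hunk.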
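--- a/src/afs/LINUX/osi_vnodeops.c
+++ b/src/afs/LINUX/osi_vnodeops.c
@@ -875,6 +875,28 @@
         /* should we always update the attributes at this point? */
         /* unlikely--the vcache entry hasn't changed */
 
+        /* [scripts] This code makes hardlinks work correctly.
+         *
+         * We want Apache to be able to read a file with hardlinks
+         * named .htaccess and foo to be able to read it via .htaccess
+         * and not via foo, regardless of which name was looked up
+         * (remember, inodes do not have filenames associated with them.)
+         *
+         * It is important that we modify the existing cache entry even
+         * if it is otherwise totally valid and would not be reloaded.
+         * Otherwise, it won't recover from repeatedly reading the same
+         * inode via multiple hardlinks or different names.  Specifically,
+         * Apache will be able to read both names if it was first looked
+         * up (by anyone!) via .htaccess, and neither if it was first
+         * looked up via foo.
+         *
+         * With regards to performance, the strncmp() is bounded by
+         * three characters, so it takes O(3) operations.  If this code
+         * is extended to all static-cat extensions, we'll want to do
+         * some clever hashing using gperf here.
+         */
+        vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
+
     } else {
 #ifdef notyet
         pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */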
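Review bot: The test `strncmp(dp->d_name.name, ".ht", 3) == 0` marks every name beginning with `.ht` as Apache-readable, while the comment above it and the commit description speak only of `.htaccess`; the same prefix test is repeated on `aname` in afs_vnop_lookup.c. If only `.htaccess` is meant, compare the whole name, e.g. `vcp->apache_access = strcmp(dp->d_name.name, ".htaccess") == 0;`; if all `.ht*` files are meant, the comment should say so. The comment should also state plainly that `apache_access` is a single flag per cached inode, overwritten by whichever lookup ran last, so for a hard-linked file the read check in afs_vnop_access.c can be decided by another process's lookup rather than by the name Apache used. Name-based separation of hard links is therefore best-effort, not an enforced boundary. The enclosing branch begins outside the hunk.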
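--- a/src/afs/VNOPS/afs_vnop_lookup.c
+++ b/src/afs/VNOPS/afs_vnop_lookup.c
@@ -1572,6 +1572,12 @@
     }
 
   done:
+    if (tvc) {
+        /* [scripts] check Apache's ability to read this file, so that
+         * we can figure this out on an access() call */
+        tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
+    }
+
     /* put the network buffer back, if need be */
     if (tname != aname && tname)
         osi_FreeLargeSpace(tname);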
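--- a/src/afs/afs.h
+++ b/src/afs/afs.h
@@ -208,8 +208,16 @@
 #define QTOC(e)     QEntry(e, struct cell, lruq)
 #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
 
+#define AFSAGENT_UID (101)
+#define SIGNUP_UID (102)
+#define HTTPD_UID (48)
+#define POSTFIX_UID (89)
+#define DAEMON_SCRIPTS_PTSID (33554596)
+extern afs_int32 globalpag;
+
 struct vrequest {
     afs_int32 uid;              /* user id making the request */
+    afs_int32 realuid;
     afs_int32 busyCount;        /* how many busies we've seen so far */
     afs_int32 flags;            /* things like O_SYNC, O_NONBLOCK go here */
     char initd;                 /* if non-zero, Error fields meaningful */
@@ -743,6 +751,7 @@
 #ifdef AFS_SUN5_ENV
     short multiPage;            /* count of multi-page getpages in progress */
 #endif
+    bool apache_access;         /* whether or not Apache has access to a file */
 };
 
 #define DONT_CHECK_MODE_BITS    0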
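Review bot: The new constants `AFSAGENT_UID`, `SIGNUP_UID`, `HTTPD_UID` and `POSTFIX_UID` hard-code local account numbers that the later access checks treat as trusted principals, and nothing here says they must match the host's account database. On a machine where UID 48 or 89 belongs to a different account, that account would receive the lookup/read exemptions meant for Apache and Postfix. I would add `/* [scripts] local UIDs trusted by the checks in afs_vnop_access.c and afs_pioctl.c; must match the accounts on every server */` above the block, and give the new field a comment such as `/* real uid of the caller, kept when uid is remapped to globalpag */`. `bool apache_access` also relies on a `bool` type being visible in this shared header, which may hold only for the Linux build.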
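--- a/src/afs/afs_osi_pag.c
+++ b/src/afs/afs_osi_pag.c
@@ -51,6 +51,8 @@
 #endif
 /* Local variables */
 
+afs_int32 globalpag = 0;
+
 /*
  * Pags are implemented as follows: the set of groups whose long
  * representation is '41XXXXXX' hex are used to represent the pags.
@@ -458,6 +460,15 @@
         av->uid = acred->cr_ruid;       /* default when no pag is set */
 #endif
     }
+
+    av->realuid = acred->cr_ruid;
+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
+      globalpag = av->uid;
+    }
+    else if (globalpag && av->uid == acred->cr_ruid) {
+      av->uid = globalpag;
+    }
+
     av->initd = 0;
     return 0;
 }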
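Review bot: `globalpag` is latched from the first request made by `AFSAGENT_UID` (new lines 465-467) and never updated afterwards, and the test-then-assign shows no lock of its own. If the agent later runs under a different PAG, every PAG-less request is still remapped to the stale value, and until the agent's first request PAG-less callers keep their own uid, so the restrictions keyed on `areq->uid == globalpag` elsewhere in the patch do not yet apply to them. I would document this at the definition, e.g. `/* [scripts] identity holding the daemon tokens; set once by the first AFSAGENT_UID request, then substituted for every PAG-less caller */`, and state which lock (presumably the AFS global lock) is assumed to be held here. The added block also uses `if(` and two-space bodies where the surrounding function uses `if (` and four spaces.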
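--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -1217,6 +1217,10 @@
     struct AFSFetchStatus OutStatus;
     XSTATS_DECLS;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+      return EACCES;
+    }
+
     AFS_STATCNT(PSetAcl);
     if (!avc)
         return EINVAL;
@@ -1437,6 +1441,10 @@
     struct vrequest treq;
     afs_int32 flag, set_parent_pag = 0;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+        return 0;
+    }
+
     AFS_STATCNT(PSetTokens);
     if (!afs_resourceinit_flag) {
         return EIO;
@@ -1796,6 +1804,10 @@
     afs_int32 iterator;
     int newStyle;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
+        areq->realuid != 0 && areq->realuid != SIGNUP_UID)
+        return 0;
+
     AFS_STATCNT(PGetTokens);
     if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
         return EIO;             /* Inappropriate ioctl for device */
@@ -1879,6 +1891,10 @@
     register afs_int32 i;
     register struct unixuser *tu;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+        return 0;
+    }
+
     AFS_STATCNT(PUnlog);
     if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
         return EIO;             /* Inappropriate ioctl for device */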
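Review bot: The guards added to PSetTokens, PGetTokens and PUnlog refuse the operation with `return 0`, i.e. success, while the same guard in PSetAcl returns `EACCES`. A caller sharing the global PAG is told its tokens were set, read or discarded when nothing happened, and in PGetTokens the early return precedes any output, so what the caller receives depends on how the dispatcher (not visible here) initialises the output size. If the silent success is deliberate, each guard needs a comment saying so, e.g. `/* [scripts] report success without touching the shared tokens */` plus the reason; otherwise use `return EACCES;` in all four. The four copies of the predicate also differ slightly (PGetTokens additionally lets uid 0 and `SIGNUP_UID` through), which would be easier to audit as one documented helper.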
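--- a/src/afs/VNOPS/afs_vnop_access.c
+++ b/src/afs/VNOPS/afs_vnop_access.c
@@ -118,6 +118,17 @@
 
     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
         /* rights are just those from acl */
+
+      if ( areq->uid == globalpag &&
+           !(areq->realuid == avc->fid.Fid.Volume) &&
+           !((avc->anyAccess | arights) == avc->anyAccess) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+         return 0;
+      }
+
         return (arights == afs_GetAccessBits(avc, arights, areq));
     } else {
         /* some rights come from dir and some from file.  Specifically, you
@@ -171,6 +182,19 @@
                     fileBits |= PRSFS_READ;
             }
         }
+       
+        if ( areq->uid == globalpag &&
+             !(areq->realuid == avc->fid.Fid.Volume) &&
+             !((avc->anyAccess | arights) == avc->anyAccess) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
+                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
+           return 0;
+        }
+
         return ((fileBits & arights) == arights);       /* true if all rights bits are on */
     }
 }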
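Review bot: The two added conditions at new lines 122-128 and 186-194 are the whole authorization policy for requests running under `globalpag`, yet neither carries a comment and each packs seven or eight negated exemptions into one expression. Several clauses depend on conventions the code never states: `areq->realuid == avc->fid.Fid.Volume` assumes a volume ID equals its owner's local UID, `avc->m.Mode == 0100777` is an exact-match magic mode, and `PRSFS_USR3`/`PRSFS_USR4` act as site-defined grants for root and `SIGNUP_UID`. I would put a block comment above each condition listing the exemptions one per line (caller owns the volume, rights already covered by `anyAccess`, Apache/Postfix lookup and read, root via USR3, root or signup via USR4) and noting that `return 0` here means deny. The directory branch lets Apache and Postfix through for any subset of lookup and read, while the file branch requires `arights` to equal exactly `PRSFS_LOOKUP` or `PRSFS_READ`; if that asymmetry is intended, the comment should say why. The enclosing function starts outside the hunks.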
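--- a/src/afs/VNOPS/afs_vnop_attrs.c
+++ b/src/afs/VNOPS/afs_vnop_attrs.c
@@ -87,8 +87,8 @@
         }
     }
 #endif /* AFS_DARWIN_ENV */
-    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
-    attrs->va_gid = fakedir ? 0 : avc->m.Group; /* yeah! */
+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
 #if defined(AFS_SUN56_ENV)
     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
 #elif defined(AFS_OSF_ENV)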
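Review bot: The new `va_gid` assignment drops the `fakedir ? 0 :` guard that the removed line had and that the new `va_uid` line keeps, so for a fake directory the group is now taken from `avc->m.Owner` or `avc->m.Group` instead of being 0. If that is not intended, restore it: `attrs->va_gid = fakedir ? 0 : (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);`. Reporting the volume ID as the file's uid and the AFS owner as its gid changes what every stat-based ownership check on the host sees, so the two lines deserve a comment such as `/* [scripts] uid = volume ID, gid = AFS owner unless the owner is DAEMON_SCRIPTS_PTSID */`. The enclosing function is outside the hunk.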