source: trunk/server/common/patches/openafs-scripts.patch @ 2335

Last change on this file since 2335 was 2066, checked in by achernya, 11 years ago
Merge branches/fc15-dev to trunk
File size: 10.1 KB
  • src/afs/LINUX/osi_vnodeops.c

    # scripts.mit.edu openafs patch
    # Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
    # with modifications by Joe Presbrey <presbrey@mit.edu>
    # and Anders Kaseorg <andersk@mit.edu>
    # and Edward Z. Yang <ezyang@mit.edu>
    # and Benjamin Kaduk <kaduk@mit.edu>
    # and Alexander Chernyakhovsky <achernya@mit.edu>
    #
    # This file is available under both the MIT license and the GPL.
    #
    
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    # 
    # The above copyright notice and this permission notice shall be included in
    # all copies or substantial portions of the Software.
    # 
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    #
    
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
    #
    # See /COPYRIGHT in this repository for more information.
    #
    diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
    index 7c7705e..0d0e94f 100644
    a b afs_linux_dentry_revalidate(struct dentry *dp, int flags) 
    904904        /* should we always update the attributes at this point? */
    905905        /* unlikely--the vcache entry hasn't changed */
    906906
     907        /* [scripts] This code makes hardlinks work correctly.
     908        *
     909        * We want Apache to be able to read a file with hardlinks
     910        * named .htaccess and foo to be able to read it via .htaccess
     911        * and not via foo, regardless of which name was looked up
     912        * (remember, inodes do not have filenames associated with them.)
     913        *
     914        * It is important that we modify the existing cache entry even
     915        * if it is otherwise totally valid and would not be reloaded.
     916        * Otherwise, it won't recover from repeatedly reading the same
     917        * inode via multiple hardlinks or different names.  Specifically,
     918        * Apache will be able to read both names if it was first looked
     919        * up (by anyone!) via .htaccess, and neither if it was first
     920        * looked up via foo.
     921        *
     922        * With regards to performance, the strncmp() is bounded by
     923        * three characters, so it takes O(3) operations.  If this code
     924        * is extended to all static-cat extensions, we'll want to do
     925        * some clever hashing using gperf here.
     926        */
     927        vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
     928
    907929        dput(parent);
    908930    } else {
    909931#ifdef notyet
  • src/afs/VNOPS/afs_vnop_access.c

    diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
    index eabcfeb..6390850 100644
    a b afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 
    130130            dirBits = PRSFS_LOOKUP | PRSFS_READ;
    131131            return (arights == (dirBits & arights));
    132132        }
     133        if ( areq->uid == globalpag &&
     134            !(areq->realuid == avc->f.fid.Fid.Volume) &&
     135            !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     136            !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
     137            !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
     138            !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     139            !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     140            return 0;
     141        }
    133142        return (arights == afs_GetAccessBits(avc, arights, areq));
    134143    } else {
    135144        /* some rights come from dir and some from file.  Specifically, you
    afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 
    183192                    fileBits |= PRSFS_READ;
    184193            }
    185194        }
     195
     196        if ( areq->uid == globalpag &&
     197            !(areq->realuid == avc->f.fid.Fid.Volume) &&
     198            !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     199            !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
     200            !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
     201            !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
     202                (avc->f.m.Mode == 0100777 || avc->apache_access)) &&
     203            !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     204            !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     205            return 0;
     206        }
     207
    186208        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
    187209    }
    188210}
  • src/afs/VNOPS/afs_vnop_attrs.c

    diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
    index b3931e5..71ef05c 100644
    a b afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs) 
    8888        }
    8989    }
    9090#endif /* AFS_DARWIN_ENV */
    91     attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
    92     attrs->va_gid = fakedir ? 0 : avc->f.m.Group;       /* yeah! */
     91    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
     92    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
    9393#if defined(AFS_SUN56_ENV)
    9494    attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
    9595#elif defined(AFS_DARWIN80_ENV)
  • src/afs/VNOPS/afs_vnop_lookup.c

    diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
    index 8e7af1c..7e984e9 100644
    a b afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr 
    18771877    }
    18781878
    18791879  done:
     1880    if (tvc) {
     1881    /* [scripts] check Apache's ability to read this file, so that
     1882    * we can figure this out on an access() call */
     1883    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
     1884    }
     1885
    18801886    /* put the network buffer back, if need be */
    18811887    if (tname != aname && tname)
    18821888        osi_FreeLargeSpace(tname);
  • src/afs/afs.h

    diff --git a/src/afs/afs.h b/src/afs/afs.h
    index fcc4c70..0d53af6 100644
    a b struct afs_slotlist { 
    233233    struct afs_slotlist *next;
    234234};
    235235
     236#define AFSAGENT_UID (101)
     237#define SIGNUP_UID (102)
     238#define HTTPD_UID (48)
     239#define POSTFIX_UID (89)
     240#define DAEMON_SCRIPTS_PTSID (33554596)
     241extern afs_int32 globalpag;
     242
    236243struct vrequest {
    237244    afs_int32 uid;              /* user id making the request */
     245    afs_int32 realuid;
    238246    afs_int32 busyCount;        /* how many busies we've seen so far */
    239247    afs_int32 flags;            /* things like O_SYNC, O_NONBLOCK go here */
    240248    char initd;                 /* if non-zero, Error fields meaningful */
    struct vcache { 
    887895#ifdef AFS_SUN5_ENV
    888896    struct afs_q multiPage;     /* list of multiPage_range structs */
    889897#endif
     898    int apache_access;          /* whether or not Apache has access to a file */
    890899};
    891900
    892901#define DONT_CHECK_MODE_BITS    0
  • src/afs/afs_analyze.c

    diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
    index 1834e6d..673a8e6 100644
    a b afs_Analyze(struct afs_conn *aconn, afs_int32 acode, 
    368368                         (afid ? afid->Fid.Volume : 0));
    369369        }
    370370
    371         if (areq->busyCount > 100) {
     371        if (1) {
    372372            if (aerrP)
    373373                (aerrP->err_Volume)++;
    374374            areq->volumeError = VOLBUSY;
  • src/afs/afs_osi_pag.c

    diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
    index c888605..ff5cf2d 100644
    a b afs_uint32 pagCounter = 0; 
    4949#endif
    5050/* Local variables */
    5151
     52afs_int32 globalpag = 0;
     53
    5254/*
    5355 * Pags are implemented as follows: the set of groups whose long
    5456 * representation is '41XXXXXX' hex are used to represent the pags.
    afs_InitReq(struct vrequest *av, afs_ucred_t *acred) 
    484486        av->uid = afs_cr_uid(acred);    /* default when no pag is set */
    485487#endif
    486488    }
     489
     490    av->realuid = afs_cr_uid(acred);
     491    if(!globalpag && av->realuid == AFSAGENT_UID) {
     492      globalpag = av->uid;
     493    }
     494    else if (globalpag && av->uid == av->realuid) {
     495      av->uid = globalpag;
     496    }
     497
    487498    return 0;
    488499}
    489500
  • src/afs/afs_pioctl.c

    diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
    index f282510..00f1360 100644
    a b DECL_PIOCTL(PSetAcl) 
    14061406    struct rx_connection *rxconn;
    14071407    XSTATS_DECLS;
    14081408
     1409    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
     1410       return EACCES;
     1411    }
     1412
    14091413    AFS_STATCNT(PSetAcl);
    14101414    if (!avc)
    14111415        return EINVAL;
    DECL_PIOCTL(PSetTokens) 
    17901794    struct vrequest treq;
    17911795    afs_int32 flag, set_parent_pag = 0;
    17921796
     1797    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
     1798        return EACCES;
     1799    }
     1800
    17931801    AFS_STATCNT(PSetTokens);
    17941802    if (!afs_resourceinit_flag) {
    17951803        return EIO;
    DECL_PIOCTL(PGetTokens) 
    22312239    int newStyle;
    22322240    int code = E2BIG;
    22332241
     2242    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
     2243        areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
     2244        return EDOM;
     2245    }
     2246
    22342247    AFS_STATCNT(PGetTokens);
    22352248    if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
    22362249        return EIO;             /* Inappropriate ioctl for device */
    DECL_PIOCTL(PUnlog) 
    23412354    afs_int32 i;
    23422355    struct unixuser *tu;
    23432356
     2357    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
     2358        return EACCES;
     2359    }
     2360
    23442361    AFS_STATCNT(PUnlog);
    23452362    if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
    23462363        return EIO;             /* Inappropriate ioctl for device */
Note: See TracBrowser for help on using the repository browser.