Changeset 2066 for trunk/server/common


Ignore:
Timestamp:
Nov 22, 2011, 12:45:17 AM (11 years ago)
Author:
achernya
Message:
Merge branches/fc15-dev to trunk
Location:
trunk
Files:
6 deleted
8 edited
12 copied

Legend:

Unmodified
Added
Removed
  • trunk

  • trunk/server/common/oursrc/execsys/execsys-binfmt

  • trunk/server/common/oursrc/php_scripts/php_scripts-config.m4

  • trunk/server/common/oursrc/tokensys/configure.in

    r38 r2066  
    2424REQUIRE_PATH(aklog)
    2525
     26AC_ARG_WITH(fs,
     27[  --with-fs[=PATH]          fs is located at PATH],[
     28  if test "$withval" != "no" -a "$withval" != "yes"; then
     29    fs_path="$withval"
     30  fi
     31])
     32REQUIRE_PATH(fs)
     33
    2634AC_OUTPUT(Makefile)
    2735AC_OUTPUT(renew)
     36AC_OUTPUT(scripts-afsagent-startup)
  • trunk/server/common/oursrc/tokensys/renew.in

    r1594 r2066  
    22
    33# This script renews afsagent's tickets and tokens.
    4 # It is called by afsagent's crontab every 8 hours.
     4# It is called by systemd on a regular schedule.
    55
    66export KRB5CCNAME=/home/afsagent/krb5cc
  • trunk/server/common/oursrc/whoisd/Makefile.in

    r763 r2066  
    11install:
    22        install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac
    3         install -Dpm 644 crontab ${DESTDIR}/etc/cron.d/whoisd
     3        install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
    44
    55clean:
    66        rm -f ${DESTDIR}@libexecdir@/whoisd.tac
    7         rm -f ${DESTDIR}/etc/cron.d/whoisd
     7        rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
  • trunk/server/common/patches/krb5-kuserok-scripts.patch

    r1693 r2066  
    11# scripts.mit.edu krb5 kuserok patch
    22# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
     3#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
    34#
    45# This program is free software; you can redistribute it and/or
     
    1819# See /COPYRIGHT in this repository for more information.
    1920#
    20 --- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old    2009-04-08 06:17:06.000000000 -0400
    21 +++ krb5-1.6.3/src/lib/krb5/os/kuserok.c        2009-04-08 06:17:18.000000000 -0400
    22 @@ -31,6 +31,7 @@
    23  #if !defined(_WIN32)           /* Not yet for Windows */
     21--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
     22+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
     23@@ -32,6 +32,7 @@
     24 #if !defined(_WIN32)            /* Not yet for Windows */
    2425 #include <stdio.h>
    2526 #include <pwd.h>
     
    2829 #if defined(_AIX) && defined(_IBMR2)
    2930 #include <sys/access.h>
    30 @@ -71,7 +72,6 @@
     31@@ -51,39 +52,6 @@
     32 enum result { ACCEPT, REJECT, PASS };
     33 
     34 /*
     35- * Find the k5login filename for luser, either in the user's homedir or in a
     36- * configured directory under the username.
     37- */
     38-static krb5_error_code
     39-get_k5login_filename(krb5_context context, const char *luser,
     40-                     const char *homedir, char **filename_out)
     41-{
     42-    krb5_error_code ret;
     43-    char *dir, *filename;
     44-
     45-    *filename_out = NULL;
     46-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
     47-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
     48-    if (ret != 0)
     49-        return ret;
     50-
     51-    if (dir == NULL) {
     52-        /* Look in the user's homedir. */
     53-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
     54-            return ENOMEM;
     55-    } else {
     56-        /* Look in the configured directory. */
     57-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
     58-            ret = ENOMEM;
     59-        profile_release_string(dir);
     60-        if (ret)
     61-            return ret;
     62-    }
     63-    *filename_out = filename;
     64-    return 0;
     65-}
     66-
     67-/*
     68  * Determine whether principal is authorized to log in as luser according to
     69  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
     70  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
     71@@ -93,13 +61,12 @@
     72 static enum result
     73 k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
    3174 {
    32      struct stat sbuf;
    33      struct passwd *pwd;
    34 -    char pbuf[MAXPATHLEN];
    35      krb5_boolean isok = FALSE;
    36      FILE *fp;
    37      char kuser[MAX_USERNAME];
    38 @@ -79,71 +79,35 @@
    39      char linebuf[BUFSIZ];
    40      char *newline;
    41      int gobble;
     75-    int authoritative = TRUE, gobble;
     76+    int authoritative = TRUE;
     77     enum result result = REJECT;
     78-    char *filename = NULL, *princname = NULL;
     79-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
     80-    struct stat sbuf;
     81+    char *princname = NULL;
     82+    char pwbuf[BUFSIZ];
     83     struct passwd pwx, *pwd;
     84-    FILE *fp = NULL;
    4285+    int pid, status;
    4386 
    44      /* no account => no access */
    45      char pwbuf[BUFSIZ];
    46      struct passwd pwx;
     87     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
     88                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
     89@@ -110,46 +77,29 @@
    4790     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    48         return(FALSE);
    49 -    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    50 -    pbuf[sizeof(pbuf) - 1] = '\0';
    51 -    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
     91         goto cleanup;
     92 
     93-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
     94-        goto cleanup;
    5295-
    53 -    if (access(pbuf, F_OK)) {   /* not accessible */
    54 -       /*
    55 -        * if he's trying to log in as himself, and there is no .k5login file,
    56 -        * let him.  To find out, call
    57 -        * krb5_aname_to_localname to convert the principal to a name
    58 -        * which we can string compare.
    59 -        */
    60 -       if (!(krb5_aname_to_localname(context, principal,
    61 -                                     sizeof(kuser), kuser))
    62 -           && (strcmp(kuser, luser) == 0)) {
    63 -           return(TRUE);
    64 -       }
     96-    if (access(filename, F_OK) != 0) {
     97-        result = PASS;
     98-        goto cleanup;
    6599-    }
    66      if (krb5_unparse_name(context, principal, &princname))
    67         return(FALSE);                  /* no hope of matching */
     100-
     101     if (krb5_unparse_name(context, principal, &princname) != 0)
     102         goto cleanup;
    68103 
    69 -    /* open ~/.k5login */
    70 -    if ((fp = fopen(pbuf, "r")) == NULL) {
    71 -       free(princname);
    72 -       return(FALSE);
    73 -    }
     104-    fp = fopen(filename, "r");
     105-    if (fp == NULL)
     106+    if ((pid = fork()) == -1)
     107         goto cleanup;
    74108-    set_cloexec_file(fp);
    75 -    /*
    76 -     * For security reasons, the .k5login file must be owned either by
    77 -     * the user himself, or by root.  Otherwise, don't grant access.
    78 -     */
    79 -    if (fstat(fileno(fp), &sbuf)) {
    80 -       fclose(fp);
    81 -       free(princname);
    82 -       return(FALSE);
    83 +    if ((pid = fork()) == -1) {
    84 +       free(princname);
    85 +       return(FALSE);
     109-
     110-    /* For security reasons, the .k5login file must be owned either by
     111-     * the user or by root. */
     112-    if (fstat(fileno(fp), &sbuf))
     113-        goto cleanup;
     114-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
     115-        goto cleanup;
     116-
     117-    /* Check each line. */
     118-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
     119-        newline = strrchr(linebuf, '\n');
     120-        if (newline != NULL)
     121-            *newline = '\0';
     122-        if (strcmp(linebuf, princname) == 0)
     123-            result = ACCEPT;
     124-        /* Clean up the rest of the line if necessary. */
     125-        if (newline == NULL)
     126-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     127+   
     128+    if (pid == 0) {
     129+        char *args[4];
     130+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     131+        args[0] = ADMOF_PATH;
     132+        args[1] = (char *) luser;
     133+        args[2] = princname;
     134+        args[3] = NULL;
     135+        execv(ADMOF_PATH, args);
     136+        exit(1);
    86137     }
    87 -    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
    88 -       fclose(fp);
    89 -       free(princname);
    90 -       return(FALSE);
    91 +    if (pid == 0) {
    92 +       char *args[4];
    93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
    94 +       args[0] = ADMOF_PATH;
    95 +       args[1] = (char *) luser;
    96 +       args[2] = princname;
    97 +       args[3] = NULL;
    98 +       execv(ADMOF_PATH, args);
    99 +       exit(1);
    100      }
    101 -
    102 -    /* check each line */
    103 -    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
    104 -       /* null-terminate the input string */
    105 -       linebuf[BUFSIZ-1] = '\0';
    106 -       newline = NULL;
    107 -       /* nuke the newline if it exists */
    108 -       if ((newline = strchr(linebuf, '\n')))
    109 -           *newline = '\0';
    110 -       if (!strcmp(linebuf, princname)) {
    111 -           isok = TRUE;
    112 -           continue;
    113 -       }
    114 -       /* clean up the rest of the line if necessary */
    115 -       if (!newline)
    116 -           while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     138 
    117139+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
    118 +       isok=TRUE;
    119      }
     140+        result = ACCEPT;
     141+    }
    120142+   
     143 cleanup:
    121144     free(princname);
    122 -    fclose(fp);
    123      return(isok);
     145-    free(filename);
     146-    if (fp != NULL)
     147-        fclose(fp);
     148     /* If k5login files are non-authoritative, never reject. */
     149     return (!authoritative && result == REJECT) ? PASS : result;
    124150 }
    125  
  • trunk/server/common/patches/openafs-scripts.patch

    r1693 r2066  
    44# and Anders Kaseorg <andersk@mit.edu>
    55# and Edward Z. Yang <ezyang@mit.edu>
     6# and Benjamin Kaduk <kaduk@mit.edu>
     7# and Alexander Chernyakhovsky <achernya@mit.edu>
    68#
    79# This file is available under both the MIT license and the GPL.
     
    4345# See /COPYRIGHT in this repository for more information.
    4446#
    45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
    46 --- openafs-1.4/src/afs/afs_analyze.c
    47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c
    48 @@ -585,7 +585,7 @@
    49                          (afid ? afid->Fid.Volume : 0));
    50         }
    51  
    52 -       if (areq->busyCount > 100) {
    53 +       if (1) {
    54             if (aerrP)
    55                 (aerrP->err_Volume)++;
    56             areq->volumeError = VOLBUSY;
    57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
    58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
    59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
    60 @@ -896,6 +896,28 @@
     47diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
     48index 7c7705e..0d0e94f 100644
     49--- a/src/afs/LINUX/osi_vnodeops.c
     50+++ b/src/afs/LINUX/osi_vnodeops.c
     51@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
    6152        /* should we always update the attributes at this point? */
    6253        /* unlikely--the vcache entry hasn't changed */
    6354 
    6455+       /* [scripts] This code makes hardlinks work correctly.
    65 +        *
    66 +        * We want Apache to be able to read a file with hardlinks
    67 +        * named .htaccess and foo to be able to read it via .htaccess
    68 +        * and not via foo, regardless of which name was looked up
    69 +        * (remember, inodes do not have filenames associated with them.)
    70 +        *
    71 +        * It is important that we modify the existing cache entry even
    72 +        * if it is otherwise totally valid and would not be reloaded.
    73 +        * Otherwise, it won't recover from repeatedly reading the same
    74 +        * inode via multiple hardlinks or different names.  Specifically,
    75 +        * Apache will be able to read both names if it was first looked
    76 +        * up (by anyone!) via .htaccess, and neither if it was first
    77 +        * looked up via foo.
    78 +        *
    79 +        * With regards to performance, the strncmp() is bounded by
    80 +        * three characters, so it takes O(3) operations.  If this code
    81 +        * is extended to all static-cat extensions, we'll want to do
    82 +        * some clever hashing using gperf here.
    83 +        */
     56+       *
     57+       * We want Apache to be able to read a file with hardlinks
     58+       * named .htaccess and foo to be able to read it via .htaccess
     59+       * and not via foo, regardless of which name was looked up
     60+       * (remember, inodes do not have filenames associated with them.)
     61+       *
     62+       * It is important that we modify the existing cache entry even
     63+       * if it is otherwise totally valid and would not be reloaded.
     64+       * Otherwise, it won't recover from repeatedly reading the same
     65+       * inode via multiple hardlinks or different names.  Specifically,
     66+       * Apache will be able to read both names if it was first looked
     67+       * up (by anyone!) via .htaccess, and neither if it was first
     68+       * looked up via foo.
     69+       *
     70+       * With regards to performance, the strncmp() is bounded by
     71+       * three characters, so it takes O(3) operations.  If this code
     72+       * is extended to all static-cat extensions, we'll want to do
     73+       * some clever hashing using gperf here.
     74+       */
    8475+       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
    8576+
     77        dput(parent);
    8678     } else {
    8779 #ifdef notyet
    88         pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
    89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
    90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
    91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
    92 @@ -1572,6 +1572,12 @@
     80diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
     81index eabcfeb..6390850 100644
     82--- a/src/afs/VNOPS/afs_vnop_access.c
     83+++ b/src/afs/VNOPS/afs_vnop_access.c
     84@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
     85            dirBits = PRSFS_LOOKUP | PRSFS_READ;
     86            return (arights == (dirBits & arights));
     87        }
     88+       if ( areq->uid == globalpag &&
     89+           !(areq->realuid == avc->f.fid.Fid.Volume) &&
     90+           !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     91+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
     92+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
     93+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     94+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     95+           return 0;
     96+       }
     97        return (arights == afs_GetAccessBits(avc, arights, areq));
     98     } else {
     99        /* some rights come from dir and some from file.  Specifically, you
     100@@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
     101                    fileBits |= PRSFS_READ;
     102            }
     103        }
     104+
     105+       if ( areq->uid == globalpag &&
     106+           !(areq->realuid == avc->f.fid.Fid.Volume) &&
     107+           !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     108+           !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
     109+           !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
     110+           !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
     111+               (avc->f.m.Mode == 0100777 || avc->apache_access)) &&
     112+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     113+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     114+           return 0;
     115+       }
     116+
     117        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
     118     }
     119 }
     120diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
     121index b3931e5..71ef05c 100644
     122--- a/src/afs/VNOPS/afs_vnop_attrs.c
     123+++ b/src/afs/VNOPS/afs_vnop_attrs.c
     124@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs)
     125        }
     126     }
     127 #endif /* AFS_DARWIN_ENV */
     128-    attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
     129-    attrs->va_gid = fakedir ? 0 : avc->f.m.Group;      /* yeah! */
     130+    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
     131+    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
     132 #if defined(AFS_SUN56_ENV)
     133     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
     134 #elif defined(AFS_DARWIN80_ENV)
     135diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
     136index 8e7af1c..7e984e9 100644
     137--- a/src/afs/VNOPS/afs_vnop_lookup.c
     138+++ b/src/afs/VNOPS/afs_vnop_lookup.c
     139@@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
    93140     }
    94141 
    95142   done:
    96143+    if (tvc) {
    97 +       /* [scripts] check Apache's ability to read this file, so that
    98 +        * we can figure this out on an access() call */
    99 +       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
     144+    /* [scripts] check Apache's ability to read this file, so that
     145+    * we can figure this out on an access() call */
     146+    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
    100147+    }
    101148+
     
    103150     if (tname != aname && tname)
    104151        osi_FreeLargeSpace(tname);
    105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
    106 --- openafs-1.4/src/afs/afs.h
    107 +++ openafs-1.4+scripts/src/afs/afs.h
    108 @@ -208,8 +208,16 @@
    109  #define QTOC(e)            QEntry(e, struct cell, lruq)
    110  #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
     152diff --git a/src/afs/afs.h b/src/afs/afs.h
     153index fcc4c70..0d53af6 100644
     154--- a/src/afs/afs.h
     155+++ b/src/afs/afs.h
     156@@ -233,8 +233,16 @@ struct afs_slotlist {
     157     struct afs_slotlist *next;
     158 };
    111159 
    112160+#define AFSAGENT_UID (101)
     
    123171     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
    124172     char initd;                        /* if non-zero, Error fields meaningful */
    125 @@ -743,6 +751,7 @@
     173@@ -887,6 +895,7 @@ struct vcache {
    126174 #ifdef AFS_SUN5_ENV
    127      short multiPage;           /* count of multi-page getpages in progress */
     175     struct afs_q multiPage;    /* list of multiPage_range structs */
    128176 #endif
    129177+    int apache_access;         /* whether or not Apache has access to a file */
     
    131179 
    132180 #define        DONT_CHECK_MODE_BITS    0
    133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
    134 --- openafs-1.4/src/afs/afs_osi_pag.c
    135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
    136 @@ -49,6 +49,8 @@
     181diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
     182index 1834e6d..673a8e6 100644
     183--- a/src/afs/afs_analyze.c
     184+++ b/src/afs/afs_analyze.c
     185@@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
     186                         (afid ? afid->Fid.Volume : 0));
     187        }
     188 
     189-       if (areq->busyCount > 100) {
     190+       if (1) {
     191            if (aerrP)
     192                (aerrP->err_Volume)++;
     193            areq->volumeError = VOLBUSY;
     194diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
     195index c888605..ff5cf2d 100644
     196--- a/src/afs/afs_osi_pag.c
     197+++ b/src/afs/afs_osi_pag.c
     198@@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0;
    137199 #endif
    138200 /* Local variables */
     
    143205  * Pags are implemented as follows: the set of groups whose long
    144206  * representation is '41XXXXXX' hex are used to represent the pags.
    145 @@ -449,6 +451,15 @@
    146         av->uid = acred->cr_ruid;       /* default when no pag is set */
     207@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
     208        av->uid = afs_cr_uid(acred);    /* default when no pag is set */
    147209 #endif
    148210     }
    149211+
    150 +    av->realuid = acred->cr_ruid;
    151 +    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
     212+    av->realuid = afs_cr_uid(acred);
     213+    if(!globalpag && av->realuid == AFSAGENT_UID) {
    152214+      globalpag = av->uid;
    153215+    }
    154 +    else if (globalpag && av->uid == acred->cr_ruid) {
     216+    else if (globalpag && av->uid == av->realuid) {
    155217+      av->uid = globalpag;
    156218+    }
     
    159221 }
    160222 
    161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
    162 --- openafs-1.4/src/afs/afs_pioctl.c
    163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c
    164 @@ -1221,6 +1221,10 @@
    165      struct AFSFetchStatus OutStatus;
     223diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
     224index f282510..00f1360 100644
     225--- a/src/afs/afs_pioctl.c
     226+++ b/src/afs/afs_pioctl.c
     227@@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)
     228     struct rx_connection *rxconn;
    166229     XSTATS_DECLS;
    167230 
    168231+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
    169 +      return EACCES;
     232+       return EACCES;
    170233+    }
    171234+
     
    173236     if (!avc)
    174237        return EINVAL;
    175 @@ -1441,6 +1445,10 @@
     238@@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)
    176239     struct vrequest treq;
    177240     afs_int32 flag, set_parent_pag = 0;
     
    184247     if (!afs_resourceinit_flag) {
    185248        return EIO;
    186 @@ -1800,6 +1808,10 @@
    187      afs_int32 iterator;
     249@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)
    188250     int newStyle;
     251     int code = E2BIG;
    189252 
    190253+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
    191 +       areq->realuid != 0 && areq->realuid != SIGNUP_UID)
     254+       areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
    192255+       return EDOM;
     256+    }
    193257+
    194258     AFS_STATCNT(PGetTokens);
    195259     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
    196260        return EIO;             /* Inappropriate ioctl for device */
    197 @@ -1883,6 +1895,10 @@
    198      register afs_int32 i;
    199      register struct unixuser *tu;
     261@@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog)
     262     afs_int32 i;
     263     struct unixuser *tu;
    200264 
    201265+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
     
    206270     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
    207271        return EIO;             /* Inappropriate ioctl for device */
    208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
    210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    211 @@ -118,6 +118,17 @@
    212  
    213      if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
    214         /* rights are just those from acl */
    215 +
    216 +      if ( areq->uid == globalpag &&
    217 +           !(areq->realuid == avc->fid.Fid.Volume) &&
    218 +           !((avc->anyAccess | arights) == avc->anyAccess) &&
    219 +           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
    220 +           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
    221 +           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
    222 +           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
    223 +         return 0;
    224 +      }
    225 +
    226         return (arights == afs_GetAccessBits(avc, arights, areq));
    227      } else {
    228         /* some rights come from dir and some from file.  Specifically, you
    229 @@ -171,6 +182,19 @@
    230                     fileBits |= PRSFS_READ;
    231             }
    232         }
    233 +       
    234 +        if ( areq->uid == globalpag &&
    235 +             !(areq->realuid == avc->fid.Fid.Volume) &&
    236 +             !((avc->anyAccess | arights) == avc->anyAccess) &&
    237 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
    238 +             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
    239 +             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
    240 +                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
    241 +             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
    242 +             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
    243 +           return 0;
    244 +        }
    245 +
    246         return ((fileBits & arights) == arights);       /* true if all rights bits are on */
    247      }
    248  }
    249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
    251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    252 @@ -87,8 +87,8 @@
    253         }
    254      }
    255  #endif /* AFS_DARWIN_ENV */
    256 -    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
    257 -    attrs->va_gid = fakedir ? 0 : avc->m.Group;        /* yeah! */
    258 +    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
    259 +    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
    260  #if defined(AFS_SUN56_ENV)
    261      attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
    262  #elif defined(AFS_OSF_ENV)
Note: See TracChangeset for help on using the changeset viewer.