Timestamp:
Nov 22, 2011, 12:45:17 AM (11 years ago)
Author:
achernya
Message:
Merge branches/fc15-dev to trunk
Location:
trunk
Files:
2 edited

  • trunk

  • trunk/server/common/patches/openafs-scripts.patch

    r1693 r2066  
    44# and Anders Kaseorg <andersk@mit.edu>
    55# and Edward Z. Yang <ezyang@mit.edu>
     6# and Benjamin Kaduk <kaduk@mit.edu>
     7# and Alexander Chernyakhovsky <achernya@mit.edu>
    68#
    79# This file is available under both the MIT license and the GPL.
     
    4345# See /COPYRIGHT in this repository for more information.
    4446#
    45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
    46 --- openafs-1.4/src/afs/afs_analyze.c
    47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c
    48 @@ -585,7 +585,7 @@
    49                          (afid ? afid->Fid.Volume : 0));
    50         }
    51  
    52 -       if (areq->busyCount > 100) {
    53 +       if (1) {
    54             if (aerrP)
    55                 (aerrP->err_Volume)++;
    56             areq->volumeError = VOLBUSY;
    57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
    58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
    59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
    60 @@ -896,6 +896,28 @@
     47diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
     48index 7c7705e..0d0e94f 100644
     49--- a/src/afs/LINUX/osi_vnodeops.c
     50+++ b/src/afs/LINUX/osi_vnodeops.c
     51@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
    6152        /* should we always update the attributes at this point? */
    6253        /* unlikely--the vcache entry hasn't changed */
    6354 
    6455+       /* [scripts] This code makes hardlinks work correctly.
    65 +        *
    66 +        * We want Apache to be able to read a file with hardlinks
    67 +        * named .htaccess and foo to be able to read it via .htaccess
    68 +        * and not via foo, regardless of which name was looked up
    69 +        * (remember, inodes do not have filenames associated with them.)
    70 +        *
    71 +        * It is important that we modify the existing cache entry even
    72 +        * if it is otherwise totally valid and would not be reloaded.
    73 +        * Otherwise, it won't recover from repeatedly reading the same
    74 +        * inode via multiple hardlinks or different names.  Specifically,
    75 +        * Apache will be able to read both names if it was first looked
    76 +        * up (by anyone!) via .htaccess, and neither if it was first
    77 +        * looked up via foo.
    78 +        *
    79 +        * With regards to performance, the strncmp() is bounded by
    80 +        * three characters, so it takes O(3) operations.  If this code
    81 +        * is extended to all static-cat extensions, we'll want to do
    82 +        * some clever hashing using gperf here.
    83 +        */
     56+       *
     57+       * We want Apache to be able to read a file with hardlinks
     58+       * named .htaccess and foo to be able to read it via .htaccess
     59+       * and not via foo, regardless of which name was looked up
     60+       * (remember, inodes do not have filenames associated with them.)
     61+       *
     62+       * It is important that we modify the existing cache entry even
     63+       * if it is otherwise totally valid and would not be reloaded.
     64+       * Otherwise, it won't recover from repeatedly reading the same
     65+       * inode via multiple hardlinks or different names.  Specifically,
     66+       * Apache will be able to read both names if it was first looked
     67+       * up (by anyone!) via .htaccess, and neither if it was first
     68+       * looked up via foo.
     69+       *
     70+       * With regards to performance, the strncmp() is bounded by
     71+       * three characters, so it takes O(3) operations.  If this code
     72+       * is extended to all static-cat extensions, we'll want to do
     73+       * some clever hashing using gperf here.
     74+       */
    8475+       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
    8576+
     77        dput(parent);
    8678     } else {
    8779 #ifdef notyet
    88         pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
    89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
    90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
    91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
    92 @@ -1572,6 +1572,12 @@
     80diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
     81index eabcfeb..6390850 100644
     82--- a/src/afs/VNOPS/afs_vnop_access.c
     83+++ b/src/afs/VNOPS/afs_vnop_access.c
     84@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
     85            dirBits = PRSFS_LOOKUP | PRSFS_READ;
     86            return (arights == (dirBits & arights));
     87        }
     88+       if ( areq->uid == globalpag &&
     89+           !(areq->realuid == avc->f.fid.Fid.Volume) &&
     90+           !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     91+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
     92+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
     93+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     94+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     95+           return 0;
     96+       }
     97        return (arights == afs_GetAccessBits(avc, arights, areq));
     98     } else {
     99        /* some rights come from dir and some from file.  Specifically, you
     100@@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
     101                    fileBits |= PRSFS_READ;
     102            }
     103        }
     104+
     105+       if ( areq->uid == globalpag &&
     106+           !(areq->realuid == avc->f.fid.Fid.Volume) &&
     107+           !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
     108+           !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
     109+           !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
     110+           !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
     111+               (avc->f.m.Mode == 0100777 || avc->apache_access)) &&
     112+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
     113+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     114+           return 0;
     115+       }
     116+
     117        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
     118     }
     119 }
     120diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
     121index b3931e5..71ef05c 100644
     122--- a/src/afs/VNOPS/afs_vnop_attrs.c
     123+++ b/src/afs/VNOPS/afs_vnop_attrs.c
     124@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs)
     125        }
     126     }
     127 #endif /* AFS_DARWIN_ENV */
     128-    attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
     129-    attrs->va_gid = fakedir ? 0 : avc->f.m.Group;      /* yeah! */
     130+    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
     131+    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
     132 #if defined(AFS_SUN56_ENV)
     133     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
     134 #elif defined(AFS_DARWIN80_ENV)
     135diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
     136index 8e7af1c..7e984e9 100644
     137--- a/src/afs/VNOPS/afs_vnop_lookup.c
     138+++ b/src/afs/VNOPS/afs_vnop_lookup.c
     139@@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
    93140     }
    94141 
    95142   done:
    96143+    if (tvc) {
    97 +       /* [scripts] check Apache's ability to read this file, so that
    98 +        * we can figure this out on an access() call */
    99 +       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
     144+    /* [scripts] check Apache's ability to read this file, so that
     145+    * we can figure this out on an access() call */
     146+    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
    100147+    }
    101148+
     
    103150     if (tname != aname && tname)
    104151        osi_FreeLargeSpace(tname);
    105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
    106 --- openafs-1.4/src/afs/afs.h
    107 +++ openafs-1.4+scripts/src/afs/afs.h
    108 @@ -208,8 +208,16 @@
    109  #define QTOC(e)            QEntry(e, struct cell, lruq)
    110  #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
     152diff --git a/src/afs/afs.h b/src/afs/afs.h
     153index fcc4c70..0d53af6 100644
     154--- a/src/afs/afs.h
     155+++ b/src/afs/afs.h
     156@@ -233,8 +233,16 @@ struct afs_slotlist {
     157     struct afs_slotlist *next;
     158 };
    111159 
    112160+#define AFSAGENT_UID (101)
     
    123171     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
    124172     char initd;                        /* if non-zero, Error fields meaningful */
    125 @@ -743,6 +751,7 @@
     173@@ -887,6 +895,7 @@ struct vcache {
    126174 #ifdef AFS_SUN5_ENV
    127      short multiPage;           /* count of multi-page getpages in progress */
     175     struct afs_q multiPage;    /* list of multiPage_range structs */
    128176 #endif
    129177+    int apache_access;         /* whether or not Apache has access to a file */
     
    131179 
    132180 #define        DONT_CHECK_MODE_BITS    0
    133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
    134 --- openafs-1.4/src/afs/afs_osi_pag.c
    135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
    136 @@ -49,6 +49,8 @@
     181diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
     182index 1834e6d..673a8e6 100644
     183--- a/src/afs/afs_analyze.c
     184+++ b/src/afs/afs_analyze.c
     185@@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
     186                         (afid ? afid->Fid.Volume : 0));
     187        }
     188 
     189-       if (areq->busyCount > 100) {
     190+       if (1) {
     191            if (aerrP)
     192                (aerrP->err_Volume)++;
     193            areq->volumeError = VOLBUSY;
     194diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
     195index c888605..ff5cf2d 100644
     196--- a/src/afs/afs_osi_pag.c
     197+++ b/src/afs/afs_osi_pag.c
     198@@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0;
    137199 #endif
    138200 /* Local variables */
     
    143205  * Pags are implemented as follows: the set of groups whose long
    144206  * representation is '41XXXXXX' hex are used to represent the pags.
    145 @@ -449,6 +451,15 @@
    146         av->uid = acred->cr_ruid;       /* default when no pag is set */
     207@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
     208        av->uid = afs_cr_uid(acred);    /* default when no pag is set */
    147209 #endif
    148210     }
    149211+
    150 +    av->realuid = acred->cr_ruid;
    151 +    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
     212+    av->realuid = afs_cr_uid(acred);
     213+    if(!globalpag && av->realuid == AFSAGENT_UID) {
    152214+      globalpag = av->uid;
    153215+    }
    154 +    else if (globalpag && av->uid == acred->cr_ruid) {
     216+    else if (globalpag && av->uid == av->realuid) {
    155217+      av->uid = globalpag;
    156218+    }
     
    159221 }
    160222 
    161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
    162 --- openafs-1.4/src/afs/afs_pioctl.c
    163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c
    164 @@ -1221,6 +1221,10 @@
    165      struct AFSFetchStatus OutStatus;
     223diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
     224index f282510..00f1360 100644
     225--- a/src/afs/afs_pioctl.c
     226+++ b/src/afs/afs_pioctl.c
     227@@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)
     228     struct rx_connection *rxconn;
    166229     XSTATS_DECLS;
    167230 
    168231+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
    169 +      return EACCES;
     232+       return EACCES;
    170233+    }
    171234+
     
    173236     if (!avc)
    174237        return EINVAL;
    175 @@ -1441,6 +1445,10 @@
     238@@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)
    176239     struct vrequest treq;
    177240     afs_int32 flag, set_parent_pag = 0;
     
    184247     if (!afs_resourceinit_flag) {
    185248        return EIO;
    186 @@ -1800,6 +1808,10 @@
    187      afs_int32 iterator;
     249@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)
    188250     int newStyle;
     251     int code = E2BIG;
    189252 
    190253+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
    191 +       areq->realuid != 0 && areq->realuid != SIGNUP_UID)
     254+       areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
    192255+       return EDOM;
     256+    }
    193257+
    194258     AFS_STATCNT(PGetTokens);
    195259     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
    196260        return EIO;             /* Inappropriate ioctl for device */
    197 @@ -1883,6 +1895,10 @@
    198      register afs_int32 i;
    199      register struct unixuser *tu;
     261@@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog)
     262     afs_int32 i;
     263     struct unixuser *tu;
    200264 
    201265+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
     
    206270     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
    207271        return EIO;             /* Inappropriate ioctl for device */
    208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
    210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    211 @@ -118,6 +118,17 @@
    212  
    213      if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
    214         /* rights are just those from acl */
    215 +
    216 +      if ( areq->uid == globalpag &&
    217 +           !(areq->realuid == avc->fid.Fid.Volume) &&
    218 +           !((avc->anyAccess | arights) == avc->anyAccess) &&
    219 +           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
    220 +           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
    221 +           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
    222 +           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
    223 +         return 0;
    224 +      }
    225 +
    226         return (arights == afs_GetAccessBits(avc, arights, areq));
    227      } else {
    228         /* some rights come from dir and some from file.  Specifically, you
    229 @@ -171,6 +182,19 @@
    230                     fileBits |= PRSFS_READ;
    231             }
    232         }
    233 +       
    234 +        if ( areq->uid == globalpag &&
    235 +             !(areq->realuid == avc->fid.Fid.Volume) &&
    236 +             !((avc->anyAccess | arights) == avc->anyAccess) &&
    237 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
    238 +             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
    239 +             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
    240 +                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
    241 +             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
    242 +             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
    243 +           return 0;
    244 +        }
    245 +
    246         return ((fileBits & arights) == arights);       /* true if all rights bits are on */
    247      }
    248  }
    249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
    251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    252 @@ -87,8 +87,8 @@
    253         }
    254      }
    255  #endif /* AFS_DARWIN_ENV */
    256 -    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
    257 -    attrs->va_gid = fakedir ? 0 : avc->m.Group;        /* yeah! */
    258 +    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
    259 +    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
    260  #if defined(AFS_SUN56_ENV)
    261      attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
    262  #elif defined(AFS_OSF_ENV)
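Review bot: In the afs_InitReq hunk for src/afs/afs_osi_pag.c, the rebased lines fill `av->realuid` from `afs_cr_uid(acred)`, where the previous revision of this patch read `acred->cr_ruid`, so the field may no longer hold the real uid its name promises. If `afs_cr_uid()` returns the effective or filesystem uid on Linux, as I believe it does, a set-uid program is judged by the uid it runs as rather than by the caller's uid, and every `areq->realuid` comparison visible here (afs_AccessOK, PSetAcl, PGetTokens, PUnlog) changes meaning with it. I would either keep the real uid with `av->realuid = afs_cr_ruid(acred);`, assuming that accessor is available in this tree, or keep the new source and document it with a comment such as `/* [scripts] realuid is taken from afs_cr_uid(), not the real uid */`. afs_InitReq starts and ends outside the hunk, so the effect on the `globalpag` assignment just below should be checked against the full function.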