source: server/common/patches/openafs-scripts.patch @ 258

Last change on this file since 258 was 258, checked in by presbrey, 17 years ago
Added special permission bits for root and signup
[1]1# scripts.mit.edu openafs patch
2# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
[258]3#                     Joe Presbrey <presbrey@mit.edu>
[1]4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License
7# as published by the Free Software Foundation; either version 2
8# of the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, write to the Free Software
17# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
18#
19# See /COPYRIGHT in this repository for more information.
20#
21diff -ur openafs-1.4.1-rc10/src/afs/afs_analyze.c openafs-1.4.1-rc10-scripts/src/afs/afs_analyze.c
22--- openafs-1.4.1-rc10/src/afs/afs_analyze.c    2003-08-27 17:43:16.000000000 -0400
23+++ openafs-1.4.1-rc10-scripts/src/afs/afs_analyze.c    2006-04-18 16:38:55.000000000 -0400
24@@ -505,7 +505,7 @@
25                         (afid ? afid->Fid.Volume : 0));
26        }
27 
28-       if (areq->busyCount > 100) {
29+       if (1) {
30            if (aerrP)
31                (aerrP->err_Volume)++;
32            areq->volumeError = VOLBUSY;
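Review bot: The replacement condition `if (1)` leaves no trace of why the retry budget was removed. As visible here, the body that bumps `aerrP->err_Volume` and sets `areq->volumeError = VOLBUSY` is now entered whenever this point is reached, instead of only after `busyCount > 100`. I would put the reason on the line, e.g. `if (1) { /* scripts: report VOLBUSY immediately instead of retrying (was busyCount > 100) */`. The enclosing function starts and ends outside the hunk, so whether `busyCount` still serves any purpose cannot be checked from here.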
33diff -ur openafs-1.4.1-rc10/src/afs/afs.h openafs-1.4.1-rc10-scripts/src/afs/afs.h
34--- openafs-1.4.1-rc10/src/afs/afs.h    2006-02-17 16:58:33.000000000 -0500
35+++ openafs-1.4.1-rc10-scripts/src/afs/afs.h    2006-04-18 16:38:55.000000000 -0400
[258]36@@ -175,8 +175,14 @@
[1]37    struct afs_q *prev;
38 };
39
40+#define AFSAGENT_UID (101)
[258]41+#define SIGNUP_UID (102)
[1]42+#define HTTPD_UID (48)
[83]43+#define POSTFIX_UID (89)
[1]44+#define DAEMON_SCRIPTS_PTSID (33554596)
45 struct vrequest {
46     afs_int32 uid;             /* user id making the request */
47+    afs_int32 realuid;
48     afs_int32 busyCount;       /* how many busies we've seen so far */
49     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
50     char initd;                        /* if non-zero, non-uid fields meaningful */
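Review bot: The five new constants are bare numbers with no comment, yet the checks added elsewhere in this patch grant or refuse access by comparing `realuid` against them, so the module is only correct on a host whose account database assigns exactly these ids. Each should say which account it mirrors and that it must stay in step with the passwd entry, for example `#define AFSAGENT_UID (101) /* only uid allowed to set tokens and ACLs; must match the local account */`. The new `realuid` member is also the only field in the visible part of `struct vrequest` without a comment; `afs_int32 realuid; /* cr_ruid of the caller, kept after uid is rewritten */` would match its neighbours.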
51diff -ur openafs-1.4.1-rc10/src/afs/afs_osi_pag.c openafs-1.4.1-rc10-scripts/src/afs/afs_osi_pag.c
52--- openafs-1.4.1-rc10/src/afs/afs_osi_pag.c    2005-10-05 01:58:27.000000000 -0400
53+++ openafs-1.4.1-rc10-scripts/src/afs/afs_osi_pag.c    2006-04-18 16:38:55.000000000 -0400
54@@ -46,6 +46,8 @@
55 
56 /* Local variables */
57 
[55]58+afs_int32 globalpag = 0;
[1]59+
60 /*
61  * Pags are implemented as follows: the set of groups whose long
62  * representation is '41XXXXXX' hex are used to represent the pags.
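Review bot: `globalpag` is added under the "Local variables" heading but is declared with external linkage and no comment. The only uses visible in this patch are in this file, so `static afs_int32 globalpag = 0; /* uid or PAG latched from the first AFSAGENT_UID request; 0 = not yet set */` would keep it out of the module's global namespace and record what the zero value means. If another file does reference it, an `extern` declaration in a header would be the place to say so.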
63@@ -426,6 +430,15 @@
64        av->uid = acred->cr_ruid;       /* default when no pag is set */
65 #endif
66     }
67+
68+    av->realuid = acred->cr_ruid;
[55]69+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
[1]70+      globalpag = av->uid;
71+    }
72+    else {
73+      av->uid = globalpag;
74+    }
75+
76     av->initd = 0;
77     return 0;
78 }
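Review bot: Until a request from `AFSAGENT_UID` has been seen, `globalpag` is still 0, so the `else` branch rewrites every other caller's `av->uid` to 0 rather than refusing the request. The test-and-set on `globalpag` is also done without any lock visible in the hunk, and once latched the value is never refreshed, so it would go stale if the agent later runs under a different PAG (inferred; the code that computes `av->uid` is above the hunk). If callers honour the return value, failing closed is the safer default: add `else if (!globalpag) { return EACCES; }` ahead of the final `else`, with a comment explaining the one-time latch. The function starts outside the hunk.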
79diff -ur openafs-1.4.1-rc10/src/afs/afs_pioctl.c openafs-1.4.1-rc10-scripts/src/afs/afs_pioctl.c
80--- openafs-1.4.1-rc10/src/afs/afs_pioctl.c     2006-03-02 01:44:05.000000000 -0500
81+++ openafs-1.4.1-rc10-scripts/src/afs/afs_pioctl.c     2006-04-18 16:38:55.000000000 -0400
82@@ -1202,6 +1202,10 @@
83     struct AFSFetchStatus OutStatus;
84     XSTATS_DECLS;
85 
86+    if(areq->realuid != AFSAGENT_UID) {
87+      return EACCES;
88+    }
89+
90     AFS_STATCNT(PSetAcl);
91     if (!avc)
92        return EINVAL;
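Review bot: The new guard has no comment saying why ACL changes are limited to `AFSAGENT_UID`, and it depends on `areq->realuid` having been filled in. The only assignment to `realuid` in this patch is in afs_osi_pag.c, so a `vrequest` that reaches this handler by any other route would be compared on an unset field (not checkable from the hunk). A comment such as `/* scripts: only the afsagent account may change ACLs; realuid is set where the vrequest is initialised */` would record both the policy and the assumption. The guard also sits ahead of `AFS_STATCNT(PSetAcl)`, so refused calls are not counted; placing it below the counter would keep the statistic meaningful.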
93@@ -1422,6 +1428,10 @@
94     struct vrequest treq;
95     afs_int32 flag, set_parent_pag = 0;
96 
97+    if(areq->realuid != AFSAGENT_UID) {
98+      return 0;
99+    }
100+
101     AFS_STATCNT(PSetTokens);
102     if (!afs_resourceinit_flag) {
103        return EIO;
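Review bot: A caller other than `AFSAGENT_UID` gets `return 0` here, so the pioctl reports success although no token was stored; the PSetAcl guard earlier in this file returns `EACCES` for the same condition, and the PUnlog hunk below repeats the silent `return 0`. If the silence is deliberate it needs a comment saying so; otherwise both should read `return EACCES;`. A refusal that is indistinguishable from success leaves nothing for an administrator to see in exit codes or logs. Both handlers continue outside their hunks.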
104@@ -1864,6 +1876,10 @@
105     register afs_int32 i;
106     register struct unixuser *tu;
107 
108+    if(areq->realuid != AFSAGENT_UID) {
109+      return 0;
110+    }
111+
112     AFS_STATCNT(PUnlog);
113     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
114        return EIO;             /* Inappropriate ioctl for device */
115diff -ur openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_access.c openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_access.c
116--- openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_access.c  2004-08-25 03:09:35.000000000 -0400
117+++ openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_access.c  2006-04-18 16:38:55.000000000 -0400
[258]118@@ -118,6 +118,16 @@
[1]119 
120     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
121        /* rights are just those from acl */
122+
123+      if ( !(areq->realuid == avc->fid.Fid.Volume) &&
124+           !((avc->anyAccess | arights) == avc->anyAccess) &&
125+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
[258]126+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
127+           !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
128+           !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
[1]129+         return 0;
130+      }
131+
132        return (arights == afs_GetAccessBits(avc, arights, areq));
133     } else {
134        /* some rights come from dir and some from file.  Specifically, you
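Review bot: The added test encodes the whole per-user policy as six negated clauses with no comment, and its first two clauses are repeated verbatim in the hunk at -171/+181. The first clause, `areq->realuid == avc->fid.Fid.Volume`, relies on an unstated convention that a local uid equals the AFS volume id, and compares an `afs_int32` with a field whose type is not visible here. A block comment listing the exceptions in order (caller's uid equals the volume id, rights already in `anyAccess`, lookup/read by httpd and postfix, USR3 for uid 0, USR4 for uid 0 and signup) would make the rule reviewable, and a shared `static` helper for the common clauses would keep the directory and file branches from drifting apart. Note also that `afs_GetAccessBits` can be called up to three times for one decision.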
[258]135@@ -171,6 +181,17 @@
[1]136                    fileBits |= PRSFS_READ;
137            }
138        }
139+       
140+        if ( !(areq->realuid == avc->fid.Fid.Volume) &&
141+             !((avc->anyAccess | arights) == avc->anyAccess) &&
142+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
[83]143+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
[258]144+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
145+             !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
146+             !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
[1]147+           return 0;
148+        }
149+
150        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
151     }
152 }
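Review bot: `avc->m.Mode == 33279` hides its meaning: 33279 is octal 0100777, i.e. the regular-file type bit plus mode 0777, and it is tested for exact equality. Writing it as `avc->m.Mode == 0100777 /* regular file, rwxrwxrwx */`, or as a named macro next to the uid constants in afs.h, would make the httpd read exception readable. The file branch also tests `arights == PRSFS_LOOKUP` and `arights == PRSFS_READ` exactly, where the directory branch masks with `~(PRSFS_LOOKUP|PRSFS_READ)`; if a combined lookup-and-read request on a file is meant to be refused, a comment should say so.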
[258]153@@ -192,6 +213,7 @@
[1]154     OSI_VC_CONVERT(avc);
155 
156     AFS_STATCNT(afs_access);
[11]157+    amode = amode & ~VEXEC;
[1]158     afs_Trace3(afs_iclSetp, CM_TRACE_ACCESS, ICL_TYPE_POINTER, avc,
159               ICL_TYPE_INT32, amode, ICL_TYPE_OFFSET,
160               ICL_HANDLE_OFFSET(avc->m.Length));
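Review bot: `amode = amode & ~VEXEC;` discards the execute bit for every caller of this function without a comment, and because it precedes `afs_Trace3` the trace records the masked mode rather than the one requested. I would move the assignment below the trace call and annotate it, e.g. `amode &= ~VEXEC; /* scripts: execute permission is not checked against AFS; see va_mode in afs_vnop_attrs.c */`. The function body starts and ends outside the hunk, so how `amode` is used afterwards is not visible here.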
161diff -ur openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_attrs.c
162--- openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_attrs.c   2005-10-23 02:31:23.000000000 -0400
163+++ openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_attrs.c   2006-04-18 16:41:32.000000000 -0400
164@@ -87,8 +87,8 @@
165        }
166     }
167 #endif /* AFS_DARWIN_ENV */
168-    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
169-    attrs->va_gid = fakedir ? 0 : avc->m.Group;        /* yeah! */
170+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
171+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
172 #if defined(AFS_SUN56_ENV)
173     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
174 #elif defined(AFS_OSF_ENV)
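Review bot: The new `va_gid` line drops the `fakedir ? 0 :` guard that the removed line had and that the new `va_uid` line keeps, so for a fake directory the gid is now derived from `avc->m.Owner`. Unless that is intended, restore it: `attrs->va_gid = fakedir ? 0 : (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);`. The remapping itself (volume id reported as uid, owner or group reported as gid) also deserves a comment, since anything that trusts `st_uid`/`st_gid` will now see these substituted values.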
175@@ -172,6 +179,7 @@
176 #else /* everything else */
177     attrs->va_blocks = (attrs->va_size ? ((attrs->va_size + 1023)>>10)<<1:0);
178 #endif
179+    attrs->va_mode |= 0100;
180     return 0;
181 }
182 
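Review bot: `attrs->va_mode |= 0100;` sets the owner-execute bit on every object just before the return, after all the platform `#if` branches, and carries no comment. Together with the `VEXEC` mask added in afs_vnop_access.c, the reported mode no longer reflects what the file server stored, which matters to anything that audits permissions from `stat` output. A comment such as `/* scripts: always report owner-execute; access is decided by the checks in afs_vnop_access.c */` would make the intent explicit. The function starts outside the hunk.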