# scripts.mit.edu openafs patch # Copyright (C) 2006 Jeff Arnold # with modifications by Joe Presbrey # and Anders Kaseorg # # This file is available under both the MIT license and the GPL. # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # THE SOFTWARE. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA # # See /COPYRIGHT in this repository for more information. # diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c --- openafs-1.4/src/afs/afs_analyze.c 2007-11-05 23:08:45.000000000 -0500 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 2007-12-18 19:22:59.000000000 -0500 @@ -505,7 +505,7 @@ (afid ? afid->Fid.Volume : 0)); } - if (areq->busyCount > 100) { + if (1) { if (aerrP) (aerrP->err_Volume)++; areq->volumeError = VOLBUSY; diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h --- openafs-1.4/src/afs/afs.h 2007-12-05 03:57:36.000000000 -0500 +++ openafs-1.4+scripts/src/afs/afs.h 2007-12-18 20:12:31.000000000 -0500 @@ -177,8 +177,16 @@ struct afs_q *prev; }; +#define AFSAGENT_UID (101) +#define SIGNUP_UID (102) +#define HTTPD_UID (48) +#define POSTFIX_UID (89) +#define DAEMON_SCRIPTS_PTSID (33554596) +extern afs_int32 globalpag; + struct vrequest { afs_int32 uid; /* user id making the request */ + afs_int32 realuid; afs_int32 busyCount; /* how many busies we've seen so far */ afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ char initd; /* if non-zero, non-uid fields meaningful */ diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c --- openafs-1.4/src/afs/afs_osi_pag.c 2007-11-05 23:08:45.000000000 -0500 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 2007-12-18 20:26:57.000000000 -0500 @@ -51,6 +51,8 @@ #endif /* Local variables */ +afs_int32 globalpag = 0; + /* * Pags are implemented as follows: the set of groups whose long * representation is '41XXXXXX' hex are used to represent the pags. @@ -442,6 +444,15 @@ av->uid = acred->cr_ruid; /* default when no pag is set */ #endif } + + av->realuid = acred->cr_ruid; + if(!globalpag && acred->cr_ruid == AFSAGENT_UID) { + globalpag = av->uid; + } + else if (globalpag && av->uid == acred->cr_ruid) { + av->uid = globalpag; + } + av->initd = 0; return 0; } diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c --- openafs-1.4/src/afs/afs_pioctl.c 2007-12-05 03:57:37.000000000 -0500 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 2007-12-18 21:05:10.000000000 -0500 @@ -1208,6 +1208,10 @@ struct AFSFetchStatus OutStatus; XSTATS_DECLS; + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { + return EACCES; + } + AFS_STATCNT(PSetAcl); if (!avc) return EINVAL; @@ -1428,6 +1432,10 @@ struct vrequest treq; afs_int32 flag, set_parent_pag = 0; + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { + return 0; + } + AFS_STATCNT(PSetTokens); if (!afs_resourceinit_flag) { return EIO; @@ -1870,6 +1878,10 @@ register afs_int32 i; register struct unixuser *tu; + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { + return 0; + } + AFS_STATCNT(PUnlog); if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ return EIO; /* Inappropriate ioctl for device */ diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2007-11-05 23:08:46.000000000 -0500 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2007-12-18 21:06:20.000000000 -0500 @@ -118,6 +118,17 @@ if ((vType(avc) == VDIR) || (avc->states & CForeign)) { /* rights are just those from acl */ + + if ( areq->uid == globalpag && + !(areq->realuid == avc->fid.Fid.Volume) && + !((avc->anyAccess | arights) == avc->anyAccess) && + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) && + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) && + !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) && + !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) { + return 0; + } + return (arights == afs_GetAccessBits(avc, arights, areq)); } else { /* some rights come from dir and some from file. Specifically, you @@ -171,6 +182,18 @@ fileBits |= PRSFS_READ; } } + + if ( areq->uid == globalpag && + !(areq->realuid == avc->fid.Fid.Volume) && + !((avc->anyAccess | arights) == avc->anyAccess) && + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) && + !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) && + !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) { + return 0; + } + return ((fileBits & arights) == arights); /* true if all rights bits are on */ } } @@ -192,6 +215,7 @@ OSI_VC_CONVERT(avc); AFS_STATCNT(afs_access); + amode = amode & ~VEXEC; afs_Trace3(afs_iclSetp, CM_TRACE_ACCESS, ICL_TYPE_POINTER, avc, ICL_TYPE_INT32, amode, ICL_TYPE_OFFSET, ICL_HANDLE_OFFSET(avc->m.Length)); diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 2007-11-05 23:08:46.000000000 -0500 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 2007-12-18 19:22:59.000000000 -0500 @@ -87,8 +87,8 @@ } } #endif /* AFS_DARWIN_ENV */ - attrs->va_uid = fakedir ? 0 : avc->m.Owner; - attrs->va_gid = fakedir ? 0 : avc->m.Group; /* yeah! */ + attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume; + attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner); #if defined(AFS_SUN56_ENV) attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0]; #elif defined(AFS_OSF_ENV) @@ -172,6 +172,7 @@ #else /* everything else */ attrs->va_blocks = (attrs->va_size ? ((attrs->va_size + 1023)>>10)<<1:0); #endif + attrs->va_mode |= 0100; return 0; }