# scripts.mit.edu openafs patch
# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
# with modifications by Joe Presbrey <presbrey@mit.edu>
# and Anders Kaseorg <andersk@mit.edu>
#
# This file is available under both the MIT license and the GPL.
#

# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
#
# See /COPYRIGHT in this repository for more information.
#
diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
--- openafs-1.4/src/afs/afs_analyze.c	2007-11-05 23:08:45.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_analyze.c	2007-12-18 19:22:59.000000000 -0500
@@ -505,7 +505,7 @@
 			 (afid ? afid->Fid.Volume : 0));
 	}
 
-	if (areq->busyCount > 100) {
+	if (1) {
 	    if (aerrP)
 		(aerrP->err_Volume)++;
 	    areq->volumeError = VOLBUSY;
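Review bot: `if (1)` drops the `busyCount > 100` threshold without recording why, so a reader cannot tell a deliberate policy from a debugging leftover. The body now runs on every pass through this path, which presumably means the first busy reply is reported as VOLBUSY instead of being retried; the enclosing block starts outside the hunk, so confirm that no later code still relies on `busyCount`. If the behaviour is intended, keep the reason next to it, e.g. `/* scripts: fail on the first busy volume rather than waiting through 100 retries */`.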
diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
--- openafs-1.4/src/afs/afs.h	2007-12-05 03:57:36.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs.h	2007-12-18 20:12:31.000000000 -0500
@@ -177,8 +177,16 @@
     struct afs_q *prev;
 };
 
+#define AFSAGENT_UID (101)
+#define SIGNUP_UID (102)
+#define HTTPD_UID (48)
+#define POSTFIX_UID (89)
+#define DAEMON_SCRIPTS_PTSID (33554596)
+extern afs_int32 globalpag;
+
 struct vrequest {
     afs_int32 uid;		/* user id making the request */
+    afs_int32 realuid;
     afs_int32 busyCount;	/* how many busies we've seen so far */
     afs_int32 flags;		/* things like O_SYNC, O_NONBLOCK go here */
     char initd;			/* if non-zero, non-uid fields meaningful */
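Review bot: The new `realuid` member is the only field of `struct vrequest` shown here without a comment. Going by the assignment added in afs_osi_pag.c, it could read `afs_int32 realuid;	/* cr_ruid of the caller, kept even when uid is replaced by globalpag */`. The five numeric ids above it are compiled into the module and later drive access decisions, so they must match the account database and PTS entries of every host that loads this build. A comment naming the account each one stands for, and where the number is defined, would make a mismatch visible in review rather than at run time.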
diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
--- openafs-1.4/src/afs/afs_osi_pag.c	2007-11-05 23:08:45.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c	2007-12-18 20:26:57.000000000 -0500
@@ -51,6 +51,8 @@
 #endif
 /* Local variables */
 
+afs_int32 globalpag = 0;
+
 /*
  * Pags are implemented as follows: the set of groups whose long
  * representation is '41XXXXXX' hex are used to represent the pags.
@@ -442,6 +444,15 @@
 	av->uid = acred->cr_ruid;	/* default when no pag is set */
 #endif
     }
+
+    av->realuid = acred->cr_ruid;
+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
+      globalpag = av->uid;
+    }
+    else if (globalpag && av->uid == acred->cr_ruid) {
+      av->uid = globalpag;
+    }
+
     av->initd = 0;
     return 0;
 }
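Review bot: `globalpag` is latched from the first request whose real uid is AFSAGENT_UID and is never refreshed or cleared afterwards. If that account's first request arrives before it has its PAG, or it later runs under a different one, the stale value keeps being substituted into `av->uid` for every PAG-less caller. The global is also read and written here with no lock visible in the hunk; confirm that the caller serialises this path or document why a race is harmless. `realuid` is set only here, so any `struct vrequest` that is filled in without passing through this function (the function starts outside the hunk) would carry an uninitialised `realuid` into the new checks. A comment above the block stating the contract, e.g. `/* first request from AFSAGENT_UID defines the shared PAG; users without a PAG of their own are mapped onto it */`, would help.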
diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
--- openafs-1.4/src/afs/afs_pioctl.c	2007-12-05 03:57:37.000000000 -0500
+++ openafs-1.4+scripts/src/afs/afs_pioctl.c	2007-12-18 21:05:10.000000000 -0500
@@ -1208,6 +1208,10 @@
     struct AFSFetchStatus OutStatus;
     XSTATS_DECLS;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+      return EACCES;
+    }
+
     AFS_STATCNT(PSetAcl);
     if (!avc)
 	return EINVAL;
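Review bot: The guard `areq->uid == globalpag` is also true while `globalpag` still holds its initial 0, that is, before the AFSAGENT_UID account has made its first request, for any request whose uid is 0. Judging by the `av->uid = acred->cr_ruid` default in afs_osi_pag.c, that is root without a PAG, who would get EACCES here although no shared PAG exists yet. Testing the sentinel first avoids this: `if (globalpag && areq->uid == globalpag && areq->realuid != AFSAGENT_UID)`. The same condition is repeated in the two later hunks of this file and as the first clause of both new checks in afs_vnop_access.c, so a single helper macro would keep the five copies in step. The function these lines belong to starts outside the hunk.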
@@ -1428,6 +1432,10 @@
     struct vrequest treq;
     afs_int32 flag, set_parent_pag = 0;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+	return 0;
+    }
+
     AFS_STATCNT(PSetTokens);
     if (!afs_resourceinit_flag) {
 	return EIO;
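Review bot: Returning 0 here reports success for a token update that was skipped, while the identical guard in the preceding hunk returns EACCES; the next hunk does the same for the unlog path. A caller then cannot tell that nothing happened, and nothing is logged or counted because the return precedes `AFS_STATCNT`. If the silent no-op is intended so that login tools run by shared-PAG users do not fail, state it in a comment such as `/* shared-PAG users may not replace the daemon's tokens; report success so callers continue */`. Otherwise return EACCES as in the ACL path.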
@@ -1870,6 +1878,10 @@
     register afs_int32 i;
     register struct unixuser *tu;
 
+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
+	return 0;
+    }
+
     AFS_STATCNT(PUnlog);
     if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
 	return EIO;		/* Inappropriate ioctl for device */
diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c	2007-11-05 23:08:46.000000000 -0500
+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c	2007-12-18 21:06:20.000000000 -0500
@@ -118,6 +118,17 @@
 
     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
 	/* rights are just those from acl */
+
+      if ( areq->uid == globalpag &&
+           !(areq->realuid == avc->fid.Fid.Volume) &&
+           !((avc->anyAccess | arights) == avc->anyAccess) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
+           !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
+           !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
+         return 0;
+      }
+
 	return (arights == afs_GetAccessBits(avc, arights, areq));
     } else {
 	/* some rights come from dir and some from file.  Specifically, you 
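Review bot: This access-policy expression is seven negated clauses with no comment, and its first exemption, `areq->realuid == avc->fid.Fid.Volume`, compares a uid with a volume id. That comparison is only meaningful under a site convention (volume id equal to the owner's uid) which the code never states. Add a block comment above the `if` that lists, one line per clause, who is exempted and for which rights: volume owner, rights already granted to anyone, lookup/read for HTTPD_UID and POSTFIX_UID, USR3 for root, and USR4 for root or SIGNUP_UID. It should also say that everyone else on the shared PAG is denied. The same comment is needed on the file-branch check in the next hunk, whose clauses differ slightly. The mixed space/tab indentation of the new lines against the tab-indented context also makes the nesting harder to read.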
@@ -171,6 +182,18 @@
 		    fileBits |= PRSFS_READ;
 	    }
 	}
+	
+        if ( areq->uid == globalpag &&
+             !(areq->realuid == avc->fid.Fid.Volume) &&
+             !((avc->anyAccess | arights) == avc->anyAccess) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
+             !(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) && areq->realuid == 0) &&
+             !(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) && (areq->realuid == 0 || areq->realuid == SIGNUP_UID)) ) {
+           return 0;
+        }
+
 	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
     }
 }
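Review bot: `avc->m.Mode == 33279` hides a file mode in a decimal literal; 33279 is 0100777 octal, i.e. a regular file with mode 0777. Writing it as `avc->m.Mode == 0100777 /* regular file, rwxrwxrwx */` makes the rule readable. Exact equality also means a file with any other bit set or cleared (0755, or 0777 plus setuid) does not match, so confirm that only this one mode is meant to grant HTTPD_UID read access. The function body starts outside the hunk.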
@@ -192,6 +215,7 @@
     OSI_VC_CONVERT(avc);
 
     AFS_STATCNT(afs_access);
+    amode = amode & ~VEXEC;
     afs_Trace3(afs_iclSetp, CM_TRACE_ACCESS, ICL_TYPE_POINTER, avc,
 	       ICL_TYPE_INT32, amode, ICL_TYPE_OFFSET,
 	       ICL_HANDLE_OFFSET(avc->m.Length));
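Review bot: `amode = amode & ~VEXEC;` clears the execute request for every caller of afs_access, not only for requests on the shared PAG, and nothing explains it. From the visible lines, any execute permission check routed through this function is now skipped, and the trace call below logs the already-masked mode. Together with the unconditional `attrs->va_mode |= 0100;` added in afs_vnop_attrs.c, this changes what "executable" means for the whole mount. Say why on the line itself, e.g. `/* scripts: execute permission is not enforced on AFS files; see va_mode in afs_vnop_attrs.c */`, and consider tracing the original `amode` before masking. The function continues outside the hunk.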
diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c	2007-11-05 23:08:46.000000000 -0500
+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c	2007-12-18 19:22:59.000000000 -0500
@@ -87,8 +87,8 @@
 	}
     }
 #endif /* AFS_DARWIN_ENV */
-    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
-    attrs->va_gid = fakedir ? 0 : avc->m.Group;	/* yeah! */
+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
 #if defined(AFS_SUN56_ENV)
     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
 #elif defined(AFS_OSF_ENV)
@@ -172,6 +172,7 @@
 #else /* everything else */
     attrs->va_blocks = (attrs->va_size ? ((attrs->va_size + 1023)>>10)<<1:0);
 #endif
+    attrs->va_mode |= 0100;
     return 0;
 }
 
