Changeset 2066 for trunk/server/common
- Timestamp:
- Nov 22, 2011, 12:45:17 AM (13 years ago)
- Location:
- trunk
- Files:
-
- 6 deleted
- 8 edited
- 12 copied
trunk
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/execsys/execsys-binfmt
- Property svn:mergeinfo changed
/branches/fc15-dev/server/common/oursrc/execsys/execsys-binfmt (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/php_scripts/php_scripts-config.m4
- Property svn:mergeinfo changed
/branches/fc15-dev/server/common/oursrc/php_scripts/php_scripts-config.m4 (added) merged: 1878,1938,1947,1973,1989,2026,2039,2055,2064
- Property svn:mergeinfo changed
-
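--- a/trunk/server/common/oursrc/tokensys/configure.in
+++ b/trunk/server/common/oursrc/tokensys/configure.in
@@ -24,4 +24,13 @@
 REQUIRE_PATH(aklog)
 
+AC_ARG_WITH(fs,
+[ --with-fs[=PATH] fs is located at PATH],[
+if test "$withval" != "no" -a "$withval" != "yes"; then
+fs_path="$withval"
+fi
+])
+REQUIRE_PATH(fs)
+
 AC_OUTPUT(Makefile)
 AC_OUTPUT(renew)
+AC_OUTPUT(scripts-afsagent-startup)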
trunk/server/common/oursrc/tokensys/renew.in
r1594 r2066 2 2 3 3 # This script renews afsagent's tickets and tokens. 4 # It is called by afsagent's crontab every 8 hours.4 # It is called by systemd on a regular schedule. 5 5 6 6 export KRB5CCNAME=/home/afsagent/krb5cc -
trunk/server/common/oursrc/whoisd/Makefile.in
r763 r2066 1 1 install: 2 2 install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac 3 install -Dpm 644 crontab ${DESTDIR}/etc/cron.d/whoisd3 install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service 4 4 5 5 clean: 6 6 rm -f ${DESTDIR}@libexecdir@/whoisd.tac 7 rm -f ${DESTDIR}/ etc/cron.d/whoisd7 rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service -
trunk/server/common/patches/krb5-kuserok-scripts.patch
r1693 r2066 1 1 # scripts.mit.edu krb5 kuserok patch 2 2 # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> 3 # 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3 4 # 4 5 # This program is free software; you can redistribute it and/or … … 18 19 # See /COPYRIGHT in this repository for more information. 19 20 # 20 --- krb5-1. 6.3/src/lib/krb5/os/kuserok.c.old 2009-04-08 06:17:06.000000000 -040021 +++ krb5-1. 6.3/src/lib/krb5/os/kuserok.c 2009-04-08 06:17:18.000000000 -040022 @@ -3 1,6 +31,7 @@23 #if !defined(_WIN32) 21 --- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 22 +++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 23 @@ -32,6 +32,7 @@ 24 #if !defined(_WIN32) /* Not yet for Windows */ 24 25 #include <stdio.h> 25 26 #include <pwd.h> … … 28 29 #if defined(_AIX) && defined(_IBMR2) 29 30 #include <sys/access.h> 30 @@ -71,7 +72,6 @@ 31 
@@ -51,39 +52,6 @@ 32 enum result { ACCEPT, REJECT, PASS }; 33 34 /* 35 - * Find the k5login filename for luser, either in the user's homedir or in a 36 - * configured directory under the username. 37 - */ 38 -static krb5_error_code 39 -get_k5login_filename(krb5_context context, const char *luser, 40 - const char *homedir, char **filename_out) 41 -{ 42 - krb5_error_code ret; 43 - char *dir, *filename; 44 - 45 - *filename_out = NULL; 46 - ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, 47 - KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir); 48 - if (ret != 0) 49 - return ret; 50 - 51 - if (dir == NULL) { 52 - /* Look in the user's homedir. */ 53 - if (asprintf(&filename, "%s/.k5login", homedir) < 0) 54 - return ENOMEM; 55 - } else { 56 - /* Look in the configured directory. */ 57 - if (asprintf(&filename, "%s/%s", dir, luser) < 0) 58 - ret = ENOMEM; 59 - profile_release_string(dir); 60 - if (ret) 61 - return ret; 62 - } 63 - *filename_out = filename; 64 - return 0; 65 -} 66 - 67 -/* 68 * Determine whether principal is authorized to log in as luser according to 69 * the user's k5login file. Return ACCEPT if the k5login file authorizes the 70 * principal, PASS if the k5login file does not exist, or REJECT if the k5login 71 @@ -93,13 +61,12 @@ 72 static enum result 73 k5login_ok(krb5_context context, krb5_principal principal, const char *luser) 31 74 { 32 struct stat sbuf;33 struct passwd *pwd;34 - char pbuf[MAXPATHLEN];35 krb5_boolean isok = FALSE;36 FILE *fp;37 char kuser[MAX_USERNAME];38 
@@ -79,71 +79,35 @@ 39 char linebuf[BUFSIZ];40 char *newline;41 int gobble;75 - int authoritative = TRUE, gobble; 76 + int authoritative = TRUE; 77 enum result result = REJECT; 78 - char *filename = NULL, *princname = NULL; 79 - char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ]; 80 - struct stat sbuf; 81 + char *princname = NULL; 82 + char pwbuf[BUFSIZ]; 83 struct passwd pwx, *pwd; 84 - FILE *fp = NULL; 42 85 + int pid, status; 43 86 44 /* no account => no access */45 char pwbuf[BUFSIZ];46 struct passwd pwx; 87 if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, 88 KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, 89 
@@ -110,46 +77,29 @@ 47 90 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 48 return(FALSE);49 - (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); 50 - pbuf[sizeof(pbuf) - 1] = '\0';51 - (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));91 goto cleanup; 92 93 - if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) 94 - goto cleanup; 52 95 - 53 - if (access(pbuf, F_OK)) { /* not accessible */ 54 - /* 55 - * if he's trying to log in as himself, and there is no .k5login file, 56 - * let him. To find out, call 57 - * krb5_aname_to_localname to convert the principal to a name 58 - * which we can string compare. 59 - */ 60 - if (!(krb5_aname_to_localname(context, principal, 61 - sizeof(kuser), kuser)) 62 - && (strcmp(kuser, luser) == 0)) { 63 - return(TRUE); 64 - } 96 - if (access(filename, F_OK) != 0) { 97 - result = PASS; 98 - goto cleanup; 65 99 - } 66 if (krb5_unparse_name(context, principal, &princname)) 67 return(FALSE); /* no hope of matching */ 100 - 101 if (krb5_unparse_name(context, principal, &princname) != 0) 102 goto cleanup; 68 103 69 - /* open ~/.k5login */ 70 - if ((fp = fopen(pbuf, "r")) == NULL) { 71 - free(princname); 72 - return(FALSE); 73 - } 104 - fp = fopen(filename, "r"); 105 - if (fp == NULL) 106 + if ((pid = fork()) == -1) 107 goto cleanup; 74 108 - set_cloexec_file(fp); 75 - /* 76 - * For security reasons, the .k5login file must be owned either by 77 - * the user himself, or by root. Otherwise, don't grant access. 78 - */ 79 - if (fstat(fileno(fp), &sbuf)) { 80 - fclose(fp); 81 - free(princname); 82 - return(FALSE); 83 + if ((pid = fork()) == -1) { 84 + free(princname); 85 + return(FALSE); 109 - 110 - /* For security reasons, the .k5login file must be owned either by 111 - * the user or by root. */ 112 - if (fstat(fileno(fp), &sbuf)) 113 - goto cleanup; 114 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) 115 - goto cleanup; 116 - 117 - /* Check each line. 
*/ 118 - while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { 119 - newline = strrchr(linebuf, '\n'); 120 - if (newline != NULL) 121 - *newline = '\0'; 122 - if (strcmp(linebuf, princname) == 0) 123 - result = ACCEPT; 124 - /* Clean up the rest of the line if necessary. */ 125 - if (newline == NULL) 126 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 127 + 128 + if (pid == 0) { 129 + char *args[4]; 130 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 131 + args[0] = ADMOF_PATH; 132 + args[1] = (char *) luser; 133 + args[2] = princname; 134 + args[3] = NULL; 135 + execv(ADMOF_PATH, args); 136 + exit(1); 86 137 } 87 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { 88 - fclose(fp); 89 - free(princname); 90 - return(FALSE); 91 + if (pid == 0) { 92 + char *args[4]; 93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 94 + args[0] = ADMOF_PATH; 95 + args[1] = (char *) luser; 96 + args[2] = princname; 97 + args[3] = NULL; 98 + execv(ADMOF_PATH, args); 99 + exit(1); 100 } 101 - 102 - /* check each line */ 103 - while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { 104 - /* null-terminate the input string */ 105 - linebuf[BUFSIZ-1] = '\0'; 106 - newline = NULL; 107 - /* nuke the newline if it exists */ 108 - if ((newline = strchr(linebuf, '\n'))) 109 - *newline = '\0'; 110 - if (!strcmp(linebuf, princname)) { 111 - isok = TRUE; 112 - continue; 113 - } 114 - /* clean up the rest of the line if necessary */ 115 - if (!newline) 116 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 138 117 139 + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 118 + isok=TRUE;119 140 + result = ACCEPT; 141 + } 120 142 + 143 cleanup: 121 144 free(princname); 122 - fclose(fp); 123 return(isok); 145 - free(filename); 146 - if (fp != NULL) 147 - fclose(fp); 148 /* If k5login files are non-authoritative, never reject. */ 149 return (!authoritative && result == REJECT) ? PASS : result; 124 150 } 125 -
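Review bot: The child branch of the new k5login_ok calls `exit(1)` when `execv` fails, which runs the parent's atexit handlers and flushes the parent's copy of the stdio buffers from inside the calling process (sshd, when this is the kuserok hook); a forked child that could not exec should use `_exit(127);`. Nothing is done between `fork()` and `execv()` to close inherited descriptors or reset the environment and signal dispositions, so the helper runs with whatever the caller had open and with the caller's privileges — worth at least a closefrom/CLOEXEC pass before the exec. `waitpid` is not retried on EINTR and the result is only ACCEPT on exit status 33, so a signal during the wait or a crashing helper yields REJECT; that is fail-closed, but `do { r = waitpid(pid, &status, 0); } while (r == -1 && errno == EINTR);` avoids spurious denials, and the 33 should be a named constant such as `#define ADMOF_EXIT_ALLOW 33` with a comment on who defines that contract. With the file-based path removed, k5login_ok never returns PASS while k5login is authoritative, so the an2ln fallback in krb5_kuserok presumably no longer runs — if the helper is meant to be the sole authority, the comment above the function should say so. k5login_ok's body starts in the earlier hunks of this section.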
trunk/server/common/patches/openafs-scripts.patch
r1693 r2066 4 4 # and Anders Kaseorg <andersk@mit.edu> 5 5 # and Edward Z. Yang <ezyang@mit.edu> 6 # and Benjamin Kaduk <kaduk@mit.edu> 7 # and Alexander Chernyakhovsky <achernya@mit.edu> 6 8 # 7 9 # This file is available under both the MIT license and the GPL. … … 43 45 # See /COPYRIGHT in this repository for more information. 44 46 # 45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c 46 --- openafs-1.4/src/afs/afs_analyze.c 47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 48 @@ -585,7 +585,7 @@ 49 (afid ? afid->Fid.Volume : 0)); 50 } 51 52 - if (areq->busyCount > 100) { 53 + if (1) { 54 if (aerrP) 55 (aerrP->err_Volume)++; 56 areq->volumeError = VOLBUSY; 57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c 59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 60 @@ -896,6 +896,28 @@ 47 diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c 48 index 7c7705e..0d0e94f 100644 49 --- a/src/afs/LINUX/osi_vnodeops.c 50 +++ b/src/afs/LINUX/osi_vnodeops.c 51 
@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags) 61 52 /* should we always update the attributes at this point? */ 62 53 /* unlikely--the vcache entry hasn't changed */ 63 54 64 55 + /* [scripts] This code makes hardlinks work correctly. 65 + 66 + 67 + 68 + 69 + 70 + 71 + 72 + 73 + 74 + 75 + 76 + 77 + 78 + 79 + 80 + 81 + 82 + 83 + 56 + * 57 + * We want Apache to be able to read a file with hardlinks 58 + * named .htaccess and foo to be able to read it via .htaccess 59 + * and not via foo, regardless of which name was looked up 60 + * (remember, inodes do not have filenames associated with them.) 61 + * 62 + * It is important that we modify the existing cache entry even 63 + * if it is otherwise totally valid and would not be reloaded. 64 + * Otherwise, it won't recover from repeatedly reading the same 65 + * inode via multiple hardlinks or different names. Specifically, 66 + * Apache will be able to read both names if it was first looked 67 + * up (by anyone!) via .htaccess, and neither if it was first 68 + * looked up via foo. 69 + * 70 + * With regards to performance, the strncmp() is bounded by 71 + * three characters, so it takes O(3) operations. If this code 72 + * is extended to all static-cat extensions, we'll want to do 73 + * some clever hashing using gperf here. 74 + */ 84 75 + vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0; 85 76 + 77 dput(parent); 86 78 } else { 87 79 #ifdef notyet 88 pvcp = VTOAFS(dp->d_parent->d_inode); /* dget_parent()? */ 89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c 91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 92 @@ -1572,6 +1572,12 @@ 80 diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c 81 index eabcfeb..6390850 100644 82 --- a/src/afs/VNOPS/afs_vnop_access.c 83 +++ b/src/afs/VNOPS/afs_vnop_access.c 84 
@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 85 dirBits = PRSFS_LOOKUP | PRSFS_READ; 86 return (arights == (dirBits & arights)); 87 } 88 + if ( areq->uid == globalpag && 89 + !(areq->realuid == avc->f.fid.Fid.Volume) && 90 + !((avc->f.anyAccess | arights) == avc->f.anyAccess) && 91 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) && 92 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) && 93 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 94 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { 95 + return 0; 96 + } 97 return (arights == afs_GetAccessBits(avc, arights, areq)); 98 } else { 99 /* some rights come from dir and some from file. Specifically, you 100 @@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq, 101 fileBits |= PRSFS_READ; 102 } 103 } 104 + 105 + if ( areq->uid == globalpag && 106 + !(areq->realuid == avc->f.fid.Fid.Volume) && 107 + !((avc->f.anyAccess | arights) == avc->f.anyAccess) && 108 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && 109 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && 110 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && 111 + (avc->f.m.Mode == 0100777 || avc->apache_access)) && 112 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 113 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { 114 + return 0; 115 + } 116 + 117 return ((fileBits & arights) == arights); /* true if all rights bits are on */ 118 } 119 } 120 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c 121 index b3931e5..71ef05c 100644 122 --- a/src/afs/VNOPS/afs_vnop_attrs.c 123 +++ b/src/afs/VNOPS/afs_vnop_attrs.c 124 
@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs) 125 } 126 } 127 #endif /* AFS_DARWIN_ENV */ 128 - attrs->va_uid = fakedir ? 0 : avc->f.m.Owner; 129 - attrs->va_gid = fakedir ? 0 : avc->f.m.Group; /* yeah! */ 130 + attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume; 131 + attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner); 132 #if defined(AFS_SUN56_ENV) 133 attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0]; 134 #elif defined(AFS_DARWIN80_ENV) 135 diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c 136 index 8e7af1c..7e984e9 100644 137 --- a/src/afs/VNOPS/afs_vnop_lookup.c 138 +++ b/src/afs/VNOPS/afs_vnop_lookup.c 139 @@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr 93 140 } 94 141 95 142 done: 96 143 + if (tvc) { 97 + 98 + 99 + 144 + /* [scripts] check Apache's ability to read this file, so that 145 + * we can figure this out on an access() call */ 146 + tvc->apache_access = strncmp(aname, ".ht", 3) == 0; 100 147 + } 101 148 + … … 103 150 if (tname != aname && tname) 104 151 osi_FreeLargeSpace(tname); 105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h 106 --- openafs-1.4/src/afs/afs.h 107 +++ openafs-1.4+scripts/src/afs/afs.h 108 @@ -208,8 +208,16 @@ 109 #define QTOC(e) QEntry(e, struct cell, lruq) 110 #define QTOVH(e) QEntry(e, struct vcache, vhashq) 152 diff --git a/src/afs/afs.h b/src/afs/afs.h 153 index fcc4c70..0d53af6 100644 154 --- a/src/afs/afs.h 155 +++ b/src/afs/afs.h 156 @@ -233,8 +233,16 @@ struct afs_slotlist { 157 struct afs_slotlist *next; 158 }; 111 159 112 160 +#define AFSAGENT_UID (101) … … 123 171 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ 124 172 char initd; /* if non-zero, Error fields meaningful */ 125 @@ - 743,6 +751,7 @@173 
@@ -887,6 +895,7 @@ struct vcache { 126 174 #ifdef AFS_SUN5_ENV 127 s hort multiPage; /* count of multi-page getpages in progress */175 struct afs_q multiPage; /* list of multiPage_range structs */ 128 176 #endif 129 177 + int apache_access; /* whether or not Apache has access to a file */ … … 131 179 132 180 #define DONT_CHECK_MODE_BITS 0 133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c 134 --- openafs-1.4/src/afs/afs_osi_pag.c 135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 136 @@ -49,6 +49,8 @@ 181 diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c 182 index 1834e6d..673a8e6 100644 183 --- a/src/afs/afs_analyze.c 184 +++ b/src/afs/afs_analyze.c 185 @@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode, 186 (afid ? afid->Fid.Volume : 0)); 187 } 188 189 - if (areq->busyCount > 100) { 190 + if (1) { 191 if (aerrP) 192 (aerrP->err_Volume)++; 193 areq->volumeError = VOLBUSY; 194 diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c 195 index c888605..ff5cf2d 100644 196 --- a/src/afs/afs_osi_pag.c 197 +++ b/src/afs/afs_osi_pag.c 198 @@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0; 137 199 #endif 138 200 /* Local variables */ … … 143 205 * Pags are implemented as follows: the set of groups whose long 144 206 * representation is '41XXXXXX' hex are used to represent the pags. 145 @@ -4 49,6 +451,15 @@146 av->uid = a cred->cr_ruid; /* default when no pag is set */207 
@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred) 208 av->uid = afs_cr_uid(acred); /* default when no pag is set */ 147 209 #endif 148 210 } 149 211 + 150 + av->realuid = a cred->cr_ruid;151 + if(!globalpag && a cred->cr_ruid == AFSAGENT_UID) {212 + av->realuid = afs_cr_uid(acred); 213 + if(!globalpag && av->realuid == AFSAGENT_UID) { 152 214 + globalpag = av->uid; 153 215 + } 154 + else if (globalpag && av->uid == a cred->cr_ruid) {216 + else if (globalpag && av->uid == av->realuid) { 155 217 + av->uid = globalpag; 156 218 + } … … 159 221 } 160 222 161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c 162 --- openafs-1.4/src/afs/afs_pioctl.c 163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 164 @@ -1221,6 +1221,10 @@ 165 struct AFSFetchStatus OutStatus; 223 diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c 224 index f282510..00f1360 100644 225 --- a/src/afs/afs_pioctl.c 226 +++ b/src/afs/afs_pioctl.c 227 @@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl) 228 struct rx_connection *rxconn; 166 229 XSTATS_DECLS; 167 230 168 231 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { 169 + return EACCES;232 + return EACCES; 170 233 + } 171 234 + … … 173 236 if (!avc) 174 237 return EINVAL; 175 @@ -1 441,6 +1445,10 @@238 @@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens) 176 239 struct vrequest treq; 177 240 afs_int32 flag, set_parent_pag = 0; … … 184 247 if (!afs_resourceinit_flag) { 185 248 return EIO; 186 @@ -1800,6 +1808,10 @@ 187 afs_int32 iterator; 249 
@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens) 188 250 int newStyle; 251 int code = E2BIG; 189 252 190 253 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID && 191 + areq->realuid != 0 && areq->realuid != SIGNUP_UID) 254 + areq->realuid != 0 && areq->realuid != SIGNUP_UID) { 192 255 + return EDOM; 256 + } 193 257 + 194 258 AFS_STATCNT(PGetTokens); 195 259 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ 196 260 return EIO; /* Inappropriate ioctl for device */ 197 @@ - 1883,6 +1895,10 @@198 registerafs_int32 i;199 registerstruct unixuser *tu;261 @@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog) 262 afs_int32 i; 263 struct unixuser *tu; 200 264 201 265 + if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) { … … 206 270 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ 207 271 return EIO; /* Inappropriate ioctl for device */ 208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c211 @@ -118,6 +118,17 @@212 213 if ((vType(avc) == VDIR) || (avc->states & CForeign)) {214 /* rights are just those from acl */215 +216 + if ( areq->uid == globalpag &&217 + !(areq->realuid == avc->fid.Fid.Volume) &&218 + !((avc->anyAccess | arights) == avc->anyAccess) &&219 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&220 + !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&221 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&222 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {223 + return 0;224 + }225 +226 return (arights == afs_GetAccessBits(avc, arights, areq));227 } else {228 /* some rights come from dir and some from file. Specifically, you229 
@@ -171,6 +182,19 @@230 fileBits |= PRSFS_READ;231 }232 }233 +234 + if ( areq->uid == globalpag &&235 + !(areq->realuid == avc->fid.Fid.Volume) &&236 + !((avc->anyAccess | arights) == avc->anyAccess) &&237 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&238 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&239 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&240 + (avc->m.Mode == 0100777 || avc->apache_access)) &&241 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&242 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {243 + return 0;244 + }245 +246 return ((fileBits & arights) == arights); /* true if all rights bits are on */247 }248 }249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c252 @@ -87,8 +87,8 @@253 }254 }255 #endif /* AFS_DARWIN_ENV */256 - attrs->va_uid = fakedir ? 0 : avc->m.Owner;257 - attrs->va_gid = fakedir ? 0 : avc->m.Group; /* yeah! */258 + attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;259 + attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);260 #if defined(AFS_SUN56_ENV)261 attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];262 #elif defined(AFS_OSF_ENV)
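Review bot: In the afs_InitReq hunk `av->realuid` is now taken from `afs_cr_uid(acred)` where the previous version of the patch read `acred->cr_ruid`; if afs_cr_uid resolves to the fsuid/effective uid on this kernel (as the name suggests, not verifiable here), the field no longer holds the real uid, and every `realuid == HTTPD_UID`, `POSTFIX_UID`, `SIGNUP_UID` and `realuid == 0` test in afs_vnop_access.c and afs_pioctl.c, plus the one-time `globalpag` seeding on `AFSAGENT_UID`, now keys on that uid instead. That changes the outcome for any process that has switched uids with seteuid/setfsuid while keeping its real uid (for example a helper that temporarily becomes root), so the choice should be confirmed and recorded next to the assignment: `/* [scripts] realuid is the caller's uid as seen by afs_cr_uid (fs/effective uid on Linux?), not the POSIX real uid; the HTTPD_UID/POSTFIX_UID/root checks key on it. */`. If it is not the real uid, the field name `realuid` is now misleading and should be renamed or documented. afs_InitReq begins before this hunk.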