2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include <afsconfig.h>
23 #include "afs/param.h"
28 #include "afs/sysincludes.h" /* Standard vendor system headers */
29 #include "afsincludes.h" /* Afs-based standard headers */
30 #include "afs/afs_stats.h" /* statistics */
31 #include "afs/afs_cbqueue.h"
32 #include "afs/nfsclient.h"
33 #include "afs/afs_osidnlc.h"
36 /* Imported variables */
37 extern int afs_shuttingdown;
39 /* Exported variables */
41 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
42 afs_uint32 pagCounter = 1;
44 afs_uint32 pagCounter = 0;
45 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
50 * Pags are implemented as follows: the set of groups whose long
51 * representation is '41XXXXXX' hex are used to represent the pags.
52 * Being a member of such a group means you are authenticated as pag
53 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
54 * multiple pags at once.
56 * The function afs_InitReq takes a credential field and formats the
57 * corresponding venus request structure. The uid field in the
58 * vrequest structure is set to the *pag* you are authenticated as, or
59 * the uid, if you aren't authenticated with a pag.
61 * The basic motivation behind pags is this: just because your unix
62 * uid is N doesn't mean that you should have the same privileges as
63 * anyone logged in on the machine as user N, since this would enable
64 * the superuser on the machine to sneak in and make use of anyone's
65 * authentication info, even that which is only accidentally left
66 * behind when someone leaves a public workstation.
68 * AFS doesn't use the unix uid for anything except
69 * a handle with which to find the actual authentication tokens
70 * anyway, so the pag is an alternative handle which is somewhat more
71 * secure (although of course not absolutely secure).
73 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
78 #ifdef AFS_LINUX20_ENV
79 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
80 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
81 #else /* AFS_LINUX20_ENV */
82 return (('A' << 24) + (pagCounter++ & 0xffffff));
83 #endif /* AFS_LINUX20_ENV */
90 #ifdef AFS_LINUX20_ENV
91 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
92 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
94 return (('A' << 24) + (pagCounter & 0xffffff));
100 /* Web enhancement: we don't need to restrict pags to 41XXXXXX since
101 * we are not sharing the space with anyone. So we use the full 32 bits. */
107 #ifdef AFS_LINUX20_ENV
108 return (pag_epoch + pagCounter++);
110 return (pagCounter++);
111 #endif /* AFS_LINUX20_ENV */
118 #ifdef AFS_LINUX20_ENV
119 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
120 return (pag_epoch + pagCounter);
125 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
127 /* used to require 10 seconds between each setpag to guarantee that
128 * PAGs never wrap - which would be a security hole. If we presume
129 * that in ordinary operation, the average rate of PAG allocation
130 * will not exceed one per second, the 24 bits provided will be
131 * sufficient for ~200 days. Unfortunately, if we merely assume that,
132 * there will be an opportunity for attack. So we must enforce it.
133 * If we need to increase the average rate of PAG allocation, we
134 * should increase the number of bits in a PAG, and/or reduce our
135 * window in which we guarantee that the PAG counter won't wrap.
136 * By permitting an average of one new PAG per second, new PAGs can
137 * be allocated VERY frequently over a short period relative to total uptime.
138 * Of course, there's only an issue here if one user stays logged (and re-
139 * activates tokens repeatedly) for that entire period.
142 static int afs_pag_sleepcnt = 0;
145 afs_pag_sleep(struct AFS_UCRED **acred)
148 if(!afs_suser(acred)) {
149 if(osi_Time() - pag_epoch < pagCounter) {
158 afs_pag_wait(struct AFS_UCRED **acred)
160 if(afs_pag_sleep(acred)) {
161 if(!afs_pag_sleepcnt) {
162 printf("%s() PAG throttling triggered, pid %d... sleeping. sleepcnt %d\n",
163 "afs_pag_wait", getpid(), afs_pag_sleepcnt);
169 /* XXX spins on EINTR */
170 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *)0, 0);
171 } while(afs_pag_sleep(acred));
180 #if defined(AFS_SUN5_ENV)
181 afs_setpag(struct AFS_UCRED **credpp)
182 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
183 afs_setpag(struct proc *p, void *args, int *retval)
189 #if defined(AFS_SUN5_ENV)
190 struct AFS_UCRED **acred = *credpp;
191 #elif defined(AFS_OBSD_ENV)
192 struct AFS_UCRED **acred = p->p_ucred;
194 struct AFS_UCRED **acred = NULL;
199 #if defined(AFS_SGI53_ENV) && defined(MP)
200 /* This is our first chance to get the global lock. */
202 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
204 AFS_STATCNT(afs_setpag);
209 #if defined(AFS_SUN5_ENV)
210 code = AddPag(genpag(), credpp);
211 #elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
212 code = AddPag(p, genpag(), &p->p_rcred);
213 #elif defined(AFS_AIX41_ENV)
216 struct ucred *credp0;
220 code = AddPag(genpag(), &credp);
221 /* If AddPag() didn't make a new cred, then free our cred ref */
222 if (credp == credp0) {
226 #elif defined(AFS_HPUX110_ENV)
228 struct ucred *credp = p_cred(u.u_procp);
229 code = AddPag(genpag(), &credp);
231 #elif defined(AFS_SGI_ENV)
234 credp = OSI_GET_CURRENT_CRED();
235 code = AddPag(genpag(), &credp);
237 #elif defined(AFS_LINUX20_ENV)
239 struct AFS_UCRED *credp = crref();
240 code = AddPag(genpag(), &credp);
243 #elif defined(AFS_DARWIN_ENV)
245 struct ucred *credp = crdup(p->p_cred->pc_ucred);
246 code = AddPag(p, genpag(), &credp);
250 code = AddPag(genpag(), &u.u_cred);
253 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
255 #if defined(KERNEL_HAVE_UERROR)
260 #if defined(AFS_SGI53_ENV) && defined(MP)
262 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
267 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
270 * This function is like setpag but sets the current thread's pag id to a
271 * caller-provided value instead of calling genpag(). This implements a
272 * form of token caching since the caller can recall a particular pag value
273 * for the thread to restore tokens, rather than reauthenticating.
276 #if defined(AFS_SUN5_ENV)
277 afs_setpag_val(struct AFS_UCRED **credpp, int pagval)
278 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
279 afs_setpag_val(struct proc *p, void *args, int *retval, int pagval)
281 afs_setpag_val(int pagval)
285 #if defined(AFS_SUN5_ENV)
286 struct AFS_UCRED **acred = *credp;
287 #elif defined(AFS_OBSD_ENV)
288 struct AFS_UCRED **acred = p->p_ucred;
290 struct AFS_UCRED **acred = NULL;
295 #if defined(AFS_SGI53_ENV) && defined(MP)
296 /* This is our first chance to get the global lock. */
298 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
300 AFS_STATCNT(afs_setpag);
304 #if defined(AFS_SUN5_ENV)
305 code = AddPag(pagval, credpp);
306 #elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
307 code = AddPag(p, pagval, &p->p_rcred);
308 #elif defined(AFS_AIX41_ENV)
311 struct ucred *credp0;
315 code = AddPag(pagval, &credp);
316 /* If AddPag() didn't make a new cred, then free our cred ref */
317 if (credp == credp0) {
321 #elif defined(AFS_HPUX110_ENV)
323 struct ucred *credp = p_cred(u.u_procp);
324 code = AddPag(pagval, &credp);
326 #elif defined(AFS_SGI_ENV)
329 credp = OSI_GET_CURRENT_CRED();
330 code = AddPag(pagval, &credp);
332 #elif defined(AFS_LINUX20_ENV)
334 struct AFS_UCRED *credp = crref();
335 code = AddPag(pagval, &credp);
338 #elif defined(AFS_DARWIN_ENV)
340 struct ucred *credp = crdup(p->p_cred->pc_ucred);
341 code = AddPag(p, pagval, &credp);
345 code = AddPag(pagval, &u.u_cred);
348 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
349 #if defined(KERNEL_HAVE_UERROR)
353 #if defined(AFS_SGI53_ENV) && defined(MP)
355 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
363 struct AFS_UCRED *credp = u.u_cred;
364 int gidset0, gidset1;
366 gidset0 = credp->cr_groups[0];
367 gidset1 = credp->cr_groups[1];
368 pagvalue = afs_get_pag_from_groups(gidset0, gidset1);
371 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
374 /* Note - needs to be available on AIX, others can be static - rework this */
375 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
377 AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
380 AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
383 afs_int32 newpag, code;
386 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
387 if ((code = setpag(p, credpp, aval, &newpag, 0)))
389 if ((code = setpag(credpp, aval, &newpag, 0)))
391 #if defined(KERNEL_HAVE_UERROR)
392 return (setuerror(code), code);
401 afs_InitReq(register struct vrequest *av, struct AFS_UCRED *acred)
403 AFS_STATCNT(afs_InitReq);
404 if (afs_shuttingdown)
406 av->uid = PagInCred(acred);
407 if (av->uid == NOPAG) {
408 /* Afs doesn't use the unix uid for anuthing except a handle
409 * with which to find the actual authentication tokens so I
410 * think it's ok to use the real uid to make setuid
411 * programs (without setpag) to work properly.
413 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
415 av->uid = -2; /* XXX nobody... ? */
417 av->uid = acred->cr_uid; /* bsd creds don't have ruid */
419 av->uid = acred->cr_ruid; /* default when no pag is set */
429 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
433 afs_uint32 h, l, ret;
435 AFS_STATCNT(afs_get_pag_from_groups);
438 if (g0 < 0xc000 && g1 < 0xc000) {
439 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
441 h = (g1 >> 14) + h + h + h;
442 ret = ((h << 28) | l);
443 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
446 /* Additional testing */
447 if (((ret >> 24) & 0xff) == 'A')
451 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
458 afs_get_groups_from_pag(afs_uint32 pag, gid_t * g0p, gid_t * g1p)
460 unsigned short g0, g1;
463 AFS_STATCNT(afs_get_groups_from_pag);
464 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
466 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
467 g0 = 0x3fff & (pag >> 14);
469 g0 |= ((pag >> 28) / 3) << 14;
470 g1 |= ((pag >> 28) % 3) << 14;
477 PagInCred(const struct AFS_UCRED *cred)
482 AFS_STATCNT(PagInCred);
486 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
487 if (cred == NOCRED || cred == FSCRED) {
490 if (cred->cr_ngroups < 3)
492 /* gid is stored in cr_groups[0] */
493 g0 = cred->cr_groups[1];
494 g1 = cred->cr_groups[2];
496 #if defined(AFS_AIX51_ENV)
497 if (kcred_getpag(cred, PAG_AFS, &pag) < 0 || pag == 0)
500 #elif defined(AFS_AIX_ENV)
501 if (cred->cr_ngrps < 2) {
504 #elif defined(AFS_LINUX26_ENV)
505 if (cred->cr_group_info->ngroups < 2)
507 #elif defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_XBSD_ENV)
508 if (cred->cr_ngroups < 2)
511 #if defined(AFS_AIX51_ENV)
512 g0 = cred->cr_groupset.gs_union.un_groups[0];
513 g1 = cred->cr_groupset.gs_union.un_groups[1];
514 #elif defined(AFS_LINUX26_ENV)
515 g0 = GROUP_AT(cred->cr_group_info, 0);
516 g1 = GROUP_AT(cred->cr_group_info, 1);
518 g0 = cred->cr_groups[0];
519 g1 = cred->cr_groups[1];
522 pag = (afs_int32) afs_get_pag_from_groups(g0, g1);