2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include <afsconfig.h>
23 #include "afs/param.h"
28 #include "afs/sysincludes.h" /* Standard vendor system headers */
29 #include "afsincludes.h" /* Afs-based standard headers */
30 #include "afs/afs_stats.h" /* statistics */
31 #include "afs/afs_cbqueue.h"
32 #include "afs/nfsclient.h"
33 #include "afs/afs_osidnlc.h"
36 /* Imported variables */
37 extern int afs_shuttingdown;
39 /* Exported variables */
41 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
42 afs_uint32 pagCounter = 1;
44 afs_uint32 pagCounter = 0;
45 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
47 #ifdef AFS_LINUX26_ONEGROUP_ENV
48 #define NUMPAGGROUPS 1
50 #define NUMPAGGROUPS 2
55 * Pags are implemented as follows: the set of groups whose long
56 * representation is '41XXXXXX' hex are used to represent the pags.
57 * Being a member of such a group means you are authenticated as pag
58 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
59 * multiple pags at once.
61 * The function afs_InitReq takes a credential field and formats the
62 * corresponding venus request structure. The uid field in the
63 * vrequest structure is set to the *pag* you are authenticated as, or
64 * the uid, if you aren't authenticated with a pag.
66 * The basic motivation behind pags is this: just because your unix
67 * uid is N doesn't mean that you should have the same privileges as
68 * anyone logged in on the machine as user N, since this would enable
69 * the superuser on the machine to sneak in and make use of anyone's
70 * authentication info, even that which is only accidentally left
71 * behind when someone leaves a public workstation.
73 * AFS doesn't use the unix uid for anything except
74 * a handle with which to find the actual authentication tokens
75 * anyway, so the pag is an alternative handle which is somewhat more
76 * secure (although of course not absolutely secure).
78 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
83 #ifdef AFS_LINUX20_ENV
84 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
85 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
86 #else /* AFS_LINUX20_ENV */
87 return (('A' << 24) + (pagCounter++ & 0xffffff));
88 #endif /* AFS_LINUX20_ENV */
95 #ifdef AFS_LINUX20_ENV
96 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
97 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
99 return (('A' << 24) + (pagCounter & 0xffffff));
105 /* Web enhancement: we don't need to restrict pags to 41XXXXXX since
106 * we are not sharing the space with anyone. So we use the full 32 bits. */
112 #ifdef AFS_LINUX20_ENV
113 return (pag_epoch + pagCounter++);
115 return (pagCounter++);
116 #endif /* AFS_LINUX20_ENV */
123 #ifdef AFS_LINUX20_ENV
124 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
125 return (pag_epoch + pagCounter);
130 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
132 /* used to require 10 seconds between each setpag to guarantee that
133 * PAGs never wrap - which would be a security hole. If we presume
134 * that in ordinary operation, the average rate of PAG allocation
135 * will not exceed one per second, the 24 bits provided will be
136 * sufficient for ~200 days. Unfortunately, if we merely assume that,
137 * there will be an opportunity for attack. So we must enforce it.
138 * If we need to increase the average rate of PAG allocation, we
139 * should increase the number of bits in a PAG, and/or reduce our
140 * window in which we guarantee that the PAG counter won't wrap.
141 * By permitting an average of one new PAG per second, new PAGs can
142 * be allocated VERY frequently over a short period relative to total uptime.
143 * Of course, there's only an issue here if one user stays logged (and re-
144 * activates tokens repeatedly) for that entire period.
147 static int afs_pag_sleepcnt = 0;
148 static int afs_pag_timewarn = 0;
151 afs_pag_sleep(struct AFS_UCRED **acred)
155 if (!afs_suser(acred)) {
156 if(osi_Time() - pag_epoch < pagCounter) {
159 if (rv && (osi_Time() < pag_epoch)) {
160 if (!afs_pag_timewarn) {
161 afs_pag_timewarn = 1;
162 printf("clock went backwards, not PAG throttling");
172 afs_pag_wait(struct AFS_UCRED **acred)
174 if (afs_pag_sleep(acred)) {
175 if (!afs_pag_sleepcnt) {
176 printf("%s() PAG throttling triggered, pid %d... sleeping. sleepcnt %d\n",
177 "afs_pag_wait", osi_getpid(), afs_pag_sleepcnt);
183 /* XXX spins on EINTR */
184 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *)0, 0);
185 } while (afs_pag_sleep(acred));
194 #if defined(AFS_SUN5_ENV)
195 afs_setpag(struct AFS_UCRED **credpp)
196 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
197 afs_setpag(struct proc *p, void *args, int *retval)
203 #if defined(AFS_SUN5_ENV)
204 struct AFS_UCRED **acred = *credpp;
205 #elif defined(AFS_OBSD_ENV)
206 struct AFS_UCRED **acred = &p->p_ucred;
208 struct AFS_UCRED **acred = NULL;
213 #if defined(AFS_SGI53_ENV) && defined(MP)
214 /* This is our first chance to get the global lock. */
216 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
218 AFS_STATCNT(afs_setpag);
223 #if defined(AFS_SUN5_ENV)
224 code = AddPag(genpag(), credpp);
225 #elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
226 code = AddPag(p, genpag(), &p->p_rcred);
227 #elif defined(AFS_AIX41_ENV)
230 struct ucred *credp0;
234 code = AddPag(genpag(), &credp);
235 /* If AddPag() didn't make a new cred, then free our cred ref */
236 if (credp == credp0) {
240 #elif defined(AFS_HPUX110_ENV)
242 struct ucred *credp = p_cred(u.u_procp);
243 code = AddPag(genpag(), &credp);
245 #elif defined(AFS_SGI_ENV)
248 credp = OSI_GET_CURRENT_CRED();
249 code = AddPag(genpag(), &credp);
251 #elif defined(AFS_LINUX20_ENV)
253 struct AFS_UCRED *credp = crref();
254 code = AddPag(genpag(), &credp);
257 #elif defined(AFS_DARWIN80_ENV)
259 struct ucred *credp = kauth_cred_proc_ref(p);
260 code = AddPag(p, genpag(), &credp);
261 kauth_cred_rele(credp);
263 #elif defined(AFS_DARWIN_ENV)
265 struct ucred *credp = crdup(p->p_cred->pc_ucred);
266 code = AddPag(p, genpag(), &credp);
270 code = AddPag(genpag(), &u.u_cred);
273 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
275 #if defined(KERNEL_HAVE_UERROR)
280 #if defined(AFS_SGI53_ENV) && defined(MP)
282 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
287 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
290 * This function is like setpag but sets the current thread's pag id to a
291 * caller-provided value instead of calling genpag(). This implements a
292 * form of token caching since the caller can recall a particular pag value
293 * for the thread to restore tokens, rather than reauthenticating.
296 #if defined(AFS_SUN5_ENV)
297 afs_setpag_val(struct AFS_UCRED **credpp, int pagval)
298 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
299 afs_setpag_val(struct proc *p, void *args, int *retval, int pagval)
301 afs_setpag_val(int pagval)
305 #if defined(AFS_SUN5_ENV)
306 struct AFS_UCRED **acred = *credp;
307 #elif defined(AFS_OBSD_ENV)
308 struct AFS_UCRED **acred = &p->p_ucred;
310 struct AFS_UCRED **acred = NULL;
315 #if defined(AFS_SGI53_ENV) && defined(MP)
316 /* This is our first chance to get the global lock. */
318 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
320 AFS_STATCNT(afs_setpag);
324 #if defined(AFS_SUN5_ENV)
325 code = AddPag(pagval, credpp);
326 #elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
327 code = AddPag(p, pagval, &p->p_rcred);
328 #elif defined(AFS_AIX41_ENV)
331 struct ucred *credp0;
335 code = AddPag(pagval, &credp);
336 /* If AddPag() didn't make a new cred, then free our cred ref */
337 if (credp == credp0) {
341 #elif defined(AFS_HPUX110_ENV)
343 struct ucred *credp = p_cred(u.u_procp);
344 code = AddPag(pagval, &credp);
346 #elif defined(AFS_SGI_ENV)
349 credp = OSI_GET_CURRENT_CRED();
350 code = AddPag(pagval, &credp);
352 #elif defined(AFS_LINUX20_ENV)
354 struct AFS_UCRED *credp = crref();
355 code = AddPag(pagval, &credp);
358 #elif defined(AFS_DARWIN_ENV)
360 struct ucred *credp = crdup(p->p_cred->pc_ucred);
361 code = AddPag(p, pagval, &credp);
365 code = AddPag(pagval, &u.u_cred);
368 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
369 #if defined(KERNEL_HAVE_UERROR)
373 #if defined(AFS_SGI53_ENV) && defined(MP)
375 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
379 #ifndef AFS_LINUX26_ONEGROUP_ENV
384 struct AFS_UCRED *credp = u.u_cred;
385 gid_t gidset0, gidset1;
386 #ifdef AFS_SUN510_ENV
389 gids = crgetgroups(*credp);
393 gidset0 = credp->cr_groups[0];
394 gidset1 = credp->cr_groups[1];
396 pagvalue = afs_get_pag_from_groups(gidset0, gidset1);
400 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
403 /* Note - needs to be available on AIX, others can be static - rework this */
404 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
406 AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
409 AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
412 afs_int32 newpag, code;
415 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
416 if ((code = setpag(p, credpp, aval, &newpag, 0)))
418 if ((code = setpag(credpp, aval, &newpag, 0)))
420 #if defined(KERNEL_HAVE_UERROR)
421 return (setuerror(code), code);
430 afs_InitReq(register struct vrequest *av, struct AFS_UCRED *acred)
435 AFS_STATCNT(afs_InitReq);
436 memset(av, 0, sizeof(*av));
437 if (afs_shuttingdown)
442 while (i < MAXHOSTS) {
443 av->skipserver[i] = 0;
446 #ifdef AFS_LINUX26_ENV
447 #if !defined(AFS_NONFSTRANS)
448 if (osi_linux_nfs_initreq(av, acred, &code))
453 av->uid = PagInCred(acred);
454 if (av->uid == NOPAG) {
455 /* Afs doesn't use the unix uid for anuthing except a handle
456 * with which to find the actual authentication tokens so I
457 * think it's ok to use the real uid to make setuid
458 * programs (without setpag) to work properly.
460 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
462 av->uid = -2; /* XXX nobody... ? */
464 av->uid = acred->cr_uid; /* bsd creds don't have ruid */
465 #elif defined(AFS_SUN510_ENV)
466 av->uid = crgetruid(acred);
468 av->uid = acred->cr_ruid; /* default when no pag is set */
476 #ifdef AFS_LINUX26_ONEGROUP_ENV
478 afs_get_pag_from_groups(struct group_info *group_info)
483 AFS_STATCNT(afs_get_pag_from_groups);
484 for (i = 0; (i < group_info->ngroups &&
485 (g0 = GROUP_AT(group_info, i)) != (gid_t) NOGROUP); i++) {
486 if (((g0 >> 24) & 0xff) == 'A')
493 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
497 afs_uint32 h, l, ret;
499 AFS_STATCNT(afs_get_pag_from_groups);
503 if (g0 < 0xc000 && g1 < 0xc000) {
504 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
506 h = (g1 >> 14) + h + h + h;
507 ret = ((h << 28) | l);
508 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
511 /* Additional testing */
512 if (((ret >> 24) & 0xff) == 'A')
514 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
521 afs_get_groups_from_pag(afs_uint32 pag, gid_t * g0p, gid_t * g1p)
523 unsigned short g0, g1;
526 AFS_STATCNT(afs_get_groups_from_pag);
527 #ifdef AFS_LINUX26_ONEGROUP_ENV
531 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
533 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
534 g0 = 0x3fff & (pag >> 14);
536 g0 |= ((pag >> 28) / 3) << 14;
537 g1 |= ((pag >> 28) % 3) << 14;
545 PagInCred(const struct AFS_UCRED *cred)
549 #if defined(AFS_SUN510_ENV)
554 AFS_STATCNT(PagInCred);
555 if (cred == NULL || cred == afs_osi_credp) {
558 #if defined(AFS_SUN510_ENV)
559 gids = crgetgroups(cred);
560 ngroups = crgetngroups(cred);
562 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
563 if (cred == NOCRED || cred == FSCRED) {
566 if (cred->cr_ngroups < 3)
568 /* gid is stored in cr_groups[0] */
569 g0 = cred->cr_groups[1];
570 g1 = cred->cr_groups[2];
572 #if defined(AFS_AIX_ENV)
573 if (cred->cr_ngrps < 2) {
576 #elif defined(AFS_LINUX26_ENV)
577 if (cred->cr_group_info->ngroups < NUMPAGGROUPS) {
581 #elif defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_XBSD_ENV)
582 #if defined(AFS_SUN510_ENV)
585 if (cred->cr_ngroups < 2) {
591 #if defined(AFS_AIX51_ENV)
592 g0 = cred->cr_groupset.gs_union.un_groups[0];
593 g1 = cred->cr_groupset.gs_union.un_groups[1];
594 #elif defined(AFS_LINUX26_ONEGROUP_ENV)
595 #elif defined(AFS_LINUX26_ENV)
596 g0 = GROUP_AT(cred->cr_group_info, 0);
597 g1 = GROUP_AT(cred->cr_group_info, 1);
598 #elif defined(AFS_SUN510_ENV)
602 g0 = cred->cr_groups[0];
603 g1 = cred->cr_groups[1];
606 #if defined(AFS_LINUX26_ONEGROUP_ENV)
607 pag = (afs_int32) afs_get_pag_from_groups(cred->cr_group_info);
609 pag = (afs_int32) afs_get_pag_from_groups(g0, g1);
612 #if defined(AFS_LINUX26_ENV) && defined(LINUX_KEYRING_SUPPORT)
613 if (pag == NOPAG && cred->cr_rgid != NFSXLATOR_CRED) {
615 afs_uint32 upag, newpag;
617 key = request_key(&key_type_afs_pag, "_pag", NULL);
619 if (key_validate(key) == 0 && key->uid == 0) { /* also verify in the session keyring? */
620 upag = (afs_uint32) key->payload.value;
621 if (((upag >> 24) & 0xff) == 'A') {
622 __setpag(&cred, upag, &newpag, 0);
623 pag = (afs_int32) upag;