Currently, all prdb write operations, except for SPR_Delete, will fail
with PRPERM if called by a non-system:administrators caller while
restricted mode is active. SPR_Delete is missing this check, and so
is not affected by the -restricted option.
Fix this by inserting the same check for -restricted as all other code
paths that check for -restricted.
Reviewed-on: https://gerrit.openafs.org/13374
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit 2e556c0f23ae439c804352cf51fcf30878b03c7a)
Change-Id: I9a31cf4e6490aa13dc0c239d2660fc146553ee75
Reviewed-on: https://gerrit.openafs.org/13688
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
&& !IsAMemberOf(tt, *cid, tentry.owner) && !pr_noAuth)
ABORT_WITH(tt, PRPERM);
+ if (restricted && !IsAMemberOf(tt, *cid, SYSADMINID)) {
+ ABORT_WITH(tt, PRPERM);
+ }
+
/* Delete each continuation block as a separate transaction so that no one
* transaction become to large to complete. */
nptr = tentry.next;
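Review bot: the added "if (restricted && !IsAMemberOf(tt, *cid, SYSADMINID))" test has no pr_noAuth exemption, while the owner/admin check directly above it ends in "&& !pr_noAuth", so a caller that passes the first check because of pr_noAuth is still refused here whenever restricted is set. If that is intended, a one-line comment above the new block saying that restricted mode takes precedence over pr_noAuth would save the next reader from wondering; if it is not, the condition needs the same "&& !pr_noAuth" term. The placement itself is right: the check sits before the continuation blocks are deleted in separate transactions, so a refused caller cannot leave an entry partly deleted. Because the commit message says this is the same test used on every other -restricted path, consider moving it into a small helper called at the top of each write RPC, so that a new write path cannot omit it the way SPR_Delete did.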