extern char *optarg;
extern int optind;
+int restricted = 0;
int display_entry();
void add_group();
void display_groups();
#define IP_WILDCARDS 1 /* XXX Should be defined outside of here XXX */
+extern int restricted;
extern struct ubik_dbase *dbase;
extern afs_int32 Initdb();
extern int pr_noAuth;
afs_int32 flag; /* indicates type of entry */
int admin; /* sysadmin membership */
{
+ if (restricted && !admin)
+ return 0;
+
if (flag & PRFOREIGN) {
/* Foreign users are recognized by the '@' sign and
* not by the PRFOREIGN flag.
ABORT_WITH(tt, PRPERM);
admin = IsAMemberOf(tt, cid, SYSADMINID);
} else {
- admin = (!strcmp(aname, cname)) || IsAMemberOf(tt, cid, SYSADMINID);
+ admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, cid, SYSADMINID);
oid = cid = SYSADMINID;
}
if (!CreateOK(tt, cid, oid, flag, admin))
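Review bot: The doubled parentheses in `admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, cid, SYSADMINID);` add nothing and make the grouping harder to verify on a line that decides administrative rights; `admin = (!restricted && !strcmp(aname, cname)) || IsAMemberOf(tt, cid, SYSADMINID);` is equivalent. A short comment above it, such as `/* restricted mode: only SYSADMINID membership grants admin here */`, would record why the `aname`/`cname` match is ignored when `restricted` is set. The enclosing function starts and ends outside the hunk.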
int pr_realmNameLen;
char *pr_realmName;
+int restricted = 0;
+
static struct afsconf_cell info;
extern int prp_group_default;
prp_user_default = prp_access_mask(argv[++a]);
prp_group_default = prp_access_mask(argv[++a]);
}
+ else if (strncmp(arg, "-restricted", alen) == 0) {
+ restricted = 1;
+ }
else if (strncmp(arg, "-enable_peer_stats", alen) == 0) {
rx_enablePeerRPCStats();
} else if (strncmp(arg, "-enable_process_stats", alen) == 0) {
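Review bot: `strncmp(arg, "-restricted", alen) == 0` accepts any prefix of the option, so an abbreviation shorter than `-res` is also a prefix of `-rebuild` (listed in the usage text) and is resolved only by branch order, which is not visible here. If `alen` is the length of `arg`, as the neighbouring branches suggest, an operator who abbreviates the flag could start the server unrestricted with no error reported. Because this switch changes access control, consider requiring the full name, `else if (strcmp(arg, "-restricted") == 0) {`, and noting in the server's startup log that restricted mode is active. The option chain starts and ends outside the hunk.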
"[-syslog[=FACILITY]] "
"[-p <number of processes>] [-rebuild] "
"[-groupdepth <depth>] "
+ "[-restricted] "
"[-enable_peer_stats] [-enable_process_stats] "
"[-default_access default_user_access default_group_access] "
"[-help]\n");
printf("Usage: ptserver [-database <db path>] "
"[-p <number of processes>] [-rebuild] "
"[-default_access default_user_access default_group_access] "
+ "[-restricted] "
"[-groupdepth <depth>] " "[-help]\n");
#endif
#else
"[-p <number of processes>] [-rebuild] "
"[-enable_peer_stats] [-enable_process_stats] "
"[-default_access default_user_access default_group_access] "
+ "[-restricted] "
"[-help]\n");
#else /* AFS_NT40_ENV */
printf("Usage: ptserver [-database <db path>] "
"[-default_access default_user_access default_group_access] "
+ "[-restricted] "
"[-p <number of processes>] [-rebuild] " "[-help]\n");
#endif
#endif
/* Foreign cells are represented by the group system:authuser@cell*/
#define AUTHUSER_GROUP "system:authuser"
-
+extern int restricted;
extern struct ubik_dbase *dbase;
extern struct afsconf_dir *prdir;
extern int pr_noAuth;
return 1;
if (cid == SYSADMINID)
return 1; /* special case fileserver */
+ if (restricted && ((mem == PRP_ADD_MEM) || (mem == any == 0)))
+ return 0;
if (tentry) {
flags = tentry->flags;
oid = tentry->owner;
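Review bot: `mem == any == 0` in the added condition parses as `(mem == any) == 0`, that is `mem != any`, because `==` associates left to right; it is not a test that both values are zero. As written, restricted mode returns 0 whenever `mem` is `PRP_ADD_MEM` or `mem` and `any` differ, and lets the request fall through to the later checks when they are equal, which is unlikely to be the intended rule for an authorization gate. Spell the condition out, for example `if (restricted && (mem == PRP_ADD_MEM || (mem == 0 && any == 0)))` if "both zero" is what is meant, and add a comment naming which operations restricted mode blocks. GCC's -Wparentheses reports this construct, so building with it enabled would catch a recurrence. The function body continues outside the hunk.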
code = pr_ReadEntry(at, 0, loc, &tentry);
if (code)
return PRDBFAIL;
+ if (restricted && !IsAMemberOf(at, cid, SYSADMINID))
+ return PRPERM;
if (tentry.owner != cid && !IsAMemberOf(at, cid, SYSADMINID)
&& !IsAMemberOf(at, cid, tentry.owner) && !pr_noAuth)
return PRPERM;
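Review bot: The added `restricted` check returns PRPERM for every caller outside SYSADMINID without consulting `pr_noAuth`, whereas the ownership check right after it is skipped when `pr_noAuth` is set. A comment should state whether restricted mode is meant to override no-auth operation, for example `/* restricted mode applies even with pr_noAuth */`, so the asymmetry is not later "fixed" by mistake. The new line also calls `IsAMemberOf(at, cid, SYSADMINID)` a second time with the same arguments; computing it once, e.g. `int isadmin = IsAMemberOf(at, cid, SYSADMINID);`, keeps the two checks from drifting apart. The function starts and ends outside the hunk.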