From: Simon Wilkinson Date: Thu, 24 Dec 2009 13:00:53 +0000 (+0000) Subject: Turn on bos restricted code X-Git-Tag: openafs-devel-1_5_69~68 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=f085951d39c0d6c1e6a626177c30235704317600 Turn on bos restricted code Remove the #ifdef's around the bos restricted mode code. This makes restricted mode available as part of the standard build, but a server will not go into restricted mode unless the relevant command line options are specified, or bos setrestricted is run. Document bos_setrestricted and bos_getrestricted, and the new '-restricted' command line option. Add a note to the man pages of all of the commands whose behaviour is affected by restricted mode. Add 'setr' and 'getr' aliases for setrestart and getrestart so that these documented shortcuts continue to work (otherwise they'd be ambiguous against setrestricted and getrestricted). Note that setre, setres, and setrest will not work once this patch is applied. Change-Id: Ie69d21493ea5f78757f0a3d478de43fdaabd3c31 Reviewed-on: http://gerrit.openafs.org/1028 Reviewed-by: Michael Meffie Reviewed-by: Andrew Deason Tested-by: Andrew Deason Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- diff --git a/acinclude.m4 b/acinclude.m4 index 5849570..dd37867 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -51,7 +51,6 @@ AH_VERBATIM([OPENAFS_HEADER], #undef AFS_LARGEFILE_ENV #undef AFS_NAMEI_ENV #undef BITMAP_LATER -#undef BOS_RESTRICTED_MODE #undef FAST_RESTART #undef FULL_LISTVOL_SWITCH #undef COMPLETION_H_EXISTS 
@@ -104,12 +103,6 @@ AC_ARG_ENABLE([pam], [AS_HELP_STRING([--disable-pam], [disable PAM support])], , [enable_pam="yes"]) -AC_ARG_ENABLE([bos-restricted-mode], - [AS_HELP_STRING([--enable-bos-restricted-mode], - [enable bosserver restricted mode which disables certain bosserver - functionality])], - , - [enable_bos_restricted_mode="no"]) AC_ARG_ENABLE([largefile-fileserver], [AS_HELP_STRING([--disable-largefile-fileserver], [disable large file support in fileserver])], @@ -1478,10 +1471,6 @@ if test "$enable_icmp_pmtu_discovery" = "yes"; then fi fi -if test "$enable_bos_restricted_mode" = "yes"; then - AC_DEFINE(BOS_RESTRICTED_MODE, 1, [define if you want to want bos restricted mode]) -fi - if test "$enable_largefile_fileserver" = "yes"; then AC_DEFINE(AFS_LARGEFILE_ENV, 1, [define if you want large file fileserver]) fi diff --git a/doc/man-pages/pod8/bos.pod b/doc/man-pages/pod8/bos.pod index ce875a2..adeabca 100644 --- a/doc/man-pages/pod8/bos.pod +++ b/doc/man-pages/pod8/bos.pod @@ -36,8 +36,8 @@ restart>, B, B, B, and B. =item * Commands to set and verify server process and server machine status: B, B, B, B, and B. +getlog>, B, B, B, +B, B and B. =item * @@ -252,6 +252,7 @@ L, L, L, L, +L, L, L, L, @@ -266,6 +267,7 @@ L, L, L, L, +L, L, L, L, diff --git a/doc/man-pages/pod8/bos_create.pod b/doc/man-pages/pod8/bos_create.pod index 1f1001a..a0afefd 100644 --- a/doc/man-pages/pod8/bos_create.pod +++ b/doc/man-pages/pod8/bos_create.pod @@ -290,6 +290,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 NOTES If the B<-notifier> argument is included when this command is used to diff --git a/doc/man-pages/pod8/bos_delete.pod b/doc/man-pages/pod8/bos_delete.pod index 9b4d558..6982d05 100644 --- a/doc/man-pages/pod8/bos_delete.pod +++ b/doc/man-pages/pod8/bos_delete.pod 
@@ -87,6 +87,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_exec.pod b/doc/man-pages/pod8/bos_exec.pod index 4cdbe4e..fb65d53 100644 --- a/doc/man-pages/pod8/bos_exec.pod +++ b/doc/man-pages/pod8/bos_exec.pod @@ -79,6 +79,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command is not available on servers running in restricted +mode. + =head1 SEE ALSO L diff --git a/doc/man-pages/pod8/bos_getlog.pod b/doc/man-pages/pod8/bos_getlog.pod index 75d52eb..b397963 100644 --- a/doc/man-pages/pod8/bos_getlog.pod +++ b/doc/man-pages/pod8/bos_getlog.pod @@ -141,6 +141,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +When a server is in restricted mode, B can only return the +contents of the salvager's log. + =head1 SEE ALSO L diff --git a/doc/man-pages/pod8/bos_getrestricted.pod b/doc/man-pages/pod8/bos_getrestricted.pod new file mode 100644 index 0000000..f9706a9 --- /dev/null +++ b/doc/man-pages/pod8/bos_getrestricted.pod @@ -0,0 +1,88 @@ +=head1 NAME + +bos_getrestricted - Displays whether a bos server is restricted or not + +=head1 SYNOPSIS + +=for html +
+ +B S<<< B<-server> > >>> S<<< [B<-cell> >] >>> + [B<-noauth>] [B<-localauth>] [B<-help>] + +=for html +
+ +=head1 DESCRIPTION + +The bos getrestricted command shows whether the server machine named by +the B<-server> argument is running in restricted mode. + +Restricted mode limits access to certain bos commands. See +L for details of which commands are disabled by +restricting a server. + +Use the B command to restrict, or un-restrict, a server. + +=head1 OPTIONS + +=over 4 + +=item B<-server> > + +Indicates the server machine for which to display the restart +times. Identify the machine by IP address or its host name (either +fully-qualified or abbreviated unambiguously). For details, see L. + +=item B<-cell> > + +Names the cell in which to run the command. Do not combine this argument +with the B<-localauth> flag. For more details, see L. + +=item B<-noauth> + +Assigns the unprivileged identity C to the issuer. Do not +combine this flag with the B<-localauth> flag. For more details, see +L. + +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. The B command interpreter presents the +ticket to the BOS Server during mutual authentication. Do not combine this +flag with the B<-cell> or B<-noauth> options. For more details, see +L. + +=item B<-help> + +Prints the online help for this command. All other valid options are +ignored. + +=back + +=head1 OUTPUT + +The output consists of a single line + + Restricted mode is + +Where is "on" or "off" + +=head1 PRIVILEGE REQUIRED + +None + +=head1 SEE ALSO + +L, +L, +L, + +=head1 COPYRIGHT + +Copyright 2009 Simon Wilkinson + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Simon Wilkinson for +OpenAFS. + diff --git a/doc/man-pages/pod8/bos_install.pod b/doc/man-pages/pod8/bos_install.pod index 3b1307b..4ccbca2 100644 --- a/doc/man-pages/pod8/bos_install.pod +++ b/doc/man-pages/pod8/bos_install.pod 
@@ -118,6 +118,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_prune.pod b/doc/man-pages/pod8/bos_prune.pod index b85f96f..fe6896c 100644 --- a/doc/man-pages/pod8/bos_prune.pod +++ b/doc/man-pages/pod8/bos_prune.pod @@ -129,6 +129,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_setrestricted.pod b/doc/man-pages/pod8/bos_setrestricted.pod new file mode 100644 index 0000000..4edef68 --- /dev/null +++ b/doc/man-pages/pod8/bos_setrestricted.pod @@ -0,0 +1,88 @@ +=head1 NAME + +bos_setrestricted - place a server in restricted mode + +=head1 SYNOPSIS + +=for html +
+ +B S<<< B<-server> > >>> S<<< B<-mode> 1 >>> + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-help>] + +=for html +
+ +=head1 DESCRIPTION + +The B command places the server in restricted mode. This +mode increases the security of the bos server by removing access to a +number of bos commands that are only used whilst configuring a system. + +When a server is in restricted mode, access to B, B, +B, B, B, B, B +is denied, and the use of B is limited. + +=head1 CAUTIONS + +Once a server has been placed in restricted mode, it may not be opened up +again using a remote command. That is, B has no method +of setting an unrestricted mode. Once a server is restricted, it can only +be opened up again by sending it a SIGFPE, which must be done as root on +the local machine. + +=head1 OPTIONS + +=over 4 + +=item B<-server> > + +Indicates the server machine to restrict. + +=item B<-cell> > + +Names the cell in which to run the command. Do not combine this argument +with the B<-localauth> flag. For more details, see L. + +=item B<-noauth> + +Assigns the unprivileged identity C to the issuer. Do not +combine this flag with the B<-localauth> flag. For more details, see +L. + +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. The B command interpreter presents the +ticket to the BOS Server during mutual authentication. Do not combine this +flag with the B<-cell> or B<-noauth> options. For more details, see +L. + +=item B<-help> + +Prints the online help for this command. All other valid options are +ignored. + +=back + +=head1 PRIVILEGE REQUIRED + +The issuer must be listed in the F file on the +machine named by the B<-server> argument, or must be logged in as the +local superuser C if the B<-localauth> flag is included. + +As noted above, this command cannot be run against servers which are +already in restricted mode. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2009 Simon wilkinson + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Simon Wilkinson for +OpenAFS. + 
diff --git a/doc/man-pages/pod8/bos_uninstall.pod b/doc/man-pages/pod8/bos_uninstall.pod index fe20ba5..4b4995f 100644 --- a/doc/man-pages/pod8/bos_uninstall.pod +++ b/doc/man-pages/pod8/bos_uninstall.pod @@ -101,6 +101,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers running in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bosserver.pod b/doc/man-pages/pod8/bosserver.pod index aa75e9b..8c7181d 100644 --- a/doc/man-pages/pod8/bosserver.pod +++ b/doc/man-pages/pod8/bosserver.pod @@ -9,7 +9,8 @@ bosserver - Initializes the BOS Server B [B<-noauth>] [B<-log>] [B<-enable_peer_stats>] S<<< [B<-auditlog> >] >>> [B<-audit-interface> (file | sysvmq)] - [B<-enable_process_stats>] [B<-allow-dotted-principals>] [B<-help>] + [B<-enable_process_stats>] [B<-allow-dotted-principals>] + [B<-restricted>] [B<-help>] =for html @@ -154,6 +155,15 @@ user.admin PTS entry. Sites whose Kerberos realms don't have these collisions between principal names may disable this check by starting the server with this option. +=item B<-restricted> + +In normal operation, the bos server allows a super user to run any command. +When the bos server is running in restricted mode (either due to this +command line flag, or when configured by L) a number +of commands are unavailable. Note that this flag persists across reboots. +Once a server has been placed in restricted mode, it can only be opened up +by sending the SIGFPE signal. + =item B<-help> Prints the online help for this command. All other valid options are @@ -183,6 +193,7 @@ L, L, L, L, +L, L, L, L, diff --git a/src/bozo/bos.c b/src/bozo/bos.c index fd79e4f..411e64d 100644 --- a/src/bozo/bos.c +++ b/src/bozo/bos.c @@ -1876,7 +1876,6 @@ DoStat(IN char *aname, return 0; } -#ifdef BOS_RESTRICTED_MODE static int GetRestrict(struct cmd_syndesc *as, void *arock) { 
@@ -1906,7 +1905,6 @@ SetRestrict(struct cmd_syndesc *as, void *arock) printf("bos: failed to set restricted mode (%s)\n", em(code)); return 0; } -#endif static void add_std_args(register struct cmd_syndesc *ts) @@ -2135,11 +2133,13 @@ main(int argc, char **argv) cmd_AddParm(ts, "-newbinary", CMD_FLAG, CMD_OPTIONAL, "set new binary restart time"); add_std_args(ts); + cmd_CreateAlias(ts, "setr"); ts = cmd_CreateSyntax("getrestart", GetRestartCmd, NULL, "get restart times"); cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name"); add_std_args(ts); + cmd_CreateAlias(ts, "getr"); ts = cmd_CreateSyntax("salvage", SalvageCmd, NULL, "salvage partition or volumes"); @@ -2209,7 +2209,6 @@ main(int argc, char **argv) cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name"); add_std_args(ts); -#ifdef BOS_RESTRICTED_MODE ts = cmd_CreateSyntax("getrestricted", GetRestrict, NULL, "get restrict mode"); cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name"); @@ -2221,7 +2220,6 @@ main(int argc, char **argv) cmd_AddParm(ts, "-mode", CMD_SINGLE, 0, "mode to set"); add_std_args(ts); #endif -#endif code = cmd_Dispatch(argc, argv); rx_Finalize(); diff --git a/src/bozo/bosoprocs.c b/src/bozo/bosoprocs.c index 9bd56a0..66e10f5 100644 --- a/src/bozo/bosoprocs.c +++ b/src/bozo/bosoprocs.c @@ -47,9 +47,7 @@ extern struct ktime bozo_nextRestartKT, bozo_nextDayKT; extern struct afsconf_dir *bozo_confdir; extern int bozo_newKTs; extern int DoLogging; -#ifdef BOS_RESTRICTED_MODE extern int bozo_isrestricted; -#endif afs_int32 SBOZO_GetRestartTime(struct rx_call *acall, afs_int32 atype, struct bozo_netKTime *aktime) @@ -125,12 +123,10 @@ SBOZO_Exec(struct rx_call *acall, char *acmd) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing the shell command '%s'\n", caller, acmd); 
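Review bot: The two `cmd_CreateAlias` calls carry no explanation in the code; the reason they exist (keeping the documented `setr`/`getr` abbreviations unambiguous now that `setrestricted`/`getrestricted` are registered) lives only in the commit message. A one-line comment above the first alias, `/* "setr"/"getr" keep the documented abbreviations unambiguous alongside setrestricted/getrestricted */`, would stop a later cleanup from treating them as dead aliases. Ignoring the return value is consistent with the other `cmd_*` calls in `main`, which begins and ends outside the hunk.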
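Review bot: `cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name")` in the getrestricted registration writes the requirement slot as a bare `0`, while the command registered immediately above spells the same slot `CMD_REQUIRED`; the `-server` and `-mode` parameters of setrestricted in the next hunk do the same. If, as elsewhere in this file, a required server name is intended, `cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name");` makes that visible and matches the rest of `main`; if the parameter was meant to be optional, `CMD_OPTIONAL` would say so explicitly instead of relying on a literal.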
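Review bot: A context line `#endif` survives immediately above the removed `-#endif`, so the getrestricted/setrestricted registrations still sit inside some other preprocessor conditional whose opening directive is outside this hunk. It is worth confirming which `#if` that is: if it is a leftover of the restricted-mode guard the two commands would still be compiled out of the default build despite the commit's intent, and if its opening directive was removed elsewhere the file will not preprocess. `main` starts and ends outside the hunk.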
@@ -192,13 +188,11 @@ SBOZO_UnInstall(struct rx_call *acall, register char *aname) osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; } -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalBinPath(aname, &filepath)) { @@ -291,10 +285,8 @@ SBOZO_Install(struct rx_call *acall, char *aname, afs_int32 asize, afs_int32 mod if (!afsconf_SuperUser(bozo_confdir, acall, caller)) return BZACCESS; -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) return BZACCESS; -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalBinPath(aname, &fpp)) { @@ -782,7 +774,6 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance, code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { if (strcmp(atype, "cron") || strcmp(ainstance, "salvage-tmp") || strcmp(ap2, "now") @@ -792,7 +783,6 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance, goto fail; } } -#endif code = bnode_Create(atype, ainstance, &tb, ap1, ap2, ap3, ap4, ap5, notifier, @@ -836,12 +826,10 @@ SBOZO_DeleteBnode(struct rx_call *acall, char *ainstance) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing DeleteBnode '%s'\n", caller, ainstance); @@ -1174,12 +1162,10 @@ SBOZO_Prune(struct rx_call *acall, afs_int32 aflags) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing Prune (flags=%d)\n", caller, aflags); 
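Review bot: In `SBOZO_Install` the now-unconditional `if (bozo_isrestricted) return BZACCESS;` refuses the request without an audit record, whereas the matching check in `SBOZO_UnInstall` in the hunk above emits `osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END)` before returning. A refused privileged install is exactly the event an operator of a restricted server wants in the audit trail, so this path should audit the way the rest of the function presumably does, e.g. `code = BZACCESS; osi_auditU(acall, BOS_InstallEvent, code, AUD_STR, aname, AUD_END); return code;`. The superuser check directly above it has the same gap, though that is pre-existing; the rest of `SBOZO_Install` is outside the hunk.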
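Review bot: The exemption inside `if (bozo_isrestricted)` in `SBOZO_CreateBnode` — a `cron` bnode named `salvage-tmp` whose second parameter is `now` — has no comment saying why restricted mode still permits it, and the remainder of the condition continues past the end of this hunk into the next one. A comment on the `if`, such as `/* restricted mode still allows the one-shot salvage bnode; presumably so bos salvage keeps working */`, would keep a later hardening pass from tightening a deliberate exception. The function head and the `fail:` label are outside the hunk.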
@@ -1436,13 +1422,11 @@ SBOZO_GetLog(register struct rx_call *acall, char *aname) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted && strchr(aname, '/') && strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH)) { code = BZACCESS; goto fail; } -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalLogPath(aname, &logpath)) { @@ -1517,7 +1501,6 @@ SBOZO_GetInstanceStrings(struct rx_call *acall, char *abnodeName, return BZNOENT; } -#ifdef BOS_RESTRICTED_MODE afs_int32 SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode) { @@ -1542,22 +1525,9 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) } bozo_isrestricted = arestmode; code = WriteBozoFile(0); - fail: - return code; -} -#else -afs_int32 -SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode) -{ - return RXGEN_OPCODE; -} -afs_int32 -SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) -{ - return RXGEN_OPCODE; + return code; } -#endif void * bozo_ShutdownAndExit(void *param) diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index df36902..49bc39b 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -78,7 +78,6 @@ int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; -#ifdef BOS_RESTRICTED_MODE int bozo_isrestricted = 0; int bozo_restdisable = 0; @@ -89,7 +88,6 @@ bozo_insecureme(int sig) bozo_isrestricted = 0; bozo_restdisable = 1; } -#endif struct bztemp { FILE *file; @@ -281,9 +279,7 @@ ReadBozoFile(char *aname) afs_int32 i, goal; struct bnode *tb; char *parms[MAXPARMS]; -#ifdef BOS_RESTRICTED_MODE int rmode; -#endif /* rename BozoInit to BosServer for the user */ if (!aname) { 
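Review bot: The restricted-mode check in `SBOZO_GetLog` refuses only names that contain a `/` and are not `AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH`; a bare file name with no slash passes straight through to `ConstructLocalLogPath`, so other logs can still be fetched from a restricted server. That does not match the sentence added to bos_getlog.pod in this same commit, which says getlog "can only return the contents of the salvager's log". Either the check should recognise the salvager log in whatever form the client names it and refuse everything else, or the man page should say that only path-qualified names are restricted; at minimum a comment on the condition, `/* restricted: path-qualified names other than the salvager log are refused; bare names go to ConstructLocalLogPath */`, should record which is intended. What `ConstructLocalLogPath` accepts is outside this hunk.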
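Review bot: `bozo_isrestricted = arestmode;` stores the caller-supplied value as-is and `WriteBozoFile(0)` then persists it, and no range check on `arestmode` is visible in the hunk; unless one exists above it, any non-zero integer becomes the "restricted" flag, is written to BosConfig, and is read back by `ReadBozoFile` (the `restrictmode %d` hunk further down) with the same lack of validation. Normalising at the RPC entry point, `if (arestmode != 0 && arestmode != 1) return BZDOM;` before the assignment, keeps the persisted value to the two documented states. Dropping the `fail:` label is only safe if no `goto fail` remains in the part of `SBOZO_SetRestrictedMode` above this hunk; the function head is outside the hunk.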
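Review bot: `bozo_isrestricted` and `bozo_restdisable` are plain `int`s, yet `bozo_insecureme` in the next hunk writes both from a signal handler and `BozoDaemon` (the `if (bozo_restdisable)` hunk below) polls them from normal context; C only guarantees defined behaviour for objects touched by a handler when they are `volatile sig_atomic_t` (or lock-free atomics). Declaring them `volatile sig_atomic_t bozo_isrestricted = 0;` and `volatile sig_atomic_t bozo_restdisable = 0;` here, and changing the `extern int bozo_isrestricted;` declaration in bosoprocs.c in step, also stops the compiler from caching the flag across the daemon's sleep loop and across the RPC handlers' checks. The assignments from `rmode` and `arestmode` elsewhere in the diff are compatible with that type.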
@@ -367,7 +363,7 @@ ReadBozoFile(char *aname) bozo_nextDayKT.sec = ktsec; continue; } -#ifdef BOS_RESTRICTED_MODE + if (strncmp(tbuffer, "restrictmode", 12) == 0) { code = sscanf(tbuffer, "restrictmode %d", &rmode); if (code != 1) { @@ -381,7 +377,6 @@ ReadBozoFile(char *aname) bozo_isrestricted = rmode; continue; } -#endif if (strncmp("bnode", tbuffer, 5) != 0) { code = -1; @@ -466,9 +461,8 @@ WriteBozoFile(char *aname) if (!tfile) return -1; btemp.file = tfile; -#ifdef BOS_RESTRICTED_MODE + fprintf(tfile, "restrictmode %d\n", bozo_isrestricted); -#endif fprintf(tfile, "restarttime %d %d %d %d %d\n", bozo_nextRestartKT.mask, bozo_nextRestartKT.day, bozo_nextRestartKT.hour, bozo_nextRestartKT.min, bozo_nextRestartKT.sec); @@ -526,12 +520,11 @@ BozoDaemon(void *unused) IOMGR_Sleep(60); now = FT_ApproxTime(); -#ifdef BOS_RESTRICTED_MODE if (bozo_restdisable) { bozo_Log("Restricted mode disabled by signal\n"); bozo_restdisable = 0; } -#endif + if (bozo_newKTs) { /* need to recompute restart times */ bozo_newKTs = 0; /* done for a while */ nextRestart = ktime_next(&bozo_nextRestartKT, BOZO_MINSKIP); @@ -753,9 +746,7 @@ main(int argc, char **argv, char **envp) sigaction(SIGABRT, &nsa, NULL); #endif osi_audit_init(); -#ifdef BOS_RESTRICTED_MODE signal(SIGFPE, bozo_insecureme); -#endif #ifdef AFS_NT40_ENV /* Initialize winsock */ @@ -816,11 +807,9 @@ main(int argc, char **argv, char **envp) } else if (strcmp(argv[code], "-enable_process_stats") == 0) { rx_enableProcessRPCStats(); } -#ifdef BOS_RESTRICTED_MODE else if (strcmp(argv[code], "-restricted") == 0) { bozo_isrestricted = 1; } -#endif else if (strcmp(argv[code], "-rxbind") == 0) { rxBind = 1; } diff --git a/src/config/afsconfig-windows.h b/src/config/afsconfig-windows.h index 05de66a..7248592 100644 --- a/src/config/afsconfig-windows.h +++ b/src/config/afsconfig-windows.h 
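Review bot: The unconditional `fprintf(tfile, "restrictmode %d\n", bozo_isrestricted);` makes every BosConfig start with a line that a bosserver built before this change does not understand, and the `ReadBozoFile` hunk above shows that an unrecognised non-`bnode` line yields `code = -1`. A bosserver from a build where BOS_RESTRICTED_MODE was left undefined would therefore presumably refuse to read a file written by this one, which matters for downgrades and mixed-version upgrades. Either write the line only when the mode is on, or add a comment on the `fprintf`, `/* always written: bosservers built without restricted-mode support reject this line */`, so the compatibility choice is recorded. `WriteBozoFile` starts and ends outside the hunk.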
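Review bot: `signal(SIGFPE, bozo_insecureme);` is installed right after a `sigaction(SIGABRT, &nsa, NULL)` call, so the file now mixes the two APIs for handlers that are always compiled in; `signal()` semantics (handler reset, syscall restart) differ between platforms, while `sigaction` with explicit `sa_flags` behaves the same everywhere and matches the surrounding code. Repurposing SIGFPE as the administrative "leave restricted mode" signal also means a genuine arithmetic fault in the process would be treated as that request, and since `bozo_insecureme` returns, the faulting instruction would simply re-execute. A comment stating that SIGFPE is deliberately reused and that the handler never terminates the process, or using a signal the process does not otherwise raise if one is free, would document the trade-off. The `main` body continues outside the hunk.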
@@ -213,7 +213,6 @@
 /*#undef AFS_AFSDB_ENV*/
 #define AFS_AFSDB_ENV 1
 #undef AFS_NAMEI_ENV
-#define BOS_RESTRICTED_MODE
 #undef FAST_RESTART
 #undef BITMAP_LATER