2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include <afsconfig.h>
23 #include "afs/param.h"
26 #include "afs/sysincludes.h" /* Standard vendor system headers */
27 #include "afsincludes.h" /* Afs-based standard headers */
28 #include "afs/afs_stats.h" /* statistics */
29 #include "afs/afs_cbqueue.h"
30 #include "afs/nfsclient.h"
31 #include "afs/afs_osidnlc.h"
34 /* Imported variables */
35 extern int afs_shuttingdown;
37 /* Exported variables */
39 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
40 afs_uint32 pagCounter = 1;
42 afs_uint32 pagCounter = 0;
43 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
45 #ifdef AFS_LINUX26_ONEGROUP_ENV
46 #define NUMPAGGROUPS 1
48 #define NUMPAGGROUPS 2
53 * Pags are implemented as follows: the set of groups whose long
54 * representation is '41XXXXXX' hex are used to represent the pags.
55 * Being a member of such a group means you are authenticated as pag
56 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
57 * multiple pags at once.
59 * The function afs_InitReq takes a credential field and formats the
60 * corresponding venus request structure. The uid field in the
61 * vrequest structure is set to the *pag* you are authenticated as, or
62 * the uid, if you aren't authenticated with a pag.
64 * The basic motivation behind pags is this: just because your unix
65 * uid is N doesn't mean that you should have the same privileges as
66 * anyone logged in on the machine as user N, since this would enable
67 * the superuser on the machine to sneak in and make use of anyone's
68 * authentication info, even that which is only accidentally left
69 * behind when someone leaves a public workstation.
71 * AFS doesn't use the unix uid for anything except
72 * a handle with which to find the actual authentication tokens
73 * anyway, so the pag is an alternative handle which is somewhat more
74 * secure (although of course not absolutely secure).
76 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
81 #ifdef AFS_LINUX20_ENV
82 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
83 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
84 #else /* AFS_LINUX20_ENV */
85 return (('A' << 24) + (pagCounter++ & 0xffffff));
86 #endif /* AFS_LINUX20_ENV */
93 #ifdef AFS_LINUX20_ENV
94 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
95 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
97 return (('A' << 24) + (pagCounter & 0xffffff));
103 /* Web enhancement: we don't need to restrict pags to 41XXXXXX since
104 * we are not sharing the space with anyone. So we use the full 32 bits. */
110 #ifdef AFS_LINUX20_ENV
111 return (pag_epoch + pagCounter++);
113 return (pagCounter++);
114 #endif /* AFS_LINUX20_ENV */
121 #ifdef AFS_LINUX20_ENV
122 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
123 return (pag_epoch + pagCounter);
128 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
130 /* used to require 10 seconds between each setpag to guarantee that
131 * PAGs never wrap - which would be a security hole. If we presume
132 * that in ordinary operation, the average rate of PAG allocation
133 * will not exceed one per second, the 24 bits provided will be
134 * sufficient for ~200 days. Unfortunately, if we merely assume that,
135 * there will be an opportunity for attack. So we must enforce it.
136 * If we need to increase the average rate of PAG allocation, we
137 * should increase the number of bits in a PAG, and/or reduce our
138 * window in which we guarantee that the PAG counter won't wrap.
139 * By permitting an average of one new PAG per second, new PAGs can
140 * be allocated VERY frequently over a short period relative to total uptime.
141 * Of course, there's only an issue here if one user stays logged (and re-
142 * activates tokens repeatedly) for that entire period.
145 static int afs_pag_sleepcnt = 0;
146 static int afs_pag_timewarn = 0;
149 afs_pag_sleep(afs_ucred_t **acred)
153 if (!afs_suser(acred)) {
154 if(osi_Time() - pag_epoch < pagCounter) {
157 if (rv && (osi_Time() < pag_epoch)) {
158 if (!afs_pag_timewarn) {
159 afs_pag_timewarn = 1;
160 afs_warn("clock went backwards, not PAG throttling");
170 afs_pag_wait(afs_ucred_t **acred)
172 if (afs_pag_sleep(acred)) {
173 if (!afs_pag_sleepcnt) {
174 afs_warn("%s() PAG throttling triggered, pid %d... sleeping. sleepcnt %d\n",
175 "afs_pag_wait", osi_getpid(), afs_pag_sleepcnt);
181 /* XXX spins on EINTR */
182 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *)0, 0);
183 } while (afs_pag_sleep(acred));
192 #if defined(AFS_SUN5_ENV)
193 afs_setpag(afs_ucred_t **credpp)
194 #elif defined(AFS_FBSD_ENV)
195 afs_setpag(struct thread *td, void *args)
196 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
197 afs_setpag(afs_proc_t *p, void *args, int *retval)
203 #if defined(AFS_SUN5_ENV)
204 afs_ucred_t **acred = *credpp;
205 #elif defined(AFS_OBSD_ENV)
206 afs_ucred_t **acred = &p->p_ucred;
208 afs_ucred_t **acred = NULL;
213 #if defined(AFS_SGI53_ENV) && defined(MP)
214 /* This is our first chance to get the global lock. */
216 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
218 AFS_STATCNT(afs_setpag);
223 #if defined(AFS_SUN5_ENV)
224 code = AddPag(genpag(), credpp);
225 #elif defined(AFS_FBSD_ENV)
226 code = AddPag(td, genpag(), &td->td_ucred);
227 #elif defined(AFS_NBSD40_ENV)
228 /* XXXX won't work */
229 code = AddPag(p, genpag(), (afs_ucred_t **) osi_curcred());
230 #elif defined(AFS_XBSD_ENV)
231 code = AddPag(p, genpag(), &p->p_rcred);
232 #elif defined(AFS_AIX41_ENV)
235 struct ucred *credp0;
239 code = AddPag(genpag(), &credp);
240 /* If AddPag() didn't make a new cred, then free our cred ref */
241 if (credp == credp0) {
245 #elif defined(AFS_HPUX110_ENV)
247 struct ucred *credp = p_cred(u.u_procp);
248 code = AddPag(genpag(), &credp);
250 #elif defined(AFS_SGI_ENV)
253 credp = OSI_GET_CURRENT_CRED();
254 code = AddPag(genpag(), &credp);
256 #elif defined(AFS_LINUX20_ENV)
258 afs_ucred_t *credp = crref();
259 code = AddPag(genpag(), &credp);
262 #elif defined(AFS_DARWIN80_ENV)
264 afs_ucred_t *credp = kauth_cred_proc_ref(p);
265 code = AddPag(p, genpag(), &credp);
268 #elif defined(AFS_DARWIN_ENV)
270 afs_ucred_t *credp = crdup(p->p_cred->pc_ucred);
271 code = AddPag(p, genpag(), &credp);
274 #elif defined(UKERNEL)
275 code = AddPag(genpag(), &(get_user_struct()->u_cred));
277 code = AddPag(genpag(), &u.u_cred);
280 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
282 #if defined(KERNEL_HAVE_UERROR)
287 #if defined(AFS_SGI53_ENV) && defined(MP)
289 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
294 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
297 * This function is like setpag but sets the current thread's pag id to a
298 * caller-provided value instead of calling genpag(). This implements a
299 * form of token caching since the caller can recall a particular pag value
300 * for the thread to restore tokens, rather than reauthenticating.
303 #if defined(AFS_SUN5_ENV)
304 afs_setpag_val(afs_ucred_t **credpp, int pagval)
305 #elif defined(AFS_FBSD_ENV)
306 afs_setpag_val(struct thread *td, void *args, int pagval)
307 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
308 afs_setpag_val(afs_proc_t *p, void *args, int *retval, int pagval)
310 afs_setpag_val(int pagval)
314 #if defined(AFS_SUN5_ENV)
315 afs_ucred_t **acred = *credp;
316 #elif defined(AFS_OBSD_ENV)
317 afs_ucred_t **acred = &p->p_ucred;
319 afs_ucred_t **acred = NULL;
324 #if defined(AFS_SGI53_ENV) && defined(MP)
325 /* This is our first chance to get the global lock. */
327 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
329 AFS_STATCNT(afs_setpag);
333 #if defined(AFS_SUN5_ENV)
334 code = AddPag(pagval, credpp);
335 #elif defined(AFS_FBSD_ENV)
336 code = AddPag(td, pagval, &td->td_ucred);
337 #elif defined(AFS_XBSD_ENV)
338 code = AddPag(p, pagval, &p->p_rcred);
339 #elif defined(AFS_AIX41_ENV)
342 struct ucred *credp0;
346 code = AddPag(pagval, &credp);
347 /* If AddPag() didn't make a new cred, then free our cred ref */
348 if (credp == credp0) {
352 #elif defined(AFS_HPUX110_ENV)
354 struct ucred *credp = p_cred(u.u_procp);
355 code = AddPag(pagval, &credp);
357 #elif defined(AFS_SGI_ENV)
360 credp = OSI_GET_CURRENT_CRED();
361 code = AddPag(pagval, &credp);
363 #elif defined(AFS_LINUX20_ENV)
365 afs_ucred_t *credp = crref();
366 code = AddPag(pagval, &credp);
369 #elif defined(AFS_DARWIN_ENV)
371 struct ucred *credp = crdup(p->p_cred->pc_ucred);
372 code = AddPag(p, pagval, &credp);
375 #elif defined(UKERNEL)
376 code = AddPag(pagval, &(get_user_struct()->u_cred));
378 code = AddPag(pagval, &u.u_cred);
381 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
382 #if defined(KERNEL_HAVE_UERROR)
386 #if defined(AFS_SGI53_ENV) && defined(MP)
388 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
392 #ifndef AFS_LINUX26_ONEGROUP_ENV
398 afs_ucred_t *credp = get_user_struct()->u_cred;
400 afs_ucred_t *credp = u.u_cred;
402 gid_t gidset0, gidset1;
403 #ifdef AFS_SUN510_ENV
406 gids = crgetgroups(*credp);
410 gidset0 = credp->cr_groups[0];
411 gidset1 = credp->cr_groups[1];
413 pagvalue = afs_get_pag_from_groups(gidset0, gidset1);
417 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
420 /* Note - needs to be available on AIX, others can be static - rework this */
422 #if defined(AFS_FBSD_ENV)
423 AddPag(struct thread *p, afs_int32 aval, afs_ucred_t **credpp)
424 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
425 AddPag(afs_proc_t *p, afs_int32 aval, afs_ucred_t **credpp)
427 AddPag(afs_int32 aval, afs_ucred_t **credpp)
434 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
435 if ((code = setpag(p, credpp, aval, &newpag, 0)))
436 #elif defined(AFS_NBSD40_ENV)
437 if ((code = setpag(p, (void *) credpp, aval, &newpag, 0)))
439 if ((code = setpag(credpp, aval, &newpag, 0)))
441 #if defined(KERNEL_HAVE_UERROR)
442 return (setuerror(code), code);
451 afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
453 #if defined(AFS_LINUX26_ENV) && !defined(AFS_NONFSTRANS)
457 AFS_STATCNT(afs_InitReq);
458 memset(av, 0, sizeof(*av));
459 if (afs_shuttingdown)
462 #ifdef AFS_LINUX26_ENV
463 #if !defined(AFS_NONFSTRANS)
464 if (osi_linux_nfs_initreq(av, acred, &code))
469 av->uid = PagInCred(acred);
470 if (av->uid == NOPAG) {
471 /* Afs doesn't use the unix uid for anuthing except a handle
472 * with which to find the actual authentication tokens so I
473 * think it's ok to use the real uid to make setuid
474 * programs (without setpag) to work properly.
476 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
478 av->uid = -2; /* XXX nobody... ? */
480 av->uid = afs_cr_uid(acred); /* bsd creds don't have ruid */
481 #elif defined(AFS_SUN510_ENV)
482 av->uid = crgetruid(acred);
484 av->uid = afs_cr_uid(acred); /* default when no pag is set */
490 #ifndef AFS_LINUX26_ONEGROUP_ENV
492 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
496 afs_uint32 h, l, ret;
498 AFS_STATCNT(afs_get_pag_from_groups);
502 if (g0 < 0xc000 && g1 < 0xc000) {
503 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
505 h = (g1 >> 14) + h + h + h;
506 ret = ((h << 28) | l);
507 # if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
510 /* Additional testing */
511 if (((ret >> 24) & 0xff) == 'A')
513 # endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
519 afs_get_groups_from_pag(afs_uint32 pag, gid_t * g0p, gid_t * g1p)
521 unsigned short g0, g1;
523 AFS_STATCNT(afs_get_groups_from_pag);
526 # if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
528 # endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
529 g0 = 0x3fff & (pag >> 14);
531 g0 |= ((pag >> 28) / 3) << 14;
532 g1 |= ((pag >> 28) % 3) << 14;
537 void afs_get_groups_from_pag(afs_uint32 pag, gid_t *g0p, gid_t *g1p)
539 AFS_STATCNT(afs_get_groups_from_pag);
545 #ifndef AFS_LINUX26_ENV
547 osi_get_group_pag(afs_ucred_t *cred)
549 afs_int32 pag = NOPAG;
551 #if defined(AFS_SUN510_ENV)
556 #if defined(AFS_SUN510_ENV)
557 gids = crgetgroups(cred);
558 ngroups = crgetngroups(cred);
560 #if defined(AFS_NBSD40_ENV)
561 #warning com afs_ucred_t w/magic will not work
562 if (cred == NOCRED || cred == FSCRED)
564 if (osi_crngroups(cred) < 3)
566 g0 = osi_crgroupbyid(cred, 0);
567 g1 = osi_crgroupbyid(cred, 1);
568 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
569 if (cred == NOCRED || cred == FSCRED)
571 if (cred->cr_ngroups < 3)
573 /* gid is stored in cr_groups[0] */
574 g0 = cred->cr_groups[1];
575 g1 = cred->cr_groups[2];
577 # if defined(AFS_AIX_ENV)
578 if (cred->cr_ngrps < 2)
580 # elif defined(AFS_LINUX26_ENV)
581 if (afs_cr_group_info(cred)->ngroups < NUMPAGGROUPS)
583 # elif defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_XBSD_ENV)
584 # if defined(AFS_SUN510_ENV)
587 if (cred->cr_ngroups < 2) {
592 # if defined(AFS_AIX51_ENV)
593 g0 = cred->cr_groupset.gs_union.un_groups[0];
594 g1 = cred->cr_groupset.gs_union.un_groups[1];
595 #elif defined(AFS_SUN510_ENV)
599 g0 = cred->cr_groups[0];
600 g1 = cred->cr_groups[1];
603 pag = (afs_int32) afs_get_pag_from_groups(g0, g1);
610 PagInCred(afs_ucred_t *cred)
612 afs_int32 pag = NOPAG;
614 AFS_STATCNT(PagInCred);
615 if (cred == NULL || cred == afs_osi_credp) {
618 #if defined(AFS_LINUX26_ENV) && defined(LINUX_KEYRING_SUPPORT)
620 * If linux keyrings are in use and we carry the session keyring in our credentials
621 * structure, they should be the only criteria for determining
622 * if we're in a PAG. Groups are updated for legacy reasons only for now,
623 * and should not be used to infer PAG membership
624 * With keyrings but no kernel credentials, look at groups first and fall back
625 * to looking at the keyrings.
627 # if !defined(STRUCT_TASK_STRUCT_HAS_CRED)
628 pag = osi_get_group_pag(cred);
631 pag = osi_get_keyring_pag(cred);
633 pag = osi_get_group_pag(cred);