2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include <afsconfig.h>
23 #include "afs/param.h"
26 #include "afs/sysincludes.h" /* Standard vendor system headers */
27 #include "afsincludes.h" /* Afs-based standard headers */
28 #include "afs/afs_stats.h" /* statistics */
29 #include "afs/afs_cbqueue.h"
30 #include "afs/nfsclient.h"
31 #include "afs/afs_osidnlc.h"
34 /* Imported variables */
35 extern enum afs_shutdown_state afs_shuttingdown;
37 /* Exported variables */
40 afs_uint32 pagCounter = 1;
42 afs_uint32 pagCounter = 0;
46 * Pags are implemented as follows: the set of groups whose long
47 * representation is '41XXXXXX' hex are used to represent the pags.
48 * Being a member of such a group means you are authenticated as pag
49 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
50 * multiple pags at once.
52 * The function afs_InitReq takes a credential field and formats the
53 * corresponding venus request structure. The uid field in the
54 * vrequest structure is set to the *pag* you are authenticated as, or
55 * the uid, if you aren't authenticated with a pag.
57 * The basic motivation behind pags is this: just because your unix
58 * uid is N doesn't mean that you should have the same privileges as
59 * anyone logged in on the machine as user N, since this would enable
60 * the superuser on the machine to sneak in and make use of anyone's
61 * authentication info, even that which is only accidentally left
62 * behind when someone leaves a public workstation.
64 * AFS doesn't use the unix uid for anything except
65 * a handle with which to find the actual authentication tokens
66 * anyway, so the pag is an alternative handle which is somewhat more
67 * secure (although of course not absolutely secure).
74 #ifdef AFS_LINUX20_ENV
75 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
76 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
77 #else /* AFS_LINUX20_ENV */
78 return (('A' << 24) + (pagCounter++ & 0xffffff));
79 #endif /* AFS_LINUX20_ENV */
86 #ifdef AFS_LINUX20_ENV
87 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
88 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
90 return (('A' << 24) + (pagCounter & 0xffffff));
96 /* Web enhancement: we don't need to restrict pags to 41XXXXXX since
97 * we are not sharing the space with anyone. So we use the full 32 bits. */
103 #ifdef AFS_LINUX20_ENV
104 return (pag_epoch + pagCounter++);
106 return (pagCounter++);
107 #endif /* AFS_LINUX20_ENV */
114 #ifdef AFS_LINUX20_ENV
115 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
116 return (pag_epoch + pagCounter);
123 /* used to require 10 seconds between each setpag to guarantee that
124 * PAGs never wrap - which would be a security hole. If we presume
125 * that in ordinary operation, the average rate of PAG allocation
126 * will not exceed one per second, the 24 bits provided will be
127 * sufficient for ~200 days. Unfortunately, if we merely assume that,
128 * there will be an opportunity for attack. So we must enforce it.
129 * If we need to increase the average rate of PAG allocation, we
130 * should increase the number of bits in a PAG, and/or reduce our
131 * window in which we guarantee that the PAG counter won't wrap.
132 * By permitting an average of one new PAG per second, new PAGs can
133 * be allocated VERY frequently over a short period relative to total uptime.
134 * Of course, there's only an issue here if one user stays logged (and re-
135 * activates tokens repeatedly) for that entire period.
138 static int afs_pag_sleepcnt = 0;
139 static int afs_pag_timewarn = 0;
142 afs_pag_sleep(afs_ucred_t *acred)
146 if (!afs_suser(acred)) {
147 if(osi_Time() - pag_epoch < pagCounter) {
150 if (rv && (osi_Time() < pag_epoch)) {
151 if (!afs_pag_timewarn) {
152 afs_pag_timewarn = 1;
153 afs_warn("clock went backwards, not PAG throttling");
163 afs_pag_wait(afs_ucred_t *acred)
167 if (afs_pag_sleep(acred)) {
168 if (!afs_pag_sleepcnt) {
169 afs_warn("%s() PAG throttling triggered, pid %d... sleeping. sleepcnt %d\n",
170 "afs_pag_wait", osi_getpid(), afs_pag_sleepcnt);
176 code = afs_osi_Wait(1000, (struct afs_osi_WaitHandle *)0, 0);
177 } while (!code && afs_pag_sleep(acred));
186 #if defined(AFS_SUN5_ENV)
187 afs_setpag(afs_ucred_t **credpp)
188 #elif defined(AFS_FBSD_ENV)
189 afs_setpag(struct thread *td, void *args)
190 #elif defined(AFS_NBSD_ENV)
191 afs_setpag(afs_proc_t *p, const void *args, register_t *retval)
192 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
193 afs_setpag(afs_proc_t *p, void *args, int *retval)
199 #if defined(AFS_SUN5_ENV)
200 afs_ucred_t *acred = *credpp;
201 #elif defined(AFS_OBSD_ENV)
202 afs_ucred_t *acred = p->p_ucred;
204 afs_ucred_t *acred = NULL;
209 #if defined(AFS_SGI53_ENV) && defined(MP)
210 /* This is our first chance to get the global lock. */
212 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
214 AFS_STATCNT(afs_setpag);
216 code = afs_pag_wait(acred);
222 #if defined(AFS_SUN5_ENV)
223 code = AddPag(genpag(), credpp);
224 #elif defined(AFS_FBSD_ENV)
225 code = AddPag(td, genpag(), &td->td_ucred);
226 #elif defined(AFS_NBSD40_ENV)
227 code = AddPag(p, genpag(), &p->l_proc->p_cred);
228 #elif defined(AFS_XBSD_ENV)
229 code = AddPag(p, genpag(), &p->p_rcred);
230 #elif defined(AFS_AIX41_ENV)
233 struct ucred *credp0;
237 code = AddPag(genpag(), &credp);
238 /* If AddPag() didn't make a new cred, then free our cred ref */
239 if (credp == credp0) {
243 #elif defined(AFS_HPUX110_ENV)
245 struct ucred *credp = p_cred(u.u_procp);
246 code = AddPag(genpag(), &credp);
248 #elif defined(AFS_SGI_ENV)
251 credp = OSI_GET_CURRENT_CRED();
252 code = AddPag(genpag(), &credp);
254 #elif defined(AFS_LINUX20_ENV)
256 afs_ucred_t *credp = crref();
257 code = AddPag(genpag(), &credp);
260 #elif defined(AFS_DARWIN80_ENV)
262 afs_ucred_t *credp = kauth_cred_proc_ref(p);
263 code = AddPag(p, genpag(), &credp);
266 #elif defined(AFS_DARWIN_ENV)
268 afs_ucred_t *credp = crdup(p->p_cred->pc_ucred);
269 code = AddPag(p, genpag(), &credp);
272 #elif defined(UKERNEL)
273 code = AddPag(genpag(), &(get_user_struct()->u_cred));
275 code = AddPag(genpag(), &u.u_cred);
279 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
281 #if defined(KERNEL_HAVE_UERROR)
286 #if defined(AFS_SGI53_ENV) && defined(MP)
288 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
296 * This function is like setpag but sets the current thread's pag id to a
297 * caller-provided value instead of calling genpag(). This implements a
298 * form of token caching since the caller can recall a particular pag value
299 * for the thread to restore tokens, rather than reauthenticating.
302 #if defined(AFS_SUN5_ENV)
303 afs_setpag_val(afs_ucred_t **credpp, int pagval)
304 #elif defined(AFS_FBSD_ENV)
305 afs_setpag_val(struct thread *td, void *args, int pagval)
306 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
307 afs_setpag_val(afs_proc_t *p, void *args, int *retval, int pagval)
309 afs_setpag_val(int pagval)
313 #if defined(AFS_SUN5_ENV)
314 afs_ucred_t *acred = *credp;
315 #elif defined(AFS_OBSD_ENV)
316 afs_ucred_t *acred = p->p_ucred;
318 afs_ucred_t *acred = NULL;
323 #if defined(AFS_SGI53_ENV) && defined(MP)
324 /* This is our first chance to get the global lock. */
326 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
328 AFS_STATCNT(afs_setpag);
330 code = afs_pag_wait(acred);
335 #if defined(AFS_SUN5_ENV)
336 code = AddPag(pagval, credpp);
337 #elif defined(AFS_FBSD_ENV)
338 code = AddPag(td, pagval, &td->td_ucred);
339 #elif defined(AFS_XBSD_ENV)
340 code = AddPag(p, pagval, &p->p_rcred);
341 #elif defined(AFS_AIX41_ENV)
344 struct ucred *credp0;
348 code = AddPag(pagval, &credp);
349 /* If AddPag() didn't make a new cred, then free our cred ref */
350 if (credp == credp0) {
354 #elif defined(AFS_HPUX110_ENV)
356 struct ucred *credp = p_cred(u.u_procp);
357 code = AddPag(pagval, &credp);
359 #elif defined(AFS_SGI_ENV)
362 credp = OSI_GET_CURRENT_CRED();
363 code = AddPag(pagval, &credp);
365 #elif defined(AFS_LINUX20_ENV)
367 afs_ucred_t *credp = crref();
368 code = AddPag(pagval, &credp);
371 #elif defined(AFS_DARWIN_ENV)
373 struct ucred *credp = crdup(p->p_cred->pc_ucred);
374 code = AddPag(p, pagval, &credp);
377 #elif defined(UKERNEL)
378 code = AddPag(pagval, &(get_user_struct()->u_cred));
380 code = AddPag(pagval, &u.u_cred);
384 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
385 #if defined(KERNEL_HAVE_UERROR)
389 #if defined(AFS_SGI53_ENV) && defined(MP)
391 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
395 #ifndef AFS_PAG_ONEGROUP_ENV
401 afs_ucred_t *credp = get_user_struct()->u_cred;
403 afs_ucred_t *credp = u.u_cred;
405 gid_t gidset0, gidset1;
406 #ifdef AFS_SUN510_ENV
409 gids = crgetgroups(*credp);
413 gidset0 = credp->cr_groups[0];
414 gidset1 = credp->cr_groups[1];
416 pagvalue = afs_get_pag_from_groups(gidset0, gidset1);
423 /* Note - needs to be available on AIX, others can be static - rework this */
425 #if defined(AFS_FBSD_ENV)
426 AddPag(struct thread *p, afs_int32 aval, afs_ucred_t **credpp)
427 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
428 AddPag(afs_proc_t *p, afs_int32 aval, afs_ucred_t **credpp)
430 AddPag(afs_int32 aval, afs_ucred_t **credpp)
437 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
438 if ((code = setpag(p, credpp, aval, &newpag, 0)))
440 if ((code = setpag(credpp, aval, &newpag, 0)))
442 #if defined(KERNEL_HAVE_UERROR)
443 return (setuerror(code), code);
452 afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
454 #if defined(AFS_LINUX26_ENV) && !defined(AFS_NONFSTRANS)
458 AFS_STATCNT(afs_InitReq);
459 memset(av, 0, sizeof(*av));
460 if (afs_shuttingdown == AFS_SHUTDOWN)
463 #ifdef AFS_LINUX26_ENV
464 #if !defined(AFS_NONFSTRANS)
465 if (osi_linux_nfs_initreq(av, acred, &code))
470 av->uid = PagInCred(acred);
471 if (av->uid == NOPAG) {
472 /* Afs doesn't use the unix uid for anuthing except a handle
473 * with which to find the actual authentication tokens so I
474 * think it's ok to use the real uid to make setuid
475 * programs (without setpag) to work properly.
477 #if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
479 av->uid = -2; /* XXX nobody... ? */
481 av->uid = afs_cr_uid(acred); /* bsd creds don't have ruid */
482 #elif defined(AFS_SUN510_ENV)
483 av->uid = crgetruid(acred);
485 av->uid = afs_cr_ruid(acred); /* default when no pag is set */
492 * Allocate and setup a vrequest.
494 * \note The caller must free the allocated vrequest with
495 * afs_DestroyReq() if this function returns successfully (zero).
497 * \note The GLOCK must be held on platforms which require the GLOCK
498 * for osi_AllocSmallSpace() and osi_FreeSmallSpace().
500 * \param[out] avpp address of the vrequest pointer
501 * \param[in] acred user credentials to setup the vrequest
502 * afs_osi_credp should be used for anonymous connections
503 * \return 0 on success
506 afs_CreateReq(struct vrequest **avpp, afs_ucred_t *acred)
509 struct vrequest *treq = NULL;
511 if (afs_shuttingdown == AFS_SHUTDOWN) {
514 if (!avpp || !acred) {
517 treq = osi_AllocSmallSpace(sizeof(struct vrequest));
521 code = afs_InitReq(treq, acred);
523 osi_FreeSmallSpace(treq);
531 * Deallocate a vrequest.
533 * \note The GLOCK must be held on platforms which require the GLOCK
534 * for osi_FreeSmallSpace().
536 * \param[in] av pointer to the vrequest to free; may be NULL
539 afs_DestroyReq(struct vrequest *av)
542 osi_FreeSmallSpace(av);
547 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
551 afs_uint32 h, l, ret;
553 AFS_STATCNT(afs_get_pag_from_groups);
557 if (g0 < 0xc000 && g1 < 0xc000) {
558 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
560 h = (g1 >> 14) + h + h + h;
561 ret = ((h << 28) | l);
562 # if defined(UKERNEL)
565 /* Additional testing */
566 if (((ret >> 24) & 0xff) == 'A')
568 # endif /* UKERNEL */
573 #ifndef AFS_PAG_ONEGROUP_ENV
575 afs_get_groups_from_pag(afs_uint32 pag, gid_t * g0p, gid_t * g1p)
577 unsigned short g0, g1;
579 AFS_STATCNT(afs_get_groups_from_pag);
582 # if !defined(UKERNEL)
584 # endif /* UKERNEL */
585 g0 = 0x3fff & (pag >> 14);
587 g0 |= ((pag >> 28) / 3) << 14;
588 g1 |= ((pag >> 28) % 3) << 14;
594 afs_get_groups_from_pag(afs_uint32 pag, gid_t *g0p, gid_t *g1p)
596 AFS_STATCNT(afs_get_groups_from_pag);
602 #ifdef AFS_LINUX26_ENV
603 /* osi_get_group_pag is defined in <ARCH>/osi_groups.c */
604 #elif defined(AFS_PAG_ONEGROUP_ENV)
605 /* osi_get_group_pag is defined in <ARCH>/osi_groups.c */
606 #elif defined(AFS_DARWIN110_ENV)
607 /* We don't have pags, so we do not define an osi_get_group_pag */
610 osi_get_group_pag(afs_ucred_t *cred)
612 afs_int32 pag = NOPAG;
614 #if defined(AFS_SUN510_ENV)
619 #if defined(AFS_SUN510_ENV)
620 gids = crgetgroups(cred);
621 ngroups = crgetngroups(cred);
623 #if defined(AFS_NBSD40_ENV)
624 if (cred == NOCRED || cred == FSCRED)
626 if (osi_crngroups(cred) < 3)
628 g0 = osi_crgroupbyid(cred, 1);
629 g1 = osi_crgroupbyid(cred, 2);
630 #elif defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
631 if (cred == NOCRED || cred == FSCRED)
633 if (cred->cr_ngroups < 3)
635 /* gid is stored in cr_groups[0] */
636 g0 = cred->cr_groups[1];
637 g1 = cred->cr_groups[2];
639 # if defined(AFS_AIX_ENV)
640 if (cred->cr_ngrps < 2)
642 # elif defined(AFS_LINUX26_ENV)
643 if (afs_cr_group_info(cred)->ngroups < AFS_NUMPAGGROUPS)
645 # elif defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_XBSD_ENV)
646 # if defined(AFS_SUN510_ENV)
649 if (cred->cr_ngroups < 2) {
654 # if defined(AFS_AIX51_ENV)
655 g0 = cred->cr_groupset.gs_union.un_groups[0];
656 g1 = cred->cr_groupset.gs_union.un_groups[1];
657 #elif defined(AFS_SUN510_ENV)
661 g0 = cred->cr_groups[0];
662 g1 = cred->cr_groups[1];
665 pag = (afs_int32) afs_get_pag_from_groups(g0, g1);
672 PagInCred(afs_ucred_t *cred)
674 afs_int32 pag = NOPAG;
676 AFS_STATCNT(PagInCred);
677 if (cred == NULL || cred == afs_osi_credp) {
680 #ifndef AFS_DARWIN110_ENV
681 #if defined(AFS_LINUX26_ENV) && defined(LINUX_KEYRING_SUPPORT)
683 * If linux keyrings are in use and we carry the session keyring in our credentials
684 * structure, they should be the only criteria for determining
685 * if we're in a PAG. Groups are updated for legacy reasons only for now,
686 * and should not be used to infer PAG membership
687 * With keyrings but no kernel credentials, look at groups first and fall back
688 * to looking at the keyrings.
690 # if !defined(STRUCT_TASK_STRUCT_HAS_CRED)
691 pag = osi_get_group_pag(cred);
694 pag = osi_get_keyring_pag(cred);
695 #elif defined(AFS_AIX51_ENV)
696 if (kcred_getpag(cred, PAG_AFS, &pag) < 0 || pag == 0)
699 pag = osi_get_group_pag(cred);