2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include "../afs/param.h" /* Should be always first */
23 #include "../afs/sysincludes.h" /* Standard vendor system headers */
24 #include "../afs/afsincludes.h" /* Afs-based standard headers */
25 #include "../afs/afs_stats.h" /* statistics */
26 #include "../afs/afs_cbqueue.h"
27 #include "../afs/nfsclient.h"
28 #include "../afs/afs_osidnlc.h"
31 /* Imported variables */
32 extern int afs_shuttingdown;
34 /* Exported variables */
36 afs_uint32 pagCounter = 0;
41 * Pags are implemented as follows: the set of groups whose long
42 * representation is '41XXXXXX' hex are used to represent the pags.
43 * Being a member of such a group means you are authenticated as pag
44 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
45 * multiple pags at once.
47 * The function afs_InitReq takes a credential field and formats the
48 * corresponding venus request structure. The uid field in the
49 * vrequest structure is set to the *pag* you are authenticated as, or
50 * the uid, if you aren't authenticated with a pag.
52 * The basic motivation behind pags is this: just because your unix
53 * uid is N doesn't mean that you should have the same privileges as
54 * anyone logged in on the machine as user N, since this would enable
55 * the superuser on the machine to sneak in and make use of anyone's
56 * authentication info, even that which is only accidentally left
57 * behind when someone leaves a public workstation.
59 * AFS doesn't use the unix uid for anything except
60 * a handle with which to find the actual authentication tokens
61 * anyway, so the pag is an alternative handle which is somewhat more
62 * secure (although of course not absolutely secure).
64 afs_uint32 genpag(void) {
66 #ifdef AFS_LINUX20_ENV
67 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
68 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
70 return (('A' << 24) + (pagCounter++ & 0xffffff));
74 afs_uint32 getpag(void) {
76 #ifdef AFS_LINUX20_ENV
77 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
78 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
80 return (('A' << 24) + (pagCounter & 0xffffff));
85 /* used to require 10 seconds between each setpag to guarantee that
86 * PAGs never wrap - which would be a security hole. If we presume
87 * that in ordinary operation, the average rate of PAG allocation
88 * will not exceed one per second, the 24 bits provided will be
89 * sufficient for ~200 days. Unfortunately, if we merely assume that,
90 * there will be an opportunity for attack. So we must enforce it.
91 * If we need to increase the average rate of PAG allocation, we
92 * should increase the number of bits in a PAG, and/or reduce our
93 * window in which we guarantee that the PAG counter won't wrap.
94 * By permitting an average of one new PAG per second, new PAGs can
95 * be allocated VERY frequently over a short period relative to total uptime.
96 * Of course, there's only an issue here if one user stays logged (and re-
97 * activates tokens repeatedly) for that entire period.
101 #if defined(AFS_SUN5_ENV)
102 afs_setpag (struct AFS_UCRED **credpp)
103 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV)
104 afs_setpag (struct proc *p, void *args, int *retval)
111 #if defined(AFS_SGI53_ENV) && defined(MP)
112 /* This is our first chance to get the global lock. */
114 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
116 AFS_STATCNT(afs_setpag);
118 if (!afs_suser(*credpp))
123 while (osi_Time() - pag_epoch < pagCounter ) {
124 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *) 0, 0);
128 #if defined(AFS_SUN5_ENV)
129 code = AddPag(genpag(), credpp);
130 #elif defined(AFS_OSF_ENV)
131 code = AddPag(p, genpag(), &p->p_rcred);
132 #elif defined(AFS_AIX41_ENV)
135 struct ucred *credp0;
139 code = AddPag(genpag(), &credp);
140 /* If AddPag() didn't make a new cred, then free our cred ref */
141 if (credp == credp0) {
145 #elif defined(AFS_HPUX110_ENV)
147 struct ucred *credp = p_cred(u.u_procp);
148 code = AddPag(genpag(), &credp);
150 #elif defined(AFS_SGI_ENV)
153 credp = OSI_GET_CURRENT_CRED();
154 code = AddPag(genpag(), &credp);
156 #elif defined(AFS_LINUX20_ENV)
158 struct AFS_UCRED *credp = crref();
159 code = AddPag(genpag(), &credp);
162 #elif defined(AFS_DARWIN_ENV)
164 struct ucred *credp=crdup(p->p_cred->pc_ucred);
165 code=AddPag(p, genpag(), &credp);
169 code = AddPag(genpag(), &u.u_cred);
172 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
173 #if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_DARWIN_ENV)
174 #if defined(AFS_SGI53_ENV) && defined(MP)
176 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
185 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV)
186 int AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
187 #else /* AFS_OSF_ENV */
188 int AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
191 afs_int32 newpag, code;
193 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV)
194 if (code = setpag(p, credpp, aval, &newpag, 0))
195 #else /* AFS_OSF_ENV */
196 if (code = setpag(credpp, aval, &newpag, 0))
198 #if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_DARWIN_ENV)
201 return (setuerror(code), code);
207 afs_InitReq(av, acred)
208 register struct vrequest *av;
209 struct AFS_UCRED *acred; {
211 AFS_STATCNT(afs_InitReq);
212 if (afs_shuttingdown) return EIO;
213 av->uid = PagInCred(acred);
214 if (av->uid == NOPAG) {
215 /* Afs doesn't use the unix uid for anuthing except a handle
216 * with which to find the actual authentication tokens so I
217 * think it's ok to use the real uid to make setuid
218 * programs (without setpag) to work properly.
220 #ifdef AFS_DARWIN_ENV
221 av->uid = acred->cr_uid; /* default when no pag is set */
222 /* bsd creds don't have ruid */
224 av->uid = acred->cr_ruid; /* default when no pag is set */
233 afs_uint32 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
237 afs_uint32 h, l, ret;
239 AFS_STATCNT(afs_get_pag_from_groups);
242 if (g0 < 0xc000 && g1 < 0xc000) {
243 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
245 h = (g1 >> 14) + h + h + h;
246 ret = ((h << 28) | l);
247 /* Additional testing */
248 if (((ret >> 24) & 0xff) == 'A')
257 void afs_get_groups_from_pag(afs_uint32 pag, gid_t *g0p, gid_t *g1p)
259 unsigned short g0, g1;
262 AFS_STATCNT(afs_get_groups_from_pag);
264 g0 = 0x3fff & (pag >> 14);
266 g0 |= ((pag >> 28) / 3) << 14;
267 g1 |= ((pag >> 28) % 3) << 14;
273 afs_int32 PagInCred(const struct AFS_UCRED *cred)
278 AFS_STATCNT(PagInCred);
282 #ifdef AFS_DARWIN_ENV
283 if (cred == NOCRED || cred == FSCRED) {
286 if (cred->cr_ngroups < 3) return NOPAG;
287 /* gid is stored in cr_groups[0] */
288 g0 = cred->cr_groups[1];
289 g1 = cred->cr_groups[2];
292 if (cred->cr_ngrps < 2) {
296 #if defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX_ENV)
297 if (cred->cr_ngroups < 2) return NOPAG;
301 g0 = cred->cr_groups[0];
302 g1 = cred->cr_groups[1];
303 pag = (afs_int32)afs_get_pag_from_groups(g0, g1);