2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
17 * afs_get_pag_from_groups
18 * afs_get_groups_from_pag
22 #include <afsconfig.h>
23 #include "../afs/param.h"
27 #include "../afs/sysincludes.h" /* Standard vendor system headers */
28 #include "../afs/afsincludes.h" /* Afs-based standard headers */
29 #include "../afs/afs_stats.h" /* statistics */
30 #include "../afs/afs_cbqueue.h"
31 #include "../afs/nfsclient.h"
32 #include "../afs/afs_osidnlc.h"
35 /* Imported variables */
36 extern int afs_shuttingdown;
38 /* Exported variables */
40 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
41 afs_uint32 pagCounter = 1;
43 afs_uint32 pagCounter = 0;
44 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
49 * Pags are implemented as follows: the set of groups whose long
50 * representation is '41XXXXXX' hex are used to represent the pags.
51 * Being a member of such a group means you are authenticated as pag
52 * XXXXXX (0x41 == 'A', for Andrew). You are never authenticated as
53 * multiple pags at once.
55 * The function afs_InitReq takes a credential field and formats the
56 * corresponding venus request structure. The uid field in the
57 * vrequest structure is set to the *pag* you are authenticated as, or
58 * the uid, if you aren't authenticated with a pag.
60 * The basic motivation behind pags is this: just because your unix
61 * uid is N doesn't mean that you should have the same privileges as
62 * anyone logged in on the machine as user N, since this would enable
63 * the superuser on the machine to sneak in and make use of anyone's
64 * authentication info, even that which is only accidentally left
65 * behind when someone leaves a public workstation.
67 * AFS doesn't use the unix uid for anything except
68 * a handle with which to find the actual authentication tokens
69 * anyway, so the pag is an alternative handle which is somewhat more
70 * secure (although of course not absolutely secure).
72 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
73 afs_uint32 genpag(void) {
75 #ifdef AFS_LINUX20_ENV
76 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
77 return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
78 #else /* AFS_LINUX20_ENV */
79 return (('A' << 24) + (pagCounter++ & 0xffffff));
80 #endif /* AFS_LINUX20_ENV */
83 afs_uint32 getpag(void) {
85 #ifdef AFS_LINUX20_ENV
86 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
87 return (('A' << 24) + ((pag_epoch + pagCounter) & 0xffffff));
89 return (('A' << 24) + (pagCounter & 0xffffff));
95 /* Web enhancement: we don't need to restrict pags to 41XXXXXX since
96 * we are not sharing the space with anyone. So we use the full 32 bits. */
98 afs_uint32 genpag(void) {
100 #ifdef AFS_LINUX20_ENV
101 return (pag_epoch + pagCounter++);
103 return (pagCounter++);
104 #endif /* AFS_LINUX20_ENV */
107 afs_uint32 getpag(void) {
109 #ifdef AFS_LINUX20_ENV
110 /* Ensure unique PAG's (mod 200 days) when reloading the client. */
111 return (pag_epoch + pagCounter);
116 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
118 /* used to require 10 seconds between each setpag to guarantee that
119 * PAGs never wrap - which would be a security hole. If we presume
120 * that in ordinary operation, the average rate of PAG allocation
121 * will not exceed one per second, the 24 bits provided will be
122 * sufficient for ~200 days. Unfortunately, if we merely assume that,
123 * there will be an opportunity for attack. So we must enforce it.
124 * If we need to increase the average rate of PAG allocation, we
125 * should increase the number of bits in a PAG, and/or reduce our
126 * window in which we guarantee that the PAG counter won't wrap.
127 * By permitting an average of one new PAG per second, new PAGs can
128 * be allocated VERY frequently over a short period relative to total uptime.
129 * Of course, there's only an issue here if one user stays logged (and re-
130 * activates tokens repeatedly) for that entire period.
134 #if defined(AFS_SUN5_ENV)
135 afs_setpag (struct AFS_UCRED **credpp)
136 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
137 afs_setpag (struct proc *p, void *args, int *retval)
144 #if defined(AFS_SGI53_ENV) && defined(MP)
145 /* This is our first chance to get the global lock. */
147 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
149 AFS_STATCNT(afs_setpag);
151 if (!afs_suser(*credpp))
156 while (osi_Time() - pag_epoch < pagCounter ) {
157 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *) 0, 0);
161 #if defined(AFS_SUN5_ENV)
162 code = AddPag(genpag(), credpp);
163 #elif defined(AFS_OSF_ENV) || defined(AFS_FBSD_ENV)
164 code = AddPag(p, genpag(), &p->p_rcred);
165 #elif defined(AFS_AIX41_ENV)
168 struct ucred *credp0;
172 code = AddPag(genpag(), &credp);
173 /* If AddPag() didn't make a new cred, then free our cred ref */
174 if (credp == credp0) {
178 #elif defined(AFS_HPUX110_ENV)
180 struct ucred *credp = p_cred(u.u_procp);
181 code = AddPag(genpag(), &credp);
183 #elif defined(AFS_SGI_ENV)
186 credp = OSI_GET_CURRENT_CRED();
187 code = AddPag(genpag(), &credp);
189 #elif defined(AFS_LINUX20_ENV)
191 struct AFS_UCRED *credp = crref();
192 code = AddPag(genpag(), &credp);
195 #elif defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
197 struct ucred *credp=crdup(p->p_cred->pc_ucred);
198 code=AddPag(p, genpag(), &credp);
202 code = AddPag(genpag(), &u.u_cred);
205 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
206 #if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
207 #if defined(AFS_SGI53_ENV) && defined(MP)
209 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
218 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
221 * This function is like setpag but sets the current thread's pag id to a
222 * caller-provided value instead of calling genpag(). This implements a
223 * form of token caching since the caller can recall a particular pag value
224 * for the thread to restore tokens, rather than reauthenticating.
227 #if defined(AFS_SUN5_ENV)
228 afs_setpag_val (struct AFS_UCRED **credpp, int pagval)
229 #elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
230 afs_setpag_val (struct proc *p, void *args, int *retval, int pagval)
232 afs_setpag_val (int pagval)
237 #if defined(AFS_SGI53_ENV) && defined(MP)
238 /* This is our first chance to get the global lock. */
240 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
242 AFS_STATCNT(afs_setpag);
244 if (!afs_suser(*credpp))
249 while (osi_Time() - pag_epoch < pagCounter ) {
250 afs_osi_Wait(1000, (struct afs_osi_WaitHandle *) 0, 0);
254 #if defined(AFS_SUN5_ENV)
255 code = AddPag(pagval, credpp);
256 #elif defined(AFS_OSF_ENV) || defined(AFS_FBSD_ENV)
257 code = AddPag(p, pagval, &p->p_rcred);
258 #elif defined(AFS_AIX41_ENV)
261 struct ucred *credp0;
265 code = AddPag(pagval, &credp);
266 /* If AddPag() didn't make a new cred, then free our cred ref */
267 if (credp == credp0) {
271 #elif defined(AFS_HPUX110_ENV)
273 struct ucred *credp = p_cred(u.u_procp);
274 code = AddPag(pagval, &credp);
276 #elif defined(AFS_SGI_ENV)
279 credp = OSI_GET_CURRENT_CRED();
280 code = AddPag(pagval, &credp);
282 #elif defined(AFS_LINUX20_ENV)
284 struct AFS_UCRED *credp = crref();
285 code = AddPag(pagval, &credp);
288 #elif defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
290 struct ucred *credp=crdup(p->p_cred->pc_ucred);
291 code=AddPag(p, pagval, &credp);
295 code = AddPag(pagval, &u.u_cred);
298 afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
299 #if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
300 #if defined(AFS_SGI53_ENV) && defined(MP)
302 #endif /* defined(AFS_SGI53_ENV) && defined(MP) */
310 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
312 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
316 struct AFS_UCRED *credp = u.u_cred;
317 int gidset0, gidset1;
319 gidset0 = credp->cr_groups[0];
320 gidset1 = credp->cr_groups[1];
321 pagvalue=afs_get_pag_from_groups(gidset0, gidset1);
324 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
327 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
328 int AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
329 #else /* AFS_OSF_ENV || AFS_FBSD_ENV */
330 int AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
333 afs_int32 newpag, code;
335 #if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
336 if (code = setpag(p, credpp, aval, &newpag, 0))
337 #else /* AFS_OSF_ENV */
338 if (code = setpag(credpp, aval, &newpag, 0))
340 #if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
343 return (setuerror(code), code);
349 afs_InitReq(av, acred)
350 register struct vrequest *av;
351 struct AFS_UCRED *acred; {
353 AFS_STATCNT(afs_InitReq);
354 if (afs_shuttingdown) return EIO;
355 av->uid = PagInCred(acred);
356 if (av->uid == NOPAG) {
357 /* Afs doesn't use the unix uid for anuthing except a handle
358 * with which to find the actual authentication tokens so I
359 * think it's ok to use the real uid to make setuid
360 * programs (without setpag) to work properly.
362 #if defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
363 av->uid = acred->cr_uid; /* default when no pag is set */
364 /* bsd creds don't have ruid */
366 av->uid = acred->cr_ruid; /* default when no pag is set */
375 afs_uint32 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
379 afs_uint32 h, l, ret;
381 AFS_STATCNT(afs_get_pag_from_groups);
384 if (g0 < 0xc000 && g1 < 0xc000) {
385 l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
387 h = (g1 >> 14) + h + h + h;
388 ret = ((h << 28) | l);
389 #if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
392 /* Additional testing */
393 if (((ret >> 24) & 0xff) == 'A')
397 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
403 void afs_get_groups_from_pag(afs_uint32 pag, gid_t *g0p, gid_t *g1p)
405 unsigned short g0, g1;
408 AFS_STATCNT(afs_get_groups_from_pag);
409 #if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
411 #endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
412 g0 = 0x3fff & (pag >> 14);
414 g0 |= ((pag >> 28) / 3) << 14;
415 g1 |= ((pag >> 28) % 3) << 14;
421 afs_int32 PagInCred(const struct AFS_UCRED *cred)
426 AFS_STATCNT(PagInCred);
430 #if defined(AFS_DARWIN_ENV) || defined(AFS_FBSD_ENV)
431 if (cred == NOCRED || cred == FSCRED) {
434 if (cred->cr_ngroups < 3) return NOPAG;
435 /* gid is stored in cr_groups[0] */
436 g0 = cred->cr_groups[1];
437 g1 = cred->cr_groups[2];
440 if (cred->cr_ngrps < 2) {
444 #if defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX_ENV) || defined(AFS_FBSD_ENV)
445 if (cred->cr_ngroups < 2) return NOPAG;
448 g0 = cred->cr_groups[0];
449 g1 = cred->cr_groups[1];
451 pag = (afs_int32)afs_get_pag_from_groups(g0, g1);