* PagInCred
*/
-#include "../afs/param.h" /* Should be always first */
-#include "../afs/sysincludes.h" /* Standard vendor system headers */
-#include "../afs/afsincludes.h" /* Afs-based standard headers */
-#include "../afs/afs_stats.h" /* statistics */
-#include "../afs/afs_cbqueue.h"
-#include "../afs/nfsclient.h"
-#include "../afs/afs_osidnlc.h"
+#include <afsconfig.h>
+#include "afs/param.h"
+
+RCSID
+ ("$Header$");
+
+#include "afs/sysincludes.h" /* Standard vendor system headers */
+#include "afsincludes.h" /* Afs-based standard headers */
+#include "afs/afs_stats.h" /* statistics */
+#include "afs/afs_cbqueue.h"
+#include "afs/nfsclient.h"
+#include "afs/afs_osidnlc.h"
/* Imported variables */
/* Exported variables */
afs_uint32 pag_epoch;
+#if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
+afs_uint32 pagCounter = 1;
+#else
afs_uint32 pagCounter = 0;
+#endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
+#ifdef AFS_LINUX26_ONEGROUP_ENV
+#define NUMPAGGROUPS 1
+#else
+#define NUMPAGGROUPS 2
+#endif
/* Local variables */
/*
* anyway, so the pag is an alternative handle which is somewhat more
* secure (although of course not absolutely secure).
*/
-afs_uint32 genpag(void) {
+#if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
+afs_uint32
+genpag(void)
+{
AFS_STATCNT(genpag);
#ifdef AFS_LINUX20_ENV
/* Ensure unique PAG's (mod 200 days) when reloading the client. */
return (('A' << 24) + ((pag_epoch + pagCounter++) & 0xffffff));
-#else
+#else /* AFS_LINUX20_ENV */
return (('A' << 24) + (pagCounter++ & 0xffffff));
-#endif
+#endif /* AFS_LINUX20_ENV */
}
-afs_uint32 getpag(void) {
+afs_uint32
+getpag(void)
+{
AFS_STATCNT(getpag);
#ifdef AFS_LINUX20_ENV
/* Ensure unique PAG's (mod 200 days) when reloading the client. */
#endif
}
+#else
+
+/* Web enhancement: we don't need to restrict pags to 41XXXXXX since
+ * we are not sharing the space with anyone. So we use the full 32 bits. */
+
+afs_uint32
+genpag(void)
+{
+ AFS_STATCNT(genpag);
+#ifdef AFS_LINUX20_ENV
+ return (pag_epoch + pagCounter++);
+#else
+ return (pagCounter++);
+#endif /* AFS_LINUX20_ENV */
+}
+
+afs_uint32
+getpag(void)
+{
+ AFS_STATCNT(getpag);
+#ifdef AFS_LINUX20_ENV
+ /* Ensure unique PAG's (mod 200 days) when reloading the client. */
+ return (pag_epoch + pagCounter);
+#else
+ return (pagCounter);
+#endif
+}
+#endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
/* used to require 10 seconds between each setpag to guarantee that
* PAGs never wrap - which would be a security hole. If we presume
* activates tokens repeatedly) for that entire period.
*/
+static int afs_pag_sleepcnt = 0;
+
+static int
+afs_pag_sleep(struct AFS_UCRED **acred)
+{
+ int rv = 0;
+
+ if (!afs_suser(acred)) {
+ if(osi_Time() - pag_epoch < pagCounter) {
+ rv = 1;
+ }
+ }
+
+ return rv;
+}
+
+static int
+afs_pag_wait(struct AFS_UCRED **acred)
+{
+ if (afs_pag_sleep(acred)) {
+ if (!afs_pag_sleepcnt) {
+ printf("%s() PAG throttling triggered, pid %d... sleeping. sleepcnt %d\n",
+ "afs_pag_wait", osi_getpid(), afs_pag_sleepcnt);
+ }
+
+ afs_pag_sleepcnt++;
+
+ do {
+ /* XXX spins on EINTR */
+ afs_osi_Wait(1000, (struct afs_osi_WaitHandle *)0, 0);
+ } while (afs_pag_sleep(acred));
+
+ afs_pag_sleepcnt--;
+ }
+
+ return 0;
+}
+
int
#if defined(AFS_SUN5_ENV)
-afs_setpag (struct AFS_UCRED **credpp)
-#elif defined(AFS_OSF_ENV)
-afs_setpag (struct proc *p, void *args, int *retval)
+afs_setpag(struct AFS_UCRED **credpp)
+#elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+afs_setpag(struct proc *p, void *args, int *retval)
#else
-afs_setpag (void)
+afs_setpag(void)
#endif
{
+
+#if defined(AFS_SUN5_ENV)
+ struct AFS_UCRED **acred = *credpp;
+#elif defined(AFS_OBSD_ENV)
+ struct AFS_UCRED **acred = &p->p_ucred;
+#else
+ struct AFS_UCRED **acred = NULL;
+#endif
+
int code = 0;
#if defined(AFS_SGI53_ENV) && defined(MP)
/* This is our first chance to get the global lock. */
AFS_GLOCK();
-#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
+#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
AFS_STATCNT(afs_setpag);
-#ifdef AFS_SUN5_ENV
- if (!afs_suser(*credpp))
-#else
- if (!afs_suser())
-#endif
- {
- while (osi_Time() - pag_epoch < pagCounter ) {
- afs_osi_Wait(1000, (struct afs_osi_WaitHandle *) 0, 0);
- }
- }
+
+ afs_pag_wait(acred);
+
#if defined(AFS_SUN5_ENV)
code = AddPag(genpag(), credpp);
-#elif defined(AFS_OSF_ENV)
+#elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
code = AddPag(p, genpag(), &p->p_rcred);
#elif defined(AFS_AIX41_ENV)
{
struct ucred *credp;
struct ucred *credp0;
-
+
credp = crref();
credp0 = credp;
code = AddPag(genpag(), &credp);
code = AddPag(genpag(), &credp);
crfree(credp);
}
+#elif defined(AFS_DARWIN80_ENV)
+ {
+ struct ucred *credp = kauth_cred_proc_ref(p);
+ code = AddPag(p, genpag(), &credp);
+ kauth_cred_rele(credp);
+ }
+#elif defined(AFS_DARWIN_ENV)
+ {
+ struct ucred *credp = crdup(p->p_cred->pc_ucred);
+ code = AddPag(p, genpag(), &credp);
+ crfree(credp);
+ }
#else
code = AddPag(genpag(), &u.u_cred);
#endif
afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
-#if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV)
+
+#if defined(KERNEL_HAVE_UERROR)
+ if (!getuerror())
+ setuerror(code);
+#endif
+
#if defined(AFS_SGI53_ENV) && defined(MP)
AFS_GUNLOCK();
-#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
+#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
+
return (code);
+}
+
+#if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
+/*
+ * afs_setpag_val
+ * This function is like setpag but sets the current thread's pag id to a
+ * caller-provided value instead of calling genpag(). This implements a
+ * form of token caching since the caller can recall a particular pag value
+ * for the thread to restore tokens, rather than reauthenticating.
+ */
+int
+#if defined(AFS_SUN5_ENV)
+afs_setpag_val(struct AFS_UCRED **credpp, int pagval)
+#elif defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+afs_setpag_val(struct proc *p, void *args, int *retval, int pagval)
+#else
+afs_setpag_val(int pagval)
+#endif
+{
+
+#if defined(AFS_SUN5_ENV)
+ struct AFS_UCRED **acred = *credp;
+#elif defined(AFS_OBSD_ENV)
+ struct AFS_UCRED **acred = &p->p_ucred;
+#else
+ struct AFS_UCRED **acred = NULL;
+#endif
+
+ int code = 0;
+
+#if defined(AFS_SGI53_ENV) && defined(MP)
+ /* This is our first chance to get the global lock. */
+ AFS_GLOCK();
+#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
+
+ AFS_STATCNT(afs_setpag);
+
+ afs_pag_wait(acred);
+
+#if defined(AFS_SUN5_ENV)
+ code = AddPag(pagval, credpp);
+#elif defined(AFS_OSF_ENV) || defined(AFS_XBSD_ENV)
+ code = AddPag(p, pagval, &p->p_rcred);
+#elif defined(AFS_AIX41_ENV)
+ {
+ struct ucred *credp;
+ struct ucred *credp0;
+
+ credp = crref();
+ credp0 = credp;
+ code = AddPag(pagval, &credp);
+ /* If AddPag() didn't make a new cred, then free our cred ref */
+ if (credp == credp0) {
+ crfree(credp);
+ }
+ }
+#elif defined(AFS_HPUX110_ENV)
+ {
+ struct ucred *credp = p_cred(u.u_procp);
+ code = AddPag(pagval, &credp);
+ }
+#elif defined(AFS_SGI_ENV)
+ {
+ cred_t *credp;
+ credp = OSI_GET_CURRENT_CRED();
+ code = AddPag(pagval, &credp);
+ }
+#elif defined(AFS_LINUX20_ENV)
+ {
+ struct AFS_UCRED *credp = crref();
+ code = AddPag(pagval, &credp);
+ crfree(credp);
+ }
+#elif defined(AFS_DARWIN_ENV)
+ {
+ struct ucred *credp = crdup(p->p_cred->pc_ucred);
+ code = AddPag(p, pagval, &credp);
+ crfree(credp);
+ }
#else
+ code = AddPag(pagval, &u.u_cred);
+#endif
+
+ afs_Trace1(afs_iclSetp, CM_TRACE_SETPAG, ICL_TYPE_INT32, code);
+#if defined(KERNEL_HAVE_UERROR)
if (!getuerror())
- setuerror(code);
+ setuerror(code);
+#endif
+#if defined(AFS_SGI53_ENV) && defined(MP)
+ AFS_GUNLOCK();
+#endif /* defined(AFS_SGI53_ENV) && defined(MP) */
return (code);
+}
+
+#ifndef AFS_LINUX26_ONEGROUP_ENV
+int
+afs_getpag_val()
+{
+ int pagvalue;
+ struct AFS_UCRED *credp = u.u_cred;
+ gid_t gidset0, gidset1;
+#ifdef AFS_SUN510_ENV
+ const gid_t *gids;
+
+ gids = crgetgroups(*credp);
+ gidset0 = gids[0];
+ gidset1 = gids[1];
+#else
+ gidset0 = credp->cr_groups[0];
+ gidset1 = credp->cr_groups[1];
#endif
+ pagvalue = afs_get_pag_from_groups(gidset0, gidset1);
+ return pagvalue;
}
+#endif
+#endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
-#ifdef AFS_OSF_ENV
-int AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
-#else /* AFS_OSF_ENV */
-int AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
+
+/* Note - needs to be available on AIX, others can be static - rework this */
+#if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+int
+AddPag(struct proc *p, afs_int32 aval, struct AFS_UCRED **credpp)
+#else
+int
+AddPag(afs_int32 aval, struct AFS_UCRED **credpp)
#endif
{
afs_int32 newpag, code;
+
AFS_STATCNT(AddPag);
-#ifdef AFS_OSF_ENV
- if (code = setpag(p, credpp, aval, &newpag, 0))
-#else /* AFS_OSF_ENV */
- if (code = setpag(credpp, aval, &newpag, 0))
-#endif
-#if defined(AFS_SUN5_ENV) || defined(AFS_SGI_ENV) || defined(AFS_OSF_ENV) || defined(AFS_LINUX20_ENV)
- return (code);
+#if defined(AFS_OSF_ENV) || defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+ if ((code = setpag(p, credpp, aval, &newpag, 0)))
#else
+ if ((code = setpag(credpp, aval, &newpag, 0)))
+#endif
+#if defined(KERNEL_HAVE_UERROR)
return (setuerror(code), code);
+#else
+ return (code);
#endif
return 0;
}
-afs_InitReq(av, acred)
- register struct vrequest *av;
- struct AFS_UCRED *acred; {
+int
+afs_InitReq(register struct vrequest *av, struct AFS_UCRED *acred)
+{
+ int code;
AFS_STATCNT(afs_InitReq);
- if (afs_shuttingdown) return EIO;
+ memset(av, 0, sizeof(*av));
+ if (afs_shuttingdown)
+ return EIO;
+
+#ifdef AFS_LINUX26_ENV
+#if !defined(AFS_NONFSTRANS)
+ if (osi_linux_nfs_initreq(av, acred, &code))
+ return code;
+#endif
+#endif
+
av->uid = PagInCred(acred);
if (av->uid == NOPAG) {
/* Afs doesn't use the unix uid for anuthing except a handle
* with which to find the actual authentication tokens so I
* think it's ok to use the real uid to make setuid
- * programs (without setpag) to work properly.
- */
- av->uid = acred->cr_ruid; /* default when no pag is set */
+ * programs (without setpag) to work properly.
+ */
+#if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+ if (acred == NOCRED)
+ av->uid = -2; /* XXX nobody... ? */
+ else
+ av->uid = acred->cr_uid; /* bsd creds don't have ruid */
+#elif defined(AFS_SUN510_ENV)
+ av->uid = crgetruid(acred);
+#else
+ av->uid = acred->cr_ruid; /* default when no pag is set */
+#endif
}
av->initd = 0;
return 0;
}
+#ifdef AFS_LINUX26_ONEGROUP_ENV
+afs_uint32
+afs_get_pag_from_groups(struct group_info *group_info)
+{
+ afs_uint32 g0 = 0;
+ afs_uint32 i;
-afs_uint32 afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
+ AFS_STATCNT(afs_get_pag_from_groups);
+ for (i = 0; (i < group_info->ngroups &&
+ (g0 = GROUP_AT(group_info, i)) != (gid_t) NOGROUP); i++) {
+ if (((g0 >> 24) & 0xff) == 'A')
+ return g0;
+ }
+ return NOPAG;
+}
+#else
+afs_uint32
+afs_get_pag_from_groups(gid_t g0a, gid_t g1a)
{
afs_uint32 g0 = g0a;
afs_uint32 g1 = g1a;
afs_uint32 h, l, ret;
AFS_STATCNT(afs_get_pag_from_groups);
+
g0 -= 0x3f00;
g1 -= 0x3f00;
if (g0 < 0xc000 && g1 < 0xc000) {
h = (g0 >> 14);
h = (g1 >> 14) + h + h + h;
ret = ((h << 28) | l);
+#if defined(UKERNEL) && defined(AFS_WEB_ENHANCEMENTS)
+ return ret;
+#else
/* Additional testing */
if (((ret >> 24) & 0xff) == 'A')
return ret;
- else
- return NOPAG;
+#endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
}
return NOPAG;
}
+#endif
-
-void afs_get_groups_from_pag(afs_uint32 pag, gid_t *g0p, gid_t *g1p)
+void
+afs_get_groups_from_pag(afs_uint32 pag, gid_t * g0p, gid_t * g1p)
{
unsigned short g0, g1;
AFS_STATCNT(afs_get_groups_from_pag);
+#ifdef AFS_LINUX26_ONEGROUP_ENV
+ *g0p = pag;
+ *g1p = 0;
+#else
+#if !defined(UKERNEL) || !defined(AFS_WEB_ENHANCEMENTS)
pag &= 0x7fffffff;
+#endif /* UKERNEL && AFS_WEB_ENHANCEMENTS */
g0 = 0x3fff & (pag >> 14);
g1 = 0x3fff & pag;
g0 |= ((pag >> 28) / 3) << 14;
g1 |= ((pag >> 28) % 3) << 14;
*g0p = g0 + 0x3f00;
*g1p = g1 + 0x3f00;
+#endif
}
-afs_int32 PagInCred(const struct AFS_UCRED *cred)
+afs_int32
+PagInCred(const struct AFS_UCRED *cred)
{
afs_int32 pag;
gid_t g0, g1;
+#if defined(AFS_SUN510_ENV)
+ const gid_t *gids;
+ int ngroups;
+#endif
AFS_STATCNT(PagInCred);
- if (cred == NULL) {
+ if (cred == NULL || cred == afs_osi_credp) {
return NOPAG;
}
-#ifdef AFS_AIX_ENV
+#if defined(AFS_SUN510_ENV)
+ gids = crgetgroups(cred);
+ ngroups = crgetngroups(cred);
+#endif
+#if defined(AFS_DARWIN_ENV) || defined(AFS_XBSD_ENV)
+ if (cred == NOCRED || cred == FSCRED) {
+ return NOPAG;
+ }
+ if (cred->cr_ngroups < 3)
+ return NOPAG;
+ /* gid is stored in cr_groups[0] */
+ g0 = cred->cr_groups[1];
+ g1 = cred->cr_groups[2];
+#else
+#if defined(AFS_AIX51_ENV)
+ if (kcred_getpag(cred, PAG_AFS, &pag) < 0 || pag == 0)
+ pag = NOPAG;
+ return pag;
+#elif defined(AFS_AIX_ENV)
if (cred->cr_ngrps < 2) {
return NOPAG;
}
+#elif defined(AFS_LINUX26_ENV)
+ if (cred->cr_group_info->ngroups < NUMPAGGROUPS) {
+ pag = NOPAG;
+ goto out;
+ }
+#elif defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX20_ENV) || defined(AFS_XBSD_ENV)
+#if defined(AFS_SUN510_ENV)
+ if (ngroups < 2) {
#else
-#if defined(AFS_SGI_ENV) || defined(AFS_SUN5_ENV) || defined(AFS_DUX40_ENV) || defined(AFS_LINUX_ENV)
- if (cred->cr_ngroups < 2) return NOPAG;
+ if (cred->cr_ngroups < 2) {
#endif
+ pag = NOPAG;
+ goto out;
+ }
#endif
+#if defined(AFS_AIX51_ENV)
+ g0 = cred->cr_groupset.gs_union.un_groups[0];
+ g1 = cred->cr_groupset.gs_union.un_groups[1];
+#elif defined(AFS_LINUX26_ONEGROUP_ENV)
+#elif defined(AFS_LINUX26_ENV)
+ g0 = GROUP_AT(cred->cr_group_info, 0);
+ g1 = GROUP_AT(cred->cr_group_info, 1);
+#elif defined(AFS_SUN510_ENV)
+ g0 = gids[0];
+ g1 = gids[1];
+#else
g0 = cred->cr_groups[0];
g1 = cred->cr_groups[1];
- pag = (afs_int32)afs_get_pag_from_groups(g0, g1);
+#endif
+#endif
+#if defined(AFS_LINUX26_ONEGROUP_ENV)
+ pag = (afs_int32) afs_get_pag_from_groups(cred->cr_group_info);
+#else
+ pag = (afs_int32) afs_get_pag_from_groups(g0, g1);
+#endif
+out:
+#if defined(AFS_LINUX26_ENV) && defined(LINUX_KEYRING_SUPPORT)
+ if (pag == NOPAG) {
+ struct key *key;
+ afs_uint32 upag, newpag;
+
+ key = request_key(&key_type_afs_pag, "_pag", NULL);
+ if (!IS_ERR(key)) {
+ if (key_validate(key) == 0 && key->uid == 0) { /* also verify in the session keyring? */
+ upag = (afs_uint32) key->payload.value;
+ if (((upag >> 24) & 0xff) == 'A') {
+ __setpag(&cred, upag, &newpag, 0);
+ pag = (afs_int32) upag;
+ }
+ }
+ key_put(key);
+ }
+ }
+#endif
return pag;
}
git://git.openafs.org / openafs.git / blobdiff