#include "afs/audit.h"
extern int restricted;
+extern int restrict_anonymous;
extern struct ubik_dbase *dbase;
extern int pr_noAuth;
extern int prp_group_default;
static afs_int32 addToGroup(struct rx_call *call, afs_int32 aid, afs_int32 gid,
afs_int32 *cid);
static afs_int32 nameToID(struct rx_call *call, namelist *aname, idlist *aid);
-static afs_int32 idToName(struct rx_call *call, idlist *aid, namelist *aname);
+static afs_int32 idToName(struct rx_call *call, idlist *aid, namelist *aname, afs_int32 *cid);
static afs_int32 Delete(struct rx_call *call, afs_int32 aid, afs_int32 *cid);
static afs_int32 UpdateEntry(struct rx_call *call, afs_int32 aid, char *name,
struct PrUpdateEntry *uentry, afs_int32 *cid);
static afs_int32 getCPS2(struct rx_call *call, afs_int32 aid, afs_uint32 ahost,
prlist *alist, afs_int32 *over, afs_int32 *cid);
static afs_int32 getHostCPS(struct rx_call *call, afs_uint32 ahost,
- prlist *alist, afs_int32 *over);
-static afs_int32 listMax(struct rx_call *call, afs_int32 *uid, afs_int32 *gid);
+ prlist *alist, afs_int32 *over, afs_int32 *cid);
+static afs_int32 listMax(struct rx_call *call, afs_int32 *uid, afs_int32 *gid, afs_int32 *cid);
static afs_int32 setMax(struct rx_call *call, afs_int32 aid, afs_int32 gflag,
afs_int32 *cid);
static afs_int32 listEntry(struct rx_call *call, afs_int32 aid,
return 0;
}
} else { /* creating a user */
+ if (oid == ANONYMOUSID)
+ return 0;
if (!admin && !pr_noAuth)
return 0;
}
afs_int32 code;
struct ubik_trans *tt;
int admin;
+ int foreign = 0;
char cname[PR_MAXNAMELEN];
stolower(aname);
* automatic id assignment.
*/
code = WhoIsThisWithName(call, tt, cid, cname);
- if (code != 2) { /* 2 specifies that this is a foreign cell request */
- if (code)
- ABORT_WITH(tt, PRPERM);
- admin = IsAMemberOf(tt, *cid, SYSADMINID);
- } else {
- admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, *cid, SYSADMINID);
- oid = *cid = SYSADMINID;
+ if (code && code != 2)
+ ABORT_WITH(tt, PRPERM);
+ admin = IsAMemberOf(tt, *cid, SYSADMINID);
+ if (code == 2 /* foreign cell request */) {
+ foreign = 1;
+
+ if (!restricted && (strcmp(aname, cname) == 0)) {
+ /* can't autoregister while providing an owner id */
+ if (oid != 0)
+ ABORT_WITH(tt, PRPERM);
+
+ admin = 1;
+ oid = SYSADMINID;
+ }
}
if (!CreateOK(tt, *cid, oid, flag, admin))
ABORT_WITH(tt, PRPERM);
code = CreateEntry(tt, aname, aid, 0, flag, oid, *cid);
+ /*
+ * If this was an autoregistration then be sure to audit log
+ * the proper id as the creator.
+ */
+ if (foreign && code == 0 && *aid > 0)
+ *cid = *aid;
if (code != PRSUCCESS)
ABORT_WITH(tt, code);
code = WhoIsThis(call, tt, cid);
if (code)
ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
temp = FindByID(tt, aid);
if (!temp)
if (cell && *cell) {
code = afsconf_IsLocalRealmMatch(prdir, &islocal, nameinst, NULL, cell);
- ViceLog(0,
+ ViceLog(125,
("PTS_NameToID: afsconf_IsLocalRealmMatch(); code=%d, nameinst=%s, cell=%s\n",
code, nameinst, cell));
}
SPR_IDToName(struct rx_call *call, idlist *aid, namelist *aname)
{
afs_int32 code;
+ afs_int32 cid = ANONYMOUSID;
- code = idToName(call, aid, aname);
+ code = idToName(call, aid, aname, &cid);
osi_auditU(call, PTS_IdToNmEvent, code, AUD_END);
ViceLog(125, ("PTS_IDToName: code %d\n", code));
return code;
}
static afs_int32
-idToName(struct rx_call *call, idlist *aid, namelist *aname)
+idToName(struct rx_call *call, idlist *aid, namelist *aname, afs_int32 *cid)
{
afs_int32 code;
struct ubik_trans *tt;
size = aid->idlist_len;
if (size == 0)
return 0;
- if (size < 0)
+ if (size < 0 || size > INT_MAX / PR_MAXNAMELEN)
return PRTOOMANY;
- aname->namelist_val = malloc(size * PR_MAXNAMELEN);
+ aname->namelist_val = calloc(size, PR_MAXNAMELEN);
aname->namelist_len = 0;
if (aname->namelist_val == 0)
return PRNOMEM;
if (code)
return code;
+ code = WhoIsThis(call, tt, cid);
+ if (code)
+ ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
+
for (i = 0; i < aid->idlist_len; i++) {
code = IDToName(tt, aid->idlist_val[i], aname->namelist_val[i]);
if (code != PRSUCCESS)
if (code)
return code;
+ code = WhoIsThis(call, tt, cid);
+ if (code)
+ ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
+
temp = FindByID(tt, aid);
if (!temp)
ABORT_WITH(tt, PRNOENT);
if (code)
ABORT_WITH(tt, code);
- /* afs does authenticate now */
- code = WhoIsThis(call, tt, cid);
- if (code || !AccessOK(tt, *cid, &tentry, PRP_MEMBER_MEM, PRP_MEMBER_ANY))
+ if (!AccessOK(tt, *cid, &tentry, PRP_MEMBER_MEM, PRP_MEMBER_ANY))
ABORT_WITH(tt, PRPERM);
code = GetList(tt, &tentry, alist, 1);
afs_int32 *over)
{
afs_int32 code;
+ afs_int32 cid = ANONYMOUSID;
- code = getHostCPS(call, ahost, alist, over);
+ code = getHostCPS(call, ahost, alist, over, &cid);
osi_auditU(call, PTS_GetHCPSEvent, code, AUD_HOST, htonl(ahost), AUD_END);
- ViceLog(125, ("PTS_GetHostCPS: code %d ahost %d\n", code, ahost));
+ ViceLog(125, ("PTS_GetHostCPS: code %d ahost %u (0x%x)\n", code, ahost, ahost));
return code;
}
afs_int32
getHostCPS(struct rx_call *call, afs_uint32 ahost, prlist *alist,
- afs_int32 *over)
+ afs_int32 *over, afs_int32 *cid)
{
afs_int32 code, temp;
struct ubik_trans *tt;
if (code)
return code;
+ code = WhoIsThis(call, tt, cid);
+ if (code)
+ ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
+
code = NameToID(tt, afs_inet_ntoa_r(iaddr.s_addr, hoststr), &hostid);
if (code == PRSUCCESS && hostid != 0) {
temp = FindByID(tt, hostid);
SPR_ListMax(struct rx_call *call, afs_int32 *uid, afs_int32 *gid)
{
afs_int32 code;
+ afs_int32 cid = ANONYMOUSID;
- code = listMax(call, uid, gid);
+ code = listMax(call, uid, gid, &cid);
osi_auditU(call, PTS_LstMaxEvent, code, AUD_END);
ViceLog(125, ("PTS_ListMax: code %d\n", code));
return code;
}
afs_int32
-listMax(struct rx_call *call, afs_int32 *uid, afs_int32 *gid)
+listMax(struct rx_call *call, afs_int32 *uid, afs_int32 *gid, afs_int32 *cid)
{
afs_int32 code;
struct ubik_trans *tt;
if (code)
return code;
+ code = WhoIsThis(call, tt, cid);
+ if (code)
+ ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
+
code = GetMax(tt, uid, gid);
if (code != PRSUCCESS)
ABORT_WITH(tt, code);
code = WhoIsThis(call, tt, cid);
if (code)
ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
temp = FindByID(tt, aid);
if (!temp)
ABORT_WITH(tt, PRNOENT);
entry = bulkentries->prentries_val;
entry += bulkentries->prentries_len;
+ memset(entry, 0, sizeof(*entry));
entry->flags = tentry->flags >> PRIVATE_SHIFT;
if (entry->flags == 0) {
entry->flags =
entry->nusers = tentry->nusers;
entry->count = tentry->count;
strncpy(entry->name, tentry->name, PR_MAXNAMELEN);
- memset(entry->reserved, 0, sizeof(entry->reserved));
bulkentries->prentries_len++;
return 0;
}
if (code)
return code;
- code = ubik_SetLock(tt, 1, 1, LOCKREAD);
- if (code)
- ABORT_WITH(tt, code);
code = WhoIsThis(call, tt, cid);
if (code)
ABORT_WITH(tt, PRPERM);
+ if (!pr_noAuth && restrict_anonymous && *cid == ANONYMOUSID)
+ ABORT_WITH(tt, PRPERM);
+
+ code = ubik_SetLock(tt, 1, 1, LOCKREAD);
+ if (code)
+ ABORT_WITH(tt, code);
temp = FindByID(tt, aid);
if (!temp)
*aid = ANONYMOUSID;
tconn = rx_ConnectionOf(acall);
code = rx_SecurityClassOf(tconn);
- if (code == 0)
+ if (code == RX_SECIDX_NULL)
return 0;
- else if (code == 1) { /* vab class */
+ else if (code == RX_SECIDX_VAB) {
goto done; /* no longer supported */
- } else if (code == 2) { /* kad class */
+ } else if (code == RX_SECIDX_KAD) {
if ((code = rxkad_GetServerInfo(rx_ConnectionOf(acall), NULL, NULL,
name, inst, tcell, NULL)))
goto done;
strcat(vname, "@");
strcat(vname, tcell);
lcstring(vname, vname, sizeof(vname));
- code = NameToID(at, vname, aid);
+ NameToID(at, vname, aid);
if (aname)
strcpy(aname, vname);
return 2;
git://git.openafs.org / openafs.git / blobdiff