audit-consolidate-open-20081217

[openafs.git] / src / ptserver / ptserver.c

diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index 8ab574a..09eb7dc 100644 (file)
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -111,7 +111,8 @@
 #include <afsconfig.h>
 #include <afs/param.h>
 
-RCSID("$Header$");
+RCSID
+    ("$Header$");
 
 #include <afs/stds.h>
 #ifdef AFS_AIX32_ENV
@@ -119,20 +120,16 @@ RCSID("$Header$");
 #endif
 #include <sys/types.h>
 #include <stdio.h>
-#ifdef AFS_NT40_ENV 
+#include <fcntl.h>
+#include <sys/stat.h>
+#ifdef AFS_NT40_ENV
 #include <winsock2.h>
 #include <WINNT/afsevent.h>
 #else
 #include <netdb.h>
 #include <netinet/in.h>
 #endif
-#ifdef HAVE_STRING_H
 #include <string.h>
-#else
-#ifdef HAVE_STRINGS_H
-#include <strings.h>
-#endif
-#endif
 #include <rx/xdr.h>
 #include <rx/rx.h>
 #include <rx/rx_globals.h>
@@ -145,6 +142,7 @@ RCSID("$Header$");
 #include "error_macros.h"
 #include "afs/audit.h"
 #include <afs/afsutil.h>
+#include <afs/com_err.h>
 
 
 /* make        all of these into a structure if you want */
@@ -156,27 +154,60 @@ struct afsconf_dir *prdir;
 extern afs_int32 depthsg;
 #endif
 
-extern afs_int32 ubik_lastYesTime;
-extern afs_int32 ubik_nBuffers;
-
 extern int afsconf_ServerAuth();
 extern int afsconf_CheckAuth();
 
-int   pr_realmNameLen;
+int pr_realmNameLen;
 char *pr_realmName;
 
+int debuglevel = 0;
+int restricted = 0;
+int rxMaxMTU = -1;
+int rxBind = 0;
+int rxkadDisableDotCheck = 0;
+
+#define ADDRSPERSITE 16         /* Same global is in rx/rx_user.c */
+afs_uint32 SHostAddrs[ADDRSPERSITE];
+
+static struct afsconf_cell info;
+
+extern int prp_group_default;
+extern int prp_user_default;
+
 #include "AFS_component_version_number.c"
 
+int
+prp_access_mask(s)
+    char *s;
+{
+    int r;
+    if (*s >= '0' && *s <= '9') {
+       return strtol(s, NULL, 0);
+    }
+    r = 0;
+    while (*s) switch(*s++)
+    {
+    case 'S':  r |= PRP_STATUS_ANY; break;
+    case 's':  r |= PRP_STATUS_MEM; break;
+    case 'O':  r |= PRP_OWNED_ANY; break;
+    case 'M':  r |= PRP_MEMBER_ANY; break;
+    case 'm':  r |= PRP_MEMBER_MEM; break;
+    case 'A':  r |= PRP_ADD_ANY; break;
+    case 'a':  r |= PRP_ADD_MEM; break;
+    case 'r':  r |= PRP_REMOVE_MEM; break;
+    }
+    return r;
+}
+
 /* check whether caller is authorized to manage RX statistics */
-int pr_rxstat_userok(call)
-    struct rx_call *call;
+int
+pr_rxstat_userok(struct rx_call *call)
 {
     return afsconf_SuperUser(prdir, call, NULL);
 }
 
-void main (argc, argv)
-  int argc;
-  char **argv;
+int
+main(int argc, char **argv)
 {
     register afs_int32 code;
     afs_int32 myHost;
@@ -189,17 +220,17 @@ void main (argc, argv)
 #if 0
     struct ktc_encryptionKey tkey;
 #endif
-    struct afsconf_cell info;
-    int kerberosKeys;                  /* set if found some keys */
+    int kerberosKeys;          /* set if found some keys */
     int lwps = 3;
     char clones[MAXHOSTSPERCELL];
+    afs_uint32 host = htonl(INADDR_ANY);
 
     const char *pr_dbaseName;
     char *whoami = "ptserver";
 
-    int   a;
-    char  arg[100];
-    
+    int a;
+    char arg[100];
+
 #ifdef AFS_AIX32_ENV
     /*
      * The following signal action for AIX is necessary so that in case of a 
@@ -208,21 +239,23 @@ void main (argc, argv)
      * generated which, in many cases, isn't too useful.
      */
     struct sigaction nsa;
-    
+
     sigemptyset(&nsa.sa_mask);
     nsa.sa_handler = SIG_DFL;
     nsa.sa_flags = SA_FULLDUMP;
     sigaction(SIGABRT, &nsa, NULL);
     sigaction(SIGSEGV, &nsa, NULL);
 #endif
-    osi_audit (PTS_StartEvent, 0, AUD_END);
+    osi_audit_init();
+    osi_audit(PTS_StartEvent, 0, AUD_END);
 
     /* Initialize dirpaths */
     if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
 #ifdef AFS_NT40_ENV
-       ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0],0);
+       ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
 #endif
-       fprintf(stderr,"%s: Unable to obtain AFS server directory.\n", argv[0]);
+       fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
+               argv[0]);
        exit(2);
     }
 
@@ -230,156 +263,211 @@ void main (argc, argv)
 
 #if defined(SUPERGROUPS)
     /* make sure the structures for database records are the same size */
-    if((sizeof(struct prentry) != ENTRYSIZE) ||
-        (sizeof(struct prentryg) != ENTRYSIZE)) {
-      fprintf(stderr,"The structures for the database records are different"
-                    " sizes\n"
-                    "struct prentry = %d\n"
-                    "struct prentryg = %d\n"
-                    "ENTRYSIZE = %d\n",
-                     sizeof(struct prentry), sizeof(struct prentryg),
-                    ENTRYSIZE); 
-      PT_EXIT(1);
+    if ((sizeof(struct prentry) != ENTRYSIZE)
+       || (sizeof(struct prentryg) != ENTRYSIZE)) {
+       fprintf(stderr,
+               "The structures for the database records are different"
+               " sizes\n" "struct prentry = %d\n" "struct prentryg = %d\n"
+               "ENTRYSIZE = %d\n", sizeof(struct prentry),
+               sizeof(struct prentryg), ENTRYSIZE);
+       PT_EXIT(1);
     }
 #endif
 
-    for (a=1; a<argc; a++) {
+    for (a = 1; a < argc; a++) {
        int alen;
-       lcstring (arg, argv[a], sizeof(arg));
-       alen = strlen (arg);
-       if ((strncmp (arg, "-database", alen) == 0) ||
-           (strncmp (arg, "-db", alen) == 0)) {
+       lcstring(arg, argv[a], sizeof(arg));
+       alen = strlen(arg);
+       if ((strncmp(arg, "-database", alen) == 0)
+           || (strncmp(arg, "-db", alen) == 0)) {
            pr_dbaseName = argv[++a];   /* specify a database */
-       }
-       else if (strncmp(arg, "-p", alen) == 0) {
-          lwps = atoi(argv[++a]);
-          if (lwps > 16) {       /* maximum of 16 */
-             printf("Warning: '-p %d' is too big; using %d instead\n",
-                    lwps, 16);
-             lwps = 16;
-          } else if (lwps < 3) { /* minimum of 3 */
-             printf("Warning: '-p %d' is too small; using %d instead\n",
-                    lwps, 3);
-             lwps = 3;
-          }
-       }
-       else if (strncmp (arg, "-rebuild", alen) == 0) /* rebuildDB++ */ ;
+       } else if (strcmp(argv[a], "-d") == 0) {
+           if ((a + 1) >= argc) {
+               fprintf(stderr, "missing argument for -d\n"); 
+               return -1; 
+           }
+           debuglevel = atoi(argv[++a]);
+           LogLevel = debuglevel;
+       } else if (strncmp(arg, "-p", alen) == 0) {
+           lwps = atoi(argv[++a]);
+           if (lwps > 16) {    /* maximum of 16 */
+               printf("Warning: '-p %d' is too big; using %d instead\n",
+                      lwps, 16);
+               lwps = 16;
+           } else if (lwps < 3) {      /* minimum of 3 */
+               printf("Warning: '-p %d' is too small; using %d instead\n",
+                      lwps, 3);
+               lwps = 3;
+           }
+       } else if (strncmp(arg, "-rebuild", alen) == 0) /* rebuildDB++ */
+           ;
 #if defined(SUPERGROUPS)
-       else if ((strncmp (arg, "-groupdepth", alen) == 0) ||
-                (strncmp (arg, "-depth", alen) == 0)) {
-           depthsg = atoi(argv[++a]);  /* Max search depth for supergroups */
+       else if ((strncmp(arg, "-groupdepth", alen) == 0)
+                || (strncmp(arg, "-depth", alen) == 0)) {
+           depthsg = atoi(argv[++a]);  /* Max search depth for supergroups */
        }
 #endif
-       else if (strncmp (arg, "-enable_peer_stats", alen) == 0) {
-           rx_enablePeerRPCStats();
+       else if (strncmp(arg, "-default_access", alen) == 0) {
+           prp_user_default = prp_access_mask(argv[++a]);
+           prp_group_default = prp_access_mask(argv[++a]);
+       }
+       else if (strncmp(arg, "-restricted", alen) == 0) {
+           restricted = 1;
+       }
+       else if (strncmp(arg, "-rxbind", alen) == 0) {
+           rxBind = 1;
        }
-       else if (strncmp (arg, "-enable_process_stats", alen) == 0) {
+       else if (strncmp(arg, "-allow-dotted-principals", alen) == 0) {
+           rxkadDisableDotCheck = 1;
+       }
+       else if (strncmp(arg, "-enable_peer_stats", alen) == 0) {
+           rx_enablePeerRPCStats();
+       } else if (strncmp(arg, "-enable_process_stats", alen) == 0) {
            rx_enableProcessRPCStats();
        }
 #ifndef AFS_NT40_ENV
-       else if (strncmp(arg, "-syslog", alen)==0) {
+       else if (strncmp(arg, "-syslog", alen) == 0) {
            /* set syslog logging flag */
            serverLogSyslog = 1;
-       } 
-       else if (strncmp(arg, "-syslog=", MIN(8,alen))==0) {
+       } else if (strncmp(arg, "-syslog=", MIN(8, alen)) == 0) {
            serverLogSyslog = 1;
-           serverLogSyslogFacility = atoi(arg+8);
+           serverLogSyslogFacility = atoi(arg + 8);
        }
 #endif
+       else if (strncmp(arg, "-auditlog", alen) == 0) {
+           char *fileName = argv[++a];
+
+            osi_audit_file(fileName);
+            osi_audit(PTS_StartEvent, 0, AUD_END);
+       }
+       else if (!strncmp(arg, "-rxmaxmtu", alen)) {
+           if ((a + 1) >= argc) {
+               fprintf(stderr, "missing argument for -rxmaxmtu\n");
+               PT_EXIT(1);
+           }
+           rxMaxMTU = atoi(argv[++a]);
+           if ((rxMaxMTU < RX_MIN_PACKET_SIZE) ||
+                (rxMaxMTU > RX_MAX_PACKET_DATA_SIZE)) {
+               printf("rxMaxMTU %d invalid; must be between %d-%d\n",
+                       rxMaxMTU, RX_MIN_PACKET_SIZE,
+                       RX_MAX_PACKET_DATA_SIZE);
+               PT_EXIT(1);
+           }
+       } 
        else if (*arg == '-') {
-               /* hack in help flag support */
+           /* hack in help flag support */
 
 #if defined(SUPERGROUPS)
 #ifndef AFS_NT40_ENV
-               printf ("Usage: ptserver [-database <db path>] "
-                       "[-syslog[=FACILITY]] "
-                       "[-p <number of processes>] [-rebuild] "
-                       "[-groupdepth <depth>] "
-                       "[-enable_peer_stats] [-enable_process_stats] "
-                       "[-help]\n");
+           printf("Usage: ptserver [-database <db path>] "
+                  "[-auditlog <log path>] "
+                  "[-syslog[=FACILITY]] [-d <debug level>] "
+                  "[-p <number of processes>] [-rebuild] "
+                  "[-groupdepth <depth>] "
+                  "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+                  "[-allow-dotted-principals] "
+                  "[-enable_peer_stats] [-enable_process_stats] "
+                  "[-default_access default_user_access default_group_access] "
+                  "[-help]\n");
 #else /* AFS_NT40_ENV */
-               printf ("Usage: ptserver [-database <db path>] "
-                       "[-p <number of processes>] [-rebuild] "
-                       "[-groupdepth <depth>] "
-                       "[-help]\n");
+           printf("Usage: ptserver [-database <db path>] "
+                  "[-auditlog <log path>] [-d <debug level>] "
+                  "[-p <number of processes>] [-rebuild] [-rxbind] "
+                  "[-allow-dotted-principals] "
+                  "[-default_access default_user_access default_group_access] "
+                  "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+                  "[-groupdepth <depth>] " "[-help]\n");
 #endif
 #else
 #ifndef AFS_NT40_ENV
-               printf ("Usage: ptserver [-database <db path>] "
-                       "[-syslog[=FACILITY]] "
-                       "[-p <number of processes>] [-rebuild] "
-                       "[-enable_peer_stats] [-enable_process_stats] "
-                       "[-help]\n");
+           printf("Usage: ptserver [-database <db path>] "
+                  "[-auditlog <log path>] [-d <debug level>] "
+                  "[-syslog[=FACILITY]] "
+                  "[-p <number of processes>] [-rebuild] "
+                  "[-enable_peer_stats] [-enable_process_stats] "
+                  "[-default_access default_user_access default_group_access] "
+                  "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+                  "[-allow-dotted-principals] "
+                  "[-help]\n");
 #else /* AFS_NT40_ENV */
-               printf ("Usage: ptserver [-database <db path>] "
-                       "[-p <number of processes>] [-rebuild] "
-                       "[-help]\n");
+           printf("Usage: ptserver [-database <db path>] "
+                  "[-auditlog <log path>] [-d <debug level>] "
+                  "[-default_access default_user_access default_group_access] "
+                  "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+                  "[-allow-dotted-principals] "
+                  "[-p <number of processes>] [-rebuild] " "[-help]\n");
 #endif
 #endif
-               fflush(stdout);
+           fflush(stdout);
 
            PT_EXIT(1);
        }
 #if defined(SUPERGROUPS)
        else {
-           fprintf (stderr, "Unrecognized arg: '%s' ignored!\n", arg);
+           fprintf(stderr, "Unrecognized arg: '%s' ignored!\n", arg);
        }
 #endif
     }
 
-    OpenLog(AFSDIR_SERVER_PTLOG_FILEPATH);     /* set up logging */
+#ifndef AFS_NT40_ENV
+    serverLogSyslogTag = "ptserver";
+#endif
+    OpenLog(AFSDIR_SERVER_PTLOG_FILEPATH);     /* set up logging */
     SetupLogSignals();
- 
+
     prdir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
     if (!prdir) {
-       fprintf (stderr, "ptserver: can't open configuration directory.\n");
+       fprintf(stderr, "ptserver: can't open configuration directory.\n");
        PT_EXIT(1);
     }
     if (afsconf_GetNoAuthFlag(prdir))
-       printf ("ptserver: running unauthenticated\n");
+       printf("ptserver: running unauthenticated\n");
 
-#ifdef AFS_NT40_ENV 
+#ifdef AFS_NT40_ENV
     /* initialize winsock */
-    if (afs_winsockInit()<0) {
-      ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0,
-                         argv[0],0);
-      
-      fprintf(stderr, "ptserver: couldn't initialize winsock. \n");
-      PT_EXIT(1);
+    if (afs_winsockInit() < 0) {
+       ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
+
+       fprintf(stderr, "ptserver: couldn't initialize winsock. \n");
+       PT_EXIT(1);
     }
 #endif
     /* get this host */
-    gethostname(hostname,sizeof(hostname));
+    gethostname(hostname, sizeof(hostname));
     th = gethostbyname(hostname);
     if (!th) {
-       fprintf (stderr, "ptserver: couldn't get address of this host.\n");
+       fprintf(stderr, "ptserver: couldn't get address of this host.\n");
        PT_EXIT(1);
     }
     memcpy(&myHost, th->h_addr, sizeof(afs_int32));
-        
+
     /* get list of servers */
-    code = afsconf_GetExtendedCellInfo(prdir,NULL,"afsprot",
-                       &info, &clones);
+    code =
+       afsconf_GetExtendedCellInfo(prdir, NULL, "afsprot", &info, &clones);
     if (code) {
-       com_err (whoami, code, "Couldn't get server list");
+       afs_com_err(whoami, code, "Couldn't get server list");
        PT_EXIT(2);
     }
     pr_realmName = info.name;
-    pr_realmNameLen = strlen (pr_realmName);
+    pr_realmNameLen = strlen(pr_realmName);
 
 #if 0
     /* get keys */
-    code = afsconf_GetKey(prdir,999,&tkey);
+    code = afsconf_GetKey(prdir, 999, &tkey);
     if (code) {
-       com_err (whoami, code, "couldn't get bcrypt keys from key file, ignoring.");
+       afs_com_err(whoami, code,
+               "couldn't get bcrypt keys from key file, ignoring.");
     }
 #endif
-    {   afs_int32 kvno;                        /* see if there is a KeyFile here */
+    {
+       afs_int32 kvno;         /* see if there is a KeyFile here */
        struct ktc_encryptionKey key;
-       code = afsconf_GetLatestKey (prdir, &kvno, &key);
+       code = afsconf_GetLatestKey(prdir, &kvno, &key);
        kerberosKeys = (code == 0);
        if (!kerberosKeys)
-           printf ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n", code);
+           printf
+               ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n",
+                code);
     }
     if (kerberosKeys) {
        /* initialize ubik */
@@ -398,14 +486,38 @@ void main (argc, argv)
      * CoEntry this adds up to as much as 1+1+39*3 = 119.  If all these entries
      * and the header are in separate Ubik buffers then 120 buffers may be
      * required. */
-    ubik_nBuffers = 120 + /*fudge*/40;
-    code = ubik_ServerInitByInfo(myHost, htons(AFSCONF_PROTPORT), &info,
-                           &clones, pr_dbaseName, &dbase);
+    ubik_nBuffers = 120 + /*fudge */ 40;
+
+    if (rxBind) {
+       afs_int32 ccode;
+       if (AFSDIR_SERVER_NETRESTRICT_FILEPATH || 
+           AFSDIR_SERVER_NETINFO_FILEPATH) {
+           char reason[1024];
+           ccode = parseNetFiles(SHostAddrs, NULL, NULL,
+                                          ADDRSPERSITE, reason,
+                                          AFSDIR_SERVER_NETINFO_FILEPATH,
+                                          AFSDIR_SERVER_NETRESTRICT_FILEPATH);
+       } else 
+       {
+           ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
+       }
+       if (ccode == 1) {
+           host = SHostAddrs[0];
+           /* the following call is idempotent so if/when it gets called
+            * again by the ubik init stuff, it doesn't really matter
+            * -- klm
+            */
+           rx_InitHost(host, htons(AFSCONF_PROTPORT));
+       }
+    }
+
+    code =
+       ubik_ServerInitByInfo(myHost, htons(AFSCONF_PROTPORT), &info, &clones,
+                             pr_dbaseName, &dbase);
     if (code) {
-       com_err (whoami, code, "Ubik init failed");
+       afs_com_err(whoami, code, "Ubik init failed");
        PT_EXIT(2);
     }
-
 #if defined(SUPERGROUPS)
     pt_hook_write();
 #endif
@@ -413,34 +525,45 @@ void main (argc, argv)
     sc[0] = rxnull_NewServerSecurityObject();
     sc[1] = 0;
     if (kerberosKeys) {
-       sc[2] = rxkad_NewServerSecurityObject
-           (0, prdir, afsconf_GetKey, NULL);
-    }
-    else sc[2] = sc[0];
+       sc[2] = rxkad_NewServerSecurityObject(0, prdir, afsconf_GetKey, NULL);
+    } else
+       sc[2] = sc[0];
 
     /* Disable jumbograms */
     rx_SetNoJumbo();
 
-    tservice = rx_NewService(0,PRSRV,"Protection Server",sc,3,PR_ExecuteRequest);
+    if (rxMaxMTU != -1) {
+       rx_SetMaxMTU(rxMaxMTU);
+    }
+
+    tservice =
+       rx_NewServiceHost(host, 0, PRSRV, "Protection Server", sc, 3,
+                     PR_ExecuteRequest);
     if (tservice == (struct rx_service *)0) {
-       fprintf (stderr, "ptserver: Could not create new rx service.\n");
+       fprintf(stderr, "ptserver: Could not create new rx service.\n");
        PT_EXIT(3);
     }
-    rx_SetMinProcs(tservice,2);
-    rx_SetMaxProcs(tservice,lwps);
+    rx_SetMinProcs(tservice, 2);
+    rx_SetMaxProcs(tservice, lwps);
+    if (rxkadDisableDotCheck) {
+        rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS,
+                                    (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK);
+    }
 
-    tservice = rx_NewService(0,RX_STATS_SERVICE_ID,"rpcstats",sc,3,RXSTATS_ExecuteRequest);
+    tservice =
+       rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", sc, 3,
+                     RXSTATS_ExecuteRequest);
     if (tservice == (struct rx_service *)0) {
-       fprintf (stderr, "ptserver: Could not create new rx service.\n");
+       fprintf(stderr, "ptserver: Could not create new rx service.\n");
        PT_EXIT(3);
     }
-    rx_SetMinProcs(tservice,2);
-    rx_SetMaxProcs(tservice,4);
+    rx_SetMinProcs(tservice, 2);
+    rx_SetMaxProcs(tservice, 4);
 
     /* allow super users to manage RX statistics */
     rx_SetRxStatUserOk(pr_rxstat_userok);
 
     rx_StartServer(1);
-    osi_audit (PTS_FinishEvent, -1, AUD_END);
+    osi_audit(PTS_FinishEvent, -1, AUD_END);
     exit(0);
 }