#endif
#include <sys/types.h>
#include <stdio.h>
+#include <fcntl.h>
+#include <sys/stat.h>
#ifdef AFS_NT40_ENV
#include <winsock2.h>
#include <WINNT/afsevent.h>
#include <netdb.h>
#include <netinet/in.h>
#endif
-#ifdef HAVE_STRING_H
#include <string.h>
-#else
-#ifdef HAVE_STRINGS_H
-#include <strings.h>
-#endif
-#endif
#include <rx/xdr.h>
#include <rx/rx.h>
#include <rx/rx_globals.h>
#include <afs/auth.h>
#include <afs/keys.h>
#include "ptserver.h"
+#include "ptprototypes.h"
#include "error_macros.h"
#include "afs/audit.h"
#include <afs/afsutil.h>
-
+#include <afs/com_err.h>
+#include <rx/rxstat.h>
/* make all of these into a structure if you want */
struct prheader cheader;
extern afs_int32 depthsg;
#endif
-extern int afsconf_ServerAuth();
-extern int afsconf_CheckAuth();
-
int pr_realmNameLen;
char *pr_realmName;
+int debuglevel = 0;
+int restricted = 0;
+int rxMaxMTU = -1;
+int rxBind = 0;
+int rxkadDisableDotCheck = 0;
+
+#define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
+afs_uint32 SHostAddrs[ADDRSPERSITE];
+
static struct afsconf_cell info;
+extern int prp_group_default;
+extern int prp_user_default;
+
#include "AFS_component_version_number.c"
+int
+prp_access_mask(char *s)
+{
+ int r;
+ if (*s >= '0' && *s <= '9') {
+ return strtol(s, NULL, 0);
+ }
+ r = 0;
+ while (*s) switch(*s++)
+ {
+ case 'S': r |= PRP_STATUS_ANY; break;
+ case 's': r |= PRP_STATUS_MEM; break;
+ case 'O': r |= PRP_OWNED_ANY; break;
+ case 'M': r |= PRP_MEMBER_ANY; break;
+ case 'm': r |= PRP_MEMBER_MEM; break;
+ case 'A': r |= PRP_ADD_ANY; break;
+ case 'a': r |= PRP_ADD_MEM; break;
+ case 'r': r |= PRP_REMOVE_MEM; break;
+ }
+ return r;
+}
+
/* check whether caller is authorized to manage RX statistics */
int
-pr_rxstat_userok(call)
- struct rx_call *call;
+pr_rxstat_userok(struct rx_call *call)
{
return afsconf_SuperUser(prdir, call, NULL);
}
struct rx_service *tservice;
struct rx_securityClass *sc[3];
extern int RXSTATS_ExecuteRequest();
- extern int PR_ExecuteRequest();
#if 0
struct ktc_encryptionKey tkey;
#endif
int kerberosKeys; /* set if found some keys */
int lwps = 3;
char clones[MAXHOSTSPERCELL];
+ afs_uint32 host = htonl(INADDR_ANY);
const char *pr_dbaseName;
char *whoami = "ptserver";
sigaction(SIGABRT, &nsa, NULL);
sigaction(SIGSEGV, &nsa, NULL);
#endif
+ osi_audit_init();
osi_audit(PTS_StartEvent, 0, AUD_END);
/* Initialize dirpaths */
int alen;
lcstring(arg, argv[a], sizeof(arg));
alen = strlen(arg);
- if ((strncmp(arg, "-database", alen) == 0)
+ if (strcmp(argv[a], "-d") == 0) {
+ if ((a + 1) >= argc) {
+ fprintf(stderr, "missing argument for -d\n");
+ return -1;
+ }
+ debuglevel = atoi(argv[++a]);
+ LogLevel = debuglevel;
+ } else if ((strncmp(arg, "-database", alen) == 0)
|| (strncmp(arg, "-db", alen) == 0)) {
pr_dbaseName = argv[++a]; /* specify a database */
} else if (strncmp(arg, "-p", alen) == 0) {
depthsg = atoi(argv[++a]); /* Max search depth for supergroups */
}
#endif
+ else if (strncmp(arg, "-default_access", alen) == 0) {
+ prp_user_default = prp_access_mask(argv[++a]);
+ prp_group_default = prp_access_mask(argv[++a]);
+ }
+ else if (strncmp(arg, "-restricted", alen) == 0) {
+ restricted = 1;
+ }
+ else if (strncmp(arg, "-rxbind", alen) == 0) {
+ rxBind = 1;
+ }
+ else if (strncmp(arg, "-allow-dotted-principals", alen) == 0) {
+ rxkadDisableDotCheck = 1;
+ }
else if (strncmp(arg, "-enable_peer_stats", alen) == 0) {
rx_enablePeerRPCStats();
} else if (strncmp(arg, "-enable_process_stats", alen) == 0) {
serverLogSyslogFacility = atoi(arg + 8);
}
#endif
+ else if (strncmp(arg, "-auditlog", alen) == 0) {
+ char *fileName = argv[++a];
+
+ osi_audit_file(fileName);
+ osi_audit(PTS_StartEvent, 0, AUD_END);
+ }
+ else if (!strncmp(arg, "-rxmaxmtu", alen)) {
+ if ((a + 1) >= argc) {
+ fprintf(stderr, "missing argument for -rxmaxmtu\n");
+ PT_EXIT(1);
+ }
+ rxMaxMTU = atoi(argv[++a]);
+ if ((rxMaxMTU < RX_MIN_PACKET_SIZE) ||
+ (rxMaxMTU > RX_MAX_PACKET_DATA_SIZE)) {
+ printf("rxMaxMTU %lu invalid; must be between %d-%d\n",
+ rxMaxMTU, RX_MIN_PACKET_SIZE,
+ RX_MAX_PACKET_DATA_SIZE);
+ PT_EXIT(1);
+ }
+ }
else if (*arg == '-') {
/* hack in help flag support */
#if defined(SUPERGROUPS)
#ifndef AFS_NT40_ENV
printf("Usage: ptserver [-database <db path>] "
- "[-syslog[=FACILITY]] "
+ "[-auditlog <log path>] "
+ "[-syslog[=FACILITY]] [-d <debug level>] "
"[-p <number of processes>] [-rebuild] "
"[-groupdepth <depth>] "
+ "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+ "[-allow-dotted-principals] "
"[-enable_peer_stats] [-enable_process_stats] "
+ "[-default_access default_user_access default_group_access] "
"[-help]\n");
#else /* AFS_NT40_ENV */
printf("Usage: ptserver [-database <db path>] "
- "[-p <number of processes>] [-rebuild] "
+ "[-auditlog <log path>] [-d <debug level>] "
+ "[-p <number of processes>] [-rebuild] [-rxbind] "
+ "[-allow-dotted-principals] "
+ "[-default_access default_user_access default_group_access] "
+ "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
"[-groupdepth <depth>] " "[-help]\n");
#endif
#else
#ifndef AFS_NT40_ENV
printf("Usage: ptserver [-database <db path>] "
+ "[-auditlog <log path>] [-d <debug level>] "
"[-syslog[=FACILITY]] "
"[-p <number of processes>] [-rebuild] "
"[-enable_peer_stats] [-enable_process_stats] "
+ "[-default_access default_user_access default_group_access] "
+ "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+ "[-allow-dotted-principals] "
"[-help]\n");
#else /* AFS_NT40_ENV */
printf("Usage: ptserver [-database <db path>] "
+ "[-auditlog <log path>] [-d <debug level>] "
+ "[-default_access default_user_access default_group_access] "
+ "[-restricted] [-rxmaxmtu <bytes>] [-rxbind] "
+ "[-allow-dotted-principals] "
"[-p <number of processes>] [-rebuild] " "[-help]\n");
#endif
#endif
code =
afsconf_GetExtendedCellInfo(prdir, NULL, "afsprot", &info, &clones);
if (code) {
- com_err(whoami, code, "Couldn't get server list");
+ afs_com_err(whoami, code, "Couldn't get server list");
PT_EXIT(2);
}
pr_realmName = info.name;
/* get keys */
code = afsconf_GetKey(prdir, 999, &tkey);
if (code) {
- com_err(whoami, code,
+ afs_com_err(whoami, code,
"couldn't get bcrypt keys from key file, ignoring.");
}
#endif
if (kerberosKeys) {
/* initialize ubik */
ubik_CRXSecurityProc = afsconf_ClientAuth;
- ubik_CRXSecurityRock = (char *)prdir;
+ ubik_CRXSecurityRock = prdir;
ubik_SRXSecurityProc = afsconf_ServerAuth;
- ubik_SRXSecurityRock = (char *)prdir;
+ ubik_SRXSecurityRock = prdir;
ubik_CheckRXSecurityProc = afsconf_CheckAuth;
- ubik_CheckRXSecurityRock = (char *)prdir;
+ ubik_CheckRXSecurityRock = prdir;
}
/* The max needed is when deleting an entry. A full CoEntry deletion
* required removal from 39 entries. Each of which may refers to the entry
* and the header are in separate Ubik buffers then 120 buffers may be
* required. */
ubik_nBuffers = 120 + /*fudge */ 40;
+
+ if (rxBind) {
+ afs_int32 ccode;
+ if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
+ AFSDIR_SERVER_NETINFO_FILEPATH) {
+ char reason[1024];
+ ccode = parseNetFiles(SHostAddrs, NULL, NULL,
+ ADDRSPERSITE, reason,
+ AFSDIR_SERVER_NETINFO_FILEPATH,
+ AFSDIR_SERVER_NETRESTRICT_FILEPATH);
+ } else
+ {
+ ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
+ }
+ if (ccode == 1) {
+ host = SHostAddrs[0];
+ /* the following call is idempotent so if/when it gets called
+ * again by the ubik init stuff, it doesn't really matter
+ * -- klm
+ */
+ rx_InitHost(host, htons(AFSCONF_PROTPORT));
+ }
+ }
+
code =
- ubik_ServerInitByInfo(myHost, htons(AFSCONF_PROTPORT), &info, &clones,
+ ubik_ServerInitByInfo(myHost, htons(AFSCONF_PROTPORT), &info, clones,
pr_dbaseName, &dbase);
if (code) {
- com_err(whoami, code, "Ubik init failed");
+ afs_com_err(whoami, code, "Ubik init failed");
PT_EXIT(2);
}
#if defined(SUPERGROUPS)
/* Disable jumbograms */
rx_SetNoJumbo();
+ if (rxMaxMTU != -1) {
+ rx_SetMaxMTU(rxMaxMTU);
+ }
+
tservice =
- rx_NewService(0, PRSRV, "Protection Server", sc, 3,
+ rx_NewServiceHost(host, 0, PRSRV, "Protection Server", sc, 3,
PR_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
fprintf(stderr, "ptserver: Could not create new rx service.\n");
}
rx_SetMinProcs(tservice, 2);
rx_SetMaxProcs(tservice, lwps);
+ if (rxkadDisableDotCheck) {
+ rx_SetSecurityConfiguration(tservice, RXS_CONFIG_FLAGS,
+ (void *)RXS_CONFIG_FLAGS_DISABLE_DOTCHECK);
+ }
tservice =
- rx_NewService(0, RX_STATS_SERVICE_ID, "rpcstats", sc, 3,
+ rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", sc, 3,
RXSTATS_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
fprintf(stderr, "ptserver: Could not create new rx service.\n");