Add "PerFileAccessCheck" registry value.

The HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon
"PerFileAccessCheck" registry value (DWORD) is intended for
use only by developers who wish to test how Windows would
behave if a per-file access rights check was performed.

Windows performs all access rights checks using the directory
access rights.  There is no support for the VL_DFSFILESET flag.
During CreateFile() processing the requested access rights are
checked against the access rights reported by the file server
for the directory.  If the reported rights are more permissive than
the effective access rights for the file, Windows applications
(including the Explorer Shell) will behave quite poorly.  In other
words, if the request is for write privilege and the CreateFile()
successfully opens the file with write privilege, subsequently
reporting an access denied on a WriteFile() call will result in
very poor behavior.

The addition of this option is simply to make it easier on
developers to test various prototype solutions for adding per-file
access rights.

LICENSE MIT

Reviewed-on: http://gerrit.openafs.org/15
Reviewed-by: Asanka Herath <asanka@gmail.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Verified-by: Jeffrey Altman <jaltman@openafs.org>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>

diff --git a/src/WINNT/afsd/afsd_init.c b/src/WINNT/afsd/afsd_init.c
index 032e589..bcf3302 100644 (file)
--- a/src/WINNT/afsd/afsd_init.c
+++ b/src/WINNT/afsd/afsd_init.c
@@ -1145,6 +1145,14 @@ int afsd_InitCM(char **reasonP)
     } 
     afsi_log("CM FollowBackupPath is %u", cm_followBackupPath);
 
+    dummyLen = sizeof(DWORD);
+    code = RegQueryValueEx(parmKey, "PerFileAccessCheck", NULL, NULL,
+                           (BYTE *) &dwValue, &dummyLen);
+    if (code == ERROR_SUCCESS) {
+        cm_accessPerFileCheck = (int) dwValue;
+    } 
+    afsi_log("CM PerFileAccessCheck is %d", cm_accessPerFileCheck);
+
     RegCloseKey (parmKey);
 
     cacheBlocks = ((afs_uint64)cacheSize * 1024) / blockSize;

diff --git a/src/WINNT/afsd/cm_access.c b/src/WINNT/afsd/cm_access.c
index 57ca0aa..b9ebaed 100644 (file)
--- a/src/WINNT/afsd/cm_access.c
+++ b/src/WINNT/afsd/cm_access.c
@@ -20,6 +20,7 @@
 #include "afsd.h"
 
 int cm_deleteReadOnly = 0;
+int cm_accessPerFileCheck = 0;
 
 /* called with scp write-locked, check to see if we have the ACL info we need
  * and can get it w/o blocking for any locks.
@@ -40,7 +41,7 @@ int cm_HaveAccessRights(struct cm_scache *scp, struct cm_user *userp, afs_uint32
     int release = 0;    /* Used to avoid a call to cm_HoldSCache in the directory case */
 
     didLock = 0;
-    if (scp->fileType == CM_SCACHETYPE_DIRECTORY) {
+    if (scp->fileType == CM_SCACHETYPE_DIRECTORY || cm_accessPerFileCheck) {
         aclScp = scp;   /* not held, not released */
     } else {
         cm_SetFid(&tfid, scp->fid.cell, scp->fid.volume, scp->parentVnode, scp->parentUnique);
@@ -155,7 +156,7 @@ long cm_GetAccessRights(struct cm_scache *scp, struct cm_user *userp,
     /* first, start by finding out whether we have a directory or something
      * else, so we can find what object's ACL we need.
      */
-    if (scp->fileType == CM_SCACHETYPE_DIRECTORY ) {
+    if (scp->fileType == CM_SCACHETYPE_DIRECTORY || cm_accessPerFileCheck) {
        code = cm_SyncOp(scp, NULL, userp, reqp, 0,
                         CM_SCACHESYNC_NEEDCALLBACK | CM_SCACHESYNC_GETSTATUS | CM_SCACHESYNC_FORCECB);
        if (!code) 
@@ -179,8 +180,8 @@ long cm_GetAccessRights(struct cm_scache *scp, struct cm_user *userp,
        if (!code)
            cm_SyncOpDone(aclScp, NULL, 
                          CM_SCACHESYNC_NEEDCALLBACK | CM_SCACHESYNC_GETSTATUS);
-    else 
-        osi_Log3(afsd_logp, "GetAccessRights parent syncop failure scp %x user %x code %x", aclScp, userp, code);
+        else 
+            osi_Log3(afsd_logp, "GetAccessRights parent syncop failure scp %x user %x code %x", aclScp, userp, code);
        lock_ReleaseWrite(&aclScp->rw);
         cm_ReleaseSCache(aclScp);
         lock_ObtainWrite(&scp->rw);

diff --git a/src/WINNT/afsd/cm_access.h b/src/WINNT/afsd/cm_access.h
index b5f7d2a..2dd8deb 100644 (file)
--- a/src/WINNT/afsd/cm_access.h
+++ b/src/WINNT/afsd/cm_access.h
@@ -18,4 +18,5 @@ extern int cm_HaveAccessRights(struct cm_scache *scp, struct cm_user *up,
 extern long cm_GetAccessRights(struct cm_scache *scp, struct cm_user *up,
        struct cm_req *reqp);
 
+extern int cm_accessPerFileCheck;
 #endif /*  _CM_ACCESS_H_ENV__ */