From: Benjamin Kaduk <kaduk@mit.edu>
Date: Sun, 9 Sep 2018 15:44:38 +0000 (-0500)
Subject: OPENAFS-SA-2018-001 backup: use authenticated connection to butc
X-Git-Tag: openafs-devel-1_9_0~457
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=345ee34236c08a0a2fb3fff016edfa18c7af4b0a

OPENAFS-SA-2018-001 backup: use authenticated connection to butc

Use the standard routine to pick a client security object, instead of
always assuming rxnull.  Respect -localauth as well as being able to
use the current user's tokens, but also provide a -nobutcauth argument
to fall back to the historical rxnull behavior (but only for the connections
to butc; vldb and budb connections are not affected).

Change-Id: Ibf8ebe5521bee8d0f7162527e26bc5541d07910d
---

diff --git a/doc/man-pages/pod8/backup.pod b/doc/man-pages/pod8/backup.pod
index f8e2ebc..0900fe6 100644
--- a/doc/man-pages/pod8/backup.pod
+++ b/doc/man-pages/pod8/backup.pod
@@ -194,6 +194,18 @@ interactive mode. The local identity and AFS tokens with which the
 B<backup> command interpreter enters interactive mode apply to all
 commands issued during the interactive session.
 
+=item B<-nobutcauth>
+
+Prior to the fix for OPENAFS-SA-2018-001, B<butc> did not allow incoming
+connections to be authenticated.  As part of that fix, B<backup> was modified
+to authenticate to the B<butc> services when possible, but a B<backup> utility
+with the security fix will not interoperate with a B<butc> that lacks the fix
+unless this option is passed, which forces the use of unauthenticated
+connections to the B<butc>.  Use of this option is strongly disrecommended,
+and it is provided only for backwards compatibility in environments where
+B<backup> and B<butc> communicate over a secure network environment that denies
+access to untrusted parties.
+
 =item B<-portoffset> <I<TC port offset>>
 
 Specifies the port offset number of the Tape Coordinator that is to
diff --git a/src/bucoord/bucoord_internal.h b/src/bucoord/bucoord_internal.h
index 543bf00..7866f47 100644
--- a/src/bucoord/bucoord_internal.h
+++ b/src/bucoord/bucoord_internal.h
@@ -117,6 +117,8 @@ extern afs_int32 bc_UpdateDumpSchedule(void);
 extern int bc_SaveDumpSchedule(void);
 
 /* main.c */
+extern int localauth, nobutcauth;
+extern char tcell[];
 extern time_t tokenExpires;
 extern afs_int32 doDispatch(afs_int32, char *[], afs_int32);
 extern void bc_HandleMisc(afs_int32 code);
diff --git a/src/bucoord/dump.c b/src/bucoord/dump.c
index 5d1f58a..e0b3ced 100644
--- a/src/bucoord/dump.c
+++ b/src/bucoord/dump.c
@@ -17,6 +17,7 @@
 #include <roken.h>
 
 #include <afs/cmd.h>
+#include <afs/cellconfig.h>
 #include <lwp.h>
 #include <rx/rx.h>
 #include <afs/bubasics.h>
@@ -470,15 +471,40 @@ bc_GetConn(struct bc_config *aconfig, afs_int32 aport,
 	   struct rx_connection **tconn)
 {
     afs_uint32 host;
+    afs_int32 code;
     unsigned short port;
     static struct rx_securityClass *rxsc;
+    static afs_int32 scIndex;
     struct bc_hostEntry *te;
 
     *tconn = (struct rx_connection *)0;
 
     /* use non-secure connections to butc */
-    if (!rxsc)
-	rxsc = rxnull_NewClientSecurityObject();
+    if (!rxsc) {
+	struct afsconf_dir *dir;
+	afsconf_secflags flags = AFSCONF_SECOPTS_FALLBACK_NULL;
+	char *cname;
+
+	if (nobutcauth)
+	    flags |= AFSCONF_SECOPTS_NOAUTH;
+	if (localauth) {
+	    flags |= AFSCONF_SECOPTS_LOCALAUTH;
+	    dir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
+	} else {
+	    dir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH);
+	}
+	if (tcell[0] == '\0')
+	    cname = NULL;
+	else
+	    cname = tcell;
+	/* No need for cell info since butc is not a registered service */
+	code = afsconf_PickClientSecObj(dir, flags, NULL, cname, &rxsc, &scIndex,
+					NULL);
+	if (dir)
+	    afsconf_Close(dir);
+	if (code)
+	    return -1;
+    }
     if (!rxsc || !aconfig)
 	return (-1);
 
@@ -491,8 +517,8 @@ bc_GetConn(struct bc_config *aconfig, afs_int32 aport,
 
 	    port = htons(BC_TAPEPORT + aport);
 
-	    /* servers is 1; sec index is 0 */
-	    *tconn = rx_NewConnection(host, port, 1, rxsc, 0);
+	    /* servers is 1 */
+	    *tconn = rx_NewConnection(host, port, 1, rxsc, scIndex);
 	    return ((*tconn ? 0 : -1));
 	}
     }
diff --git a/src/bucoord/main.c b/src/bucoord/main.c
index 34a3a79..d2a5f36 100644
--- a/src/bucoord/main.c
+++ b/src/bucoord/main.c
@@ -41,7 +41,7 @@
 #include "bucoord_internal.h"
 #include "bucoord_prototypes.h"
 
-int localauth, interact;
+int localauth, interact, nobutcauth;
 char tcell[64];
 
 /*
@@ -292,6 +292,7 @@ MyBeforeProc(struct cmd_syndesc *as, void *arock)
     /* Handling the command line opcode */
     if (!bcInit) {
 	localauth = ((as && as->parms[14].items) ? 1 : 0);
+	nobutcauth = ((as && as->parms[16].items) ? 1 : 0);
 	if (as && as->parms[15].items)
 	    strcpy(tcell, as->parms[15].items->data);
 	else
@@ -432,6 +433,8 @@ add_std_args(struct cmd_syndesc *ts)
     cmd_AddParm(ts, "-localauth", CMD_FLAG, CMD_OPTIONAL,
 		"local authentication");
     cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
+    cmd_AddParm(ts, "-nobutcauth", CMD_FLAG, CMD_OPTIONAL,
+		"no authentication to butc");
 }
 
 int