source: server/common/patches/openafs-scripts.patch @ 1070

Last change on this file since 1070 was 1070, checked in by mitchb, 17 years ago
Build system fixes to upgrade to OpenAFS 1.4.10 Pulls in fixes for CVE-2009-1250 and CVE-2009-1251, among other enhancements and bugfixes.
File size: 8.0 KB
RevLine 
[1]1# scripts.mit.edu openafs patch
2# Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
[259]3# with modifications by Joe Presbrey <presbrey@mit.edu>
[628]4# and Anders Kaseorg <andersk@mit.edu>
[1]5#
[622]6# This file is available under both the MIT license and the GPL.
7#
8
9# Permission is hereby granted, free of charge, to any person obtaining a copy
10# of this software and associated documentation files (the "Software"), to deal
11# in the Software without restriction, including without limitation the rights
12# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
13# copies of the Software, and to permit persons to whom the Software is
14# furnished to do so, subject to the following conditions:
15#
16# The above copyright notice and this permission notice shall be included in
17# all copies or substantial portions of the Software.
18#
19# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
20# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
21# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
22# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
23# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
24# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
25# THE SOFTWARE.
26#
27
[1]28# This program is free software; you can redistribute it and/or
29# modify it under the terms of the GNU General Public License
30# as published by the Free Software Foundation; either version 2
31# of the License, or (at your option) any later version.
32#
33# This program is distributed in the hope that it will be useful,
34# but WITHOUT ANY WARRANTY; without even the implied warranty of
35# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
36# GNU General Public License for more details.
37#
38# You should have received a copy of the GNU General Public License
39# along with this program; if not, write to the Free Software
40# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
41#
42# See /COPYRIGHT in this repository for more information.
43#
[628]44diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
[1070]45--- openafs-1.4/src/afs/afs_analyze.c   2008-10-27 19:54:06.000000000 -0400
46+++ openafs-1.4+scripts/src/afs/afs_analyze.c   2009-04-08 08:07:22.000000000 -0400
47@@ -585,7 +585,7 @@
[1]48                         (afid ? afid->Fid.Volume : 0));
49        }
50 
51-       if (areq->busyCount > 100) {
52+       if (1) {
53            if (aerrP)
54                (aerrP->err_Volume)++;
55            areq->volumeError = VOLBUSY;
[628]56diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
[1070]57--- openafs-1.4/src/afs/afs.h   2009-01-19 14:27:19.000000000 -0500
58+++ openafs-1.4+scripts/src/afs/afs.h   2009-04-08 08:07:22.000000000 -0400
59@@ -208,8 +208,16 @@
60 #define QTOC(e)            QEntry(e, struct cell, lruq)
61 #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
[628]62 
[1]63+#define AFSAGENT_UID (101)
[258]64+#define SIGNUP_UID (102)
[1]65+#define HTTPD_UID (48)
[83]66+#define POSTFIX_UID (89)
[1]67+#define DAEMON_SCRIPTS_PTSID (33554596)
[628]68+extern afs_int32 globalpag;
69+
[1]70 struct vrequest {
71     afs_int32 uid;             /* user id making the request */
72+    afs_int32 realuid;
73     afs_int32 busyCount;       /* how many busies we've seen so far */
74     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
[1070]75     char initd;                        /* if non-zero, Error fields meaningful */
[628]76diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
[1070]77--- openafs-1.4/src/afs/afs_osi_pag.c   2008-10-20 15:29:46.000000000 -0400
78+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c   2009-04-08 08:07:22.000000000 -0400
[628]79@@ -51,6 +51,8 @@
80 #endif
[1]81 /* Local variables */
82 
[55]83+afs_int32 globalpag = 0;
[1]84+
85 /*
86  * Pags are implemented as follows: the set of groups whose long
87  * representation is '41XXXXXX' hex are used to represent the pags.
[1070]88@@ -458,6 +460,15 @@
[1]89        av->uid = acred->cr_ruid;       /* default when no pag is set */
90 #endif
91     }
92+
93+    av->realuid = acred->cr_ruid;
[55]94+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
[1]95+      globalpag = av->uid;
96+    }
[628]97+    else if (globalpag && av->uid == acred->cr_ruid) {
[1]98+      av->uid = globalpag;
99+    }
100+
101     av->initd = 0;
102     return 0;
103 }
[628]104diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
[1070]105--- openafs-1.4/src/afs/afs_pioctl.c    2009-01-19 13:09:34.000000000 -0500
106+++ openafs-1.4+scripts/src/afs/afs_pioctl.c    2009-04-08 08:07:22.000000000 -0400
107@@ -1217,6 +1217,10 @@
[1]108     struct AFSFetchStatus OutStatus;
109     XSTATS_DECLS;
110 
[628]111+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
[1]112+      return EACCES;
113+    }
114+
115     AFS_STATCNT(PSetAcl);
116     if (!avc)
117        return EINVAL;
[1070]118@@ -1437,6 +1441,10 @@
[1]119     struct vrequest treq;
120     afs_int32 flag, set_parent_pag = 0;
121 
[628]122+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
123+       return 0;
[1]124+    }
125+
126     AFS_STATCNT(PSetTokens);
127     if (!afs_resourceinit_flag) {
128        return EIO;
[1070]129@@ -1796,6 +1804,10 @@
[936]130     afs_int32 iterator;
131     int newStyle;
132 
133+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
[937]134+       areq->realuid != 0 && areq->realuid != SIGNUP_UID)
[936]135+       return 0;
136+
137     AFS_STATCNT(PGetTokens);
[1070]138     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
139        return EIO;             /* Inappropriate ioctl for device */
140@@ -1879,6 +1891,10 @@
[1]141     register afs_int32 i;
142     register struct unixuser *tu;
143 
[628]144+    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
145+       return 0;
[1]146+    }
147+
148     AFS_STATCNT(PUnlog);
149     if (!afs_resourceinit_flag)        /* afs daemons haven't started yet */
150        return EIO;             /* Inappropriate ioctl for device */
[628]151diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
[1070]152--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500
153+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400
[628]154@@ -118,6 +118,17 @@
[1]155 
156     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
157        /* rights are just those from acl */
158+
[628]159+      if ( areq->uid == globalpag &&
160+           !(areq->realuid == avc->fid.Fid.Volume) &&
[1]161+           !((avc->anyAccess | arights) == avc->anyAccess) &&
162+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
[258]163+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
[1047]164+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
165+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
[1]166+         return 0;
167+      }
168+
169        return (arights == afs_GetAccessBits(avc, arights, areq));
170     } else {
171        /* some rights come from dir and some from file.  Specifically, you
[628]172@@ -171,6 +182,18 @@
[1]173                    fileBits |= PRSFS_READ;
174            }
175        }
176+       
[628]177+        if ( areq->uid == globalpag &&
178+             !(areq->realuid == avc->fid.Fid.Volume) &&
[1]179+             !((avc->anyAccess | arights) == avc->anyAccess) &&
180+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
[83]181+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
[258]182+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
[1047]183+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
[1048]184+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
[1]185+           return 0;
186+        }
187+
188        return ((fileBits & arights) == arights);       /* true if all rights bits are on */
189     }
190 }
[628]191diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
[1070]192--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c  2009-01-13 14:37:28.000000000 -0500
193+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c  2009-04-08 08:07:22.000000000 -0400
[1]194@@ -87,8 +87,8 @@
195        }
196     }
197 #endif /* AFS_DARWIN_ENV */
198-    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
199-    attrs->va_gid = fakedir ? 0 : avc->m.Group;        /* yeah! */
200+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
201+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
202 #if defined(AFS_SUN56_ENV)
203     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
204 #elif defined(AFS_OSF_ENV)
Note: See TracBrowser for help on using the repository browser.