[Pvfs2-cvs] commit by nlmills in pvfs2/src/server: check.c remove.sm
CVS commit program
cvs at parl.clemson.edu
Thu Jul 31 13:54:36 EDT 2008
Update of /anoncvs/pvfs2/src/server
In directory parlweb1:/tmp/cvs-serv6536/src/server
Modified Files:
Tag: cu-security-branch
check.c remove.sm
Log Message:
Index: check.c
===================================================================
RCS file: /anoncvs/pvfs2/src/server/check.c,v
diff -p -u -r1.1.8.16 -r1.1.8.17
--- check.c 31 Jul 2008 14:41:23 -0000 1.1.8.16
+++ check.c 31 Jul 2008 17:54:36 -0000 1.1.8.17
@@ -4,7 +4,7 @@
* Changes by Acxiom Corporation to add PINT_check_mode() helper function
* as a replacement for check_mode() in permission checking, also added
* PINT_check_group() for supplimental group support
- * Copyright © Acxiom Corporation, 2005.
+ * Copyright Acxiom Corporation, 2005.
*
* See COPYING in top-level directory.
*/
@@ -229,10 +229,13 @@ void PINT_getattr_check_perms(struct PIN
struct PINT_server_op *s_op = PINT_sm_frame(smcb, PINT_FRAME_CURRENT);
int i;
int acl_error_code = 0;
+
+ *op_mask = 0;
+ /* root has every possible capability */
if (uid == 0)
{
- *op_mask = ~0;
+ *op_mask = ~0L;
return;
}
@@ -242,19 +245,28 @@ void PINT_getattr_check_perms(struct PIN
{
acl_error_code = PINT_check_acls(s_op->val.buffer, s_op->val.read_sz,
&attr, uid, gid[i], PVFS2_ACL_READ);
- if (acl_error_code == 0) *op_mask |= PINT_CAP_READ;
- else if (acl_error_code == -PVFS_EIO) break;
- acl_error_code = 0;
+ if (!acl_error_code)
+ {
+ *op_mask |= PINT_CAP_READ;
+ }
+ else if (acl_error_code == -PVFS_EIO)
+ {
+ break;
+ }
acl_error_code = PINT_check_acls(s_op->val.buffer, s_op->val.read_sz,
&attr, uid, gid[i], PVFS2_ACL_WRITE);
- if (acl_error_code == 0) *op_mask |= PINT_CAP_WRITE;
- acl_error_code = 0;
+ if (!acl_error_code)
+ {
+ *op_mask |= PINT_CAP_WRITE;
+ }
acl_error_code = PINT_check_acls(s_op->val.buffer, s_op->val.read_sz,
&attr, uid, gid[i], PVFS2_ACL_EXECUTE);
- if (acl_error_code == 0) *op_mask |= PINT_CAP_EXEC;
- acl_error_code = 0;
+ if (!acl_error_code)
+ {
+ *op_mask |= PINT_CAP_EXEC;
+ }
}
/* only check standard permissions if ACL is not in place */
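Review bot: With the three `acl_error_code = 0;` resets removed, the value left after the loop is whatever the last `PVFS2_ACL_EXECUTE` check returned, not only `-PVFS_EIO` from the `break`. The condition under the "only check standard permissions if ACL is not in place" comment is outside this hunk. If it tests `acl_error_code`, an ACL that simply denies execute would now fall through to the mode-bit checks and could add capabilities the ACL withheld. Either keep a reset at the end of the loop body (`acl_error_code = 0;`) or record the "no ACL present" case in its own flag set next to the `break`. The WRITE and EXECUTE calls also ignore `-PVFS_EIO`, unlike the READ call.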
@@ -266,21 +278,42 @@ void PINT_getattr_check_perms(struct PIN
{
if (attr.group == gid[i]) break;
}
+ /* reset to prevent overflow */
+ if (i == num_groups)
+ {
+ i = 0;
+ }
- if (PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_READABLE) == 0)
+ if (!PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_READABLE))
+ {
*op_mask |= PINT_CAP_READ;
- if (PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_WRITABLE) == 0)
+ }
+
+ if (!PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_WRITABLE))
+ {
*op_mask |= PINT_CAP_WRITE;
- if (PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_EXECUTABLE) == 0)
+ }
+
+ if (!PINT_check_mode(&attr, uid, gid[i], PINT_ACCESS_EXECUTABLE))
+ {
*op_mask |= PINT_CAP_EXEC;
+ }
}
/* give setattr and remove/create caps based on uid and op_mask */
+
+ /* TODO: fix this nasty ownership issue */
if (uid == attr.owner || attr.owner == 0)
+ {
*op_mask |= PINT_CAP_SETATTR;
+ }
+
+ /* write access to directories allows create and remove */
if (attr.objtype == PVFS_TYPE_DIRECTORY
- && *op_mask & PINT_ACCESS_WRITABLE)
+ && *op_mask & PINT_ACCESS_WRITABLE)
+ {
*op_mask |= PINT_CAP_REMOVE | PINT_CAP_CREATE;
+ }
}
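Review bot: The directory test at the end of this hunk masks `*op_mask` with `PINT_ACCESS_WRITABLE`, but every bit OR-ed into `*op_mask` above is a `PINT_CAP_*` value. Unless the two constants happen to be equal (their definitions are not visible here), `PINT_CAP_REMOVE | PINT_CAP_CREATE` is keyed to the wrong bit; it should read `&& (*op_mask & PINT_CAP_WRITE))`. The new `if (i == num_groups) i = 0;` guard stops the read past the end of `gid`, but it still dereferences `gid[0]` when `num_groups` is 0, so that case needs its own handling if callers can pass an empty group list. The TODO above `attr.owner == 0` should also state the consequence, that any uid receives `PINT_CAP_SETATTR` on root-owned objects. The function begins outside the hunk.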
Index: remove.sm
===================================================================
RCS file: /anoncvs/pvfs2/src/server/remove.sm,v
diff -p -u -r1.60.2.3 -r1.60.2.4
--- remove.sm 31 Jul 2008 14:41:24 -0000 1.60.2.3
+++ remove.sm 31 Jul 2008 17:54:36 -0000 1.60.2.4
@@ -389,16 +389,8 @@ static int perm_remove(PINT_server_op *s
{
int ret;
- /* temporary stop-gap till we figure out how to handle removal tasks */
- /* TODO: Fix this */
- if (1 || s_op->req->capability.op_mask & PINT_CAP_REMOVE)
- {
- ret = 0;
- }
- else
- {
- ret = -PVFS_EACCES;
- }
+ /* TODO: find a way to check permissions on the parent directory */
+ ret = 0;
return ret;
}
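Review bot: `perm_remove` now returns 0 unconditionally, so this permission hook never rejects a remove, and `PINT_CAP_REMOVE` in the request capability is no longer referenced in the function. The removed code behaved the same way because of the `1 ||`, but it kept the intended check visible. The new TODO does not say that the hook is fail-open. I would state that explicitly, e.g. `/* SECURITY: remove is not permission-checked; every request passes until the parent directory's capability can be verified */`. The body can then be reduced to `return 0;`.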