[Pvfs2-cvs] commit by nlmills in pvfs2/src/server: lookup.sm
CVS commit program
cvs at parl.clemson.edu
Tue Jun 24 14:19:30 EDT 2008
Update of /anoncvs/pvfs2/src/server
In directory parlweb1:/tmp/cvs-serv19987/src/server
Modified Files:
Tag: cu-security-branch
lookup.sm
Log Message:
reverted to an earlier version of the lookup code
Index: lookup.sm
===================================================================
RCS file: /anoncvs/pvfs2/src/server/lookup.sm,v
diff -p -u -r1.57.2.6 -r1.57.2.7
--- lookup.sm 17 Jun 2008 15:42:16 -0000 1.57.2.6
+++ lookup.sm 24 Jun 2008 18:19:25 -0000 1.57.2.7
@@ -58,6 +58,7 @@ machine pvfs2_lookup_sm
{
run lookup_verify_object_metadata;
LOOKUP_CHECK_DIR_ACLS => read_directory_acls;
+ success => read_directory_entry_handle;
default => setup_resp;
}
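Review bot: The new `success => read_directory_entry_handle;` transition bypasses `read_directory_acls` whenever lookup_verify_object_metadata leaves `js_p->error_code` at 0, so a directory ACL is consulted only after the mode-bit check has already denied traversal. With that ordering an ACL can widen access but never narrow it; if ACL entries are meant to be authoritative when present, a restrictive entry for the requesting uid would be ignored. Any earlier return in that function that completes with error_code 0 would presumably take this transition as well, which is worth confirming against the part of the function outside the diff. If the ordering is intended, record it above the transition, e.g. `/* mode bits granted execute; ACLs are only read when the mode check denies */`. The state's header line is outside the hunk.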
@@ -262,6 +263,7 @@ static PINT_sm_action lookup_verify_obje
struct PINT_smcb *smcb, job_status_s *js_p)
{
struct PINT_server_op *s_op = PINT_sm_frame(smcb, PINT_FRAME_CURRENT);
+ int ret = -PVFS_EINVAL;
PVFS_object_attr *a_p = NULL;
PVFS_ds_attributes *ds_attr = NULL;
@@ -327,8 +329,37 @@ static PINT_sm_action lookup_verify_obje
return SM_ACTION_COMPLETE;
}
- /* move on to checking permissions, start with ACL */
- js_p->error_code = LOOKUP_CHECK_DIR_ACLS;
+ /* if we reach this point, the object is a directory. Verify that we
+ * have execute permission on the directory before continuing traversal
+ */
+ js_p->error_code = PINT_check_mode(a_p, s_op->req->credentials.uid,
+ s_op->req->credentials.gid, PINT_ACCESS_EXECUTABLE);
+ if(js_p->error_code != 0)
+ {
+ /* doesn't look like we have permission to traverse directory; bail
+ * out
+ */
+ js_p->error_code = LOOKUP_CHECK_DIR_ACLS;
+ return SM_ACTION_COMPLETE;
+ }
+
+ /* find the segment that we should look up in the directory */
+ ret = PINT_string_next_segment(
+ s_op->req->u.lookup_path.path, &s_op->u.lookup.segp,
+ &s_op->u.lookup.segstate);
+
+ if(ret != 0)
+ {
+ gossip_err("PINT_string_next_segment failed: path: %s\n",
+ s_op->req->u.lookup_path.path);
+ }
+ assert(ret == 0);
+
+ gossip_debug(GOSSIP_SERVER_DEBUG, " object is a directory; will be "
+ "looking for handle for segment \"%s\" in a bit\n",
+ s_op->u.lookup.segp);
+
+
return SM_ACTION_COMPLETE;
}
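Review bot: `assert(ret == 0)` after PINT_string_next_segment turns a parse failure on a client-supplied path (`s_op->req->u.lookup_path.path`) into a server abort, and in a build with NDEBUG the check disappears and `s_op->u.lookup.segp` is handed to `%s` in the following gossip_debug in whatever state the failed call left it. Treat the failure as a request error instead: inside the existing `if(ret != 0)` block add `js_p->error_code = -PVFS_EINVAL;` and `return SM_ACTION_COMPLETE;`, and drop the assert. The same block maps every non-zero PINT_check_mode result to LOOKUP_CHECK_DIR_ACLS, so a comment stating that any mode-check error, not only a permission denial, falls through to the ACL read would help the next reader. Whether earlier validation already guarantees the segment call cannot fail is not visible; the function begins outside the hunk.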
@@ -389,8 +420,7 @@ static PINT_sm_action lookup_check_acls_
/*
* Verify if the completed keyval DB operation allows the lookup
* to proceed or not. i.e. executable privileges on directory
- * for the requesting user or not. Falls back to file permissions
- * if ACL is invalid or missing.
+ * for the requesting user or not.
*/
static PINT_sm_action lookup_check_acls(
struct PINT_smcb *smcb, job_status_s* js_p)
@@ -398,17 +428,6 @@ static PINT_sm_action lookup_check_acls(
struct PINT_server_op *s_op = PINT_sm_frame(smcb, PINT_FRAME_CURRENT);
PVFS_object_attr *obj_attr = NULL;
int want = PVFS2_ACL_EXECUTE;
- PVFS_object_attr *a_p = NULL;
-
- if (s_op->u.lookup.seg_nr == 0)
- {
- a_p = &s_op->attr;
- }
- else
- {
- a_p = &s_op->resp.u.lookup_path.attr_array[
- s_op->u.lookup.seg_nr - 1];
- }
/* The dspace attr must have been read at this point */
obj_attr = s_op->target_object_attr;
@@ -446,19 +465,6 @@ static PINT_sm_action lookup_check_acls(
"object is a directory; will be "
"looking for handle for segment \"%s\" in a bit\n",
s_op->u.lookup.segp);
- }
- }
- /* if lookup fails because of missing ACL, check normal permissions */
- else if (js_p->error_code == -PVFS_EIO)
- {
- js_p->error_code = PINT_check_mode(a_p, s_op->req->credentials.uid,
- s_op->req->credentials.gid, PINT_ACCESS_EXECUTABLE);
- if(js_p->error_code != 0)
- {
- /* doesn't look like we have permission to traverse directory; bail
- * out
- */
- js_p->error_code = -PVFS_EACCES;
}
}
cleanup: