]> git.michaelhowe.org Git - packages/o/openafs.git/commit
projects / packages / o / openafs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4096ee7) | patch
SOLARIS: Use AFS_PAG_ONEGROUP_ENV for Solaris 11
authorAndrew Deason <adeason@dson.org>
Sat, 8 Aug 2015 21:49:50 +0000 (16:49 -0500)
committerStephan Wiesand <stephan.wiesand@desy.de>
Wed, 15 Mar 2017 18:04:56 +0000 (14:04 -0400)
commit3457b8965be5e86c820678f6adf1ca45ee440ddc
tree368298f1372efa501a53a4b286b4ca5d165a7d63tree | snapshot
parent4096ee7a759956202aa892d0c2347c14decf9647commit | diff
SOLARIS: Use AFS_PAG_ONEGROUP_ENV for Solaris 11

On Solaris 11 (specifically, Solaris 11.1+), the supplemental group
list for a process is supposed to be sorted. Starting with Solaris
11.2, more authorization checks are done that assume the list is
sorted (e.g., to do a binary search), so having them out of order
can cause incorrect behavior. For example:

  $ echo foo > /tmp/testfile
  $ chmod 660 /tmp/testfile
  $ sudo chown root:daemon /tmp/testfile
  $ cat /tmp/testfile
  foo
  $ id -a
  uid=100(adeason) gid=10(staff) groups=10(staff),12(daemon),20(games),21(ftp),50(gdm),60(xvm),90(postgres)
  $ pagsh
  $ cat /tmp/testfile
  cat: cannot open /tmp/testfile: Permission denied
  $ id -a
  uid=100(adeason) gid=10(staff) groups=33536,32514,10(staff),12(daemon),20(games),21(ftp),50(gdm),60(xvm),90(postgres)

Solaris sorts the groups given to crsetgroups() on versions which
required the group ids to be sorted, but we currently manually put our
PAG groups in our own order in afs_setgroups(). This is currently
required, since various places in the code assume that PAG groups are
the first two groups in a process's group list.

To get around this, do not require the PAG gids to be the first two
gids anymore. To more easily identify PAG gids in group processes, use
a single gid instead of two gids to identify a PAG, like modern Linux
currently uses (under the AFS_PAG_ONEGROUP_ENV). High-numbered groups
have been possible for quite a long time on Solaris, allegedly further
back than Solaris 8. Only do this for Solaris 11, though, to reduce
the platforms we affect.

[mmeffie@sinenomine.net: Define AFS_PAG_ONEGROUP_ENV in param.h.]

Reviewed-on: https://gerrit.openafs.org/11979
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit aab1e71628e6a4ce68c5e59e2f815867438280d1)

Change-Id: I54c1f4c1be4eed1804293aebae795b165954a3a4
Reviewed-on: https://gerrit.openafs.org/12526
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
src/afs/SOLARIS/osi_groups.c diff | blob | history
src/afs/afs_osi_pag.c diff | blob | history
src/afs/afs_pioctl.c diff | blob | history
src/afs/afs_prototypes.h diff | blob | history
src/config/param.sun4x_511.h diff | blob | history
src/config/param.sunx86_511.h diff | blob | history