viced: Restrict RXAFS_FlushCPS to administrators

RXAFS_FlushCPS currently can be run by anyone, including
unauthenticated users. Forcing CPS calculation can be a relatively
resource-intensive operation, though, if done frequently enough, and
only should need to be done by administrators. Thus, only let
administrators use it.

Reviewed-on: http://gerrit.openafs.org/7572
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
(cherry picked from commit 568adf7d18eb17a42caa263aabc92a686f0ae121)

Change-Id: I715e7ede7ea92be65a134116ecb4d1b7e2ccd264
Reviewed-on: http://gerrit.openafs.org/9485
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c
index 299864570a9a4adcc0d42427c4aa4b656df850ed..691a4ebda2b4c5b3c32b86e8af4aaedbd5ce7c26 100644 (file)
--- a/src/viced/afsfileprocs.c
+++ b/src/viced/afsfileprocs.c
@@ -6567,6 +6567,12 @@ SRXAFS_FlushCPS(struct rx_call * acall, struct ViceIds * vids,
     FS_LOCK;
     AFSCallStats.TotalCalls++;
     FS_UNLOCK;
+
+    if (!viced_SuperUser(acall)) {
+       errorCode = EPERM;
+       goto Bad_FlushCPS;
+    }
+
     nids = vids->ViceIds_len;  /* # of users in here */
     naddrs = addrs->IPAddrs_len;       /* # of hosts in here */
     if (nids < 0 || naddrs < 0) {

diff --git a/src/viced/viced.h b/src/viced/viced.h
index 09e2bf395a86ec6315fa7eb701e9e40b5e057106..06b75a107672cf507349e88ee10d8c1d0eb49556 100644 (file)
--- a/src/viced/viced.h
+++ b/src/viced/viced.h
@@ -254,5 +254,6 @@ extern struct fs_state fs_state;
 #define FS_MODE_SHUTDOWN  1
 #endif /* AFS_DEMAND_ATTACH_FS */
 
+extern int viced_SuperUser(struct rx_call *call);
 
 #endif /* _AFS_VICED_VICED_H */