From: Derrick Brashear <shadow@dementia.org>
Date: Fri, 6 Jan 2006 03:03:26 +0000 (+0000)
Subject: STABLE14-macos-104-change-access-enforcement-20060105
X-Git-Tag: openafs-stable-1_4_1-rc4~14
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=76c8adf14b080d7936229551ee3b247ddeb39965;p=packages%2Fo%2Fopenafs.git

STABLE14-macos-104-change-access-enforcement-20060105


don't improperly enforce read attribute restriction on child instead of parent
when it's a directory

avoid screwing ourselves on mode 0 files, also


(cherry picked from commit e07a781b20272a629f73cf8b2377ee8e3bd6cd99)
---

diff --git a/src/afs/DARWIN/osi_vnodeops.c b/src/afs/DARWIN/osi_vnodeops.c
index 97741b093..3cb550563 100644
--- a/src/afs/DARWIN/osi_vnodeops.c
+++ b/src/afs/DARWIN/osi_vnodeops.c
@@ -583,10 +583,12 @@ afs_vop_access(ap)
           bits |= PRSFS_INSERT;
        if (ap->a_action & KAUTH_VNODE_DELETE_CHILD)
           bits |= PRSFS_DELETE;
+#if 0 /* I'd argue this should be enforced on the parent. But that's ugly */
        if (ap->a_action & KAUTH_VNODE_READ_ATTRIBUTES)
           bits |= PRSFS_LOOKUP;
        if (ap->a_action & KAUTH_VNODE_READ_SECURITY) /* mode bits/gid, not afs acl */
           bits |= PRSFS_LOOKUP;
+#endif
     } else {
        if (ap->a_action & KAUTH_VNODE_READ_DATA)
           bits |= PRSFS_READ;
@@ -595,9 +597,9 @@ afs_vop_access(ap)
        if (ap->a_action & KAUTH_VNODE_EXECUTE)
           bits |= PRSFS_READ; /* and mode bits.... */
        if (ap->a_action & KAUTH_VNODE_READ_ATTRIBUTES)
-          bits |= PRSFS_READ;
+          bits |= PRSFS_LOOKUP;
        if (ap->a_action & KAUTH_VNODE_READ_SECURITY) /* mode bits/gid, not afs acl */
-          bits |= PRSFS_READ;
+          bits |= PRSFS_LOOKUP;
     }
     if (ap->a_action & KAUTH_VNODE_WRITE_ATTRIBUTES)
        bits |= PRSFS_WRITE;