From: Derrick Brashear
Date: Fri, 15 Apr 2005 20:40:43 +0000 (+0000)
Subject: STABLE14-ptserver-restricted-mode-20050415
X-Git-Tag: openafs-devel-1_3_82~53
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=937a757d0d77dfa0e8343460bc73d257806830c8;p=packages%2Fo%2Fopenafs.git
STABLE14-ptserver-restricted-mode-20050415 add restricted mode to pts only admins can make changes (cherry picked from commit 93ece98ccb1fd54c8c10848c574efe8932befc28)
---
diff --git a/src/ptserver/pt_util.c b/src/ptserver/pt_util.c
index 8e213f474..49a3b194d 100644
--- a/src/ptserver/pt_util.c
+++ b/src/ptserver/pt_util.c
@@ -44,6 +44,7 @@ RCSID
 extern char *optarg;
 extern int optind;
+int restricted = 0;
 int display_entry();
 void add_group();
 void display_groups();
diff --git a/src/ptserver/ptprocs.c b/src/ptserver/ptprocs.c
index c080935f0..91e505b54 100644
--- a/src/ptserver/ptprocs.c
+++ b/src/ptserver/ptprocs.c
@@ -86,6 +86,7 @@ RCSID
 #define IP_WILDCARDS 1 /* XXX Should be defined outside of here XXX */
+extern int restricted;
 extern struct ubik_dbase *dbase;
 extern afs_int32 Initdb();
 extern int pr_noAuth;
@@ -119,6 +120,9 @@ CreateOK(ut, cid, oid, flag, admin)
 afs_int32 flag; /* indicates type of entry */
 int admin; /* sysadmin membership */
 {
+if (restricted && !admin)
+return 0;
+
 if (flag & PRFOREIGN) {
 /* Foreign users are recognized by the '@' sign and
 * not by the PRFOREIGN flag.
@@ -346,7 +350,7 @@ newEntry(call, aname, flag, oid, aid)
 ABORT_WITH(tt, PRPERM);
 admin = IsAMemberOf(tt, cid, SYSADMINID);
 } else {
-admin = (!strcmp(aname, cname)) || IsAMemberOf(tt, cid, SYSADMINID);
+admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, cid, SYSADMINID);
 oid = cid = SYSADMINID;
 }
 if (!CreateOK(tt, cid, oid, flag, admin))
diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index 3d797b4cd..7ddea76d6 100644
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
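Review bot: The definition `int restricted = 0;` added after `extern int optind;` in pt_util.c carries no comment saying why an offline database tool defines a server-mode flag; nothing else in this file sets it, so presumably it exists only to satisfy the `extern int restricted;` that ptutils.c and ptprocs.c now declare. A one-line comment such as `/* never set by pt_util; satisfies the extern in ptutils.c */` would stop a reader from searching for a pt_util option that does not exist.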
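Review bot: The early return `if (restricted && !admin) return 0;` at the top of CreateOK is undocumented and now sits ahead of every other creation rule, so it deserves a comment stating the policy, e.g. `/* restricted mode: only system:administrators may create entries */`. Unlike the rest of the function it takes no account of `pr_noAuth` (the extern is visible in the previous hunk), so whether restricted mode is meant to override a `-noauth` server should be decided deliberately and stated in that comment rather than left implicit. CreateOK's body continues outside the hunk.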
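Review bot: The doubled parentheses in `admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, cid, SYSADMINID);` are redundant and make the precedence harder to read than it is; `admin = (!restricted && !strcmp(aname, cname)) || IsAMemberOf(tt, cid, SYSADMINID);` says the same thing. Since this line is the only place where restricted mode changes what counts as "admin" in newEntry, a short comment on it, e.g. `/* in restricted mode a caller creating its own entry no longer counts as admin */`, would tie it to the CreateOK check in the previous hunk; the exact meaning of cname is set outside the hunk, so confirm the wording against it. newEntry's body continues outside the hunk on both sides.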
@@ -163,6 +163,8 @@ extern int afsconf_CheckAuth();
 int pr_realmNameLen;
 char *pr_realmName;
+int restricted = 0;
+
 static struct afsconf_cell info;
 extern int prp_group_default;
@@ -296,6 +298,9 @@ main(int argc, char **argv)
 prp_user_default = prp_access_mask(argv[++a]);
 prp_group_default = prp_access_mask(argv[++a]);
 }
+else if (strncmp(arg, "-restricted", alen) == 0) {
+restricted = 1;
+}
 else if (strncmp(arg, "-enable_peer_stats", alen) == 0) {
 rx_enablePeerRPCStats();
 } else if (strncmp(arg, "-enable_process_stats", alen) == 0) {
@@ -319,6 +324,7 @@ main(int argc, char **argv)
 "[-syslog[=FACILITY]] "
 "[-p ] [-rebuild] "
 "[-groupdepth ] "
+"[-restricted] "
 "[-enable_peer_stats] [-enable_process_stats] "
 "[-default_access default_user_access default_group_access] "
 "[-help]\n");
@@ -326,6 +332,7 @@ main(int argc, char **argv)
 printf("Usage: ptserver [-database ] "
 "[-p ] [-rebuild] "
 "[-default_access default_user_access default_group_access] "
+"[-restricted] "
 "[-groupdepth ] "
 "[-help]\n");
 #endif
@@ -335,10 +342,12 @@ main(int argc, char **argv)
 "[-p ] [-rebuild] " "[-enable_peer_stats] [-enable_process_stats] " "[-default_access default_user_access default_group_access] "
+"[-restricted] "
 "[-help]\n");
 #else /* AFS_NT40_ENV */
 printf("Usage: ptserver [-database ] " "[-default_access default_user_access default_group_access] "
+"[-restricted] "
 "[-p ] [-rebuild] " "[-help]\n");
 #endif
 #endif
diff --git a/src/ptserver/ptutils.c b/src/ptserver/ptutils.c
index 76bcb69e5..bc2a73bac 100644
--- a/src/ptserver/ptutils.c
+++ b/src/ptserver/ptutils.c
@@ -53,7 +53,7 @@ RCSID
 /* Foreign cells are represented by the group system:authuser@cell*/
 #define AUTHUSER_GROUP "system:authuser"
-
+extern int restricted;
 extern struct ubik_dbase *dbase;
 extern struct afsconf_dir *prdir;
 extern int pr_noAuth;
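Review bot: `int restricted = 0;` in ptserver.c is the authoritative definition of the new mode, and it is the natural place to document what the flag means, yet it is added bare. A comment such as `/* -restricted: only members of system:administrators may create or change entries; enforced in CreateOK (ptprocs.c) and AccessOK/ChangeEntry (ptutils.c) */` would give a maintainer the full list of enforcement points this commit introduces, which are otherwise spread over three files.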
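Review bot: `strncmp(arg, "-restricted", alen) == 0` accepts any prefix of the option name of length `alen`; if `alen` is the length of the user's argument, as the neighbouring `-enable_peer_stats` branch suggests (its computation is outside the hunk), then `-r` and `-re` are prefixes of both `-rebuild` and `-restricted` and which one is taken depends solely on the order of the `else if` chain. For a switch that changes the server's authorization policy, having `-re` silently mean `-rebuild` (or the reverse) is an easy misconfiguration to miss. Requiring an unambiguous prefix, `else if (alen >= 4 && strncmp(arg, "-restricted", alen) == 0) {`, or an exact match, would remove the ambiguity; the option-parsing loop continues outside the hunk.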
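Review bot: `"[-restricted] "` is inserted at a different position in each of the four usage strings: before `[-enable_peer_stats]` in this hunk, before `[-groupdepth` in the @@ -326 hunk, and before `[-help]` and before `[-p` respectively in the two branches of the @@ -335 hunk. Placing it in the same slot in all four, e.g. directly after `[-rebuild] "` which every variant contains, keeps the usage texts comparable and makes the next option easier to add consistently.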
@@ -319,6 +319,8 @@ AccessOK(struct ubik_trans *ut, afs_int32 cid, /* caller id */
 return 1;
 if (cid == SYSADMINID)
 return 1; /* special case fileserver */
+if (restricted && ((mem == PRP_ADD_MEM) || (mem == any == 0)))
+return 0;
 if (tentry) {
 flags = tentry->flags;
 oid = tentry->owner;
@@ -1866,6 +1868,8 @@ ChangeEntry(struct ubik_trans *at, afs_int32 aid, afs_int32 cid, char *name, afs
 code = pr_ReadEntry(at, 0, loc, &tentry);
 if (code)
 return PRDBFAIL;
+if (restricted && !IsAMemberOf(at, cid, SYSADMINID))
+return PRPERM;
 if (tentry.owner != cid && !IsAMemberOf(at, cid, SYSADMINID)
 && !IsAMemberOf(at, cid, tentry.owner) && !pr_noAuth)
 return PRPERM;
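Review bot: `(mem == any == 0)` in the new AccessOK check parses as `((mem == any) == 0)`, i.e. it is true whenever `mem` and `any` differ and false when they are both zero, which is the opposite of the apparent intent: every caller passing distinct `mem`/`any` rights is refused outright in restricted mode, while a caller passing 0/0 (the case that reads as "no specific right, restrict it") sails through to the ordinary checks. Because the test also sits before the owner/member logic and before any SYSADMINID-membership test that presumably follows outside the hunk, only the SYSADMINID principal itself escapes it; members of system:administrators do not, unlike in the ChangeEntry hunk below. If the intent is "in restricted mode non-administrators may neither add members nor perform right-less operations", write it explicitly: `if (restricted && ((mem == PRP_ADD_MEM) || (mem == 0 && any == 0)) && !IsAMemberOf(ut, cid, SYSADMINID)) return 0;`. AccessOK's body continues outside the hunk on both sides, so the position of the existing sysadmin check should be confirmed there.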
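Review bot: The new `if (restricted && !IsAMemberOf(at, cid, SYSADMINID)) return PRPERM;` in ChangeEntry ignores `pr_noAuth`, whereas the ownership check directly beneath it ends in `&& !pr_noAuth`, so under `-noauth` the existing relaxation no longer applies once `-restricted` is set. That is the safer reading and is probably intended, but it is a policy decision and should be recorded on the line, e.g. `/* restricted mode: only system:administrators may change entries, even under -noauth */`; if instead noauth is meant to bypass it, the condition needs `&& !pr_noAuth` to match its neighbour. ChangeEntry's body continues outside the hunk.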