Andrew Deason [Thu, 20 May 2010 20:22:11 +0000 (15:22 -0500)]
ubik: add interface for reading during write locks
Add ubik_BeginTransReadAnyWrite, which allows for reading from the
database, even while there is a conflicting ubik write lock. Reads are
still blocked while the local database is updating due to a write
transaction commit.
Derrick Brashear [Thu, 10 Jun 2010 18:37:39 +0000 (14:37 -0400)]
rx mtu ping handling
engage mtu pings. only occur while a call is active but results are
cached per-peer. requires idle dead time to be in use, or does not
activate. (needed to time out the call, otherwise, keepalives will
succeed and the call will thus not hit regular "down server" timeout)
Derrick Brashear [Thu, 10 Jun 2010 15:41:23 +0000 (11:41 -0400)]
path mtu don't track nonsequenced packets
for the purpose of mtu discovery, we need a sequence number to
correlate if a large packet is acked. don't track sequence number
0 packets. a later change adds the mechanics needed for MTU pings
Simon Wilkinson [Sat, 12 Jun 2010 09:42:43 +0000 (10:42 +0100)]
libadmin: Don't dereference NULL pointer in cmd
If DoBosHostList ends up being called without the -server argument
in its command structure, then a printf will attempt to dereference
a NULL pointer to the -server field.
Simon Wilkinson [Sat, 12 Jun 2010 09:35:34 +0000 (10:35 +0100)]
fs: Can't use store behind data if pioctl errored
If the call to a pioctl returns an error, it's possible to reach
the end of the storebehind function and try and print an old, or
bogus, value from the pioctl data block.
Simon Wilkinson [Sat, 12 Jun 2010 09:26:09 +0000 (10:26 +0100)]
viced: CopyOnWrite2 shouldn't return undefined val
Unless CopyOnWrite2 encounters the condition where
(rdlen != length) || (wrlen !=length) it will never set a value
for the 'rc' return code, and so return with an undefined value.
Looking at the code, it looks like rc should be 0 in all other
situations, so this patch provides a default value.
Simon Wilkinson [Fri, 11 Jun 2010 23:23:22 +0000 (00:23 +0100)]
vol: open() needs mode if called with O_CREAT
If open() is called with a the O_CREAT flag, then it requires a
3rd argument, containing the mode with which to create the file.
On DARWIN (when we always use O_CREAT), and on other platforms
where the first call to open returned E_NOENT, we weren't doing this,
and so were presumably getting a random mode of whatever garbage was
on the stack.
Russ Allbery [Sat, 12 Jun 2010 23:07:52 +0000 (16:07 -0700)]
Avoid off-by-one error when saving the password in klog
When klog saved the password entered by the user to allow attempts
at multiple AFS principals without reprompting, it copied the whole
buffer according to the declared reply length into local storage.
This was done without regard to the local allocated storage size,
and was then nul-terminated without regard to the allocated storage
size. Both klog and Heimdal use a size of BUFSIZ for the reply
buffer by default, which meant that klog on Heimdal was writing past
the end of the allocated structure when nul-terminating the password.
Store our allocated buffer size in the struct and only copy at most
one fewer than that many characters, and then nul-terminate
accordingly.
(The assumption that BUFSIZ is always long enough is still bogus,
but that's larger surgery.)
Marc Dionne [Sun, 13 Jun 2010 00:43:25 +0000 (20:43 -0400)]
Linux s390x: replace AFS_64BIT_KERNEL with AFS_LINUX_64BIT_KERNEL
The s390x param.h file defines AFS_64BIT_KERNEL, but this looks to
be AIX specific, and some Linux headers expect AFS_LINUX_64BIT_KERNEL.
This causes many errors because we end up trying to use struct flock64
instead of struct flock.
Simon Wilkinson [Sun, 13 Jun 2010 00:44:27 +0000 (01:44 +0100)]
bucoord: Use mkstemp properly
Use mkstemp wherever we have it available, to silence warnings
about mktemp's safety.
When we do use mkstemp, use it properly. It doesn't return void,
it returns an open filehandle. Convert this filehandle into a FILE *,
rather than throwing it away, and leaking an open file descriptor.
Simon Wilkinson [Fri, 11 Jun 2010 22:50:29 +0000 (23:50 +0100)]
libadmin: Don't use undefined value
If IsValidCellHandle returns false, then we can jump to
fail_pts_GroupMemberRemove, and end up using a value for
ids.idlist_val which hasn't been defined. Fix this.
Simon Wilkinson [Fri, 11 Jun 2010 22:49:34 +0000 (23:49 +0100)]
Add support for clang compiler attributes
Rearrange the way that we define compiler attributes so that we
can define them for clang, too. Don't assume that clang will support
all of the attributes that gcc does, so split them up into separate
sections.
Simon Wilkinson [Fri, 11 Jun 2010 22:46:29 +0000 (23:46 +0100)]
Add AFS_NORETURN macro and use it
Add the AFS_NORETURN macro which can be used with gcc compatible
compilers to indicate that a particular funciton prototype will
not return control to the caller. This both improves code quality,
and helps with static analysis.
Use this to flag afsmon_Exit, db_panic, osi_Panic, Abort, Exit
and the error handlers for osi_Assert and our local assert fn
all as being noreturn.
Simon Wilkinson [Fri, 11 Jun 2010 22:33:07 +0000 (23:33 +0100)]
rxgen: Remove inlist from autogenerated code
The 'inlist' variable is only used by code that is #if 0, and never
emitted by the rxgen source. Remove the definition, and assignment,
to this variable.
Simon Wilkinson [Fri, 11 Jun 2010 21:25:35 +0000 (22:25 +0100)]
Changes to build with clang on Mac OS 10.5
clang defines __x86_64__ and doesn't define __i386__ when building
on a 64bit Leopard machine. Change the defines in param.h so we
can build on this platform.
Simon Wilkinson [Sat, 12 Jun 2010 21:59:23 +0000 (22:59 +0100)]
Linux: Fix set_cr_group_info and cr_group_info
Commit dc85abca renamed set_cr_group_info to afs_set_cr_group_info
and cr_group_info to afs_cr_group_info, but didn't catch all call
sites. In particular, those in the NFS translator, in non-keyring
code paths, and in the 2.4 code, were missed.
Thanks to Adam Megacz for the bug report on openafs-info.
Andrew Deason [Thu, 10 Jun 2010 16:51:57 +0000 (11:51 -0500)]
Do not set inUse for non-fileserver non-DAFS
Setting inUse in a volume header to anything besides 1 is a
DAFS-specific change. For non-DAFS, non-fileserver programs do not
touch inUse. Since inUse is not cleared for non-fileserver non-DAFS,
make sure not to set it for non-fileserver non-DAFS.
Andrew Deason [Fri, 11 Jun 2010 21:51:02 +0000 (16:51 -0500)]
vlclient: work with non-space whitespace
Make vlclient work with non-space whitespace separating arguments.
This also makes it cope with a trailing newline that fgets() gives us,
making this more intuitive to use.
Matt Benjamin [Thu, 27 May 2010 23:14:20 +0000 (19:14 -0400)]
windows cm_BeginDirOp add flags (nobuildtree)
Add a flags argument to cm_BeginDirOp, and define a flag
CM_DIROP_FLAG_NOBUILDTREE which asserts that the operation
being synchronized does not require scp->dirPlus to be
constructed.
Simon Wilkinson [Fri, 11 Jun 2010 09:48:37 +0000 (10:48 +0100)]
RX: Can't assert a void result
We can't assert(MUTEX_DESTROY(blah) == 0) when the MUTEX_DESTROY
macro already returns void (and asserts), as it does in the
pthread case. This fixes the build failure introduced by 53c9258cd7300c03be3f3e50003cad3dfc59baf3
Matt Benjamin [Tue, 8 Jun 2010 22:29:13 +0000 (18:29 -0400)]
rx service specific data
Adds rx_GetServiceSpecific and rx_SetServiceSpecific to the rx_service interface,
conforming to the equivalent calls in the rx_connection interface.
For consistency, the implementation strategy is the same. The intended
use is to more cleanly support server multiplexing within an RPC-based
test dispatch library.
Andrew Deason [Thu, 22 Oct 2009 03:16:38 +0000 (22:16 -0500)]
Break origin's callback for RXAFS_Rename target
When we RXAFS_Rename something, the status of the renamed FID can
sometimes change, and thus we break callbacks on it. Currently, however,
we do not break the callback for the originating client, even though the
status of the target changes and we do not return an AFSFetchStatus to
the caller.
Since the callback is not always broken for the target, it may not be
immediately obvious to client implementations to implicitly break the
target's callback. Since we do not have an explicit protocol
specification saying that the callback is implicitly broken, break the
callback for the origin client as well, to be safe.
Andrew Deason [Wed, 9 Sep 2009 20:56:26 +0000 (15:56 -0500)]
Avoid unnecessarily updating .. in SAFSS_Rename
Currently the .. entry for a directory is always recreated on a Rename
operation, even if the parent directory does not change. Now, avoid
altering the directory at all (including no COW nor DV bump nor vnode
modify time update) when we don't need to.
Jeffrey Altman [Wed, 9 Jun 2010 17:55:14 +0000 (13:55 -0400)]
Windows: Revise SMB QuerySecurityInfo for MS10-020
MS10-020 (http://support.microsoft.com/kb/980232) has caused
many problems for implementors of SMB 1.0 servers and applications
that call GetFileSecurity() without checking the return code to
determine if the call succeeded. The gist of the vulnerability
was that the SMB redirector would pass any buffer it received
to the application regardless of whether or not it was valid.
MS10-020 protects the applications by strictly validating the
SMB response data structure and the data in the security descriptor
that is returned.
The problem for SMB 1.0 server implementors is that there have
been at least three different protocol descriptions for
NT_TRANSACT_QUERY_SECURITY_DESC published over the last decade
and all of them are incomplete. Therefore, just about no one but
Microsoft has an SMB 1.0 server implementation that produces the
exact out that they are expecting to validate.
The end result is that in an attempt to protect applications from
crashing due to invalid input being passed in directly caused
dozens of applications to crash by not returning any security
descriptor data at all. Even when the applications didn't crash
they might not have been able to save their data. Cisco WAAS
and NetApp DataOnTap systems were most adversely affected and
they have had CIFS protocol licenses for many many years.
To fix OpenAFS here is what needed to be done:
1. Instead of returning a security descriptor that gives ownership
to the NUL SID, give it to the Everyone SID and set the flag
that states that everyone has full access.
2. Validate the input parameters. In particular, check to ensure
that the SMB file descriptor is valid and the file has not
been deleted.
3. Enforce the maximum output data and parameter counts.
4. Handle buffer overflow and buffertoosmall conditions
in the manner that Microsoft expects them to be handled.
In particular, note that the parameter data which is returned
in the SMB Data Region is not counted in the Data Count.
Even if MaxData is 0, we can still return parameters values
as long as MaxParm is large enough.
Andrew Deason [Fri, 21 May 2010 16:47:42 +0000 (11:47 -0500)]
Install pthreaded ptserver and vlserver
When --enable-pthreaded-ubik is specified, install the pthreaded
versions of ptserver and vlserver instead of the non-pthreaded
versions. Previously, the pthreaded versions were getting built but
not installed with 'make dest' or 'make install'.
Andrew Deason [Fri, 21 May 2010 16:19:53 +0000 (11:19 -0500)]
Move FreeBlock prototype to vlserver_internal.h
FreeBlock is only used in internal vlserver code and should not be
called by anything else; it should not be prototyped in a public
header. Move its prototype to go along with the other vlserver
internal prototypes.
Russ Allbery [Wed, 9 Jun 2010 01:40:11 +0000 (18:40 -0700)]
Add okv function to the TAP test library
Add an okv() varient of the ok() function that takes the arguments as
a va_list instead of as a variable argument list. This makes it easier
to reuse ok() when writing other tests.
Jeffrey Altman [Mon, 7 Jun 2010 22:18:39 +0000 (18:18 -0400)]
Windows: Detect if AFSCache is memory mapped to a new address
The Windows AFSCache paging file contains pointer addresses
that are only valid if the file is memory mapped at a specific
memory address. If the file is mapped at a new address, the
pointer values will be invalid and the service will crash with
an invalid memory access.
Check for address consistency and force the cache to be rebuilt
if the consistency is lost.
Andrew Deason [Tue, 8 Jun 2010 15:38:07 +0000 (10:38 -0500)]
Solaris: lookup "" like "."
At least on some versions of solaris, we can get passed an empty
string to afs_lookup, if the root directory is in AFS (e.g. after a
chroot). Interpret this as the same as looking up the "." entry;
otherwise we return ENOENT, implying that the "/" directory does not
exist, even if its subdirectories do.
FIXES 127356
Change-Id: I84283e78fbf33b946afaf3c80ef4a1a679e8fc93
Reviewed-on: http://gerrit.openafs.org/2096 Tested-by: Andrew Deason <adeason@sinenomine.net> Reviewed-by: Simon Wilkinson <sxw@inf.ed.ac.uk> Reviewed-by: Derrick Brashear <shadow@dementia.org> Tested-by: Derrick Brashear <shadow@dementia.org>
Andrew Deason [Tue, 18 May 2010 16:39:21 +0000 (11:39 -0500)]
libafs: consistently hold vnode refs
Make all common libafs code call AFS_FAST_HOLD to hold an afs vnode
reference, instead of sometimes calling VN_HOLD(AFSTOV(tvc)) directly.
Make AFS_FAST_HOLD always call osi_vnhold, and have each platform
define osi_vnhold for their platform-specific quirks (as it was doing
before).
This way, if a platform has an osi_vnhold that is special somehow (on
solaris, we bump a VFS refcount if the vnode refcount goes from 0->1),
it will always be called on vnode references.
Andrew Deason [Mon, 7 Jun 2010 16:42:02 +0000 (11:42 -0500)]
AIX: make osi_procname a stub
'curproc', 'curthread', or other such conveniences do not exist on
AIX, so the current osi_procname implementation breaks the build.
Determining the current process name on AIX is, while possible,
difficult and error-prone. Since we only need the process name for
informational messages to users, don't bother trying to determine it,
and just return the empty string so we can build.
Andrew Deason [Mon, 7 Jun 2010 17:18:53 +0000 (12:18 -0500)]
Make lib/afs.exp in sys_depinstall
The AIX libafs uses lib/afs.exp to build, and libafs depends on
sys_depinstall. So, make lib/afs.exp in addition to
include/afs/afs.exp in sys_depinstall.
Jeffrey Altman [Thu, 3 Jun 2010 16:04:15 +0000 (12:04 -0400)]
Windows: Update fs newcell and add VIOCNEWCELL2
The Windows version of "fs newcell" did not accept any parameters
and behaved quite differently from the Unix version. Instead of
permitting new cell information to be added, the Windows version
simply forced the existing cell information to be reacquired.
This update adds a new pioctl, VIOCNEWCELL2, to support the
implementation of a Unix-style "fs newcell". The functionality
added here differs from the Unix version in the following ways:
1. "fs newcell" with no arguments is still accepted
in order to maintain compatibility with prior Windows
behavior.
2. "fs newcell -cell <cell> -dns" instructs the cache manager
to add the new cell but obtain the vldb server info from
DNS.
3. "fs newcell -cell <cell> ... -registry" instructs the cache
manager to add the new cell and also save the cell configuration
data in the registry for use the next time the service restarts.
4. The -vlport and -fsport options are accepted although the
-fsport value is currently unsupported by the cache manager.
Jeffrey Altman [Thu, 3 Jun 2010 15:59:45 +0000 (11:59 -0400)]
Windows: Freelance Import CellServDB
Add a new registry option that permits automatic generation of
Freelance mountpoints for every cell listed in the CellServDB info
(file and registry). "FreelanceImportCellServDB". This functionality
is only triggered when the afsd_service is started. The operation
is performed in the background by the daemon thread after the firewall
configuration is set.
Russ Allbery [Sat, 29 May 2010 21:45:04 +0000 (16:45 -0500)]
Comprehensive edit of Admin Guide chapter two (first 20%)
Update and revise chapter two (Issues in Cell Configuration and
Administration) of the Administration Guide for current AFS and current
computing concepts.
Remove references to an AFS-provided login utility and discuss local login
configuration for Kerberos more generically. Further clarify the role of
ssh in ensuring the user has access to files in AFS during remote login.
Improve the inode and namei discussion slightly. Update the setuid
discussion for the new default of disabling setuid for cells and for the
known security flaws in enabling setuid. Modernize terminology for DNS
around cell naming and remove the descriptions of TLDs. We can now assume
our target audience knows this stuff.
Move index terms into the appropriate section for what's being indexed in
a few more cases.
Lots of other, more minor wording changes and updates.
this code makes us work in the face of a sub1500 mtu network.
a subsequent commit is needed to make it more effective: attempts
to grow the mtu must be scheduled so we aren't forced to heavily
brute-force on failure to discover the exact mtu immediately;
for performance, we do want to grow to the real mtu.
Asanka Herath [Fri, 4 Jun 2010 03:58:42 +0000 (23:58 -0400)]
Windows: Support building a lite-client installer
If LITECLIENT is defined when invoking the WiX based MSI installer
build, we will build a light-weight client installer MSI. This
minimizes the size of the installer for users who only need client
functionality from OpenAFS.
The light-weight client excludes:
- Server components
- Control center components
- Administration utilities
- Debug symbols
Lite-client installer can also be built by invoking target wix-lite
from the root NTMakefile.
"fs checkservers" during cache creation can crash client
Many pioctl calls pass as soon as the afs_resourceinit_flag is set,
which happens relatively early, alas before the cell name is set.
PCheckServers and others need the latter and dereference NULL.
Easiest: set the cell name as soon as it is known and the dynroot initialisation
piggy-backed to it can be done.
Jeffrey Altman [Thu, 3 Jun 2010 15:54:04 +0000 (11:54 -0400)]
Windows: Fix usage of cm_FreeServerList
cm_FreeServerList will set the input variable to NULL if the
contents of the list could in fact be freed. If they could not
be freed, the individual entries are marked for deletion and will
not be subsequently used. Do not set the list variable to NULL
after calling cm_FreeServerList otherwise memory can be leaked.
afs_vop_access->afs_VerifyVCache2->afs_GetVCache->afs_FetchStatus->
afs_Analyze->afs_NotifyUser can recurse and try to notify us. Don't
worry about it; we're best-effort.
we lack a lock primitive to see if we own this lock.
Andrew Deason [Thu, 3 Jun 2010 14:54:28 +0000 (09:54 -0500)]
up: refuse multicharacter arguments
The 'up' command currently silently accepts and discards extra
characters when specifying arguments. This can produce rather
confusing behavior such as mistyping '-v -1' as '-v-1' resulting in
the '-v' switch being honored, but the '-1' being ignored. The same
thing occurs for specifying '-v1', even though the usage message
implies that you can combine arguments.
So instead, report an error message for any arguments specified that
are longer than 2 characters, since they are never valid.
Asanka Herath [Wed, 26 May 2010 16:34:08 +0000 (12:34 -0400)]
Windows: Fix midl options for generating stub code
MIDL is used to generate server stub code for implementing SMB RPC.
Fix the invocation of MIDL so that MIDL can locate include files and
respect AFSDEV_AUXMIDLFLAGS.
modify setpeermtu to work when a peer is passed in. modify existing
callers. note solaris caches a whole host's pmtu, so use that
on all peers at the host.
Russ Allbery [Thu, 27 May 2010 21:40:21 +0000 (16:40 -0500)]
Add warnings for Authentication Server commands
For each command only useful with the Authentication Server, add
warnings that the Authentication Server is obsolete and will be
removed in a future version of OpenAFS. Encourage people who care
to update uss to work with a modern Kerberos KDC, recommend kinit
and aklog or klog.krb5 over klog, and warn that klog will be of
limited use without an Authentication Server.
Rod Widdowson [Thu, 20 May 2010 17:27:11 +0000 (18:27 +0100)]
Rewrite vldb_check -fix
vldb_check -fix was very 'topical' in nature. It showed signs that
each sucessive corruption had been treated as a one off needing a
specific fix. This made the code difficult to understand and
incomplete: for instance a single volume on the wrong hash only was
not corrected. Further there was some rather unfortunately code which
would under certain circumstances stamp the last volume at various
places across the file.
This checkin removes all the old code and replaces it with a
'systematic' fix. During the last scan across all the volumes, all
four of the hash chains are rebuild from the ground up. We can then
get rid of the outer 'Mung Until Now Good' iteration and further we
benefit from a linear run time.
Tested by building several different forms of broken-ness in all three
chains and then fixing it.
Now with improved logging and correct non insertion of nonexistant elements
and clean compiled with extra warning.
Rod Widdowson [Wed, 19 May 2010 09:45:57 +0000 (10:45 +0100)]
Add bounds checking prior to IOs in vldb_check
vldb_check would just read where it was sent. This means that if a
hash entry was beyond the end of file the read would fail and halt the
program dead.
This change adds checks for that so we can go limping on.
There is no code to fix this sort of corruption. I have another
(preexisting) checkin to do that which will happen once I can get a
clean test run.
This checkin also removes a some pointless debugging printfs.
Russ Allbery [Fri, 28 May 2010 16:35:28 +0000 (11:35 -0500)]
Import C TAP Harness 1.2 as a testing harness
Creates a new top-level tests directory that will be used for all
future automated test code eventually. Import runtests and the
basic TAP library from C TAP Harness 1.2. Add top-level check and
test targets that build the full source tree and then the new tests
directory, and then runs runtests on the test list.
Russ Allbery [Fri, 28 May 2010 16:03:50 +0000 (11:03 -0500)]
Clean up warnings in the tests directory
Build repair.o with strict aliasing disabled because it addresses the
same data structure via two different structs at the same time. Fix
various other, more minor warnings.
Several fixes here require more Autoconf glue to work properly, but
that's deferred to future work (such as some HAVE_* defines that we
don't probe for and the handling of non-native 64-bit integers in
some of the code).
Russ Allbery [Thu, 27 May 2010 16:45:06 +0000 (11:45 -0500)]
Comprehensive edit of chapter one of the Administration Guide
Update and revise chapter one (An Overview of OpenAFS Administration)
of the Administration Guide for current AFS and current computing
concepts.
Replace the Kerberos Server terminology with Kerberos KDC and add
additional details about the relationship between AFS and a Kerberos
KDC. Remove some remaining Authentication Server references. Add
some details about the Protection Server management of the mapping
from Kerberos principals to AFS IDs.
Remove some now-obsolete distinctions and concepts between mainframes
and workstations and recommendations for server systems.
Reorganize the order in which the servers are discussed to follow a
somewhat more natural order.
Be clear that the Backup Server is optional and that there are other
methods available to back up AFS. Mention backing up to disk as well
as tape in a few places.
Russ Allbery [Thu, 27 May 2010 04:23:10 +0000 (23:23 -0500)]
Add k_haspag to libkopenafs
Add the k_haspag function to libkopenafs, which returns true if the
current process is in a PAG and false otherwise.
The implementation currently duplicates code from the ktc_curpag
function since the latter calls the regular pioctl() interface and
hence introduces an Rx dependency that we're avoiding for libkopenafs.
This should be refactored to avoid the code duplication at some point,
but that will require building a utility library that can be reasonably
linked into libkopenafs and is therefore deferred for future work.
Russ Allbery [Thu, 27 May 2010 17:33:57 +0000 (12:33 -0500)]
Clean up warnings in libadmin/bos/afs_bosAdmin.c
Use the correct data structures for BOS timestamps. Use afs_int32 for
the expressed timestamps for executables since that's what the BOS RPC
says it's using for right now; we should change this, but when we do,
warnings will catch this use along with the others. Cast some const
char *'s that are passed into BOS functions that take char *'s.
Change-Id: Iff3a6c42241953ed086f8e739cdb344a41a44635
Reviewed-on: http://gerrit.openafs.org/2050 Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com> Tested-by: Marc Dionne <marc.c.dionne@gmail.com> Reviewed-by: Derrick Brashear <shadow@dementia.org> Tested-by: Derrick Brashear <shadow@dementia.org>
Russ Allbery [Thu, 27 May 2010 14:41:38 +0000 (09:41 -0500)]
Clean up the introduction to the Administration Guide
Provide a more useful abstract and remove the (outdated) specific list
of supported platforms and the M.m version number placeholders. Update
the list of associated documents to match their current titles, and
provide a better description of the Reference Manual.
Reformat the parent document and preface for easier maintenance in the
future.
Andrew Deason [Mon, 17 May 2010 00:47:04 +0000 (19:47 -0500)]
libuafs: Remove afsd symlink in setup
Remove the 'afsd' symlink in the build setup, along with the other
symlinks. Otherwise, we try to recreate it every time and fail, since
it already exists.
projects / packages / o / openafs.git / log