From 496b5e4c978dec000c5f1e318968d74f8818d60b Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Mon, 4 Feb 2008 19:41:49 +0000 Subject: [PATCH] pts-localauth-20080204 LICENSE IPL10 distilled from changes by mdw@umich.edu --- doc/man-pages/pod1/pts.pod | 29 ++++++++++ doc/man-pages/pod1/pts_adduser.pod | 12 +++- doc/man-pages/pod1/pts_chown.pod | 10 +++- doc/man-pages/pod1/pts_creategroup.pod | 12 +++- doc/man-pages/pod1/pts_createuser.pod | 13 ++++- doc/man-pages/pod1/pts_delete.pod | 11 +++- doc/man-pages/pod1/pts_examine.pod | 15 +++-- doc/man-pages/pod1/pts_interactive.pod | 14 ++++- doc/man-pages/pod1/pts_listentries.pod | 11 +++- doc/man-pages/pod1/pts_listmax.pod | 11 +++- doc/man-pages/pod1/pts_listowned.pod | 10 +++- doc/man-pages/pod1/pts_membership.pod | 15 +++-- doc/man-pages/pod1/pts_quit.pod | 11 +++- doc/man-pages/pod1/pts_removeuser.pod | 11 +++- doc/man-pages/pod1/pts_rename.pod | 11 +++- doc/man-pages/pod1/pts_setfields.pod | 11 +++- doc/man-pages/pod1/pts_setmax.pod | 10 +++- doc/man-pages/pod1/pts_sleep.pod | 12 +++- doc/man-pages/pod1/pts_source.pod | 10 +++- src/ptserver/pts.c | 79 +++++++++++++++++++++----- src/ptserver/ptuser.c | 47 ++++++++------- src/ptserver/utils.c | 3 + 22 files changed, 294 insertions(+), 74 deletions(-) diff --git a/doc/man-pages/pod1/pts.pod b/doc/man-pages/pod1/pts.pod index 476117485..913a9ff18 100644 --- a/doc/man-pages/pod1/pts.pod +++ b/doc/man-pages/pod1/pts.pod @@ -91,6 +91,12 @@ The value of the AFSCELL environment variable. The local F file. +Do not combine the B<-cell> and B<-localauth> options. A command on which +the B<-localauth> flag is included always runs in the local cell (as +defined in the server machine's local F file), +whereas a command on which the B<-cell> argument is included runs in the +specified foreign cell. + =back =item B<-force> 
@@ -123,6 +129,29 @@ privileged users to issue commands that change the Protection Database, and refuses to perform such an action even if the B<-noauth> flag is provided. +=item B<-localauth> + +Constructs a server ticket using the server encryption key with the +highest key version number in the local F file. The +B command interpreter presents the ticket, which never expires, to +the BOS Server during mutual authentication. + +Use this flag only when issuing a command on a server machine; client +machines do not usually have a F file. The issuer +of a command that includes this flag must be logged on to the server +machine as the local superuser C. The flag is useful for commands +invoked by an unattended application program, such as a process controlled +by the UNIX B utility. It is also useful if an administrator is +unable to authenticate to AFS but is logged in as the local superuser +C. + +Do not combine the B<-cell> and B<-localauth> options. A command on which +the B<-localauth> flag is included always runs in the local cell (as +defined in the server machine's local F file), +whereas a command on which the B<-cell> argument is included runs in the +specified foreign cell. Also, do not combine the B<-localauth> and +B<-noauth> flags. + =back =head1 PRIVILEGE REQUIRED diff --git a/doc/man-pages/pod1/pts_adduser.pod b/doc/man-pages/pod1/pts_adduser.pod index ac2f332f6..cefc97099 100644 --- a/doc/man-pages/pod1/pts_adduser.pod +++ b/doc/man-pages/pod1/pts_adduser.pod @@ -8,10 +8,10 @@ pts_adduser - Adds a user or machine to a Protection Database group
B S<<< B<-user> >+ >>> S<<< B<-group> >+ >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] B S<<< B<-u> >+ >>> S<<< B<-g> >+ >>> - S<<< [B<-c> >] >>> [B<-n>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-n>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -60,6 +60,14 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. The B command interpreter presents the +ticket to the Protection Server during mutual authentication. Do not combine +this flag with the B<-cell> or B<-noauth> options. For more details, see +L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_chown.pod b/doc/man-pages/pod1/pts_chown.pod index cde8b98c2..c3de2c398 100644 --- a/doc/man-pages/pod1/pts_chown.pod +++ b/doc/man-pages/pod1/pts_chown.pod @@ -8,10 +8,10 @@ pts_chown - Changes the owner of a Protection Database entry
B S<<< B<-name> > >>> S<<< B<-owner> > >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] B S<<< B<-na> > >>> S<<< B<-o> > >>> - S<<< [B<-c> >] >>> [B<-no>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -62,6 +62,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the B<-cell> +or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_creategroup.pod b/doc/man-pages/pod1/pts_creategroup.pod index d2886e954..ed78053b8 100644 --- a/doc/man-pages/pod1/pts_creategroup.pod +++ b/doc/man-pages/pod1/pts_creategroup.pod @@ -10,15 +10,15 @@ pts_creategroup - Creates an (empty) Protection Database group entry B S<<< B<-name> >+ >>> S<<< [B<-owner> >] >>> S<<< [B<-id> >+] >>> S<<< [B<-cell> >] >>> - [B<-noauth>] [B<-force>] [B<-help>] + [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> S<<< [B<-o> >] >>> S<<< [B<-i> >+] >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> S<<< [B<-o> >] >>> S<<< [B<-i> >+] >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html @@ -154,6 +154,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_createuser.pod b/doc/man-pages/pod1/pts_createuser.pod index 64abd2323..75c8bff14 100644 --- a/doc/man-pages/pod1/pts_createuser.pod +++ b/doc/man-pages/pod1/pts_createuser.pod @@ -8,13 +8,14 @@ pts_createuser - Creates a user or machine entry in the Protection Database
B S<<< B<-name> >+ >>> S<<< [B<-id> >+] >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-force>] + [B<-help>] B S<<< B<-na> >+ >>> S<<< [B<-i> >+] >>> - S<<< [B<-c> >] >>> [B<-no>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> S<<< [B<-i> >+] >>> - S<<< [B<-c> >] >>> [B<-no>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -137,6 +138,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_delete.pod b/doc/man-pages/pod1/pts_delete.pod index 6af95427c..b06b35b0a 100644 --- a/doc/man-pages/pod1/pts_delete.pod +++ b/doc/man-pages/pod1/pts_delete.pod @@ -8,10 +8,11 @@ pts_delete - Deletes a Protection Database entry
B S<<< B<-nameorid> >+ >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] + [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> - S<<< [B<-c> >] >>> [B<-no>] [B<-f>] [-h] + S<<< [B<-c> >] >>> [B<-no>] [B<-l>] [B<-f>] [-h] =for html
@@ -71,6 +72,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_examine.pod b/doc/man-pages/pod1/pts_examine.pod index 068e1eb30..6921d979b 100644 --- a/doc/man-pages/pod1/pts_examine.pod +++ b/doc/man-pages/pod1/pts_examine.pod @@ -8,16 +8,17 @@ pts_examine - Displays a Protection Database entry
B S<<< B<-nameorid> >+ >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] + [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -51,6 +52,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_interactive.pod b/doc/man-pages/pod1/pts_interactive.pod index 583970300..6c8a64127 100644 --- a/doc/man-pages/pod1/pts_interactive.pod +++ b/doc/man-pages/pod1/pts_interactive.pod @@ -8,7 +8,7 @@ pts_interactive - Enters interactive mode
B S<<< [B<-cell>] > >>> [B<-noauth>] - [B<-force>] + [B<-auth>] [B<-localauth>] [B<-force>] B S<<< [B<-c>] > >>> [B<-n>] [B<-f>] @@ -20,6 +20,12 @@ B S<<< [B<-c>] > >>> [B<-n>] [B<-f>] The B command allows the user to enter an interactive mode, useful for running bulk commands like creating new users or groups. +B uses the authentication state supplied on its command +line to run all bulk commands. However, if a bulk command is supplied +with authentication options such as B<-cell>, B<-localauth>, B<-auth> +or B<-noauth> then it, and all subsequent bulk commands, will be run with +those options. + =head1 CAUTIONS Prior to OpenAFS 1.4.5 and OpenAFS 1.5.23, the B command @@ -56,6 +62,12 @@ if one of many operations fails. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =back =head1 OUTPUT diff --git a/doc/man-pages/pod1/pts_listentries.pod b/doc/man-pages/pod1/pts_listentries.pod index 99b71072c..79d53c13a 100644 --- a/doc/man-pages/pod1/pts_listentries.pod +++ b/doc/man-pages/pod1/pts_listentries.pod @@ -8,9 +8,10 @@ pts_listentries - Displays all users or groups in the Protection Database
B [B<-users>] [B<-groups>] S<<< [B<-cell> >] >>> - [B<-noauth>] [B<-force>] [B<-help>] + [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] -B [B<-u>] [B<-g>] S<<< [B<-c> >] >>> [B<-n>] [B<-f>] [B<-h>] +B [B<-u>] [B<-g>] S<<< [B<-c> >] >>> [B<-n>] [B<-l>] + [B<-f>] [B<-h>] =for html
@@ -47,6 +48,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_listmax.pod b/doc/man-pages/pod1/pts_listmax.pod index 151ac68c9..4fec04e46 100644 --- a/doc/man-pages/pod1/pts_listmax.pod +++ b/doc/man-pages/pod1/pts_listmax.pod @@ -7,9 +7,10 @@ pts_listmax - Displays the max user id and max group id counters =for html
-B S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] +B S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] + [B<-force>] [B<-help>] -B S<<< [B<-c> >] >>> [B<-n>] [B<-f>] [B<-h>] +B S<<< [B<-c> >] >>> [B<-n>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -44,6 +45,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_listowned.pod b/doc/man-pages/pod1/pts_listowned.pod index fc0d464b2..5baf3a618 100644 --- a/doc/man-pages/pod1/pts_listowned.pod +++ b/doc/man-pages/pod1/pts_listowned.pod @@ -8,10 +8,10 @@ pts_listowned - Show the Protection Database groups owned by a user or group
B S<<< B<-nameorid> >+ >>> - [-cell >] [B<-noauth>] [B<-force>] [B<-help>] + [-cell >] [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> - [-c >] [B<-no>] [B<-f>] [B<-h>] + [-c >] [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -51,6 +51,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_membership.pod b/doc/man-pages/pod1/pts_membership.pod index 7bacc0b8f..e5cbdc48e 100644 --- a/doc/man-pages/pod1/pts_membership.pod +++ b/doc/man-pages/pod1/pts_membership.pod @@ -8,16 +8,17 @@ pts_membership - Displays the membership list for a user or group
B S<<< B<-nameorid> >+ >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-localauth>] [B<-noauth>] + [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> [-c >] - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] B S<<< B<-na> >+ >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -59,6 +60,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_quit.pod b/doc/man-pages/pod1/pts_quit.pod index 102e8853f..a7a25107e 100644 --- a/doc/man-pages/pod1/pts_quit.pod +++ b/doc/man-pages/pod1/pts_quit.pod @@ -7,9 +7,10 @@ pts_quit - Exit from pts interactive mode =for html
-B S<<< [B<-cell>] > >>> [B<-noauth>] [B<-force>] +B S<<< [B<-cell>] > >>> [B<-noauth>] [B<-localauth>] + [B<-force>] -B S<<< [B<-c>] > >>> [B<-n>] [B<-f>] +B S<<< [B<-c>] > >>> [B<-n>] [B<-l>] [B<-f>] =for html
@@ -44,6 +45,12 @@ L. Enables the command to continue executing as far as possible when errors or other problems occur, rather than halting execution at the first error. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-noauth> Assigns the unprivileged identity anonymous to the issuer. For more diff --git a/doc/man-pages/pod1/pts_removeuser.pod b/doc/man-pages/pod1/pts_removeuser.pod index eb7bc9f6a..f60a66400 100644 --- a/doc/man-pages/pod1/pts_removeuser.pod +++ b/doc/man-pages/pod1/pts_removeuser.pod @@ -8,10 +8,11 @@ pts_removeuser - Removes a user from a Protection Database group
B S<<< B<-user> >+ >>> S<<< B<-group> >+ >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-force>] + [B<-help>] B S<<< B<-u> >+ >>> S<<< B<-g> >+ >>> - S<<< [B<-c> >] >>> [B<-n>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-n>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -56,6 +57,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_rename.pod b/doc/man-pages/pod1/pts_rename.pod index aef05eab3..3d461e818 100644 --- a/doc/man-pages/pod1/pts_rename.pod +++ b/doc/man-pages/pod1/pts_rename.pod @@ -8,10 +8,11 @@ pts_rename - Changes the name of a Protection Database entry
B S<<< B<-oldname> > >>> S<<< B<-newname> > >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] + [B<-force>] [B<-help>] B S<<< B<-o> > >>> S<<< B<-ne> > >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -69,6 +70,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_setfields.pod b/doc/man-pages/pod1/pts_setfields.pod index f530d1026..ac7bf0edd 100644 --- a/doc/man-pages/pod1/pts_setfields.pod +++ b/doc/man-pages/pod1/pts_setfields.pod @@ -10,12 +10,13 @@ pts_setfields - Sets privacy flags or quota for a Protection Database entry B S<<< B<-nameorid> >+ >>> S<<< [B<-access> >] >>> S<<< [B<-groupquota> >] >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] + [B<-force>] [B<-help>] B S<<< B<-na> >+ >>> S<<< [B<-a> >] >>> S<<< [B<-g> >] >>> S<<< [B<-c> >] >>> - [B<-no>] [B<-f>] [B<-h>] + [B<-no>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -203,6 +204,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_setmax.pod b/doc/man-pages/pod1/pts_setmax.pod index 09df9de1c..97498480b 100644 --- a/doc/man-pages/pod1/pts_setmax.pod +++ b/doc/man-pages/pod1/pts_setmax.pod @@ -8,10 +8,10 @@ pts_setmax - Sets the value of the max group id or max user id counter
B S<<< [B<-group> >] >>> S<<< [B<-user> >] >>> - S<<< [B<-cell> >] >>> [B<-noauth>] [B<-force>] [B<-help>] + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-force>] [B<-help>] B [B<-g> I>] S<<< [B<-u> >] >>> - S<<< [B<-c> >] >>> [B<-n>] [B<-f>] [B<-h>] + S<<< [B<-c> >] >>> [B<-n>] [B<-l>] [B<-f>] [B<-h>] =for html
@@ -56,6 +56,12 @@ L. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =item B<-force> Enables the command to continue executing as far as possible when errors diff --git a/doc/man-pages/pod1/pts_sleep.pod b/doc/man-pages/pod1/pts_sleep.pod index 363b4a2e6..4c009081e 100644 --- a/doc/man-pages/pod1/pts_sleep.pod +++ b/doc/man-pages/pod1/pts_sleep.pod @@ -8,10 +8,10 @@ pts_sleep - Pauses for a few seconds
B S<<< [B<-delay>] > >>> - S<<< [B<-cell>] > >>> [B<-noauth>] [B<-force>] + S<<< [B<-cell>] > >>> [B<-noauth>] [B<-localauth>] [B<-force>] B S<<< [B<-d>] > >>> S<<< [B<-c>] > >>> - [B<-n>] [B<-f>] + [B<-n>] [B<-l>] [B<-f>] =for html
@@ -33,7 +33,7 @@ it is always available. =head1 OPTIONS -Although they have no effect, B takes the following standard +Although they have no effect, B takes the following standard B options: =over 4 @@ -53,6 +53,12 @@ or other problems occur, rather than halting execution at the first error. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =back =head1 OUTPUT diff --git a/doc/man-pages/pod1/pts_source.pod b/doc/man-pages/pod1/pts_source.pod index c1859fc30..ccaffd69f 100644 --- a/doc/man-pages/pod1/pts_source.pod +++ b/doc/man-pages/pod1/pts_source.pod @@ -8,10 +8,10 @@ pts_source - Read pts commands from a file
B S<<< [B<-file>] > >>> S<<< [B<-cell>] > >>> - [B<-noauth>] [B<-force>] + [B<-noauth>] [B<-localauth>] [B<-force>] B S<<< [B<-f>] > >>> S<<< [B<-c>] > >>> - [B<-n>] [B<-f>] + [B<-n>] [B<-l>] [B<-f>] =for html
@@ -56,6 +56,12 @@ if one of many operations fails. Assigns the unprivileged identity anonymous to the issuer. For more details, see L. +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. Do not combine this flag with the +B<-cell> or B<-noauth> options. For more details, see L. + =back =head1 OUTPUT diff --git a/src/ptserver/pts.c b/src/ptserver/pts.c index 66146855d..60809d981 100644 --- a/src/ptserver/pts.c +++ b/src/ptserver/pts.c @@ -50,6 +50,12 @@ struct sourcestack { FILE *s_file; } *shead; +struct authstate { + int sec; + const char *confdir; + char cell[MAXCELLCHARS]; +}; + int pts_Interactive(struct cmd_syndesc *as, void *arock) { 
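Review bot: The new `struct authstate` carries no field comments, so what `sec` encodes and what the empty/NULL states of `cell` and `confdir` mean can only be recovered by reading GetGlobals further down in this file. Suggest `int sec; /* 0 = -noauth, 1 = caller's own tokens (-auth, the default), 2 = -localauth server key */`, `const char *confdir; /* NULL until GetGlobals has initialised the library once */` and `char cell[MAXCELLCHARS]; /* empty string = no -cell override in effect */`. Those are the values GetGlobals assigns for the -noauth, -auth and -localauth flags, tests on entry, and that main() seeds with `state.sec = 1`.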
@@ -132,32 +138,71 @@ osi_audit() int GetGlobals(struct cmd_syndesc *as, void *arock) { - register afs_int32 code; - char *cell; - afs_int32 sec = 1; + struct authstate *state = (struct authstate *) arock; + afs_int32 code; + char *cell = NULL; + afs_int32 sec; + int changed = 0; + const char* confdir; whoami = as->a0name; if (!strcmp(as->name, "help")) return 0; - if (as->parms[16].items) + + if (*state->cell) { + cell = state->cell; + } + sec = state->sec; + + if (state->confdir == NULL) { + changed = 1; + } + + if (as->parms[16].items) { + changed = 1; cell = as->parms[16].items->data; - else - cell = 0; - if (as->parms[17].items) + } + if (as->parms[17].items) { /* -noauth */ + changed = 1; sec = 0; - - if (as->parms[18].items) { /* testing? */ - code = pr_Initialize(sec, AFSDIR_SERVER_ETC_DIRPATH, cell); + } + if (as->parms[20].items) { /* -localauth */ + changed = 1; + sec = 2; + } + if (as->parms[21].items) { /* -auth */ + changed = 1; + sec = 1; + } + if (as->parms[18].items || as->parms[20].items) { /* -test, -localauth */ + changed = 1; + confdir = AFSDIR_SERVER_ETC_DIRPATH; } else { - code = pr_Initialize(sec, AFSDIR_CLIENT_ETC_DIRPATH, cell); + if (sec == 2) + confdir = AFSDIR_SERVER_ETC_DIRPATH; + else + confdir = AFSDIR_CLIENT_ETC_DIRPATH; + } + if (changed) { + CleanUp(as, arock); + code = pr_Initialize(sec, confdir, cell); + } else { + code = 0; } if (code) { afs_com_err(whoami, code, "while initializing"); return code; } + state->sec = sec; + state->confdir = confdir; + if (cell && cell != state->cell) + strncpy(state->cell, cell, MAXCELLCHARS-1); + + force = 0; if (as->parms[19].items) force = 1; + return code; } @@ -704,7 +749,7 @@ ListEntries(struct cmd_syndesc *as, void *arock) pr_ListEntries(flag, startindex, &nentries, &entriesp, &nextstartindex); if (code) { - afs_com_err(whoami, code, "; unable to list entries\n"); + afs_com_err(whoami, code, "; unable to list entries"); if (entriesp) free(entriesp); break; 
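Review bot: The three authentication flags are never checked for mutual exclusion in GetGlobals: if `-noauth`, `-localauth` and `-auth` are combined, assignment order decides (sec is set to 0, then overwritten with 2, then with 1), while the man pages in this same patch tell the user not to combine them. A conflicting combination should be rejected before anything is initialised, e.g. `if ((as->parms[17].items && (as->parms[20].items || as->parms[21].items)) || (as->parms[20].items && as->parms[21].items)) {` / `fprintf(stderr, "%s: -noauth, -localauth and -auth are mutually exclusive\n", whoami); return 1;` / `}`, assuming a non-zero return here aborts the command as it presumably does on the `while initializing` path. Separately, `strncpy(state->cell, cell, MAXCELLCHARS-1)` silently truncates a long cell name, so the cell remembered in `state` and the one just passed to pr_Initialize can differ for the rest of an interactive session; testing `strlen(cell) >= MAXCELLCHARS` and reporting an error would be safer. The ListEntries hunk below only drops a trailing newline and needs no change.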
@@ -972,6 +1017,10 @@ add_std_args(register struct cmd_syndesc *ts) cmd_AddParm(ts, "-test", CMD_FLAG, CMD_OPTIONAL | CMD_HIDE, test_help); cmd_AddParm(ts, "-force", CMD_FLAG, CMD_OPTIONAL, "Continue oper despite reasonable errors"); + cmd_AddParm(ts, "-localauth", CMD_FLAG, CMD_OPTIONAL, + "use local authentication"); + cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL, + "use user's authentication (default)"); } /* @@ -996,6 +1045,7 @@ main(int argc, char **argv) int parsec; char *parsev[CMD_MAXPARMS]; char *savec; + struct authstate state; #ifdef WIN32 WSADATA WSAjunk; @@ -1020,6 +1070,9 @@ main(int argc, char **argv) sigaction(SIGSEGV, &nsa, NULL); #endif + memset(&state, 0, sizeof(state)); + state.sec = 1; /* default is auth */ + ts = cmd_CreateSyntax("creategroup", CreateGroup, NULL, "create a new group"); cmd_AddParm(ts, "-name", CMD_LIST, 0, "group name"); @@ -1121,7 +1174,7 @@ main(int argc, char **argv) cmd_AddParm(ts, "-delay", CMD_SINGLE, 0, "seconds"); add_std_args(ts); - cmd_SetBeforeProc(GetGlobals, 0); + cmd_SetBeforeProc(GetGlobals, &state); finished = 1; source = stdin; diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c index 7635319b8..0c4eaf119 100644 --- a/src/ptserver/ptuser.c +++ b/src/ptserver/ptuser.c @@ -91,11 +91,12 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell) if (!tdir) { if (confDir && strcmp(confDir, "")) fprintf(stderr, - "libprot: Could not open configuration directory: %s.\n", - confDir); + "%s: Could not open configuration directory: %s.\n", + whoami, confDir); else fprintf(stderr, - "libprot: No configuration directory specified.\n"); + "%s: No configuration directory specified.\n", + whoami); return -1; } gottdir = 1; 
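Review bot: The two parameters added to add_std_args only work because GetGlobals reads them as `as->parms[20]` and `as->parms[21]`, so their position after `-force` is load-bearing, yet nothing at either site says so. A comment on the new lines, `/* positions 20 and 21: GetGlobals reads these parms by index */`, or better a small enum of the standard-argument indices (a constructed example: `PTS_PARM_CELL = 16, ..., PTS_PARM_LOCALAUTH = 20, PTS_PARM_AUTH = 21`) used in both places, would keep the next added flag from silently shifting the meaning of the existing indices. The main() hunks on this line are consistent with each other (`state` is zeroed, `sec` defaulted to 1, and its address handed to cmd_SetBeforeProc) and need no change.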
@@ -173,16 +174,22 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell) /* Most callers use secLevel==1, however, the fileserver uses secLevel==2 * to force use of the KeyFile. secLevel == 0 implies -noauth was * specified. */ - if ((secLevel == 2) && (afsconf_GetLatestKey(tdir, 0, 0) == 0)) { - /* If secLevel is two assume we're on a file server and use - * ClientAuthSecure if possible. */ - code = afsconf_ClientAuthSecure(tdir, &sc[2], &scIndex); - if (code) - fprintf(stderr, - "libprot: clientauthsecure returns %d %s" - " (so trying noauth)\n", code, afs_error_message(code)); - if (code) - scIndex = 0; /* use noauth */ + if (secLevel == 2) { + code = afsconf_GetLatestKey(tdir, 0, 0); + if (code) { + afs_com_err(whoami, code, + "(getting key from local KeyFile)\n"); + scIndex = 0; /* use noauth */ + } else { + /* If secLevel is two assume we're on a file server and use + * ClientAuthSecure if possible. */ + code = afsconf_ClientAuthSecure(tdir, &sc[2], &scIndex); + if (code) { + afs_com_err(whoami, code, + "(calling client secure)\n"); + scIndex = 0; /* use noauth */ + } + } if (scIndex != 2) /* if there was a problem, an unauthenticated conn is returned */ sc[scIndex] = sc[2]; @@ -192,16 +199,17 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell) sname.instance[0] = 0; strcpy(sname.name, "afs"); code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL); - if (code) + if (code) { + afs_com_err(whoami, code, "(getting token)"); scIndex = 0; - else { + } else { if (ttoken.kvno >= 0 && ttoken.kvno <= 256) /* this is a kerberos ticket, set scIndex accordingly */ scIndex = 2; else { fprintf(stderr, - "libprot: funny kvno (%d) in ticket, proceeding\n", - ttoken.kvno); + "%s: funny kvno (%d) in ticket, proceeding\n", + whoami, ttoken.kvno); scIndex = 2; } sc[2] = 
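Review bot: The two new afs_com_err calls in the secLevel == 2 branch pass messages ending in `\n` (`"(getting key from local KeyFile)\n"` and `"(calling client secure)\n"`), while the ListEntries hunk in pts.c in this same patch removes exactly such a trailing newline from an afs_com_err message — suggesting afs_com_err supplies its own — and the new `"(getting token)"` call a few lines below omits it. Drop the `\n` from both strings so the three calls format alike and the KeyFile errors are not followed by a blank line. The pr_Initialize body starts and ends outside this hunk.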
@@ -216,8 +224,9 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell) if ((scIndex == 0) && (sc[0] == 0)) sc[0] = rxnull_NewClientSecurityObject(); if ((scIndex == 0) && (secLevel != 0)) - afs_com_err(whoami, code, - "Could not get afs tokens, running unauthenticated."); + fprintf(stderr, + "%s: Could not get afs tokens, running unauthenticated\n", + whoami); memset(serverconns, 0, sizeof(serverconns)); /* terminate list!!! */ for (i = 0; i < info.numServers; i++) diff --git a/src/ptserver/utils.c b/src/ptserver/utils.c index ee01ac38c..a127e3cbc 100644 --- a/src/ptserver/utils.c +++ b/src/ptserver/utils.c @@ -824,6 +824,9 @@ IsAMemberOf(struct ubik_trans *at, afs_int32 aid, afs_int32 gid) return 1; if (gid == AUTHUSERID && aid != ANONYMOUSID) return 1; + /* check -localauth case */ + if (gid == SYSADMINID && aid == SYSADMINID) + return 1; if ((gid == 0) || (aid == 0)) return 0; #if defined(SUPERGROUPS) -- 2.39.5
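Review bot: The comment on the new IsAMemberOf check in utils.c, `/* check -localauth case */`, names a client command-line flag that this server-side function never sees and does not say why an id equal to the group id should count as a member of that group. Presumably the identity a -localauth connection presents is resolved to SYSADMINID before this point; if so, state that where the check is, e.g. `/* A caller whose id resolved to SYSADMINID (how a server-key, i.e. -localauth, connection is identified) is treated as a member of the SYSADMINID group itself. */`. The ptuser.c hunk above it, switching the "running unauthenticated" report from afs_com_err to fprintf, looks right given that `code` may be stale by then.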