From f085951d39c0d6c1e6a626177c30235704317600 Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Thu, 24 Dec 2009 13:00:53 +0000 Subject: [PATCH] Turn on bos restricted code Remove the #ifdef's around the bos restricted mode code. This makes restricted mode available as part of the standard build, but a server will not go into restricted mode unless the relevant command line options are specified, or bos setrestricted is run. Document bos_setrestricted and bos_getrestricted, and the new '-restricted' command line option. Add a note to the man pages of all of the commands whose behaviour is affected by restricted mode. Add 'setr' and 'getr' aliases for setrestart and getrestart so that these documented shortcuts continue to work (otherwise they'd be ambiguous against setrestricted and getrestricted). Note that setre, setres, and setrest will not work once this patch is applied. Change-Id: Ie69d21493ea5f78757f0a3d478de43fdaabd3c31 Reviewed-on: http://gerrit.openafs.org/1028 Reviewed-by: Michael Meffie Reviewed-by: Andrew Deason Tested-by: Andrew Deason Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear --- acinclude.m4 | 11 --- doc/man-pages/pod8/bos.pod | 6 +- doc/man-pages/pod8/bos_create.pod | 3 + doc/man-pages/pod8/bos_delete.pod | 3 + doc/man-pages/pod8/bos_exec.pod | 3 + doc/man-pages/pod8/bos_getlog.pod | 3 + doc/man-pages/pod8/bos_getrestricted.pod | 88 ++++++++++++++++++++++++ doc/man-pages/pod8/bos_install.pod | 3 + doc/man-pages/pod8/bos_prune.pod | 3 + doc/man-pages/pod8/bos_setrestricted.pod | 88 ++++++++++++++++++++++++ doc/man-pages/pod8/bos_uninstall.pod | 3 + doc/man-pages/pod8/bosserver.pod | 13 +++- src/bozo/bos.c | 6 +- src/bozo/bosoprocs.c | 32 +-------- src/bozo/bosserver.c | 17 +---- src/config/afsconfig-windows.h | 1 - 16 files changed, 219 insertions(+), 64 deletions(-) create mode 100644 doc/man-pages/pod8/bos_getrestricted.pod create mode 100644 doc/man-pages/pod8/bos_setrestricted.pod 
diff --git a/acinclude.m4 b/acinclude.m4 index 58495705e..dd37867d5 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -51,7 +51,6 @@ AH_VERBATIM([OPENAFS_HEADER], #undef AFS_LARGEFILE_ENV #undef AFS_NAMEI_ENV #undef BITMAP_LATER -#undef BOS_RESTRICTED_MODE #undef FAST_RESTART #undef FULL_LISTVOL_SWITCH #undef COMPLETION_H_EXISTS @@ -104,12 +103,6 @@ AC_ARG_ENABLE([pam], [AS_HELP_STRING([--disable-pam], [disable PAM support])], , [enable_pam="yes"]) -AC_ARG_ENABLE([bos-restricted-mode], - [AS_HELP_STRING([--enable-bos-restricted-mode], - [enable bosserver restricted mode which disables certain bosserver - functionality])], - , - [enable_bos_restricted_mode="no"]) AC_ARG_ENABLE([largefile-fileserver], [AS_HELP_STRING([--disable-largefile-fileserver], [disable large file support in fileserver])], @@ -1478,10 +1471,6 @@ if test "$enable_icmp_pmtu_discovery" = "yes"; then fi fi -if test "$enable_bos_restricted_mode" = "yes"; then - AC_DEFINE(BOS_RESTRICTED_MODE, 1, [define if you want to want bos restricted mode]) -fi - if test "$enable_largefile_fileserver" = "yes"; then AC_DEFINE(AFS_LARGEFILE_ENV, 1, [define if you want large file fileserver]) fi diff --git a/doc/man-pages/pod8/bos.pod b/doc/man-pages/pod8/bos.pod index ce875a298..adeabca4e 100644 --- a/doc/man-pages/pod8/bos.pod +++ b/doc/man-pages/pod8/bos.pod @@ -36,8 +36,8 @@ restart>, B, B, B, and B. =item * Commands to set and verify server process and server machine status: B, B, B, B, and B. +getlog>, B, B, B, +B, B and B. =item * @@ -252,6 +252,7 @@ L, L, L, L, +L, L, L, L, @@ -266,6 +267,7 @@ L, L, L, L, +L, L, L, L, diff --git a/doc/man-pages/pod8/bos_create.pod b/doc/man-pages/pod8/bos_create.pod index 1f1001ad0..a0afefd72 100644 --- a/doc/man-pages/pod8/bos_create.pod +++ b/doc/man-pages/pod8/bos_create.pod 
@@ -290,6 +290,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 NOTES If the B<-notifier> argument is included when this command is used to diff --git a/doc/man-pages/pod8/bos_delete.pod b/doc/man-pages/pod8/bos_delete.pod index 9b4d55818..6982d058c 100644 --- a/doc/man-pages/pod8/bos_delete.pod +++ b/doc/man-pages/pod8/bos_delete.pod @@ -87,6 +87,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_exec.pod b/doc/man-pages/pod8/bos_exec.pod index 4cdbe4e63..fb65d535d 100644 --- a/doc/man-pages/pod8/bos_exec.pod +++ b/doc/man-pages/pod8/bos_exec.pod @@ -79,6 +79,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command is not available on servers running in restricted +mode. + =head1 SEE ALSO L diff --git a/doc/man-pages/pod8/bos_getlog.pod b/doc/man-pages/pod8/bos_getlog.pod index 75d52eb3a..b397963c4 100644 --- a/doc/man-pages/pod8/bos_getlog.pod +++ b/doc/man-pages/pod8/bos_getlog.pod @@ -141,6 +141,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +When a server is in restricted mode, B can only return the +contents of the salvager's log. + =head1 SEE ALSO L diff --git a/doc/man-pages/pod8/bos_getrestricted.pod b/doc/man-pages/pod8/bos_getrestricted.pod new file mode 100644 index 000000000..f9706a99b --- /dev/null +++ b/doc/man-pages/pod8/bos_getrestricted.pod 
@@ -0,0 +1,88 @@ +=head1 NAME + +bos_getrestricted - Displays whether a bos server is restricted or not + +=head1 SYNOPSIS + +=for html +
+ +B S<<< B<-server> > >>> S<<< [B<-cell> >] >>> + [B<-noauth>] [B<-localauth>] [B<-help>] + +=for html +
+ +=head1 DESCRIPTION + +The bos getrestricted command shows whether the server machine named by +the B<-server> argument is running in restricted mode. + +Restricted mode limits access to certain bos commands. See +L for details of which commands are disabled by +restricting a server. + +Use the B command to restrict, or un-restrict, a server. + +=head1 OPTIONS + +=over 4 + +=item B<-server> > + +Indicates the server machine for which to display the restart +times. Identify the machine by IP address or its host name (either +fully-qualified or abbreviated unambiguously). For details, see L. + +=item B<-cell> > + +Names the cell in which to run the command. Do not combine this argument +with the B<-localauth> flag. For more details, see L. + +=item B<-noauth> + +Assigns the unprivileged identity C to the issuer. Do not +combine this flag with the B<-localauth> flag. For more details, see +L. + +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. The B command interpreter presents the +ticket to the BOS Server during mutual authentication. Do not combine this +flag with the B<-cell> or B<-noauth> options. For more details, see +L. + +=item B<-help> + +Prints the online help for this command. All other valid options are +ignored. + +=back + +=head1 OUTPUT + +The output consists of a single line + + Restricted mode is + +Where is "on" or "off" + +=head1 PRIVILEGE REQUIRED + +None + +=head1 SEE ALSO + +L, +L, +L, + +=head1 COPYRIGHT + +Copyright 2009 Simon Wilkinson + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Simon Wilkinson for +OpenAFS. + diff --git a/doc/man-pages/pod8/bos_install.pod b/doc/man-pages/pod8/bos_install.pod index 3b1307b00..4ccbca254 100644 --- a/doc/man-pages/pod8/bos_install.pod +++ b/doc/man-pages/pod8/bos_install.pod 
@@ -118,6 +118,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_prune.pod b/doc/man-pages/pod8/bos_prune.pod index b85f96f06..fe6896c71 100644 --- a/doc/man-pages/pod8/bos_prune.pod +++ b/doc/man-pages/pod8/bos_prune.pod @@ -129,6 +129,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers which are in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bos_setrestricted.pod b/doc/man-pages/pod8/bos_setrestricted.pod new file mode 100644 index 000000000..4edef6846 --- /dev/null +++ b/doc/man-pages/pod8/bos_setrestricted.pod @@ -0,0 +1,88 @@ +=head1 NAME + +bos_setrestricted - place a server in restricted mode + +=head1 SYNOPSIS + +=for html +
+ +B S<<< B<-server> > >>> S<<< B<-mode> 1 >>> + S<<< [B<-cell> >] >>> [B<-noauth>] [B<-localauth>] [B<-help>] + +=for html +
+ +=head1 DESCRIPTION + +The B command places the server in restricted mode. This +mode increases the security of the bos server by removing access to a +number of bos commands that are only used whilst configuring a system. + +When a server is in restricted mode, access to B, B, +B, B, B, B, B +is denied, and the use of B is limited. + +=head1 CAUTIONS + +Once a server has been placed in restricted mode, it may not be opened up +again using a remote command. That is, B has no method +of setting an unrestricted mode. Once a server is restricted, it can only +be opened up again by sending it a SIGFPE, which must be done as root on +the local machine. + +=head1 OPTIONS + +=over 4 + +=item B<-server> > + +Indicates the server machine to restrict. + +=item B<-cell> > + +Names the cell in which to run the command. Do not combine this argument +with the B<-localauth> flag. For more details, see L. + +=item B<-noauth> + +Assigns the unprivileged identity C to the issuer. Do not +combine this flag with the B<-localauth> flag. For more details, see +L. + +=item B<-localauth> + +Constructs a server ticket using a key from the local +F file. The B command interpreter presents the +ticket to the BOS Server during mutual authentication. Do not combine this +flag with the B<-cell> or B<-noauth> options. For more details, see +L. + +=item B<-help> + +Prints the online help for this command. All other valid options are +ignored. + +=back + +=head1 PRIVILEGE REQUIRED + +The issuer must be listed in the F file on the +machine named by the B<-server> argument, or must be logged in as the +local superuser C if the B<-localauth> flag is included. + +As noted above, this command cannot be run against servers which are +already in restricted mode. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2009 Simon wilkinson + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Simon Wilkinson for +OpenAFS. + 
diff --git a/doc/man-pages/pod8/bos_uninstall.pod b/doc/man-pages/pod8/bos_uninstall.pod index fe20ba500..4b4995f5b 100644 --- a/doc/man-pages/pod8/bos_uninstall.pod +++ b/doc/man-pages/pod8/bos_uninstall.pod @@ -101,6 +101,9 @@ machine named by the B<-server> argument, or must be logged onto a server machine as the local superuser C if the B<-localauth> flag is included. +The B command cannot be run against servers running in +restricted mode. + =head1 SEE ALSO L, diff --git a/doc/man-pages/pod8/bosserver.pod b/doc/man-pages/pod8/bosserver.pod index aa75e9b7c..8c7181df8 100644 --- a/doc/man-pages/pod8/bosserver.pod +++ b/doc/man-pages/pod8/bosserver.pod @@ -9,7 +9,8 @@ bosserver - Initializes the BOS Server B [B<-noauth>] [B<-log>] [B<-enable_peer_stats>] S<<< [B<-auditlog> >] >>> [B<-audit-interface> (file | sysvmq)] - [B<-enable_process_stats>] [B<-allow-dotted-principals>] [B<-help>] + [B<-enable_process_stats>] [B<-allow-dotted-principals>] + [B<-restricted>] [B<-help>] =for html @@ -154,6 +155,15 @@ user.admin PTS entry. Sites whose Kerberos realms don't have these collisions between principal names may disable this check by starting the server with this option. +=item B<-restricted> + +In normal operation, the bos server allows a super user to run any command. +When the bos server is running in restricted mode (either due to this +command line flag, or when configured by L) a number +of commands are unavailable. Note that this flag persists across reboots. +Once a server has been placed in restricted mode, it can only be opened up +by sending the SIGFPE signal. + =item B<-help> Prints the online help for this command. All other valid options are @@ -183,6 +193,7 @@ L, L, L, L, +L, L, L, L, diff --git a/src/bozo/bos.c b/src/bozo/bos.c index fd79e4ff9..411e64dec 100644 --- a/src/bozo/bos.c +++ b/src/bozo/bos.c @@ -1876,7 +1876,6 @@ DoStat(IN char *aname, return 0; } -#ifdef BOS_RESTRICTED_MODE static int GetRestrict(struct cmd_syndesc *as, void *arock) { 
@@ -1906,7 +1905,6 @@ SetRestrict(struct cmd_syndesc *as, void *arock) printf("bos: failed to set restricted mode (%s)\n", em(code)); return 0; } -#endif static void add_std_args(register struct cmd_syndesc *ts) @@ -2135,11 +2133,13 @@ main(int argc, char **argv) cmd_AddParm(ts, "-newbinary", CMD_FLAG, CMD_OPTIONAL, "set new binary restart time"); add_std_args(ts); + cmd_CreateAlias(ts, "setr"); ts = cmd_CreateSyntax("getrestart", GetRestartCmd, NULL, "get restart times"); cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name"); add_std_args(ts); + cmd_CreateAlias(ts, "getr"); ts = cmd_CreateSyntax("salvage", SalvageCmd, NULL, "salvage partition or volumes"); @@ -2209,7 +2209,6 @@ main(int argc, char **argv) cmd_AddParm(ts, "-server", CMD_SINGLE, CMD_REQUIRED, "machine name"); add_std_args(ts); -#ifdef BOS_RESTRICTED_MODE ts = cmd_CreateSyntax("getrestricted", GetRestrict, NULL, "get restrict mode"); cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name"); @@ -2220,7 +2219,6 @@ main(int argc, char **argv) cmd_AddParm(ts, "-server", CMD_SINGLE, 0, "machine name"); cmd_AddParm(ts, "-mode", CMD_SINGLE, 0, "mode to set"); add_std_args(ts); -#endif #endif code = cmd_Dispatch(argc, argv); diff --git a/src/bozo/bosoprocs.c b/src/bozo/bosoprocs.c index 9bd56a0b2..66e10f54c 100644 --- a/src/bozo/bosoprocs.c +++ b/src/bozo/bosoprocs.c @@ -47,9 +47,7 @@ extern struct ktime bozo_nextRestartKT, bozo_nextDayKT; extern struct afsconf_dir *bozo_confdir; extern int bozo_newKTs; extern int DoLogging; -#ifdef BOS_RESTRICTED_MODE extern int bozo_isrestricted; -#endif afs_int32 SBOZO_GetRestartTime(struct rx_call *acall, afs_int32 atype, struct bozo_netKTime *aktime) @@ -125,12 +123,10 @@ SBOZO_Exec(struct rx_call *acall, char *acmd) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing the shell command '%s'\n", caller, acmd); 
@@ -192,13 +188,11 @@ SBOZO_UnInstall(struct rx_call *acall, register char *aname) osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; } -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalBinPath(aname, &filepath)) { @@ -291,10 +285,8 @@ SBOZO_Install(struct rx_call *acall, char *aname, afs_int32 asize, afs_int32 mod if (!afsconf_SuperUser(bozo_confdir, acall, caller)) return BZACCESS; -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) return BZACCESS; -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalBinPath(aname, &fpp)) { @@ -782,7 +774,6 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance, code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { if (strcmp(atype, "cron") || strcmp(ainstance, "salvage-tmp") || strcmp(ap2, "now") @@ -792,7 +783,6 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance, goto fail; } } -#endif code = bnode_Create(atype, ainstance, &tb, ap1, ap2, ap3, ap4, ap5, notifier, @@ -836,12 +826,10 @@ SBOZO_DeleteBnode(struct rx_call *acall, char *ainstance) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing DeleteBnode '%s'\n", caller, ainstance); @@ -1174,12 +1162,10 @@ SBOZO_Prune(struct rx_call *acall, afs_int32 aflags) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted) { code = BZACCESS; goto fail; } -#endif if (DoLogging) bozo_Log("%s is executing Prune (flags=%d)\n", caller, aflags); 
@@ -1436,13 +1422,11 @@ SBOZO_GetLog(register struct rx_call *acall, char *aname) code = BZACCESS; goto fail; } -#ifdef BOS_RESTRICTED_MODE if (bozo_isrestricted && strchr(aname, '/') && strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH)) { code = BZACCESS; goto fail; } -#endif /* construct local path from canonical (wire-format) path */ if (ConstructLocalLogPath(aname, &logpath)) { @@ -1517,7 +1501,6 @@ SBOZO_GetInstanceStrings(struct rx_call *acall, char *abnodeName, return BZNOENT; } -#ifdef BOS_RESTRICTED_MODE afs_int32 SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode) { @@ -1542,22 +1525,9 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) } bozo_isrestricted = arestmode; code = WriteBozoFile(0); - fail: - return code; -} -#else -afs_int32 -SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode) -{ - return RXGEN_OPCODE; -} -afs_int32 -SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) -{ - return RXGEN_OPCODE; + return code; } -#endif void * bozo_ShutdownAndExit(void *param) diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index df369028a..49bc39b11 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -78,7 +78,6 @@ int rxkadDisableDotCheck = 0; #define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */ afs_uint32 SHostAddrs[ADDRSPERSITE]; -#ifdef BOS_RESTRICTED_MODE int bozo_isrestricted = 0; int bozo_restdisable = 0; @@ -89,7 +88,6 @@ bozo_insecureme(int sig) bozo_isrestricted = 0; bozo_restdisable = 1; } -#endif struct bztemp { FILE *file; @@ -281,9 +279,7 @@ ReadBozoFile(char *aname) afs_int32 i, goal; struct bnode *tb; char *parms[MAXPARMS]; -#ifdef BOS_RESTRICTED_MODE int rmode; -#endif /* rename BozoInit to BosServer for the user */ if (!aname) { 
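Review bot: The restricted-mode test in SBOZO_GetLog only rejects names that contain a '/', so any slash-free log name is still served by a restricted server, whereas the bos_getlog.pod text added in this same commit says only the salvager's log is returned. One of the two should change: either tighten the condition to `if (bozo_isrestricted && strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH))` and keep the man page, or keep the code and document it with `/* restricted: only names relative to the log dir, or the canonical salvager log */` and reword the man page to match. What a slash-free name can actually reach depends on ConstructLocalLogPath, which is outside the hunk, as is the head of SBOZO_GetLog.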
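Review bot: `bozo_isrestricted = arestmode;` stores the caller-supplied value verbatim and WriteBozoFile then persists it, so unless the head of SBOZO_SetRestrictedMode (outside the hunk) already rejects anything but 0 and 1, a value such as 2 ends up in BosConfig and in the `restrictmode %d` line; normalising with `bozo_isrestricted = (arestmode != 0);` keeps the flag boolean whatever the client sends. Setting the flag before the file is written is the right fail-closed order, since a failed WriteBozoFile leaves this run restricted while the error still reaches the client, and that deserves a comment such as `/* set the flag first: if the write fails we stay restricted for this run and report the error */`. The dropped `fail:` label must not still be the target of a `goto` earlier in the function; I cannot confirm that from the hunk.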
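Review bot: `bozo_isrestricted` and `bozo_restdisable` are plain `int`s that the SIGFPE handler `bozo_insecureme` (next hunk) writes and that BozoDaemon (`@@ -526`) and the RPC handlers in bosoprocs.c read, so nothing stops the compiler from caching them across the poll loop and the stores are not guaranteed atomic with respect to the handler. C reserves `volatile sig_atomic_t` for exactly this: declare `volatile sig_atomic_t bozo_restdisable = 0;` for the daemon-side flag, and either give `bozo_isrestricted` the same type with the `extern int bozo_isrestricted;` in bosoprocs.c (`@@ -47`) changed to match, or — simpler — have the handler set only `bozo_restdisable` and let BozoDaemon clear `bozo_isrestricted` where it already logs `Restricted mode disabled by signal`. The second form also makes the in-memory change and the log line happen together, at the cost of up to one `IOMGR_Sleep(60)` period of delay.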
@@ -367,7 +363,7 @@ ReadBozoFile(char *aname) bozo_nextDayKT.sec = ktsec; continue; } -#ifdef BOS_RESTRICTED_MODE + if (strncmp(tbuffer, "restrictmode", 12) == 0) { code = sscanf(tbuffer, "restrictmode %d", &rmode); if (code != 1) { @@ -381,7 +377,6 @@ ReadBozoFile(char *aname) bozo_isrestricted = rmode; continue; } -#endif if (strncmp("bnode", tbuffer, 5) != 0) { code = -1; @@ -466,9 +461,8 @@ WriteBozoFile(char *aname) if (!tfile) return -1; btemp.file = tfile; -#ifdef BOS_RESTRICTED_MODE + fprintf(tfile, "restrictmode %d\n", bozo_isrestricted); -#endif fprintf(tfile, "restarttime %d %d %d %d %d\n", bozo_nextRestartKT.mask, bozo_nextRestartKT.day, bozo_nextRestartKT.hour, bozo_nextRestartKT.min, bozo_nextRestartKT.sec); @@ -526,12 +520,11 @@ BozoDaemon(void *unused) IOMGR_Sleep(60); now = FT_ApproxTime(); -#ifdef BOS_RESTRICTED_MODE if (bozo_restdisable) { bozo_Log("Restricted mode disabled by signal\n"); bozo_restdisable = 0; } -#endif + if (bozo_newKTs) { /* need to recompute restart times */ bozo_newKTs = 0; /* done for a while */ nextRestart = ktime_next(&bozo_nextRestartKT, BOZO_MINSKIP); @@ -753,9 +746,7 @@ main(int argc, char **argv, char **envp) sigaction(SIGABRT, &nsa, NULL); #endif osi_audit_init(); -#ifdef BOS_RESTRICTED_MODE signal(SIGFPE, bozo_insecureme); -#endif #ifdef AFS_NT40_ENV /* Initialize winsock */ @@ -816,11 +807,9 @@ main(int argc, char **argv, char **envp) } else if (strcmp(argv[code], "-enable_process_stats") == 0) { rx_enableProcessRPCStats(); } -#ifdef BOS_RESTRICTED_MODE else if (strcmp(argv[code], "-restricted") == 0) { bozo_isrestricted = 1; } -#endif else if (strcmp(argv[code], "-rxbind") == 0) { rxBind = 1; } diff --git a/src/config/afsconfig-windows.h b/src/config/afsconfig-windows.h index 05de66a82..7248592e8 100644 --- a/src/config/afsconfig-windows.h +++ b/src/config/afsconfig-windows.h 
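Review bot: `bozo_isrestricted = rmode;` in the following ReadBozoFile hunk (`@@ -381`) replaces the flag with whatever BosConfig holds, and WriteBozoFile (`@@ -466`) now always emits a `restrictmode` line, so if main() parses `-restricted` (`@@ -816`) before it calls ReadBozoFile — main's body is outside these hunks — a saved `restrictmode 0` would silently cancel the command-line flag that bosserver.pod documents as persistent. Merging instead of overwriting, `bozo_isrestricted = bozo_isrestricted || (rmode != 0);`, makes the server restricted when either source says so, and also keeps the flag boolean if the lines between the two hunks do not range-check `rmode`. ReadBozoFile continues past both hunks.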
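Review bot: `fprintf(tfile, "restrictmode %d\n", bozo_isrestricted);` now runs on every write, so every BosConfig this server saves carries the keyword, and ReadBozoFile's fallback (`if (strncmp("bnode", tbuffer, 5) != 0) { code = -1;`, context in `@@ -381`) shows that a bosserver built without this branch — any build that had it compiled out under the old `#ifdef` — fails to read such a file. That is a downgrade hazard worth a comment at the fprintf, `/* unconditional: bosservers without restricted-mode support reject unknown BosConfig keywords */`, and a line in the upgrade notes; emitting the line only when `bozo_isrestricted` is non-zero would keep BosConfig readable by older builds until restricted mode is actually used. WriteBozoFile continues past the hunk.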
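Review bot: `signal(SIGFPE, bozo_insecureme);` ties a security downgrade to a signal the kernel also raises synchronously for arithmetic faults, so a divide-by-zero anywhere in bosserver would run the same handler and silently lift restricted mode, and returning from a handler for a synchronous SIGFPE is undefined behaviour, so the fault would then repeat. The signal number is part of the interface the new man pages document, so rather than changing it, register with `sigaction` and `SA_SIGINFO` under the same guard as the `sigaction(SIGABRT, ...)` call just above, act only when `si_code` says the signal was sent by a process, and fall back to the default disposition otherwise. Sketch below; `bozo_insecureme` itself is in bosserver.c `@@ -89`, and main() continues past the hunk.
```c
static void
bozo_insecureme(int sig, siginfo_t *si, void *ctx)
{
    /* Only a signal sent by kill()/sigqueue() is a request to leave
     * restricted mode; a fault-generated SIGFPE gets the default action. */
    if (si == NULL || (si->si_code != SI_USER && si->si_code != SI_QUEUE)) {
        signal(sig, SIG_DFL);
        raise(sig);
        return;
    }
    bozo_isrestricted = 0;
    bozo_restdisable = 1;
}

/* … unchanged: main() up to osi_audit_init() … */
    {
        /* same #ifdef as the SIGABRT sigaction above; keep signal() where sigaction is unavailable */
        struct sigaction rsa;
        memset(&rsa, 0, sizeof rsa);
        rsa.sa_sigaction = bozo_insecureme;
        rsa.sa_flags = SA_SIGINFO;
        sigaction(SIGFPE, &rsa, NULL);
    }
```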
@@ -213,7 +213,6 @@ /*#undef AFS_AFSDB_ENV*/ #define AFS_AFSDB_ENV 1 #undef AFS_NAMEI_ENV -#define BOS_RESTRICTED_MODE #undef FAST_RESTART #undef BITMAP_LATER -- 2.39.5