summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnand Avati <avati@gluster.com>2011-08-31 22:57:34 +0530
committerAnand Avati <avati@gluster.com>2011-09-08 07:08:13 -0700
commit4d2afaae2f3c42b710acf8c7ebdb4b50d502b813 (patch)
tree2c5ae7c1b400bdcf53d0445f9f7f4a809128f167
parentc83856797fd55fa59c885ba5efd3ac912fcb9a96 (diff)
posix-acl: configurable super user ID
In configurations with a uid mapper, super user ID could be mapped to a non-zero value. Hence making it configurable in access control would be necessary for proper super-user semantics. Change-Id: I51e8e0395680e9b96a99657a0af547659bd9affe BUG: 2815 Reviewed-on: http://review.gluster.com/332 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Anand Avati <avati@gluster.com>
-rw-r--r--xlators/system/posix-acl/src/posix-acl.c67
-rw-r--r--xlators/system/posix-acl/src/posix-acl.h1
2 files changed, 61 insertions, 7 deletions
diff --git a/xlators/system/posix-acl/src/posix-acl.c b/xlators/system/posix-acl/src/posix-acl.c
index cd6fa11bb..7a80d1195 100644
--- a/xlators/system/posix-acl/src/posix-acl.c
+++ b/xlators/system/posix-acl/src/posix-acl.c
@@ -31,6 +31,17 @@
#define PTR(num) ((void *)((long)(num)))
+static uid_t
+r00t ()
+{
+ struct posix_acl_conf *conf = NULL;
+
+ conf = THIS->private;
+
+ return conf->super_uid;
+}
+
+
int
whitelisted_xattr (const char *key)
{
@@ -53,6 +64,19 @@ frame_is_user (call_frame_t *frame, uid_t uid)
int
+frame_is_super_user (call_frame_t *frame)
+{
+ int ret;
+
+ ret = frame_is_user (frame, r00t());
+ if (!ret)
+ ret = frame_is_user (frame, 0);
+
+ return ret;
+}
+
+
+int
frame_in_group (call_frame_t *frame, gid_t gid)
{
int i = 0;
@@ -127,7 +151,7 @@ sticky_permits (call_frame_t *frame, inode_t *parent, inode_t *inode)
par = posix_acl_ctx_get (parent, frame->this);
ctx = posix_acl_ctx_get (inode, frame->this);
- if (frame_is_user (frame, 0))
+ if (frame_is_super_user (frame))
return 1;
if (!(par->perm & S_ISVTX))
@@ -163,7 +187,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want)
if (!ctx)
goto red;
- if (frame->root->uid == 0)
+ if (frame_is_super_user (frame))
goto green;
ret = posix_acl_get (inode, frame->this, &acl, NULL);
@@ -176,7 +200,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want)
if (acl->count > 3)
acl_present = 1;
-
+
for (i = 0; i < acl->count; i++) {
switch (ace->tag) {
case POSIX_ACL_USER_OBJ:
@@ -1414,7 +1438,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf,
{
struct posix_acl_ctx *ctx = NULL;
- if (frame->root->uid == 0)
+ if (frame_is_super_user (frame))
return 0;
ctx = posix_acl_ctx_get (inode, frame->this);
@@ -1453,7 +1477,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf,
}
if (valid & GF_SET_ATTR_UID) {
- if ((frame->root->uid != 0) &&
+ if ((!frame_is_super_user (frame)) &&
(buf->ia_uid != ctx->uid))
return EPERM;
}
@@ -1565,7 +1589,7 @@ setxattr_scrutiny (call_frame_t *frame, inode_t *inode, dict_t *xattr)
struct posix_acl_ctx *ctx = NULL;
int found = 0;
- if (frame->root->uid == 0)
+ if (frame_is_super_user (frame))
return 0;
ctx = posix_acl_ctx_get (inode, frame->this);
@@ -1806,7 +1830,7 @@ posix_acl_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
struct posix_acl_ctx *ctx = NULL;
int op_errno = EACCES;
- if (frame_is_user (frame, 0))
+ if (frame_is_super_user (frame))
goto green;
ctx = posix_acl_ctx_get (loc->inode, this);
@@ -1860,6 +1884,21 @@ out:
int
+reconfigure (xlator_t *this, dict_t *options)
+{
+ struct posix_acl_conf *conf = NULL;
+
+ conf = this->private;
+
+ GF_OPTION_RECONF ("super-uid", conf->super_uid, options, uint32, err);
+
+ return 0;
+err:
+ return -1;
+}
+
+
+int
init (xlator_t *this)
{
struct posix_acl_conf *conf = NULL;
@@ -1888,7 +1927,11 @@ init (xlator_t *this)
conf->minimal_acl = minacl;
+ GF_OPTION_INIT ("super-uid", conf->super_uid, uint32, err);
+
return 0;
+err:
+ return -1;
}
@@ -1933,3 +1976,13 @@ struct xlator_fops fops = {
struct xlator_cbks cbks = {
.forget = posix_acl_forget
};
+
+
+struct volume_options options[] = {
+ { .key = {"super-uid"},
+ .type = GF_OPTION_TYPE_INT,
+ .default_value = "0",
+ .description = "UID to be treated as super user's id instead of 0",
+ },
+ { .key = {NULL} },
+};
diff --git a/xlators/system/posix-acl/src/posix-acl.h b/xlators/system/posix-acl/src/posix-acl.h
index 1f15c7147..d7619bee8 100644
--- a/xlators/system/posix-acl/src/posix-acl.h
+++ b/xlators/system/posix-acl/src/posix-acl.h
@@ -68,6 +68,7 @@ struct posix_acl_ctx {
struct posix_acl_conf {
gf_lock_t acl_lock;
+ uid_t super_uid;
struct posix_acl *minimal_acl;
};