diff options
author | Anand Avati <avati@gluster.com> | 2011-08-31 22:57:34 +0530 |
---|---|---|
committer | Anand Avati <avati@gluster.com> | 2011-09-08 07:08:13 -0700 |
commit | 4d2afaae2f3c42b710acf8c7ebdb4b50d502b813 (patch) | |
tree | 2c5ae7c1b400bdcf53d0445f9f7f4a809128f167 | |
parent | c83856797fd55fa59c885ba5efd3ac912fcb9a96 (diff) |
posix-acl: configurable super user ID
In configurations with a uid mapper, super user ID could be mapped
to a non-zero value. Hence making it configurable in access control
would be necessary for proper super-user semantics.
Change-Id: I51e8e0395680e9b96a99657a0af547659bd9affe
BUG: 2815
Reviewed-on: http://review.gluster.com/332
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@gluster.com>
-rw-r--r-- | xlators/system/posix-acl/src/posix-acl.c | 67 | ||||
-rw-r--r-- | xlators/system/posix-acl/src/posix-acl.h | 1 |
2 files changed, 61 insertions, 7 deletions
diff --git a/xlators/system/posix-acl/src/posix-acl.c b/xlators/system/posix-acl/src/posix-acl.c index cd6fa11bb..7a80d1195 100644 --- a/xlators/system/posix-acl/src/posix-acl.c +++ b/xlators/system/posix-acl/src/posix-acl.c @@ -31,6 +31,17 @@ #define PTR(num) ((void *)((long)(num))) +static uid_t +r00t () +{ + struct posix_acl_conf *conf = NULL; + + conf = THIS->private; + + return conf->super_uid; +} + + int whitelisted_xattr (const char *key) { @@ -53,6 +64,19 @@ frame_is_user (call_frame_t *frame, uid_t uid) int +frame_is_super_user (call_frame_t *frame) +{ + int ret; + + ret = frame_is_user (frame, r00t()); + if (!ret) + ret = frame_is_user (frame, 0); + + return ret; +} + + +int frame_in_group (call_frame_t *frame, gid_t gid) { int i = 0; @@ -127,7 +151,7 @@ sticky_permits (call_frame_t *frame, inode_t *parent, inode_t *inode) par = posix_acl_ctx_get (parent, frame->this); ctx = posix_acl_ctx_get (inode, frame->this); - if (frame_is_user (frame, 0)) + if (frame_is_super_user (frame)) return 1; if (!(par->perm & S_ISVTX)) @@ -163,7 +187,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want) if (!ctx) goto red; - if (frame->root->uid == 0) + if (frame_is_super_user (frame)) goto green; ret = posix_acl_get (inode, frame->this, &acl, NULL); @@ -176,7 +200,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want) if (acl->count > 3) acl_present = 1; - + for (i = 0; i < acl->count; i++) { switch (ace->tag) { case POSIX_ACL_USER_OBJ: @@ -1414,7 +1438,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf, { struct posix_acl_ctx *ctx = NULL; - if (frame->root->uid == 0) + if (frame_is_super_user (frame)) return 0; ctx = posix_acl_ctx_get (inode, frame->this); @@ -1453,7 +1477,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf, } if (valid & GF_SET_ATTR_UID) { - if ((frame->root->uid != 0) && + if ((!frame_is_super_user (frame)) && (buf->ia_uid != ctx->uid)) return EPERM; } @@ -1565,7 +1589,7 @@ setxattr_scrutiny (call_frame_t *frame, inode_t *inode, dict_t *xattr) struct posix_acl_ctx *ctx = NULL; int found = 0; - if (frame->root->uid == 0) + if (frame_is_super_user (frame)) return 0; ctx = posix_acl_ctx_get (inode, frame->this); @@ -1806,7 +1830,7 @@ posix_acl_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc, struct posix_acl_ctx *ctx = NULL; int op_errno = EACCES; - if (frame_is_user (frame, 0)) + if (frame_is_super_user (frame)) goto green; ctx = posix_acl_ctx_get (loc->inode, this); @@ -1860,6 +1884,21 @@ out: int +reconfigure (xlator_t *this, dict_t *options) +{ + struct posix_acl_conf *conf = NULL; + + conf = this->private; + + GF_OPTION_RECONF ("super-uid", conf->super_uid, options, uint32, err); + + return 0; +err: + return -1; +} + + +int init (xlator_t *this) { struct posix_acl_conf *conf = NULL; @@ -1888,7 +1927,11 @@ init (xlator_t *this) conf->minimal_acl = minacl; + GF_OPTION_INIT ("super-uid", conf->super_uid, uint32, err); + return 0; +err: + return -1; } @@ -1933,3 +1976,13 @@ struct xlator_fops fops = { struct xlator_cbks cbks = { .forget = posix_acl_forget }; + + +struct volume_options options[] = { + { .key = {"super-uid"}, + .type = GF_OPTION_TYPE_INT, + .default_value = "0", + .description = "UID to be treated as super user's id instead of 0", + }, + { .key = {NULL} }, +}; diff --git a/xlators/system/posix-acl/src/posix-acl.h b/xlators/system/posix-acl/src/posix-acl.h index 1f15c7147..d7619bee8 100644 --- a/xlators/system/posix-acl/src/posix-acl.h +++ b/xlators/system/posix-acl/src/posix-acl.h @@ -68,6 +68,7 @@ struct posix_acl_ctx { struct posix_acl_conf { gf_lock_t acl_lock; + uid_t super_uid; struct posix_acl *minimal_acl; }; |