| author | Anand Avati <avati@gluster.com> | 2011-08-31 22:57:34 +0530 | 
|---|---|---|
| committer | Anand Avati <avati@gluster.com> | 2011-09-08 07:08:13 -0700 | 
| commit | 4d2afaae2f3c42b710acf8c7ebdb4b50d502b813 (patch) | |
| tree | 2c5ae7c1b400bdcf53d0445f9f7f4a809128f167 /xlators | |
| parent | c83856797fd55fa59c885ba5efd3ac912fcb9a96 (diff) | |
posix-acl: configurable super user ID
In configurations with a uid mapper, the super user's ID may arrive mapped to a non-zero value. The access-control layer therefore needs to be told which UID to treat as the super user, otherwise super-user semantics are lost behind the mapper.
Change-Id: I51e8e0395680e9b96a99657a0af547659bd9affe
BUG: 2815
Reviewed-on: http://review.gluster.com/332
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@gluster.com>
Diffstat (limited to 'xlators')
| -rw-r--r-- | xlators/system/posix-acl/src/posix-acl.c | 67 | ||||
| -rw-r--r-- | xlators/system/posix-acl/src/posix-acl.h | 1 | 
2 files changed, 61 insertions, 7 deletions
diff --git a/xlators/system/posix-acl/src/posix-acl.c b/xlators/system/posix-acl/src/posix-acl.c
index cd6fa11bb3f..7a80d119577 100644
--- a/xlators/system/posix-acl/src/posix-acl.c
+++ b/xlators/system/posix-acl/src/posix-acl.c
@@ -31,6 +31,17 @@
 #define PTR(num) ((void *)((long)(num)))
+static uid_t
+r00t ()
+{
+        struct posix_acl_conf *conf = NULL;
+
+        conf = THIS->private;
+
+        return conf->super_uid;
+}
+
+
 int
 whitelisted_xattr (const char *key)
 {
@@ -53,6 +64,19 @@ frame_is_user (call_frame_t *frame, uid_t uid)
 int
+frame_is_super_user (call_frame_t *frame)
+{
+        int ret;
+
+        ret = frame_is_user (frame, r00t());
+        if (!ret)
+                ret = frame_is_user (frame, 0);
+
+        return ret;
+}
+
+
+int
 frame_in_group (call_frame_t *frame, gid_t gid)
 {
         int  i = 0;
@@ -127,7 +151,7 @@ sticky_permits (call_frame_t *frame, inode_t *parent, inode_t *inode)
         par = posix_acl_ctx_get (parent, frame->this);
         ctx = posix_acl_ctx_get (inode, frame->this);
-        if (frame_is_user (frame, 0))
+        if (frame_is_super_user (frame))
                 return 1;
         if (!(par->perm & S_ISVTX))
@@ -163,7 +187,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want)
         if (!ctx)
                 goto red;
-        if (frame->root->uid == 0)
+        if (frame_is_super_user (frame))
                 goto green;
         ret = posix_acl_get (inode, frame->this, &acl, NULL);
@@ -176,7 +200,7 @@ acl_permits (call_frame_t *frame, inode_t *inode, int want)
         if (acl->count > 3)
                 acl_present = 1;
-        
+
         for (i = 0; i < acl->count; i++) {
                 switch (ace->tag) {
                 case POSIX_ACL_USER_OBJ:
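Review bot: r00t() resolves the translator's private data through the thread-local `THIS` rather than from the frame, while every other lookup in these hunks goes through `frame->this` (e.g. `posix_acl_ctx_get (parent, frame->this)` in sticky_permits). In a fop handler the two are presumably the same xlator, but a privilege decision should not depend on which translator the calling thread happens to have current, and `conf` is dereferenced with no NULL check. I would give the helper an explicit xlator, `static uid_t r00t (xlator_t *this)` with body `struct posix_acl_conf *conf = this->private; return conf ? conf->super_uid : 0;`, and call it as `r00t (frame->this)` from frame_is_super_user. A one-line comment saying this is the UID the access checks treat as root would also help readers who meet the name `r00t` cold.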
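Review bot: frame_is_super_user() still grants the bypass to uid 0 when super-uid is configured to something else, so the option widens the set of privileged identities rather than moving it, and every check converted in this commit (sticky_permits, acl_permits, setattr/setxattr scrutiny, removexattr) inherits that. If a uid mapper sits in front of this translator precisely because raw uid 0 from clients should not be trusted as root, the fallback `ret = frame_is_user (frame, 0);` defeats that purpose. If keeping both is intentional it should be stated, e.g. `/* Both the configured super-uid and uid 0 bypass ACL checks; super-uid supplements root rather than replacing it. */` above the first call. Either way the behaviour should agree with what the super-uid option's description promises.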
@@ -1414,7 +1438,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf,
 {
         struct posix_acl_ctx   *ctx = NULL;
-        if (frame->root->uid == 0)
+        if (frame_is_super_user (frame))
                 return 0;
         ctx = posix_acl_ctx_get (inode, frame->this);
@@ -1453,7 +1477,7 @@ setattr_scrutiny (call_frame_t *frame, inode_t *inode, struct iatt *buf,
         }
         if (valid & GF_SET_ATTR_UID) {
-                if ((frame->root->uid != 0) &&
+                if ((!frame_is_super_user (frame)) &&
                     (buf->ia_uid != ctx->uid))
                         return EPERM;
         }
@@ -1565,7 +1589,7 @@ setxattr_scrutiny (call_frame_t *frame, inode_t *inode, dict_t *xattr)
         struct posix_acl_ctx   *ctx = NULL;
         int                     found = 0;
-        if (frame->root->uid == 0)
+        if (frame_is_super_user (frame))
                 return 0;
         ctx = posix_acl_ctx_get (inode, frame->this);
@@ -1806,7 +1830,7 @@ posix_acl_removexattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
         struct  posix_acl_ctx  *ctx = NULL;
         int                     op_errno = EACCES;
-        if (frame_is_user (frame, 0))
+        if (frame_is_super_user (frame))
                 goto green;
         ctx = posix_acl_ctx_get (loc->inode, this);
@@ -1860,6 +1884,21 @@ out:
 int
+reconfigure (xlator_t *this, dict_t *options)
+{
+        struct posix_acl_conf *conf = NULL;
+
+        conf = this->private;
+
+        GF_OPTION_RECONF ("super-uid", conf->super_uid, options, uint32, err);
+
+        return 0;
+err:
+        return -1;
+}
+
+
+int
 init (xlator_t *this)
 {
         struct posix_acl_conf   *conf = NULL;
@@ -1888,7 +1927,11 @@ init (xlator_t *this)
         conf->minimal_acl = minacl;
+        GF_OPTION_INIT ("super-uid", conf->super_uid, uint32, err);
+
         return 0;
+err:
+        return -1;
 }
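Review bot: The new `err:` label in init() returns -1 without releasing what the function set up before GF_OPTION_INIT ran; init's body begins outside this hunk, but the visible `conf->minimal_acl = minacl;` shows that `conf` and `minacl` already exist at that point, and if `this->private` has already been assigned it is left pointing at a structure whose owner reported failure. On the error path I would free the minimal ACL and `conf` and reset `this->private` before `return -1;`, or move the option read ahead of the allocations so that a bad value needs no cleanup. Since the only way to reach `err` is the macro's own goto, a short comment such as `/* GF_OPTION_INIT jumps here on a missing or malformed value */` would also spare the next reader a search.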
@@ -1933,3 +1976,13 @@ struct xlator_fops fops = {
 struct xlator_cbks cbks = {
         .forget           = posix_acl_forget
 };
+
+
+struct volume_options options[] = {
+        { .key  = {"super-uid"},
+          .type = GF_OPTION_TYPE_INT,
+          .default_value = "0",
+          .description = "UID to be treated as super user's id instead of 0",
+        },
+        { .key = {NULL} },
+};
diff --git a/xlators/system/posix-acl/src/posix-acl.h b/xlators/system/posix-acl/src/posix-acl.h
index 1f15c714772..d7619bee8ca 100644
--- a/xlators/system/posix-acl/src/posix-acl.h
+++ b/xlators/system/posix-acl/src/posix-acl.h
@@ -68,6 +68,7 @@ struct posix_acl_ctx {
 struct posix_acl_conf {
         gf_lock_t         acl_lock;
+        uid_t             super_uid;
         struct posix_acl *minimal_acl;
 };
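Review bot: The option description `UID to be treated as super user's id instead of 0` does not match frame_is_super_user(), which accepts the configured uid and uid 0 alike; an administrator reading this string would expect a non-zero super-uid to stop uid 0 from bypassing ACL checks, which the code does not do. Change the string to describe the implemented semantics, e.g. `.description = "UID to be treated as super user's id in addition to 0"`, or change the code to match the string. No range bounds are declared for the option either, so whether a negative or over-sized value is rejected depends entirely on GF_OPTION_INIT's uint32 parsing, which is outside this diff and worth confirming for a setting that grants full bypass.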
