diff --git a/src/bozo/bosoprocs.c b/src/bozo/bosoprocs.c index dad5f5ad56..e528cad34b 100644 --- a/src/bozo/bosoprocs.c +++ b/src/bozo/bosoprocs.c @@ -38,7 +38,6 @@ extern struct ktime bozo_nextRestartKT, bozo_nextDayKT; extern struct afsconf_dir *bozo_confdir; extern int bozo_newKTs; extern int DoLogging; -extern int bozo_isrestricted; afs_int32 SBOZO_GetRestartTime(struct rx_call *acall, afs_int32 atype, struct bozo_netKTime *aktime) @@ -121,7 +120,7 @@ SBOZO_Exec(struct rx_call *acall, char *acmd) code = BZACCESS; goto fail; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { code = BZACCESS; goto fail; } @@ -191,7 +190,7 @@ SBOZO_UnInstall(struct rx_call *acall, char *aname) osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { code = BZACCESS; osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END); return code; @@ -305,7 +304,7 @@ SBOZO_Install(struct rx_call *acall, char *aname, afs_int32 asize, afs_int32 mod if (!afsconf_SuperUser(bozo_confdir, acall, caller)) return BZACCESS; - if (bozo_isrestricted) + if (bozo_IsRestricted()) return BZACCESS; /* construct local path from canonical (wire-format) path */ @@ -811,7 +810,7 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance, code = BZACCESS; goto fail; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { const char *salvpath = AFSDIR_CANONICAL_SERVER_SALVAGER_FILEPATH; /* for DAFS, 'bos salvage' will pass "salvageserver -client" instead */ const char *salsrvpath = AFSDIR_CANONICAL_SERVER_SALSRV_FILEPATH " -client "; @@ -875,7 +874,7 @@ SBOZO_DeleteBnode(struct rx_call *acall, char *ainstance) code = BZACCESS; goto fail; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { code = BZACCESS; goto fail; } @@ -1228,7 +1227,7 @@ SBOZO_Prune(struct rx_call *acall, afs_int32 aflags) code = BZACCESS; goto fail; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { code = BZACCESS; goto fail; } @@ -1503,7 +1502,7 @@ SBOZO_GetLog(struct rx_call *acall, char *aname) code = BZACCESS; goto fail; } - if (bozo_isrestricted && strchr(aname, '/') + if (bozo_IsRestricted() && strchr(aname, '/') != NULL && strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH)) { code = BZACCESS; goto fail; @@ -1588,7 +1587,7 @@ SBOZO_GetInstanceStrings(struct rx_call *acall, char *abnodeName, afs_int32 SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode) { - *arestmode = bozo_isrestricted; + *arestmode = bozo_IsRestricted(); return 0; } @@ -1604,7 +1603,7 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) code = BZACCESS; goto done; } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { code = BZACCESS; goto done; } @@ -1612,7 +1611,7 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode) code = BZDOM; goto done; } - bozo_isrestricted = arestmode; + bozo_SetRestricted(arestmode); code = WriteBozoFile(0); done: diff --git a/src/bozo/bosprototypes.h b/src/bozo/bosprototypes.h index 4eb0fdaaae..4d6e64fce9 100644 --- a/src/bozo/bosprototypes.h +++ b/src/bozo/bosprototypes.h @@ -43,6 +43,8 @@ int bozo_ReBozo(void); int WriteBozoFile(char *aname); int bozo_CreatePidFile(char *ainst, char *aname, pid_t apid); int bozo_DeletePidFile(char *ainst, char *aname); +int bozo_IsRestricted(void); +void bozo_SetRestricted(int mode); /* bosoprocs.c */ int GetRequiredDirPerm(const char *path); diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c index 7c74d53b56..ec0edba907 100644 --- a/src/bozo/bosserver.c +++ b/src/bozo/bosserver.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -96,8 +97,20 @@ int bozo_newKTs = 1; int rxBind = 0; int rxkadDisableDotCheck = 0; -int bozo_isrestricted = 0; -int bozo_restdisable = 0; +static rx_atomic_t bozo_restricted; +static rx_atomic_t bozo_restricted_disabled; + +int +bozo_IsRestricted(void) +{ + return rx_atomic_read(&bozo_restricted); +} + +void +bozo_SetRestricted(int mode) +{ + rx_atomic_set(&bozo_restricted, mode); +} void bozo_insecureme(int sig) @@ -105,8 +118,8 @@ bozo_insecureme(int sig) #ifndef AFS_PTHREAD_ENV signal(SIGFPE, bozo_insecureme); #endif - bozo_isrestricted = 0; - bozo_restdisable = 1; + bozo_SetRestricted(0); + rx_atomic_set(&bozo_restricted_disabled, 1); } struct bztemp { @@ -453,7 +466,7 @@ ReadBozoFile(char *aname) code = -1; goto fail; } - bozo_isrestricted = rmode; + bozo_SetRestricted(rmode); continue; } @@ -557,7 +570,7 @@ WriteBozoFile(char *aname) } btemp.file = tfile; - fprintf(tfile, "restrictmode %d\n", bozo_isrestricted); + fprintf(tfile, "restrictmode %d\n", bozo_IsRestricted()); fprintf(tfile, "restarttime %d %d %d %d %d\n", bozo_nextRestartKT.mask, bozo_nextRestartKT.day, bozo_nextRestartKT.hour, bozo_nextRestartKT.min, bozo_nextRestartKT.sec); @@ -628,9 +641,9 @@ BozoDaemon(void *unused) now = FT_ApproxTime(); - if (bozo_restdisable) { + if (rx_atomic_read(&bozo_restricted_disabled)) { bozo_Log("Restricted mode disabled by signal\n"); - bozo_restdisable = 0; + rx_atomic_set(&bozo_restricted_disabled, 0); } if (bozo_newKTs) { /* need to recompute restart times */ @@ -906,6 +919,7 @@ main(int argc, char **argv, char **envp) int DoProcessRPCStats = 0; struct stat sb; struct afsconf_bsso_info bsso; + int restricted = 0; #ifdef AFS_PTHREAD_ENV pthread_attr_t tattr; pthread_t bozo_pid; @@ -1052,7 +1066,9 @@ main(int argc, char **argv, char **envp) /* bosserver options */ cmd_OptionAsFlag(opts, OPT_noauth, &noAuth); cmd_OptionAsFlag(opts, OPT_log, &DoLogging); - cmd_OptionAsFlag(opts, OPT_restricted, &bozo_isrestricted); + + cmd_OptionAsFlag(opts, OPT_restricted, &restricted); + bozo_SetRestricted(restricted); if (cmd_OptionPresent(opts, OPT_pidfiles)) { if (cmd_OptionAsString(opts, OPT_pidfiles, &DoPidFiles) != 0) { @@ -1222,7 +1238,7 @@ main(int argc, char **argv, char **envp) exit(code); } - if (bozo_isrestricted) { + if (bozo_IsRestricted()) { bozo_Log("NOTICE: bosserver is running in restricted mode.\n"); } else { bozo_Log("WARNING: bosserver is not running in restricted mode.\n");