OPENAFS-SA-2018-001 backup: use authenticated connection to butc

Use the standard routine to pick a client security object, instead of always assuming rxnull. Respect -localauth as well as being able to use the current user's tokens, but also provide a -nobutcauth argument to fall back to the historical rxnull behavior (but only for the connections to butc; vldb and budb connections are not affected). Change-Id: Ibf8ebe5521bee8d0f7162527e26bc5541d07910d
2025-01-18 15:00:12 +00:00 · 2018-09-09 10:44:38 -05:00 · 2018-09-09 10:44:38 -05:00 · 345ee34236
commit 345ee34236
parent 736364f1e3
4 changed files with 48 additions and 5 deletions
--- a/doc/man-pages/pod8/backup.pod
+++ b/doc/man-pages/pod8/backup.pod
@ -194,6 +194,18 @@ interactive mode. The local identity and AFS tokens with which the
 B<backup> command interpreter enters interactive mode apply to all
 commands issued during the interactive session.

+=item B<-nobutcauth>
+
+Prior to the fix for OPENAFS-SA-2018-001, B<butc> did not allow incoming
+connections to be authenticated.  As part of that fix, B<backup> was modified
+to authenticate to the B<butc> services when possible, but a B<backup> utility
+with the security fix will not interoperate with a B<butc> that lacks the fix
+unless this option is passed, which forces the use of unauthenticated
+connections to the B<butc>.  Use of this option is strongly disrecommended,
+and it is provided only for backwards compatibility in environments where
+B<backup> and B<butc> communicate over a secure network environment that denies
+access to untrusted parties.
+
 =item B<-portoffset> <I<TC port offset>>

 Specifies the port offset number of the Tape Coordinator that is to
--- a/src/bucoord/bucoord_internal.h
+++ b/src/bucoord/bucoord_internal.h
@ -117,6 +117,8 @@ extern afs_int32 bc_UpdateDumpSchedule(void);
 extern int bc_SaveDumpSchedule(void);

 /* main.c */
+extern int localauth, nobutcauth;
+extern char tcell[];
 extern time_t tokenExpires;
 extern afs_int32 doDispatch(afs_int32, char *[], afs_int32);
 extern void bc_HandleMisc(afs_int32 code);
--- a/src/bucoord/dump.c
+++ b/src/bucoord/dump.c
@ -17,6 +17,7 @@
 #include <roken.h>

 #include <afs/cmd.h>
+#include <afs/cellconfig.h>
 #include <lwp.h>
 #include <rx/rx.h>
 #include <afs/bubasics.h>
@ -470,15 +471,40 @@ bc_GetConn(struct bc_config *aconfig, afs_int32 aport,
 	   struct rx_connection **tconn)
 {
    afs_uint32 host;
+    afs_int32 code;
    unsigned short port;
    static struct rx_securityClass *rxsc;
+    static afs_int32 scIndex;
    struct bc_hostEntry *te;

    *tconn = (struct rx_connection *)0;

    /* use non-secure connections to butc */
-    if (!rxsc)
-	rxsc = rxnull_NewClientSecurityObject();
+    if (!rxsc) {
+	struct afsconf_dir *dir;
+	afsconf_secflags flags = AFSCONF_SECOPTS_FALLBACK_NULL;
+	char *cname;
+
+	if (nobutcauth)
+	    flags |= AFSCONF_SECOPTS_NOAUTH;
+	if (localauth) {
+	    flags |= AFSCONF_SECOPTS_LOCALAUTH;
+	    dir = afsconf_Open(AFSDIR_SERVER_ETC_DIRPATH);
+	} else {
+	    dir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH);
+	}
+	if (tcell[0] == '\0')
+	    cname = NULL;
+	else
+	    cname = tcell;
+	/* No need for cell info since butc is not a registered service */
+	code = afsconf_PickClientSecObj(dir, flags, NULL, cname, &rxsc, &scIndex,
+					NULL);
+	if (dir)
+	    afsconf_Close(dir);
+	if (code)
+	    return -1;
+    }
    if (!rxsc || !aconfig)
 	return (-1);

@ -491,8 +517,8 @@ bc_GetConn(struct bc_config *aconfig, afs_int32 aport,

 	    port = htons(BC_TAPEPORT + aport);

-	    /* servers is 1; sec index is 0 */
-	    *tconn = rx_NewConnection(host, port, 1, rxsc, 0);
+	    /* servers is 1 */
+	    *tconn = rx_NewConnection(host, port, 1, rxsc, scIndex);
 	    return ((*tconn ? 0 : -1));
 	}
    }
--- a/src/bucoord/main.c
+++ b/src/bucoord/main.c
@ -41,7 +41,7 @@
 #include "bucoord_internal.h"
 #include "bucoord_prototypes.h"

-int localauth, interact;
+int localauth, interact, nobutcauth;
 char tcell[64];

 /*
@ -292,6 +292,7 @@ MyBeforeProc(struct cmd_syndesc *as, void *arock)
    /* Handling the command line opcode */
    if (!bcInit) {
 	localauth = ((as && as->parms[14].items) ? 1 : 0);
+	nobutcauth = ((as && as->parms[16].items) ? 1 : 0);
 	if (as && as->parms[15].items)
 	    strcpy(tcell, as->parms[15].items->data);
 	else
@ -432,6 +433,8 @@ add_std_args(struct cmd_syndesc *ts)
    cmd_AddParm(ts, "-localauth", CMD_FLAG, CMD_OPTIONAL,
 		"local authentication");
    cmd_AddParm(ts, "-cell", CMD_SINGLE, CMD_OPTIONAL, "cell name");
+    cmd_AddParm(ts, "-nobutcauth", CMD_FLAG, CMD_OPTIONAL,
+		"no authentication to butc");
 }

 int