OPENAFS-SA-2016-001 group creation by foreign users

CVE-2016-2860:

The ptserver permits foreign-cell users to create groups as if they were
system:administrators.  In particular, groups in the user namespace
(with no colon) and the system: namespace can be created.  No group
quota is enforced for the creation of these groups, but they will be
owned by system:administrators and cannot be changed by the user that
created them.  When processing requests from foreign users, the
creator ID is overwritten with the ID of system:administrators, and
that field is later used for access control checks in
CorrectGroupName(), called from CreateEntry().

The access-control bypass is not possible for creating user entries,
since there is an early check in CreateOK() that only permits
administrators to create users, using a correct test for whether
the call is being made by an administrator.

FIXES 132822

[Based on a patch by Jeffrey Altman.]

Change-Id: I77dcf4a2f7d9c770c805a649f2ddc6bee5f83389

src/ptserver/ptprocs.c

@@ -345,13 +345,19 @@ newEntry(struct rx_call *call, char aname[], afs_int32 flag, afs_int32 oid,
      * automatic id assignment.
      */
     code = WhoIsThisWithName(call, tt, cid, cname);
-    if (code != 2) {		/* 2 specifies that this is a foreign cell request */
-	if (code)
-	    ABORT_WITH(tt, PRPERM);
-	admin = IsAMemberOf(tt, *cid, SYSADMINID);
-    } else {
-	admin = ((!restricted && !strcmp(aname, cname))) || IsAMemberOf(tt, *cid, SYSADMINID);
-	oid = *cid = SYSADMINID;
+    if (code && code != 2)
+	ABORT_WITH(tt, PRPERM);
+    admin = IsAMemberOf(tt, *cid, SYSADMINID);
+    if (code == 2 /* foreign cell request */) {
+	if (!restricted && (strcmp(aname, cname) == 0)) {
+	    /* can't autoregister while providing an owner id */
+	    if (oid != 0)
+		ABORT_WITH(tt, PRPERM);
+
+	    admin = 1;
+	    oid = SYSADMINID;
+	    *cid = SYSADMINID;
+	}
     }
     if (!CreateOK(tt, *cid, oid, flag, admin))
 	ABORT_WITH(tt, PRPERM);