From 568adf7d18eb17a42caa263aabc92a686f0ae121 Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Fri, 15 Jun 2012 16:58:42 -0500
Subject: [PATCH] viced: Restrict RXAFS_FlushCPS to administrators
RXAFS_FlushCPS currently can be run by anyone, including unauthenticated users. Forcing CPS calculation can be a relatively resource-intensive operation, though, if done frequently enough, and only should need to be done by administrators. Thus, only let administrators use it.
Change-Id: Iaedd1e72e542b637070930bf1a0a9eba83a9ab64
Reviewed-on: http://gerrit.openafs.org/7572
Tested-by: BuildBot
Reviewed-by: Derrick Brashear
---
 src/viced/afsfileprocs.c | 6 ++++++
 src/viced/viced.h | 1 +
 2 files changed, 7 insertions(+)
diff --git a/src/viced/afsfileprocs.c b/src/viced/afsfileprocs.c
index 2bcab1b982..f343dd6daa 100644
--- a/src/viced/afsfileprocs.c
+++ b/src/viced/afsfileprocs.c
@@ -5631,6 +5631,12 @@ SRXAFS_FlushCPS(struct rx_call * acall, struct ViceIds * vids,
 FS_LOCK;
 AFSCallStats.TotalCalls++;
 FS_UNLOCK;
+
+ if (!viced_SuperUser(acall)) {
+ errorCode = EPERM;
+ goto Bad_FlushCPS;
+ }
+
 nids = vids->ViceIds_len; /* # of users in here */
 naddrs = addrs->IPAddrs_len; /* # of hosts in here */
 if (nids < 0 || naddrs < 0) {
diff --git a/src/viced/viced.h b/src/viced/viced.h
index 64a03d4b3c..d65575fa1f 100644
--- a/src/viced/viced.h
+++ b/src/viced/viced.h
@@ -246,5 +246,6 @@ extern struct fs_state fs_state;
 #define FS_MODE_SHUTDOWN 1
 #endif /* AFS_DEMAND_ATTACH_FS */
+extern int viced_SuperUser(struct rx_call *call);
 #endif /* _AFS_VICED_VICED_H */
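Review bot: The new `!viced_SuperUser(acall)` rejection in SRXAFS_FlushCPS sets EPERM and jumps away without the hunk recording that a non-administrator attempted the call. Because the commit message says unauthenticated users could reach this RPC, a denied attempt is worth a log entry for detection, for example `ViceLog(1, ("SRXAFS_FlushCPS: permission denied, caller is not a superuser\n"));` placed before `goto Bad_FlushCPS;`. A one-line comment above the check, such as `/* CPS recalculation is expensive; administrators only */`, would also keep the reason for the restriction next to the code. The rest of the function and the Bad_FlushCPS label lie outside the hunk, so whether that path already logs or audits the error cannot be confirmed from here.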
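Review bot: The exported prototype `extern int viced_SuperUser(struct rx_call *call);` in viced.h carries no comment stating its return convention, although it is now an authorization predicate used across files. The caller in afsfileprocs.c treats zero as "not an administrator", so a comment such as `/* returns non-zero if the caller of 'call' is a fileserver superuser, 0 otherwise */` would make that contract explicit for future callers. The definition is not part of this patch, so the exact semantics should be confirmed against it.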