Commit 4392020ba0 (fs: Restrict 'fs flushall' to root) changed the
fs_flushall manpage to document the new behavior, but now the manpage
lacks any information about old versions. Document the old behavior as
well, to be clear that "old" (current stable) versions do not require
root access.
Change-Id: Icbe6843d8ed0a523eb4df7136ad6f336f8b50fa6
Reviewed-on: https://gerrit.openafs.org/16030
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Analysis of the source for code for copyauth has flagged potential
string buffer overflows due to the use of strcpy. Attempting to fix the
use of strcpy, would require additional work since copyauth currently
fails to build due to unresolved external references during linking.
The copyauth command has not been built by default on non-Windows
systems since 2009, 'curpag-via-pioctl-20090603' (4af75fe96a), and never
has been built by default on Windows system since the initial git
commit for openafs.
According to the man page, the functionality of copyauth has been
superseded by aklog, there is also a caution noted about using copyauth
due to security concerns.
Remove the copyauth utility and the associated references.
Change-Id: I96ba9af341bc97a329132ed4fd39f3b567d0ea4a
Reviewed-on: https://gerrit.openafs.org/15480
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
The merge-pod script is our simple custom preprocessor for man-page pod
files. The merge-pod script expects one or more arguments to specify the
input files and generates the output files in the same directory as the
input files. Unfortunately, this precludes us from using merge-pod to
do out-of-tree builds (a.k.a. objdir builds) which generate man-pages,
since the output files are written to the source directory.
Change merge-pod so when no input files are specified, merge-pod will
scan the man-page pod<n> directories for *.in files, and put the pod
output files in pod<n> directories in the current working directory.
With this change, merge-pod remains compatible with the old method,
which is still in use by the NT makefile and the regen.sh script, but
provides support for a future commit to invoke merge-pod from the
man-pages Makefile.
Change-Id: I36b5b851cd1a09d050cf21c65ab3ae160a5c15cb
Reviewed-on: https://gerrit.openafs.org/15788
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
The generate-man script is currently a shell script which invokes the
pod2man command for each pod file to be converted into a man page. This
makes the pod conversion slow, since we load Perl and create a Pod::Man
parser for each pod file. In addition to being slow, generate-man
leaves behind a partially created man page when an error is
encountered during the pod2man execution.
To fix these issues, rewrite generate-man as a Perl script which uses
the Pod::Man module directly. The Pod::Man parser is created only once
and is reused to generate each man page. The Pod::Man module supports
this type of batch mode operation by clearing its internal state after
each man page is created.
We have some special processing to determine the man page names for the
pages in section 3, so create a sub class to handle the pod filename to
man page title determination, and add a helper function to support
processing more than one section with a single parser instance.
Be sure to cleanup any partially created man pages if an error is
encountered during the pod to man conversion. This will let us use this
script in the Makefiles in the future.
Change-Id: I8d3cce1edc62c490e93d05f72609dfde4b599a1b
Reviewed-on: https://gerrit.openafs.org/15774
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Commands like 'fs flush' and 'fs flushvolume' require the caller to be
able to lookup the target file, but 'fs flushall' has no access checks
at all, and hasn't since it was introduced in commit 4197bbecd9
(libafs: fs flushall for unix cm). This allows unauthenticated users
to flush the cache of files/volumes they have no access to, and means
flushing the entire cache requires less access than flushing parts of
the cache, which doesn't make much sense.
Change the command to only be runnable by the local superuser root,
and document the restriction.
Change-Id: I906d6c02a16b49ae31ab8e644a8ffb85c4e3434d
Reviewed-on: https://gerrit.openafs.org/15393
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Commit f5f8b933 (viced: add opt to allow admin writes on RO servers)
introduced an extra "the" in the description for the -admin-write
option in fileserver/dafileserver manpage. Remove it.
Change-Id: I98d7073f850a222969f373697ae263b6cef63c38
Reviewed-on: https://gerrit.openafs.org/14051
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Get rid of some remaining references to bcopy, bzero, and bcmp. In a
few places (such as ka-forwarder.c, and linked_list.c), these were
being called without including strings.h, which causes errors on AIX
when using the clang-based xlc 17.1 compiler.
Remove references even inside comments or documentation, to make it
easier to make sure they've all been removed.
Leave some references inside platform-specific or kernel code, since
those are more likely to need bcopy() et al, and tend to only impact
that platform.
Note that most references to bcopy() et al were removed by commit
c5c521af0e
(convert-from-bsd-to-posix-string-and-memory-functions-20010807).
Change-Id: I28d1b139348c2a4b2259a259de0c93997c684c40
Reviewed-on: https://gerrit.openafs.org/15432
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
The output for 'fs getfid' was changed in commit d390df097c (fs getfid
output changed for consistency with Windows implementation), but the
manpage still had the old output in its examples. Update the manpage
to reflect the current behavior of 'fs getfid'.
Change-Id: Iea7a92cdb30ca6f935121aba26a072288b404567
Reviewed-on: https://gerrit.openafs.org/15587
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Permissions granted by host-based ACLs and non-host-based ACLs are
calculated separately (and transmitted somewhat differently, via
AnonymousAccess). So, if a caller is granted permissions via normal
user-based access, those permissions cannot be removed by host-based
entries in a negative ACL. And conversely, permissions granted by
host-based entries cannot be removed by negative ACLs for
non-host-based entries.
Both negative ACLs and host-based ACLs are uncommon and recommended
against, so this should not be a common combination. But this
limitation is not documented anywhere, so try to mention it in the
fs_setacl manpage, near some other text related to negative ACLs, to
give affected users a chance to figure out why it isn't working.
Change-Id: I13ba2adda1474a5e72271d3e843bb03feec29b67
Reviewed-on: https://gerrit.openafs.org/15340
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The pod2man tool determines a man page title (set in the .TH macro) from
the input filename, unless the -n (--name) option is specified.
Our AFS::ukernel man page input file is named AFS.ukernel.pod to avoid
colons in the filename (since colon characters are not supported on
Windows), so the generated man page contains the title "AFS.ukernel"
instead of "AFS::ukernel".
Use the pod2man -n (--name) option when converting section 3 man pages
to override the automatic title naming. This fixes the .TH macro in the
generated AFS::ukernel.3 file. Fortunately, the -n (--name) option is
only needed for section 3 man pages.
Specifying the pod2man -n (--name) option is simpler and less invasive than
renaming pod3/AFS.ukernel.pod to pod3/lib/AFS/ukernel.pod (which would
also fix the embedded title).
Change-Id: I495ea2d30ce1b34698519ffa34a39362c449ba09
Reviewed-on: https://gerrit.openafs.org/15363
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add an initialization retry in the bos, vos, and pts commands to
fallback to the server configuration directory when initialization fails
with the client configuration directory. This allows admins to run
unauthenticated bos, vos, and pts commands on servers without a client
configuration (including symlinks created by the bosserver) without
any extra command line options.
Perform the initialization retry only when the -localauth or -config
options are not given. The bos, vos, and pts commands already use the
server configuration path when the -localauth option is given, so there
is no point in retrying the same path. The vos and pts -config option
specifies the path to be used, so we do not fallback to a different
directory when the user specifies the configuration path to be used.
While here, change the scope of the confdir variable in vos.c from a
global to a local variable, since it is only used within the
MyBeforeProc() function.
This change does not add a vsu_ClientInit() retry in the bos salvage
command. That command always requires authorization, so when run without
-localauth requires a token (and therefore a cache manager and client
cell configuration).
Update the bos, vos, and pts man pages to describe this new fallback
method to lookup the configuration directory. (The AFSCONF environment
variable and .AFSCONF files are currently undocumented in the man pages.
They should be documented or removed from the code in a future change.)
Change-Id: I55c3109494db744e7bc2defcb54eaee3b4e30018
Reviewed-on: https://gerrit.openafs.org/15351
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The BosConfig.5 man page shows the incorrect path to the BosConfig file
when modern installation paths are used. For example, BosConfig.5 man
page distributed by Debian contains the text:
The file must reside in the /var/lib/openafs/local directory ...
which should read:
The file must reside in the /etc/openafs directory ...
The man page files contain Transarc-style paths which are translated to
the configured paths by the install target. The path /usr/afs/local in
the BosConfig pod file is interpreted as @afslocaldir@, not the correct
@afsbosconfigdir@.
Change the BosConfig POD text to trigger a special substitution case in
the install-man script. This case is is already in use to correctly
translate paths of the BosConfig.new and BosConfig files the bosserver
man page.
/usr/afs/local/BosConfig -> @afsbosconfigdir@/BosConfig
Using this rule requires a change to the text to show the fully
qualified path to the BosConfig file, instead of just the directory
name.
Change-Id: If1c5872dd86c7c1a5de98fb37daef903cd10b26b
Reviewed-on: https://gerrit.openafs.org/14908
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
There exist in the wild AFS3 clients that improperly construct access
control lists which are then stored to directories via RXAFS_StoreACL
(opcode 134). These clients add negative access control entries (if any)
to the normal rights list.
As there is no method by which a fileserver can determine that the
ACL is improperly constructed, the only method to defend the storage of
broken ACLs is to identify clients that are known to properly construct
ACLs by introducing a new RXAFS_StoreACL opcode (164).
This change:
* Renames RXAFS opcode 134 to RXAFS_OldStoreACL
* Introduces RXAFS opcode 164 as RXAFS_StoreACL
* Implements SRXAFS_OldStoreACL and SRXAFS_StoreACL in the fileserver
via a common_StoreACL() function that accepts the executed opcode
as input.
* To avoid breaking changes in stable release branches,
SRXAFS_OldStoreACL will still be allowed by default, with an option
to cause it to be failed by default with error EPERM/UAEPERM.
A follow-up commit will cause SRXAFS_OldStoreACL to fail by default
on the master branch.
* When opcode 134 is called, the a FileLog entry will be generated
at log level 0 instead of 1 and the entry will contain the string
"CVE-2018-7168".
* Modifies the format of the ACL logged to the FileLog and the audit
stream. Previously the AFSOpaque format was used directly. The
problem with this format is that it uses newlines as the ACE
separator. Since the FileLog and file audit log is intended to
be one line per log entry, the newlines break the file formats.
This change replaces the newlines with spaces for display purposes
unless the process is unable to allocate the additional memory.
* Introduces a new fileserver command line switch -cve-2018-7168-enforce
which when specified causes SRXAFS_OldStoreACL RPCs to be failed.
[kaduk@mit.edu: switch en/disable-by-default behavior and fix argument parsing]
Change-Id: Ic92ef45314d75fbc2b8ff574223fab2d398a1d60
FIXES: 134485
Reviewed-on: https://gerrit.openafs.org/12942
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Currently, several fs subcommands for Windows offer an option (-literal)
to evaluate symlink / mount point rather than the object it refers to.
Provide the same option on Unix for fs_getfid.
Change-Id: I55ab5f96d5b9e63efbe7e938647edba05a1787ed
Reviewed-on: https://gerrit.openafs.org/14542
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
As a debugging aid, add a -debug option to the dump subcommand to
display each trace record in raw hex format as well as the normal
decoded format.
Change-Id: I80dd675a07e048e25749a9afb584515effcbc08a
Reviewed-on: https://gerrit.openafs.org/14557
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Do not document that there are cases when this file should exist;
there are not.
Installation no longer needs this file, and key emergencies can
be handled using asetkey or, on 1.8.x, the kerberos tooling to modify
rxkad.keytab.
Change-Id: I0c3ba15f3ffca8660be2d8b092f10053258742e6
Reviewed-on: https://gerrit.openafs.org/12142
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
In several places, we look for documentation source files in e.g.
'doc/man-pages', 'doc/xml', etc. But if we are running an objdir
build, those directories won't exist relative to the current working
directory; we need to look in $srcdir to find them.
So, if we're running an objdir build, our man pages and other
documentation won't be installed. We don't report any error in this
case (the relevant steps are just skipped), since building the
documentation is optional, in case the doc sources are not present.
To fix this, look in $srcdir in the various places that reference doc
source files. Fixing the 'for' loops in the 'dest' and 'install'
targets in doc/man-pages requires some extra cd'ing around, because $M
is used as part of another path in the body of the loop.
Change-Id: Ic3c90ab5e64aeefe6235efb6f6ec26080d7b3a70
Reviewed-on: https://gerrit.openafs.org/14622
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
New functionality was added to the audit facility that allows multiple
audit logs. The updated audit interfaces require a specific calling
sequence even if multiple audit logs are not used.
Support for multiple auditlogs is not supported for kauth. Since kauth
does not use libcmd for processing the command line, and adding support
for multiple audit log instances requires additional effort, that is not
warranted.
Update kauth to follow the proper calling sequences for the audit
facility.
Update help message and manpage entries for -auditlog and
-audit-interface. Make note that multiple -auditlogs are not supported.
Change-Id: I98111b1e399e6687fde235bc2eadf0a28fa8acf4
Reviewed-on: https://gerrit.openafs.org/13782
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Gerrits #13774 (audit: Support multiple audit interfaces and interface
options) and #13775 (audit: Add cmd helper for processing audit options)
added support in the audit facility for multiple audit logs.
Add command line support to use multiple audit logs for daemons that use
libcmd for command line processing: bosserver, buserver, butc,
fileserver, volserver, ptserver, and vlserver.
Update the daemons to add a call to audit_open, and where possible add a
call to audit_close when shutting down the daemon.
Update help message and manpage entries for -auditlog and
-audit-interface
Change-Id: I4356e1aa84f580897a0e788e2a2829685be891aa
Reviewed-on: https://gerrit.openafs.org/13776
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Commit 0c03f8607e vos-command-enhancements-20011008 introduced the
'vos restore' -readonly option, which allows the restored volume to be
RO instead of the default RW. The commit message documents the
following restriction:
- ... This option causes the restored volume to be an RO volume. It is
not permitted to restore an RO volume when the associated RW volume
already exists. While it is possible to restore an RW volume where an
RO volume exists, caution should be used to avoid doing this with VLDB
entries created by 'vos restore -readonly', since such entries have
their ROVOL and RWVOL ID's set to the same thing.
Document this restriction in the 'vos restore' man page, and in a code
comment.
No functional change is incurred by this commit.
Change-Id: I34f6c5434b82da538a38a9d219207b33dcf62b17
Reviewed-on: https://gerrit.openafs.org/14348
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Numerous types and constants are defined in our various RPC-L files
that are never used or referenced by anything. Remove them.
Change-Id: I0b03be1ce0e186a88f80d2f3f7a66a1e25965ff3
Reviewed-on: https://gerrit.openafs.org/14404
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Historically xstat_cm_test and xstat_fs_test have supported option
'-period <mm>' to specify continuous operaiton for a length of time. If
'-period 0' was specified, both programs exited immediately.
Beginning with commits 2c1a7e4733 'xstat:
add xstat_*_Wait functions' and 6b67cac432
'convert xstat and friends to pthreads', xstat_cm_test and xstat_fs_test
now support -period 0 to run "forever". This support is implemented in
xstat_cm_Wait and xstat_fs_Wait, respectively. Although the "wait
forever" logic was added to allow consolidation of similar code in
afsmonitor, it also changed how xstat_cm_test and xstat_fs_test behave
for '-period 0'.
Unfortunately, there is a bug in this support, at least when running on
pthreads. After the initial 24 minute timer expires, the while (1) will
repeatedly run select with a timeout that is now 0. This causes the
while loop to consume 100% of the CPU on which this thread is
dispatched.
Instead, modify the wait-forever logic to specify NULL for the select()
timeout value. Also update the man page to document that '-period 0'
means forever.
Change-Id: I25d0d5be0eedb8bf3de495785b9b03a3e3d45221
Reviewed-on: https://gerrit.openafs.org/14366
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Currently, the volserver SAFSVolDump RPC and the 'voldump' utility
handle short reads from pread() for vnode payloads by padding the
missing data with NUL bytes. That is, if we request 4k of data for our
pread() call, and we only get back 1k of data, we'll write 1k of data
to the volume dump stream followed by 3k of NUL bytes, and log
messages like this:
1 Volser: DumpFile: Error reading inode 1234 for vnode 5678
1 Volser: DumpFile: Null padding file: 3072 bytes at offset 40960
This can happen if we hit EOF on the underlying file sooner than
expected, or if the OS just responds with fewer bytes than requested
for any reason.
The same code path tries to do the same NUL-padding if pread() returns
an error (for example, EIO), padding the entire e.g. 4k block with
NULs. However, in this case, the "padding" code often doesn't work as
intended, because we compare 'n' (set to -1) with 'howMany' (set to 4k
in this example), like so:
if (n < howMany)
Here, 'n' is signed (ssize_t), and 'howMany' is unsigned (size_t), and
so compilers will promote 'n' to the unsigned type, causing this
conditional to fail when n is -1. As a result, all of the relevant log
messages are skipped, and the data in the dumpstream gets corrupted
(we skip a block of data, and our 'howFar' offset goes back by 1). So
this can result in rare silent data corruption in volume dumps, which
can occur during volume releases, moves, etc.
To fix all of this, remove this bizarre NUL-padding behavior in the
volserver. Instead:
- For actual errors from pread(), return an error, like we do for I/O
errors in most other code paths.
- For short reads, just write out the amount of data we actually read,
and keep going.
- For premature EOF, treat it like a pread() error, but log a slightly
different message.
For the 'voldump' utility, the padding behavior can make sense if a
user is trying to recover volume data offline in a disaster recovery
scenario. So for voldump, add a new switch (-pad-errors) to enable the
padding behavior, but change the default behavior to bail out on
errors.
Change-Id: Ibd6e76c5ea0dea95e3354d9b34536296f81b4f67
Reviewed-on: https://gerrit.openafs.org/14255
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The UV_RenameVolume() function first updates the volume name in the
VLDB, then read-write volume header and backup volume header, and
finally all of the read-only volume headers. If this function is
interrupted or a remote site is not reachable, the names in some of the
volume headers will be out of sync with name in the VLDB entry.
The implementation of UV_RenameVolume() is idempotent, so can be safely
called with the same name as in the volume's VLDB entry. This could be
used to bring all the names in the volume headers in sync with the name
in the VLDB.
Unfortunately, due to the check of the -newname parameter, vos
rename will not invoke UV_RenameVolume() when the name in the VLDB has
already been changed. The vos rename command attempts to verify the
desired name (-newname) is available before invoking UV_RenameVolume()
by simply checking if a VLDB entry exists with that name, and
incorrectly assumes when a VLDB entry exists with that name it is an
entry for a different volume.
Change the -newname check to allow vos rename to proceed when name has
already been set in the VLDB entry of the volume being renamed. This
allows admins to run vos rename command to complete a previously
incomplete rename operation and bring the names in the volume headers in
sync with the name in the VLDB entry.
Note: Before this commit, administrators could workaround this vos
rename limitation by renaming the volume twice, first to an unused
volume name, then to the actual desired volume name.
Remove the useless checks of the code1 return code after exit in
the RenameVolume() function. These checks for code1 are never performed
since the function exits early when the first VLDB_GetEntryByName()
fails for any reason.
Update the vos rename man page to show vos rename can be used to fix
previously interrupted/failed rename. Also document the -oldname
parameter accepts a numeric volume id to specify the volume to be
renamed.
Change-Id: Ibb5dbe3148e9b8295347925a59cd7bdbccbe8fe0
Reviewed-on: https://gerrit.openafs.org/13720
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Commit e5b1e6f1 (Add rxgk client options to vl and pt utilities) added
a couple of new command-line options related to rxgk, but didn't add
them to the relevant man pages.
Add a brief description of these new options to the manpages for pts,
vos, ptserver, and vlserver.
Change-Id: I2d9bfdeb0a31d396740ca2a4d42e14c025b6f79e
Reviewed-on: https://gerrit.openafs.org/13947
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add the new option -admin-write to allow write requests from superusers
on file servers running in readonly mode (-readonly). This lets sites
run fileservers in readonly mode for normal users, but allows members of
the system:administrators group to modify content.
Change-Id: Id8ed3513a748815c07cb98e426c1d21ac300b416
Reviewed-on: https://gerrit.openafs.org/13707
Reviewed-by: Andrew Deason <adeason@sinenomine.net>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003,
it is not strictly necessary to configure libkrb5 to allow weak crypto
in order to obtain an AFS token. A sufficient amount of time has passed
since then that it is safe to assume that the default behavior is the
more-secure one, and require opt-in for the insecure behavior.
To indicate that the use of single-DES is quite risky, add the
"-insecure_des" argument to both klog and aklog, to gate the
preexisting calls that enable weak crypto/single-DES.
These calls, and the -insecure_des option, may be removed entirely
in a future commit.
Change-Id: If175d0f95f0ede0f252844086a2a023da5580732
Reviewed-on: https://gerrit.openafs.org/13689
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
Add a new command, 'add-random', to allow the creation of a new key
with random data. This is helpful for certain rxgk keys, which only
need to exist in KeyFileExt and not in any other database (like a krb5
KDC), and so aren't derived from a krb5 keytab.
Change-Id: I1f3b27e074b0931deb8645f7550e0b315d82e249
Reviewed-on: https://gerrit.openafs.org/12768
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The current 'delete' command from asetkey only lets the user delete
old-style rxkad keys. Add a couple of new variants to allow specifying
the key type and subtype, so the user can delete specific key types
and enctypes if they want.
Change-Id: If0dfaa70ea0b749dadd52a6b7d62fd3ad2b61d18
Reviewed-on: https://gerrit.openafs.org/12767
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
This should fix a build failure reported on the openafs-devel list
today.
Change-Id: I227922f78aaa614b73dd1f5c1c61116168fc0b69
Reviewed-on: https://gerrit.openafs.org/13533
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The klog.krb5 -lifetime option was copied from earlier versions of log
and klog, which had the ability to set the krb4 token lifetime. However,
the -lifetime option is not feasible the krb5 version, and so is not
implemented in klog.krb5.
Update the klog.krb5 man page to document the -lifetime option has no
effect. Remove the code which unnecessarily checks the unused klog.krb5
-lifetime command line argument.
The unused lifetime variable was discovered by Pat Riehecky using the
clang scan-build static analyzer.
Change-Id: I5f459ec46eaff87a69ccdf7de386a671d0944a5a
Reviewed-on: https://gerrit.openafs.org/13309
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: PatRiehecky <jcpunk@gmail.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The last valid partition name supported by OpenAFS is /vicepiu, not
/vicepiv. Update the docs and man pages to say so.
Change-Id: I6e1cce775d332d76f605a26f16502c651461994b
Reviewed-on: https://gerrit.openafs.org/13177
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Use the standard routine to pick a client security object, instead of
always assuming rxnull. Respect -localauth as well as being able to
use the current user's tokens, but also provide a -nobutcauth argument
to fall back to the historical rxnull behavior (but only for the connections
to butc; vldb and budb connections are not affected).
Change-Id: Ibf8ebe5521bee8d0f7162527e26bc5541d07910d
The butc -localauth option is available to use the cell-wide key to
authenticate to the vlserver and buserver, which in normal deployments
will require incoming connections to be authenticated as a superuser.
In such cases, the cell-wide key is also available for use in
authenticating incoming connections to the butc, which would otherwise
have been completely unauthenticated.
Because of the security hazards of allowing unauthenticaed inbound
RPCs, especially ones that manipulate backup information and are allowed
to initiate outboud RPCs authenticated as the superuser, default to
not allowing unauthenticated inbound RPCs at all. Provide an opt-out
command-line argument for deployments that require this functionality
and have configured their network environment (firewall/etc.) appropriately.
Change-Id: Ia6349757a4c6d59d1853df1a844e210d32c14feb
Make the actual implementations into helper functions, with the RPC
stubs calling the helpers and doing the auditing on the results, akin
to most other server programs in the tree. This relies on support for
some additional types having been added to the audit framework.
Change-Id: Ic872d6dfc7854fa28bd3dc2277e92c7919d0d0c0
Make a few misc changes to the text for the new -volume-ttl option:
- Minor grammatical/typo fixes
- Emphasize a little more that the default behavior allows for vldb
info to be cached _forever_
- Provide some info on the effects of changing this value
- Provide a suggested "typical" value, to give some clue as to what
should be set here, so a curious user doesn't just set this to the
first value they see (10 minutes)
Change-Id: Ib6b2871b111c392260ea80e26273201b09d4c402
Reviewed-on: https://gerrit.openafs.org/12909
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Andrew Deason <adeason@sinenomine.net>
Commit dfceff1d3a added the
-preserve-vol-stats flag to the volume server. This enabled a change in
the volume server to preserve volume usage statistics during reclone and
restore operations. Otherwise, volume usage counters of read-only
volumes are cleared when volumes are released, making it difficult to
track usage with the volume stats.
Make this feature the default behavior of the volume server and provide
the option -clear-vol-stats to use the old behavior if so desired. This
change makes the -preserve-vol-stats the default, and keeps it as a
hidden flag for sites which may already have that flag set in the
BosConfig.
Since this changes a default behavior of the volume server, this change
is only appropriate on a major or minor release boundary, not in the
middle of a stable series.
Change-Id: I3706ede64b7b18a80b39ebd55f2e1824bb7dbc57
Reviewed-on: https://gerrit.openafs.org/12674
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
What's displayed by fs wscell is not necessarily the current content
of ThisCell, but that at the time of starting the client. Say so.
FIXES 133339
Change-Id: Id3351f1236e5061340eb07041d4ce3e4de69a1a1
Reviewed-on: https://gerrit.openafs.org/12537
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The unix cache manager caches VLDB information for read-only volumes as
long as a volume callback is held for a read-only volume. The volume
callback may be held as long as files in the read-only volume are being
accessed. The cache manager caches VLDB information for read/write
volumes as long as volume level errors (such as VMOVED) are not returned
by a fileserver while accessing files within the volume.
Add a new option to set the maximum amount of time VLDB information will
be cached, even if a callback is still held for a read-only volume, or
no volume errors have been encounted while accessing files in read/write
volumes.
This avoids situations where the vldb information is cached indefinitely
for read-only and read/write volumes. Instead, the VL servers will be
periodically probed for volume information.
Change-Id: I5f2a57cdaf5cbe7b1bc0440ed6408226cc988fed
Reviewed-on: https://gerrit.openafs.org/11898
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Clone the VLLog man page to create a man page for ptserver log as well.
Fix the spelling of the PtLog file and add a link to the new PtLog man
page in the ptserver man page.
Add the missing PtLog log file name to the bos getlog man page.
Change-Id: I95ad4a2cf380077780160ec78fd1f9bdec132ba7
Reviewed-on: https://gerrit.openafs.org/12294
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Fixes this error:
$ git clean -xdf
$ ./regen.sh -q
$ ./configure
$ make
[…]
make[3]: Entering directory '/…/openafs/doc/man-pages'
rm -f man*/*.noinstall
if [ "no" = "no" ] ; then \
for M in man1/klog.1 man1/knfs.1 […] man8/kpwvalid.8 man1/klog.krb.1; do \
touch $M.noinstall; \
done; \
fi
touch: cannot touch 'man1/klog.1.noinstall': No such file or directory
touch: cannot touch 'man1/knfs.1.noinstall': No such file or directory
[…]
touch: cannot touch 'man8/kpwvalid.8.noinstall': No such file or directory
touch: cannot touch 'man1/klog.krb.1.noinstall': No such file or directory
Makefile:34: recipe for target 'prep-noinstall' failed
make[3]: *** [prep-noinstall] Error 1
make[3]: Leaving directory '/…/openafs/doc/man-pages'
Change-Id: I95098fb2b27f1d87fc9769497b225e9f91f72266
Reviewed-on: https://gerrit.openafs.org/12492
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Mention the vlserver -d option can be used to set the initial logging
level.
Thanks to Mark Vitale for the suggestion.
Change-Id: Ia17a2063432343c2cf78e1b01c5897751625aae8
Reviewed-on: https://gerrit.openafs.org/12324
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Commit f085951d39 introduced an error in
the bos getlog helpfile.
Modify the helpfile to describe the actual restrictions imposed by
-restricted mode.
Change-Id: I8d8fedb558a1bdbd55d80046b2011f3aacc71b3f
Reviewed-on: https://gerrit.openafs.org/12454
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
This commit adds the afsd -inumcalc command line switch to specify the
inode number calculation method in a platform neutral way.
Inode numbers reported for files within the AFS filesystem are generated
by the cache manager using a calculation which derives a number from a
FID. Long ago, a new type of calculation was added which generates inode
numbers using a MD5 message digest of the FID. The MD5 inode number
calculation variant is computationally more expensive but greatly
reduces the chances for inode number collisions.
The MD5 calculation can be enabled on the Linux cache manager using the
Linux sysctl interface. Other than the sysctl method of selecting the
inode calculation type, the MD5 inode number calculation method is not
specific to Linux.
This change introduces a command-line option which accepts a value to
indicate the calculation method, instead of a simple flag to enable MD5
inode numbers. This should allow for new inode calculation methods
in the future without the need for additional afsd command-line flags.
Two values are currently accepted for -inumcalc. The value of 'compat'
specifies the legacy inode number calculation. The value 'md5' indicates
that the new MD5 calculation is to be used.
Change-Id: I0257c68ca1a32a7a4c55ca8174a4926ff78ddea4
Reviewed-on: https://gerrit.openafs.org/11855
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Don't mention it in the man pages.
Change-Id: I8a6d706f055545642116af5a98fa8c04f533b990
Reviewed-on: https://gerrit.openafs.org/11529
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
The ability to set the size of the volume hash table was added
at the same time that DAFS was introduced, and got caught up
in the same preprocessor conditional. However, -vhashsize can
be useful for the traditional fileserver as well (even though
we recommend DAFS over the traditional fileserver), so let it
be used in that case.
Update the man pages accordingly and fix some grammar while here.
Noted by Mark Vitale.
Change-Id: Ic3282c9d661d60cf36f9ffb197e723a3f71da167
Reviewed-on: https://gerrit.openafs.org/12287
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add a -s2scrypt option to the volume server, with possible options:
* never -- the existing behavior
* always -- switch to using afsconf_ClientAuthSecure, which uses
rxkad_crypt, for ForwardVolume calls.
* inherit -- encrypt inter-server traffic if the causal client
connection is encrypted. This has the effect of "inheriting" the
"-encrypt" flag given to "vos release", for example.
Thanks to Jeffrey Altman for pointers and to Andrew Deason for noting
the existence of rxkad_GetServerInfo.
[mmeffie@sinenomine.net fix assertion and style update.]
Change-Id: Ia295ba3f29a8494c8250a480fb26594468d2116a
Reviewed-on: https://gerrit.openafs.org/11349
Reviewed-by: Mark Vitale <mvitale@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Thomas Keiser <tkeiser@gmail.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Add the ability to specify a range of addresses in both NetInfo and
NetRestrict.
Change-Id: Iecdcca8587aa2e6e7cd56cbbebb63eb41b5d6f40
Reviewed-on: https://gerrit.openafs.org/11313
Reviewed-by: Daria Phoebe Brashear <shadow@your-file-system.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
A simple utility to help with the 1.6-->1.8 upgrade by
bulk-converting keys, with some sanity checking.
Change-Id: Ibae9a1ea3b7c3bbad5ffbc02410fa7a4ff6c4d7f
Reviewed-on: https://gerrit.openafs.org/11786
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
