void *buf)
{
struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_export_data *med = mdt_req2med(req);
struct mdt_device *mdt = info->mti_mdt;
struct ptlrpc_user_desc *pud = req->rq_user_desc;
struct md_ucred *ucred = mdt_ucred(info);
lnet_nid_t peernid = req->rq_peer.nid;
__u32 perm = 0;
+ __u32 remote = exp_connect_rmtclient(info->mti_exp);
int setuid;
int setgid;
int rc = 0;
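Review bot: The `remote` flag that gates the access checks below is now read from `info->mti_exp` through `exp_connect_rmtclient()`, where the removed line derived it from the request via `mdt_req2med(req)`; nothing visible here shows that `info->mti_exp` is already set and refers to the same export as `req` at this point. A wrong or stale value would send a remote client down the local-client branches (`!remote` allows the `-EREMCHG` fallback that grants setuid/setgid/setgrp permission, and the setgroups path), so I would confirm that invariant and, once confirmed, record it next to the declaration, e.g. `/* mti_exp is the export req arrived on */`. The flag is only ever used as a truth value, so `int` would read better than `__u32`. The same declaration is added in `mdt_check_ucred`, and the function this hunk belongs to starts above the visible lines.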
}
/* sanity check: we expect the uid which client claimed is true */
- if (med->med_rmtclient) {
+ if (remote) {
if (req->rq_auth_mapped_uid == INVALID_UID) {
CDEBUG(D_SEC, "remote user not mapped, deny access!\n");
RETURN(-EACCES);
}
if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- if (med->med_rmtclient) {
+ if (remote) {
CDEBUG(D_SEC, "remote client must run with identity_get "
"enabled!\n");
RETURN(-EACCES);
pud->pud_uid);
if (IS_ERR(identity)) {
if (unlikely(PTR_ERR(identity) == -EREMCHG &&
- !med->med_rmtclient)) {
+ !remote)) {
ucred->mu_identity = NULL;
perm = CFS_SETUID_PERM | CFS_SETGID_PERM |
CFS_SETGRP_PERM;
} else {
ucred->mu_identity = identity;
perm = mdt_identity_get_perm(ucred->mu_identity,
- med->med_rmtclient,
- peernid);
+ remote, peernid);
}
}
/*
* NB: remote client not allowed to setgroups anyway.
*/
- if (!med->med_rmtclient && perm & CFS_SETGRP_PERM) {
+ if (!remote && perm & CFS_SETGRP_PERM) {
if (pud->pud_ngroups) {
/* setgroups for local client */
ucred->mu_ginfo = groups_alloc(pud->pud_ngroups);
/* XXX: need to process root_squash here. */
mdt_root_squash(info);
- /* remove fs privilege for non-root user */
+ /* remove fs privilege for non-root user. */
if (ucred->mu_fsuid)
ucred->mu_cap = pud->pud_cap & ~CFS_CAP_FS_MASK;
else
ucred->mu_cap = pud->pud_cap;
+ if (remote && !(perm & CFS_RMTOWN_PERM))
+ ucred->mu_cap &= ~(CFS_CAP_SYS_RESOURCE_MASK |
+ CFS_CAP_CHOWN_MASK);
ucred->mu_valid = UCRED_NEW;
EXIT;
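Review bot: The capability drop added here for remote clients without `CFS_RMTOWN_PERM` has no counterpart in the two later hunks that set `uc->mu_cap` (`uc->mu_cap = body->capability & ~CFS_CAP_FS_MASK` and `uc->mu_cap &= ~CFS_CAP_FS_MASK`), where only the comment changes. If a remote client can reach those paths it would keep the chown and sys_resource capabilities there; if it cannot, a one-line comment at those sites saying so would save the next reader the same question. The new lines also carry no comment of their own; I would add `/* remote client without CFS_RMTOWN_PERM: drop chown and sys_resource caps */` above the `if`. The enclosing function starts and ends outside this hunk.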
int mdt_check_ucred(struct mdt_thread_info *info)
{
struct ptlrpc_request *req = mdt_info_req(info);
- struct mdt_export_data *med = mdt_req2med(req);
struct mdt_device *mdt = info->mti_mdt;
struct ptlrpc_user_desc *pud = req->rq_user_desc;
struct md_ucred *ucred = mdt_ucred(info);
struct md_identity *identity = NULL;
lnet_nid_t peernid = req->rq_peer.nid;
__u32 perm = 0;
+ __u32 remote = exp_connect_rmtclient(info->mti_exp);
int setuid;
int setgid;
int rc = 0;
/* sanity check: if we use strong authentication, we expect the
* uid which client claimed is true */
- if (med->med_rmtclient) {
+ if (remote) {
if (req->rq_auth_mapped_uid == INVALID_UID) {
CDEBUG(D_SEC, "remote user not mapped, deny access!\n");
RETURN(-EACCES);
}
if (is_identity_get_disabled(mdt->mdt_identity_cache)) {
- if (med->med_rmtclient) {
+ if (remote) {
CDEBUG(D_SEC, "remote client must run with identity_get "
"enabled!\n");
RETURN(-EACCES);
identity = mdt_identity_get(mdt->mdt_identity_cache, pud->pud_uid);
if (IS_ERR(identity)) {
if (unlikely(PTR_ERR(identity) == -EREMCHG &&
- !med->med_rmtclient)) {
+ !remote)) {
RETURN(0);
} else {
CDEBUG(D_SEC, "Deny access without identity: uid %u\n",
}
}
- perm = mdt_identity_get_perm(identity, med->med_rmtclient, peernid);
+ perm = mdt_identity_get_perm(identity, remote, peernid);
/* find out the setuid/setgid attempt */
setuid = (pud->pud_uid != pud->pud_fsuid);
setgid = (pud->pud_gid != pud->pud_fsgid ||
/* XXX: need to process root_squash here. */
mdt_root_squash(info);
- /* remove fs privilege for non-root user */
+ /* remove fs privilege for non-root user. */
if (uc->mu_fsuid)
uc->mu_cap = body->capability & ~CFS_CAP_FS_MASK;
else
/* XXX: need to process root_squash here. */
mdt_root_squash(info);
- /* remove fs privilege for non-root user */
+ /* remove fs privilege for non-root user. */
if (uc->mu_fsuid)
uc->mu_cap &= ~CFS_CAP_FS_MASK;
uc->mu_valid = UCRED_OLD;
{
struct mdt_body *repbody;
const struct lu_attr *la = &ma->ma_attr;
+ int rc;
ENTRY;
repbody = req_capsule_server_get(info->mti_pill, &RMF_MDT_BODY);
repbody->valid |= OBD_MD_FLCOOKIE;
}
+ if (info->mti_mdt->mdt_opts.mo_oss_capa &&
+ info->mti_exp->exp_connect_flags & OBD_CONNECT_OSS_CAPA &&
+ repbody->valid & OBD_MD_FLEASIZE) {
+ struct lustre_capa *capa;
+
+ capa = req_capsule_server_get(info->mti_pill, &RMF_CAPA2);
+ LASSERT(capa);
+ capa->lc_opc = CAPA_OPC_OSS_DESTROY;
+ rc = mo_capa_get(info->mti_env, mdt_object_child(mo), capa, 0);
+ if (rc)
+ RETURN(rc);
+
+ repbody->valid |= OBD_MD_FLOSSCAPA;
+ }
+
RETURN(0);
}
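Review bot: `LASSERT(capa)` presumably turns a missing `RMF_CAPA2` reply buffer into an assertion failure on the server, and the hunk does not show that the reply was packed with that field under the same three conditions tested here (`mo_oss_capa`, `OBD_CONNECT_OSS_CAPA`, `OBD_MD_FLEASIZE`). Because one of those conditions comes from the client's connect flags, I would treat the NULL case as an error, e.g. `if (capa == NULL) RETURN(-EPROTO);`, unless the packing code is known to guarantee the buffer, in which case a comment naming where it is packed would do. `rc` is used only inside the new block and could be declared there, and parentheses around the two `&` tests would make the condition easier to read. The function's signature is above the hunk.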