From: Sage Weil
Date: Thu, 3 Sep 2015 16:34:33 +0000 (-0400)
Subject: mds/MDSAuthCap: verify the caller_gid is valid
X-Git-Tag: v10.0.0~123^2~6
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=96ee6c9f6c6512d6dee07afe16b32d0813b8af54;p=ceph.git
mds/MDSAuthCap: verify the caller_gid is valid
Verify both the caller uid and gid are a match for the given rule.
Signed-off-by: Sage Weil
---
diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 483e0a18774d..9f1709f8715a 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -107,10 +107,13 @@ void MDSCapMatch::normalize_path()
 }
 bool MDSCapMatch::match(const std::string &target_path,
- const int target_uid) const
+ const int caller_uid,
+ const int caller_gid) const
 {
 if (uid != MDS_AUTH_UID_ANY) {
- if (uid != target_uid)
+ if (uid != caller_uid)
+ return false;
+ if (std::find(gids.begin(), gids.end(), caller_gid) == gids.end())
 return false;
 }
 if (path.length()) {
@@ -153,7 +156,7 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
 i != grants.end();
 ++i) {
- if (i->match.match(inode_path, caller_uid) &&
+ if (i->match.match(inode_path, caller_uid, caller_gid) &&
 i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
 // check unix permissions?
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 7f361ecaefdd..68034ecc82fc 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -80,7 +80,11 @@ struct MDSCapMatch {
 {
 return uid == MDS_AUTH_UID_ANY && path == "";
 }
- bool match(const std::string &target_path, const int target_uid) const;
+
+ // check whether this grant matches against a given file and caller uid:gid
+ bool match(const std::string &target_path,
+ const int caller_uid,
+ const int caller_gid) const;
 };
 struct MDSCapGrant {
diff --git a/src/test/mds/TestMDSAuthCaps.cc b/src/test/mds/TestMDSAuthCaps.cc
index 49d91f21c03f..b7d3c0b0877a 100644
--- a/src/test/mds/TestMDSAuthCaps.cc
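Review bot: In `MDSCapMatch::match` (src/mds/MDSAuthCaps.cc) the added gid test rejects every caller when the grant's `gids` is empty, because `std::find` over an empty range returns `gids.end()`; assuming a grant may name a uid without any gids, a cap such as `allow * uid=10` (the string the AllowUid test used before this commit) can no longer match anyone. That fails closed, so it is not a bypass, but it silently changes what existing uid-only caps mean. If an empty list is meant as "any gid", guard the check with `if (!gids.empty() && std::find(gids.begin(), gids.end(), caller_gid) == gids.end()) return false;`; if it is meant to be invalid, the parser should reject it instead of accepting a rule that can never match. Only the single `caller_gid` is compared, so a caller whose matching group is supplementary is presumably refused too; the rest of `match` lies outside this hunk.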
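Review bot: The new comment above `MDSCapMatch::match` in src/mds/MDSAuthCaps.h reads as if uid and gid are always checked, but the .cc hunk consults `caller_gid` only inside the `uid != MDS_AUTH_UID_ANY` branch, and the context line `return uid == MDS_AUTH_UID_ANY && path == "";` just above does not look at `gids` at all. State that in the comment, for example `// caller_gid is compared against gids only when uid is set; a uid-any grant ignores gids`, so a reader does not assume a gid restriction that is not enforced. The top-level `const` on the by-value `int` parameters has no effect in a declaration and can be dropped. The struct begins outside this hunk.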
+++ b/src/test/mds/TestMDSAuthCaps.cc
@@ -16,6 +16,9 @@
 #include "include/stringify.h"
 #include "mds/MDSAuthCaps.h"
+#include "common/ceph_argparse.h"
+#include "common/common_init.h"
+#include "global/global_init.h"
 #include "gtest/gtest.h"
@@ -114,10 +117,11 @@ TEST(MDSAuthCaps, AllowAll) {
 }
 TEST(MDSAuthCaps, AllowUid) {
- MDSAuthCaps cap;
- ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10", NULL));
+ MDSAuthCaps cap(g_ceph_context);
+ ASSERT_TRUE(cap.parse(g_ceph_context, "allow * uid=10 gids=10,11", NULL));
 ASSERT_FALSE(cap.allow_all());
- ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 0, MAY_READ | MAY_WRITE, 0, 0));
+ ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 10, MAY_READ | MAY_WRITE, 0, 0));
+ ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 10, 0, MAY_READ | MAY_WRITE, 0, 0));
 ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, -1, 0, MAY_READ | MAY_WRITE, 0, 0));
 ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0777, 0, 0, MAY_READ | MAY_WRITE, 0, 0));
 ASSERT_TRUE(cap.is_capable("foo", 0, 10, 0775, 10, 10, MAY_READ, 0, 0));
@@ -129,7 +133,7 @@ TEST(MDSAuthCaps, AllowUid) {
 ASSERT_FALSE(cap.is_capable("foo", 0, 10, 0777, 10, 10, MAY_READ|MAY_CREATE, 0, 0));
 ASSERT_TRUE(cap.is_capable("foo", 0, 10, 0557, 10, 10, MAY_READ, 0, 0));
 ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_READ, 0, 0));
- ASSERT_FALSE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_CREATE, 0, 0));
+ ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0557, 10, 10, MAY_WRITE, 0, 0));
 ASSERT_FALSE(cap.is_capable("foo", 10, 10, 0577, 10, 10, MAY_WRITE, 0, 0));
 }
@@ -182,3 +186,17 @@ TEST(MDSAuthCaps, OutputParsed) {
 ASSERT_EQ(test_values[i].output, stringify(cap));
 }
 }
+
+int main(int argc, char **argv)
+{
+ ::testing::InitGoogleTest(&argc, argv);
+
+ vector args;
+ argv_to_vec(argc, (const char **)argv, args);
+ env_to_vec(args, NULL);
+
+ global_init(NULL, args, CEPH_ENTITY_TYPE_CLIENT, CODE_ENVIRONMENT_UTILITY, 0);
+ common_init_finish(g_ceph_context);
+
+ return RUN_ALL_TESTS();
+}
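Review bot: The AllowUid test now parses `gids=10,11`, but every positive assertion passes caller gid 10, so a match on the second list entry is never exercised and the uid-only form of the cap is no longer tested at all. Add `ASSERT_TRUE(cap.is_capable("foo", 0, 0, 0777, 10, 11, MAY_READ | MAY_WRITE, 0, 0));` beside the 10:10 case; it should hold for the same reason, assuming the sixth argument is the caller gid as the new 10:0 rejection suggests. A separate case that parses `allow * uid=10` without gids and pins whichever outcome is intended would document how an empty gid list is treated. The test body continues outside this hunk.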