Skip to content

Commit

Permalink
Have built-in audit DB / Acc framework handle new access operations.
Browse files Browse the repository at this point in the history 
This properly logs and denies the newly introduced exclusive access/insert
permissions.  Without this, there's an undefined memory read which can
result in permissions to create files.

(cherry picked from commit 5661241)
  • Loading branch information
@bbockelm
bbockelm committed Aug 17, 2022
1 parent 3756f1b commit bfc81cc
Showing 1 changed file with 9 additions and 3 deletions.
12 changes: 9 additions & 3 deletions src/XrdAcc/XrdAccAccess.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -300,8 +300,10 @@ int XrdAccAccess::Audit(const int accok,
"read", // 8
"readdir", // 9
"rename", // 10
"stat", // 10
"update" // 12
"stat", // 11
"update", // 12
"excl_create", // 13
"excl_insert" // 14
};
const char *opname = (oper > AOP_LastOp ? "???" : Opername[oper]);
std::string username;
Expand Down Expand Up @@ -427,8 +429,12 @@ int XrdAccAccess::Test(const XrdAccPrivs priv,const Access_Operation oper)
XrdAccPriv_Readdir, // 9
XrdAccPriv_Rename, // 10
XrdAccPriv_Lookup, // 11
XrdAccPriv_Update // 12
XrdAccPriv_Update, // 12
(XrdAccPrivs)0xffff, // 13
(XrdAccPrivs)0xffff // 14
};
// Note AOP_Excl* does not have a corresponding XrdAccPrivs; this is on
// purpose as the Excl* privilege is not modelled within the AuditDB framework.
if (oper < 0 || oper > AOP_LastOp) return 0;
return (int)(need[oper] & priv) == need[oper];
}
Expand Down

0 comments on commit bfc81cc

Please sign in to comment.