Feature #862: Add configuration option in oned.conf to enable/disable the management of the permissions for 'other'

2025-03-21 14:50:08 +03:00 · 2012-01-11 16:46:57 +01:00 · 2012-01-11 16:46:57 +01:00 · 1ad6aca0ef
commit 1ad6aca0ef
parent d88fc7fc9b
2 changed files with 33 additions and 1 deletions
--- a/share/etc/oned.conf
+++ b/share/etc/oned.conf
@ -457,6 +457,10 @@ HM_MAD = [
 # SESSION_EXPIRATION_TIME: Time in seconds to keep an authenticated token as
 # valid. During this time, the driver is not used. Use 0 to disable session 
 # caching
+#
+# ENABLE_OTHER_PERMISSIONS: Whether or not to enable the permissions for
+# 'other'. Users in the oneadmin group will still be able to change
+# these permissions. Values: YES or NO
 #*******************************************************************************

 AUTH_MAD = [
@ -467,3 +471,4 @@ AUTH_MAD = [

 SESSION_EXPIRATION_TIME = 900

+ENABLE_OTHER_PERMISSIONS = "NO"
--- a/src/rm/RequestManagerChmod.cc
+++ b/src/rm/RequestManagerChmod.cc
@ -42,7 +42,7 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
    PoolObjectSQL * object;
    string          error_str;

-    if ( att.uid != 0 )
+    if ( att.uid != 0 && att.gid != 0)
    {
        AuthRequest::Operation op = AuthRequest::MANAGE;
        PoolObjectAuth  perms;
@ -71,6 +71,16 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
            group_a = -1;
        }

+        if ( other_u == perms.other_u )
+        {
+            other_u = -1;
+        }
+
+        if ( other_m == perms.other_m )
+        {
+            other_m = -1;
+        }
+
        if ( other_a == perms.other_a )
        {
            other_a = -1;
@ -81,6 +91,23 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
            op = AuthRequest::ADMIN;
        }

+        if ( other_u != -1 || other_m != -1 || other_a != -1 )
+        {
+            string enable_other;
+
+            Nebula::instance().get_configuration_attribute(
+                    "ENABLE_OTHER_PERMISSIONS", enable_other);
+
+            if ( enable_other != "YES" )
+            {
+                failure_response(AUTHORIZATION,
+                         "Management of 'other' permissions is disabled in oned.conf",
+                         att);
+
+                return;
+            }
+        }
+
        AuthRequest ar(att.uid, att.gid);

        ar.add_auth(op, perms);