diff --git a/share/etc/oned.conf b/share/etc/oned.conf
index 65cfb004d3..566e6f5fd9 100644
--- a/share/etc/oned.conf
+++ b/share/etc/oned.conf
@@ -457,6 +457,10 @@ HM_MAD = [
 # SESSION_EXPIRATION_TIME: Time in seconds to keep an authenticated token as
 # valid. During this time, the driver is not used. Use 0 to disable session
 # caching
+#
+# ENABLE_OTHER_PERMISSIONS: Whether or not to enable the permissions for
+# 'other'. Users in the oneadmin group will still be able to change
+# these permissions. Values: YES or NO
 #*******************************************************************************
 
 AUTH_MAD = [
@@ -467,3 +471,4 @@ AUTH_MAD = [
 SESSION_EXPIRATION_TIME = 900
+ENABLE_OTHER_PERMISSIONS = "NO"
\ No newline at end of file
diff --git a/src/rm/RequestManagerChmod.cc b/src/rm/RequestManagerChmod.cc
index 544a7f8197..ab76601387 100644
--- a/src/rm/RequestManagerChmod.cc
+++ b/src/rm/RequestManagerChmod.cc
@@ -42,7 +42,7 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
 PoolObjectSQL * object;
 string error_str;
 
- if ( att.uid != 0 )
+ if ( att.uid != 0 && att.gid != 0)
 {
 AuthRequest::Operation op = AuthRequest::MANAGE;
 PoolObjectAuth perms;
@@ -71,6 +71,16 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
 group_a = -1;
 }
 
+ if ( other_u == perms.other_u )
+ {
+ other_u = -1;
+ }
+
+ if ( other_m == perms.other_m )
+ {
+ other_m = -1;
+ }
+
 if ( other_a == perms.other_a )
 {
 other_a = -1;
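Review bot: The widened guard `if ( att.uid != 0 && att.gid != 0)` now exempts every request whose gid is 0 from the whole authorization block — the MANAGE/ADMIN `AuthRequest` built further down in this function, not only the new ENABLE_OTHER_PERMISSIONS gate — whereas the oned.conf comment in this commit only promises that the oneadmin group can still change the 'other' bits. If the narrower exemption is the intent, keep the original `if ( att.uid != 0 )` and apply the group exemption inside the later hunk's check instead, `if ( enable_other != "YES" && att.gid != 0 )`, so ownership and ADMIN checks still run for group members. Whether `att.gid` reflects only the primary group or secondary membership too is not visible here; if it is the primary group only, the oned.conf comment should say so. Minor style: the new condition drops the space before the closing parenthesis used elsewhere in this function, `att.gid != 0 )`. request_execute starts before this hunk and continues past it.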
@@ -81,6 +91,23 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
 op = AuthRequest::ADMIN;
 }
 
+ if ( other_u != -1 || other_m != -1 || other_a != -1 )
+ {
+ string enable_other;
+
+ Nebula::instance().get_configuration_attribute(
+ "ENABLE_OTHER_PERMISSIONS", enable_other);
+
+ if ( enable_other != "YES" )
+ {
+ failure_response(AUTHORIZATION,
+ "Management of 'other' permissions is disabled in oned.conf",
+ att);
+
+ return;
+ }
+ }
+
 AuthRequest ar(att.uid, att.gid);
 ar.add_auth(op, perms);