Do not try to execute programs that are supposed to be unreadable

Mitchell E Berger · Mitchell E Berger · commit d0a755b63063 · 2025-02-01T21:32:52.000-05:00
Stock AFS has code that, in the case of an attempt to execute a file,
first asks afs_AccessOK() if the user has permission to read that file,
and then if the answer is "no," overrides that decision if the Unix mode
of the file has the read permission bit set, allowing an attempt to
execute the program anyway.  If the read permission is really absent, in
normal AFS, the AFS server won't provide the file content and will
prevent this from working.  The code may be related to the NFS2AFS
translator, where it might work.

On Scripts, if a user tries to run a program from a volume other than
their own where daemon.scripts has the AFS 'r' and 'l' permissions, the
AFS server will not block this from working, and the result will be that
a user can run (and therefore read) programs they aren't supposed to be
able to, and that the patch we've had since the beginning of time is
trying to deny them permission to do, yet its decision is being overridden.

Remove the logic that allows this to be attempted.
diff --git a/server/common/patches/openafs-scripts.patch b/server/common/patches/openafs-scripts.patch
@@ -5,6 +5,7 @@
 # and Edward Z. Yang <ezyang@mit.edu>
 # and Benjamin Kaduk <kaduk@mit.edu>
 # and Alexander Chernyakhovsky <achernya@mit.edu>
+# and Mitchell Berger <mitchb@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
 #
@@ -119,6 +120,24 @@ index 0087073..df3e4ef 100644
  	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
      }
  }
+@@ -305,7 +329,16 @@ afs_access(OSI_VC_DECL(avc), afs_int32 amode,
+ 			if ((avc->f.m.Mode & 0100) == 0)
+ 			    code = 0;
+ 		} else if (avc->f.m.Mode & 0100)
+-		    code = 1;
++		    /* [scripts] Stock AFS sets code to 1 here and allows an
++		     * attempt at execution even if the AFS permissions don't
++		     * allow reading.  If the read permission is really
++		     * missing, the server would prevent this.  Because we
++		     * return 0 from afs_AccessOK when the read permission is
++		     * present but the UID doesn't match the VID, setting code
++		     * to 1 here would allow any user to execute (and
++		     * therefore read) any program Scripts can read, even if
++		     * it's in the wrong volume. */
++		    ;
+ 	    }
+ 	    if (code && (amode & VWRITE)) {
+ 		code = afs_AccessOK(avc, PRSFS_WRITE, treq, CHECK_MODE_BITS);
 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
 index 2eb228f..d5d6e4a 100644
 --- a/src/afs/VNOPS/afs_vnop_attrs.c
