add roots: support; disable arbitrary local path access

wyang007 · Nov 10, 2020 · b248fe9 · b248fe9
1 parent 13d68e4
commit b248fe9
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -20,7 +20,7 @@ OBJECTS=XrdOucName2NameDCP4RUCIO.o XrdOssStatInfoDCP.o rucioGetMetaLink.o pfn2ca
 DEBUG=-g
 
 XrdName2NameDCP4RUCIO.so: $(OBJECTS) Makefile
-	g++ ${DEBUG} -shared -fPIC -o $@ $(OBJECTS) -L${XRD_LIB} -L${XRD_LIB}/XrdCl -ldl -lssl -lcurl -lXrdCl -lXrdFileCache-4 -lXrdPosix -lstdc++
+	g++ ${DEBUG} -shared -fPIC -o $@ $(OBJECTS) -L${XRD_LIB} -L${XRD_LIB}/XrdCl -ldl -lssl -lcurl -lXrdCl -lXrdPosix -lstdc++
 
 XrdOucName2NameDCP4RUCIO.o: XrdOucName2NameDCP4RUCIO.cc ${HEADERS} Makefile
 	g++ ${DEBUG} ${FLAGS} -fPIC -I ${XRD_INC} -I ${XRD_LIB} -c -o $@ $<

diff --git a/XrdOssStatInfoDCP.cc b/XrdOssStatInfoDCP.cc
@@ -37,6 +37,7 @@ int XrdOssStatInfo(const char *path, struct stat *buff,
      else 
      {
          i = tmp.find("/root:/");
+         if (i == string::npos) i = tmp.find("/roots:/");
          if (i == string::npos) i = tmp.find("/http:/");
          if (i == string::npos) i = tmp.find("/https:/");
 

diff --git a/XrdOucName2NameDCP4RUCIO.cc b/XrdOucName2NameDCP4RUCIO.cc
@@ -128,13 +128,18 @@ int XrdOucName2NameDiskCacheProxy4Rucio::lfn2pfn(const char* lfn, char* buff, in
         return EFAULT;
     }
 
-    if (myLfn.find("/root:/") == 0 || myLfn.find("/http:/") == 0 || myLfn.find("/https:/") == 0) 
+    if (myLfn.find("/root:/") == 0 || myLfn.find("/roots:/") == 0 ||
+        myLfn.find("/http:/") == 0 || myLfn.find("/https:/") == 0) 
         myPfn = makeMetaLink(eDest, myName, lfn);  // Assume the client know the data source...
     else if ((i = myLfn.rfind(gLFNprefix)) != 0)
     {
         // client want so access a local file that is permitted by the xcache configuration
+
+        /* Do not allow this kind of access (security)
         myLfn = "/file:/localhost" + myLfn;
         myPfn = makeMetaLink(eDest, myName, myLfn.c_str());
+        */
+        myPfn = "EFAULT";
     }
     else // gLFN
     {

diff --git a/rucioGetMetaLink.cc b/rucioGetMetaLink.cc
@@ -128,14 +128,16 @@ std::string makeMetaLink(XrdSysError* eDest, const std::string myName, const std
     myPfn = pfn;
     proto = myPfn.substr(1, myPfn.find(":/")); // "root:", not "root"
     myPfn.replace(0, proto.length()+2, "");
-    if (proto == "root:") myPfn.replace(myPfn.find("/"), 1, "//"); // this is the / or // right before path
+    if (proto == "root:" || proto == "roots:") 
+        myPfn.replace(myPfn.find("/"), 1, "//"); // this is the / or // right before path
     myPfn = proto + "//" + myPfn;
 
     XrdCl::URL rootURL = myPfn;
     if (proto == "root:" && !rootURL.IsValid()) return "EFAULT"; 
+    if (proto == "roots:" && !rootURL.IsValid()) return "EFAULT"; 
 
     metaLinkFile = myPfn;
-    metaLinkFile = metaLinkFile.replace(0, proto.length()+2, "");         // remove "root://"
+    metaLinkFile = metaLinkFile.replace(0, proto.length()+2, "");         // remove "root://" or "roots://"
     metaLinkFile = metaLinkFile.replace(0, metaLinkFile.find("/"), "");   // remove loginid@hostnaem:port/
     if (metaLinkFile.substr(0, 1) == "/") metaLinkFile.replace(0, 1, ""); // remove the next leading /