Backed out the change by request from rwatson.

PR: kern/14584
2006-06-26 22:03:22 +00:00 · 2006-06-26 22:03:22 +00:00 · f0555f2de9
commit f0555f2de9
parent d1da54538c
9 changed files with 0 additions and 143 deletions
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@ -59,7 +59,6 @@ options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
 options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
-#options 	COMMONID		# Enable support for common UID/GID space

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -905,70 +905,6 @@ options 	QUOTA			#enable disk quotas
 #
 options 	SUIDDIR

-# The common user and group ID space for the local filesystems 
-# (see PR kern/14584), AKA "poor man's ACLs".
-#
-# From the systems administration standpoint ACLs are a pain to use:
-#  * they are not supported by the classic file formats like tar and cpio
-#  * they need lots of ugly flags to commands like chown or ls
-#  * they are just by themselves difficult to show in ls
-#  * they promote ad-hoc and messy assignment of permissions
-#
-# But in fact the classic Unix permissions seem to have only one real problem:
-# sometimes it's neccessary to give read permissions to one group of
-# users and read-write permissions to another group of users. But only
-# one group is supported and that makes a problem. The common ID
-# support solves this problem without breaking any compatibility.
-#
-# Controlled by the sysctl:
-# vfs.commonid.local.enabled: Enable common UID/GID space for local filesystems
-# vfs.commonid.local.low: Lowest common UID/GID value for local filesystems
-# vfs.commonid.local.high: Highest common UID/GID value for local filesystems
-#
-# When enabled, the user and group ID space in the range [low, high] 
-# becomes common. That is, if there is an user with some ID in this range, 
-# there must not be a group with the same ID (except for a special case 
-# described later). Traditionally this kind of overlapping exists in the 
-# low values of system IDs, so the implementation won't allow to set the
-# low border below 100. If it's set manually below 100, the first time 
-# an access check is done, the system will reset it to 100.
-#
-# The special case is that for the symbolic group and user names to work
-# correctly, every time a user is created, a pseudo-group with the same
-# ID and name must be created. And the other way around - every time
-# a group is created, a pseudo-user with the same name and ID must be created.
-# Otherwise command like "ls" won't show the user/group names correctly
-# and command like "chown" won't understand the symbolic names correctly.
-#
-# The IDs in the common range can be used interchangeably in both the
-# user and group fields of file permissions. For example, if you have
-# groups group1 and group2 with IDs in the common range, you can do:
-#   chmod 240 file
-#   chown group1:group2 file
-# This would allow the group1 to write to the file and group2 to read
-# the file.
-#
-# This semantics works only for the access but not for modification of
-# the permissions. In the example above the members of group1 aren't allowed
-# to call chmod on the file. Such changes must be done either by root
-# or through the pseudo-user group1.
-#
-# If it's desiable to give the "owner group" of some files (like group1
-# in this example) the rights to change the permissions of all the files
-# it owns, it can be achieved through cloning the chmod binary and
-# adding the pseudo-user setuid rights to it:
-#   cp /bin/chmod /usr/local/bin/group1chmod
-#   chown group1 /usr/local/bin/group1chmod
-#   chmod u=xs,g=,o= /usr/local/bin/group1chmod
-# A similar thing can be done for chown.
-# In result all the members of group1 would be able to execute group1chmod,
-# which would assume the ID of pseudo-user "group1" and will be able
-# to change the file permissions.
-#
-# This logic does not work on the remote filesystems (such as NFS).
-
-options 	COMMONID	# Enable support for common UID/GID space
-
 # NFS options:
 options 	NFS_MINATTRTIMO=3	# VREG attrib cache timeout in sec
 options 	NFS_MAXATTRTIMO=60
--- a/sys/conf/options
+++ b/sys/conf/options
@ -163,7 +163,6 @@ VFS_AIO
 VERBOSE_SYSINIT	opt_global.h
 WLCACHE		opt_wavelan.h
 WLDEBUG		opt_wavelan.h
-COMMONID	opt_commonid.h

 # POSIX kernel options
 P1003_1B_MQUEUE			opt_posix.h
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@ -59,7 +59,6 @@ options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
 options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
-#options 	COMMONID		# Enable support for common UID/GID space

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
--- a/sys/ia64/conf/GENERIC
+++ b/sys/ia64/conf/GENERIC
@ -53,7 +53,6 @@ options 	SYSVSHM		# SYSV-style shared memory
 options 	UFS_ACL		# Support for access control lists
 options 	UFS_DIRHASH	# Hash-based directory lookup scheme
 options 	_KPOSIX_PRIORITY_SCHEDULING	# Posix P1003_1B RT extensions
-#options 	COMMONID		# Enable support for common UID/GID space

 # Various "busses"
 device		firewire	# FireWire bus code
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@ -43,7 +43,6 @@ __FBSDID("$FreeBSD$");

 #include "opt_ddb.h"
 #include "opt_mac.h"
-#include "opt_commonid.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -279,36 +278,6 @@ SYSCTL_INT(_debug, OID_AUTO, vnlru_nowhere, CTLFLAG_RW,
 #define VSHOULDFREE(vp) (!((vp)->v_iflag & VI_FREE) && !(vp)->v_holdcnt)
 #define VSHOULDBUSY(vp) (((vp)->v_iflag & VI_FREE) && (vp)->v_holdcnt)

-#ifdef COMMONID
-/*
- * Sysctl variables to control the unified user and group ID space.
- */
-
-/* ID below that are the traditional system IDs that 
- * can't be in the common space 
- */
-#define MINCOMMONID	100
-
-typedef struct {
-	int	enabled; /* flag: commonid is enabled */
-	int	low; /* the lowest common ID */
-	int	high; /* the highest common ID */
-} commonid_ctl_t;
-
-static commonid_ctl_t commonid = { 0, 1000, 60000 };  /* safe values */
-
-SYSCTL_NODE(_vfs, OID_AUTO, commonid, CTLFLAG_RW, 0, "Common UID/GID space");
-SYSCTL_NODE(_vfs_commonid, OID_AUTO, local, CTLFLAG_RW, 0, 
-	"Common UID/GID space for local filesystems");
-SYSCTL_INT(_vfs_commonid_local, OID_AUTO, enabled, CTLFLAG_RW, 
-	&commonid.enabled, 0, 
-	"Enable common UID/GID space for local filesystems");
-SYSCTL_INT(_vfs_commonid_local, OID_AUTO, low, CTLFLAG_RW, &commonid.low,
-	0, "Lowest common UID/GID value for local filesystems");
-SYSCTL_INT(_vfs_commonid_local, OID_AUTO, high, CTLFLAG_RW, &commonid.high,
-	0, "Highest common UID/GID value for local filesystems");
-
-#endif /* COMMONID */

 /*
 * Initialize the vnode management data structures.
@ -3202,47 +3171,6 @@ vaccess(enum vtype type, mode_t file_mode, uid_t file_uid, gid_t file_gid,
 		goto privcheck;
 	}

-#ifdef COMMONID
-	/* If the common UID/GID is enabled, check the user agains the
-	 * file GID and groups against file UID 
-	 */
-	if (commonid.enabled) {
-		if (commonid.low < MINCOMMONID) 
-			commonid.low = MINCOMMONID;
-
-		if (cred->cr_uid == file_gid 
-		    && file_gid >= commonid.low && file_gid <= commonid.high) {
-			/* no VADMIN in this case */
-			if (file_mode & S_IXGRP)
-				dac_granted |= VEXEC;
-			if (file_mode & S_IRGRP)
-				dac_granted |= VREAD;
-			if (file_mode & S_IWGRP)
-				dac_granted |= (VWRITE | VAPPEND);
-
-			if ((acc_mode & dac_granted) == acc_mode)
-				return (0);
-
-			goto privcheck;
-		}
-		if (file_uid >= commonid.low && file_uid <= commonid.high
-		    && groupmember(file_uid, cred)) {
-			/* no VADMIN in this case */
-			if (file_mode & S_IXUSR)
-				dac_granted |= VEXEC;
-			if (file_mode & S_IRUSR)
-				dac_granted |= VREAD;
-			if (file_mode & S_IWUSR)
-				dac_granted |= (VWRITE | VAPPEND);
-
-			if ((acc_mode & dac_granted) == acc_mode)
-				return (0);
-
-			goto privcheck;
-		}
-	}
-#endif /* COMMONID */
-
 	/* Otherwise, check the groups (first match) */
 	if (groupmember(file_gid, cred)) {
 		if (file_mode & S_IXGRP)
--- a/sys/pc98/conf/GENERIC
+++ b/sys/pc98/conf/GENERIC
@ -59,7 +59,6 @@ options 	SYSVMSG			# SYSV-style message queues
 options 	SYSVSEM			# SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
-#options 	COMMONID		# Enable support for common UID/GID space

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
--- a/sys/powerpc/conf/GENERIC
+++ b/sys/powerpc/conf/GENERIC
@ -57,7 +57,6 @@ options 	SYSVSHM			#SYSV-style shared memory
 options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
-#options 	COMMONID		# Enable support for common UID/GID space

 # Debugging for use in -current
 options 	KDB			#Enable the kernel debugger
--- a/sys/sparc64/conf/GENERIC
+++ b/sys/sparc64/conf/GENERIC
@ -58,7 +58,6 @@ options 	SYSVMSG			# SYSV-style message queues
 options 	SYSVSEM			# SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
-#options 	COMMONID		# Enable support for common UID/GID space

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.