Log that it's xrootd-multiuser denying access, not the file system

matyasselmeci · matyasselmeci · commit c309461a1676 · 2023-12-27T11:56:51.000-06:00
Since the various operations just return -EACCES when xrootd-multiuser
couldn't change users (or groups), it's confusing whether access is denied
by the file system, or by xrootd-multiuser itself.  Make it explicit
via a log message.
diff --git a/src/UserSentry.hh b/src/UserSentry.hh
@@ -153,17 +153,21 @@ public:
         if (result == nullptr) {
             if (retval) {  // There's an actual error in the lookup.
                 m_log.Emsg("UserSentry", "Failure when looking up UID for username", username.c_str(), strerror(retval));
+                m_log.Emsg("UserSentry", "Multiuser denying access");
             } else {  // Username doesn't exist.
                 m_log.Emsg("UserSentry", "XRootD mapped request to username that does not exist:", username.c_str());
+                m_log.Emsg("UserSentry", "Multiuser denying access");
             }
             return;
         }
         if (pwd.pw_uid < g_minimum_uid) {
             m_log.Emsg("UserSentry", "Username", username.c_str(), "maps to a system UID; rejecting lookup");
+            m_log.Emsg("UserSentry", "Multiuser denying access");
             return;
         }
         if (pwd.pw_gid < g_minimum_gid) {
             m_log.Emsg("UserSentry", "Username", username.c_str(), "maps to a system GID; rejecting lookup");
+            m_log.Emsg("UserSentry", "Multiuser denying access");
             return;
         }
 
@@ -182,6 +186,7 @@ public:
         } while (1);
         if (-1 == retval) {
             m_log.Emsg("UserSentry", "Failure when looking up supplementary groups for username", username.c_str());
+            m_log.Emsg("UserSentry", "Multiuser denying access");
             return;
         }
 
@@ -193,6 +198,7 @@ public:
         m_orig_uid = setfsuid(result->pw_uid);
         if (m_orig_uid < 0) {
             m_log.Emsg("UserSentry", "Failed to switch FS uid for user", username.c_str());
+            m_log.Emsg("UserSentry", "Multiuser denying access");
             return;
         }
         m_orig_gid = setfsgid(result->pw_gid);

Original file line number	Diff line number	Diff line change
`@@ -153,17 +153,21 @@ public:`
`153`	`153`	`if (result == nullptr) {`
`154`	`154`	`if (retval) { // There's an actual error in the lookup.`
`155`	`155`	`m_log.Emsg("UserSentry", "Failure when looking up UID for username", username.c_str(), strerror(retval));`
	`156`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`156`	`157`	`} else { // Username doesn't exist.`
`157`	`158`	`m_log.Emsg("UserSentry", "XRootD mapped request to username that does not exist:", username.c_str());`
	`159`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`158`	`160`	`}`
`159`	`161`	`return;`
`160`	`162`	`}`
`161`	`163`	`if (pwd.pw_uid < g_minimum_uid) {`
`162`	`164`	`m_log.Emsg("UserSentry", "Username", username.c_str(), "maps to a system UID; rejecting lookup");`
	`165`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`163`	`166`	`return;`
`164`	`167`	`}`
`165`	`168`	`if (pwd.pw_gid < g_minimum_gid) {`
`166`	`169`	`m_log.Emsg("UserSentry", "Username", username.c_str(), "maps to a system GID; rejecting lookup");`
	`170`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`167`	`171`	`return;`
`168`	`172`	`}`
`169`	`173`
`@@ -182,6 +186,7 @@ public:`
`182`	`186`	`} while (1);`
`183`	`187`	`if (-1 == retval) {`
`184`	`188`	`m_log.Emsg("UserSentry", "Failure when looking up supplementary groups for username", username.c_str());`
	`189`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`185`	`190`	`return;`
`186`	`191`	`}`
`187`	`192`
`@@ -193,6 +198,7 @@ public:`
`193`	`198`	`m_orig_uid = setfsuid(result->pw_uid);`
`194`	`199`	`if (m_orig_uid < 0) {`
`195`	`200`	`m_log.Emsg("UserSentry", "Failed to switch FS uid for user", username.c_str());`
	`201`	`+ m_log.Emsg("UserSentry", "Multiuser denying access");`
`196`	`202`	`return;`
`197`	`203`	`}`
`198`	`204`	`m_orig_gid = setfsgid(result->pw_gid);`