Changeset 1134


Ignore:
Timestamp:
May 26, 2009, 10:57:18 PM (15 years ago)
Author:
ezyang
Message:
Update OpenAFS patch to not need 777 for .htaccess files.

Symlinks to files that are not named .htaccess still need to be
777; if a file is hard linked, Apache can access it through its
.htaccess name but not through any other name.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/server/common/patches/openafs-scripts.patch

    r1070 r1134  
    33# with modifications by Joe Presbrey <presbrey@mit.edu>
    44# and Anders Kaseorg <andersk@mit.edu>
     5# and Edward Z. Yang <ezyang@mit.edu>
    56#
    67# This file is available under both the MIT license and the GPL.
     
    4344#
    4445diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
    45 --- openafs-1.4/src/afs/afs_analyze.c   2008-10-27 19:54:06.000000000 -0400
    46 +++ openafs-1.4+scripts/src/afs/afs_analyze.c   2009-04-08 08:07:22.000000000 -0400
     46--- openafs-1.4/src/afs/afs_analyze.c
     47+++ openafs-1.4+scripts/src/afs/afs_analyze.c
    4748@@ -585,7 +585,7 @@
    4849                         (afid ? afid->Fid.Volume : 0));
     
    5455                (aerrP->err_Volume)++;
    5556            areq->volumeError = VOLBUSY;
     57diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
     58--- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
     59+++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
     60@@ -875,6 +875,28 @@
     61        /* should we always update the attributes at this point? */
     62        /* unlikely--the vcache entry hasn't changed */
     63 
     64+       /* [scripts] This code makes hardlinks work correctly.
     65+        *
     66+        * We want Apache to be able to read a file with hardlinks
     67+        * named .htaccess and foo to be able to read it via .htaccess
     68+        * and not via foo, regardless of which name was looked up
     69+        * (remember, inodes do not have filenames associated with them.)
     70+        *
     71+        * It is important that we modify the existing cache entry even
     72+        * if it is otherwise totally valid and would not be reloaded.
     73+        * Otherwise, it won't recover from repeatedly reading the same
     74+        * inode via multiple hardlinks or different names.  Specifically,
     75+        * Apache will be able to read both names if it was first looked
     76+        * up (by anyone!) via .htaccess, and neither if it was first
     77+        * looked up via foo.
     78+        *
     79+        * With regards to performance, the strncmp() is bounded by
     80+        * three characters, so it takes O(3) operations.  If this code
     81+        * is extended to all static-cat extensions, we'll want to do
     82+        * some clever hashing using gperf here.
     83+        */
     84+       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
     85+
     86     } else {
     87 #ifdef notyet
     88        pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
     89diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
     90--- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
     91+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
     92@@ -1572,6 +1572,12 @@
     93     }
     94 
     95   done:
     96+    if (tvc) {
     97+       /* [scripts] check Apache's ability to read this file, so that
     98+        * we can figure this out on an access() call */
     99+       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
     100+    }
     101+
     102     /* put the network buffer back, if need be */
     103     if (tname != aname && tname)
     104        osi_FreeLargeSpace(tname);
    56105diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
    57 --- openafs-1.4/src/afs/afs.h   2009-01-19 14:27:19.000000000 -0500
    58 +++ openafs-1.4+scripts/src/afs/afs.h   2009-04-08 08:07:22.000000000 -0400
     106--- openafs-1.4/src/afs/afs.h
     107+++ openafs-1.4+scripts/src/afs/afs.h
    59108@@ -208,8 +208,16 @@
    60109 #define QTOC(e)            QEntry(e, struct cell, lruq)
     
    74123     afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
    75124     char initd;                        /* if non-zero, Error fields meaningful */
     125@@ -743,6 +751,7 @@
     126 #ifdef AFS_SUN5_ENV
     127     short multiPage;           /* count of multi-page getpages in progress */
     128 #endif
     129+    bool apache_access;                /* whether or not Apache has access to a file */
     130 };
     131 
     132 #define        DONT_CHECK_MODE_BITS    0
    76133diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
    77 --- openafs-1.4/src/afs/afs_osi_pag.c   2008-10-20 15:29:46.000000000 -0400
    78 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c   2009-04-08 08:07:22.000000000 -0400
     134--- openafs-1.4/src/afs/afs_osi_pag.c
     135+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
    79136@@ -51,6 +51,8 @@
    80137 #endif
     
    103160 }
    104161diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
    105 --- openafs-1.4/src/afs/afs_pioctl.c    2009-01-19 13:09:34.000000000 -0500
    106 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c    2009-04-08 08:07:22.000000000 -0400
     162--- openafs-1.4/src/afs/afs_pioctl.c
     163+++ openafs-1.4+scripts/src/afs/afs_pioctl.c
    107164@@ -1217,6 +1217,10 @@
    108165     struct AFSFetchStatus OutStatus;
     
    150207        return EIO;             /* Inappropriate ioctl for device */
    151208diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    152 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500
    153 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400
     209--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
     210+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
    154211@@ -118,6 +118,17 @@
    155212 
     
    170227     } else {
    171228        /* some rights come from dir and some from file.  Specifically, you
    172 @@ -171,6 +182,18 @@
     229@@ -171,6 +182,19 @@
    173230                    fileBits |= PRSFS_READ;
    174231            }
     
    180237+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
    181238+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
    182 +             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
     239+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
     240+                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
    183241+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
    184242+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
     
    190248 }
    191249diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    192 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c  2009-01-13 14:37:28.000000000 -0500
    193 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c  2009-04-08 08:07:22.000000000 -0400
     250--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
     251+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
    194252@@ -87,8 +87,8 @@
    195253        }
Note: See TracChangeset for help on using the changeset viewer.