Changeset 1179 for branches/fc11-dev/server/common
- Timestamp:
- Jun 8, 2009, 1:07:47 PM (16 years ago)
- Location:
- branches/fc11-dev/server/common
- Files:
-
- 5 edited
- 1 copied
branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac
r800 r1179 1 AC_INIT([nss_nonlocal], [1. 8], [andersk@mit.edu])1 AC_INIT([nss_nonlocal], [1.9], [andersk@mit.edu]) 2 2 AC_CANONICAL_TARGET 3 3 AM_INIT_AUTOMAKE([-Wall -Werror foreign]) -
branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c
r800 r1179 98 98 fct.ptr = fct_start; 99 99 do { 100 morebuf: 100 101 if (fct.l == _nss_nonlocal_getgrgid_r) 101 102 status = NSS_STATUS_NOTFOUND; 102 103 else 103 104 status = DL_CALL_FCT(fct.l, (gid, &gbuf, buf, buflen, errnop)); 104 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) 105 break; 105 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { 106 free(buf); 107 buflen *= 2; 108 buf = malloc(buflen); 109 if (buf == NULL) { 110 *errnop = ENOMEM; 111 errno = old_errno; 112 return NSS_STATUS_TRYAGAIN; 113 } 114 goto morebuf; 115 } 106 116 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); 107 117 … … 118 128 119 129 enum nss_status 120 get_local_group(const char *name, struct group *grp, char * buffer, size_t buflen, int *errnop)130 get_local_group(const char *name, struct group *grp, char **buffer, int *errnop) 121 131 { 122 132 static const char *fct_name = "getgrnam_r"; … … 130 140 void *ptr; 131 141 } fct; 132 struct group gbuf; 133 int n; 142 size_t buflen; 134 143 int old_errno = errno; 135 144 136 intlen = sysconf(_SC_GETGR_R_SIZE_MAX);137 char *buf = malloc(len);138 if ( buf== NULL) {145 buflen = sysconf(_SC_GETGR_R_SIZE_MAX); 146 *buffer = malloc(buflen); 147 if (*buffer == NULL) { 139 148 *errnop = ENOMEM; 140 149 errno = old_errno; … … 144 153 if (fct_start == NULL && 145 154 __nss_group_lookup(&startp, fct_name, &fct_start) != 0) { 146 free(buf); 155 free(*buffer); 156 *buffer = NULL; 147 157 return NSS_STATUS_UNAVAIL; 148 158 } … … 150 160 fct.ptr = fct_start; 151 161 do { 162 morebuf: 152 163 if (fct.l == _nss_nonlocal_getgrnam_r) 153 164 status = NSS_STATUS_NOTFOUND; 154 165 else 155 status = DL_CALL_FCT(fct.l, (name, &gbuf, buf, buflen, errnop)); 156 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) 157 break; 158 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); 159 160 if (status != NSS_STATUS_SUCCESS) 161 goto get_local_group_done; 162 163 n = snprintf(buffer, buflen, "%s", gbuf.gr_name); 164 if (n 
< 0 || n >= buflen) { 165 *errnop = ERANGE; 166 status = NSS_STATUS_TRYAGAIN; 167 goto get_local_group_done; 168 } 169 grp->gr_name = buffer; 170 buffer += n; 171 buflen -= n; 172 173 n = snprintf(buffer, buflen, "%s", gbuf.gr_passwd); 174 if (n < 0 || n >= buflen) { 175 *errnop = ERANGE; 176 status = NSS_STATUS_TRYAGAIN; 177 goto get_local_group_done; 178 } 179 grp->gr_passwd = buffer; 180 buffer += n; 181 buflen -= n; 182 183 grp->gr_gid = gbuf.gr_gid; 184 185 if (buflen < sizeof(void *)) { 186 *errnop = ERANGE; 187 status = NSS_STATUS_TRYAGAIN; 188 goto get_local_group_done; 189 } 190 *(void **)buffer = NULL; 191 buffer += sizeof(void *); 192 buflen -= sizeof(void *); 193 194 get_local_group_done: 195 free(buf); 166 status = DL_CALL_FCT(fct.l, (name, grp, *buffer, buflen, errnop)); 167 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { 168 free(*buffer); 169 buflen *= 2; 170 *buffer = malloc(buflen); 171 if (*buffer == NULL) { 172 *errnop = ENOMEM; 173 errno = old_errno; 174 return NSS_STATUS_TRYAGAIN; 175 } 176 goto morebuf; 177 } 178 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); 179 180 if (status != NSS_STATUS_SUCCESS) { 181 free(*buffer); 182 *buffer = NULL; 183 } 184 196 185 return status; 197 186 } … … 401 390 gid_t local_users_gid, gid; 402 391 int is_local = 0; 403 int buflen;404 392 char *buffer; 405 393 … … 413 401 int old_errno = errno; 414 402 415 buflen = sysconf(_SC_GETGR_R_SIZE_MAX);416 buffer = malloc(buflen);417 if (buffer == NULL) {418 *errnop = ENOMEM;419 errno = old_errno;420 return NSS_STATUS_TRYAGAIN;421 }422 403 status = get_local_group(MAGIC_LOCAL_GROUPNAME, 423 &local_users_group, buffer, buflen, errnop);404 &local_users_group, &buffer, errnop); 424 405 if (status == NSS_STATUS_SUCCESS) { 425 406 local_users_gid = local_users_group.gr_gid; 407 free(buffer); 426 408 } else if (status == NSS_STATUS_TRYAGAIN) { 427 free(buffer);428 409 return status; 429 410 } else { … … 432 413 local_users_gid = -1; 433 414 } 434 
free(buffer);435 415 436 416 if (is_local) { 437 417 gid = local_users_gid; 438 418 } else { 439 buflen = sysconf(_SC_GETGR_R_SIZE_MAX);440 buffer = malloc(buflen);441 if (buffer == NULL) {442 *errnop = ENOMEM;443 errno = old_errno;444 return NSS_STATUS_TRYAGAIN;445 }446 419 status = get_local_group(MAGIC_NONLOCAL_GROUPNAME, 447 &nonlocal_users_group, buffer, buflen, errnop);420 &nonlocal_users_group, &buffer, errnop); 448 421 if (status == NSS_STATUS_SUCCESS) { 449 422 gid = nonlocal_users_group.gr_gid; 423 free(buffer); 450 424 } else if (status == NSS_STATUS_TRYAGAIN) { 451 free(buffer);452 425 return status; 453 426 } else { … … 456 429 gid = -1; 457 430 } 458 free(buffer);459 431 } 460 432 -
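Review bot: The `morebuf` retry doubles `buflen` with no ceiling and no overflow check, so a backend module that keeps answering `NSS_STATUS_TRYAGAIN` with `ERANGE` makes the calling process reallocate until `malloc` fails; this applies to both loops in this file and to the two identical loops in nonlocal-passwd.c. Putting `if (buflen > BUFLEN_LIMIT / 2) break;` as the first statement of the `ERANGE` branch (`BUFLEN_LIMIT` being a placeholder for a cap the project chooses) would fall back to the pre-change behaviour once the cap is reached. Separately, in `get_local_group` the line `buflen = sysconf(_SC_GETGR_R_SIZE_MAX);` now stores a `long` in a `size_t`, so a -1 return, which POSIX permits, would become a request close to `SIZE_MAX`; checking the result for `<= 0` before the assignment avoids that. The getgrgid loop's function starts and ends outside the visible hunk, so what follows a `break` there should be confirmed.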
branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c
r782 r1179 96 96 fct.ptr = fct_start; 97 97 do { 98 morebuf: 98 99 if (fct.l == _nss_nonlocal_getpwuid_r) 99 100 status = NSS_STATUS_NOTFOUND; 100 101 else 101 102 status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop)); 102 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) 103 break; 103 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { 104 free(buf); 105 buflen *= 2; 106 buf = malloc(buflen); 107 if (buf == NULL) { 108 *errnop = ENOMEM; 109 errno = old_errno; 110 return NSS_STATUS_TRYAGAIN; 111 } 112 goto morebuf; 113 } 104 114 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); 105 115 … … 147 157 fct.ptr = fct_start; 148 158 do { 159 morebuf: 149 160 if (fct.l == _nss_nonlocal_getpwnam_r) 150 161 status = NSS_STATUS_NOTFOUND; 151 162 else 152 163 status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop)); 153 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) 154 break; 164 if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { 165 free(buf); 166 buflen *= 2; 167 buf = malloc(buflen); 168 if (buf == NULL) { 169 *errnop = ENOMEM; 170 errno = old_errno; 171 return NSS_STATUS_TRYAGAIN; 172 } 173 goto morebuf; 174 } 155 175 } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); 156 176 -
branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch
r1146 r1179 46 46 AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] ) 47 47 --- httpd-2.2.11/support/suexec.c.old 2008-11-30 10:47:31.000000000 -0500 48 +++ httpd-2.2.11/support/suexec.c 2009-06-0 3 05:16:45.000000000 -040048 +++ httpd-2.2.11/support/suexec.c 2009-06-08 09:02:17.000000000 -0400 49 49 @@ -30,6 +30,9 @@ 50 50 * … … 141 141 gid_t gid; /* target group placeholder */ 142 142 char *target_uname; /* target user name */ 143 @@ -350,6 +413,20 @@ 143 @@ -268,6 +331,7 @@ 144 * Start with a "clean" environment 145 */ 146 clean_env(); 147 + setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */ 148 149 prog = argv[0]; 150 /* 151 @@ -350,6 +414,20 @@ 144 152 #endif /*_OSD_POSIX*/ 145 153 … … 162 170 * or attempts to back up out of the current directory, 163 171 * to protect against attacks. If any are 164 @@ -371,6 +44 8,7 @@172 @@ -371,6 +449,7 @@ 165 173 userdir = 1; 166 174 } … … 170 178 * Error out if the target username is invalid. 171 179 */ 172 @@ -452,7 +53 0,7 @@180 @@ -452,7 +531,7 @@ 173 181 * Error out if attempt is made to execute as root or as 174 182 * a UID less than AP_UID_MIN. Tsk tsk. … … 179 187 exit(107); 180 188 } 181 @@ -484,6 +56 2,21 @@189 @@ -484,6 +563,21 @@ 182 190 log_err("failed to setuid (%ld: %s)\n", uid, cmd); 183 191 exit(110); … … 201 209 /* 202 210 * Get the current working directory, as well as the proper 203 @@ -506,6 + 599,21 @@211 @@ -506,6 +600,21 @@ 204 212 log_err("cannot get docroot information (%s)\n", target_homedir); 205 213 exit(112); … … 223 231 else { 224 232 if (((chdir(AP_DOC_ROOT)) != 0) || 225 @@ -532,15 +64 0,17 @@233 @@ -532,15 +641,17 @@ 226 234 /* 227 235 * Error out if cwd is writable by others. … … 242 250 exit(117); 243 251 } 244 @@ -548,10 +65 8,12 @@252 @@ -548,10 +659,12 @@ 245 253 /* 246 254 * Error out if the program is writable by others. … … 255 263 /* 256 264 * Error out if the file is setuid or setgid. 257 @@ -565,6 +67 7,7 @@265 
@@ -565,6 +678,7 @@ 258 266 * Error out if the target name/group is different from 259 267 * the name/group of the cwd or the program. … … 263 271 (gid != dir_info.st_gid) || 264 272 (uid != prg_info.st_uid) || 265 @@ -576,16 +6 89,33 @@273 @@ -576,16 +690,33 @@ 266 274 prg_info.st_uid, prg_info.st_gid); 267 275 exit(120); -
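Review bot: The added `setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1);` after `clean_env()` is a default rather than an enforced limit, because the target script inherits this environment and can unset or override the variable before it starts a JVM, and the `setenv` return value is not checked. If the goal is to cap memory per script, a `setrlimit()` call on `RLIMIT_AS` before the exec would be enforced by the kernel instead of by the child's cooperation. If the variable is kept, the comment should say what it does and does not guarantee, e.g. `/* scripts.mit.edu local hack: default JVM heap cap; advisory only, a script may override it */`, and a failed `setenv` should go through `log_err` like the other setup failures in this file.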
branches/fc11-dev/server/common/patches/openafs-scripts.patch
r1070 r1179 3 3 # with modifications by Joe Presbrey <presbrey@mit.edu> 4 4 # and Anders Kaseorg <andersk@mit.edu> 5 # and Edward Z. Yang <ezyang@mit.edu> 5 6 # 6 7 # This file is available under both the MIT license and the GPL. … … 43 44 # 44 45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c 45 --- openafs-1.4/src/afs/afs_analyze.c 2008-10-27 19:54:06.000000000 -040046 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 2009-04-08 08:07:22.000000000 -040046 --- openafs-1.4/src/afs/afs_analyze.c 47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 47 48 @@ -585,7 +585,7 @@ 48 49 (afid ? afid->Fid.Volume : 0)); … … 54 55 (aerrP->err_Volume)++; 55 56 areq->volumeError = VOLBUSY; 57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c 59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 60 
@@ -875,6 +875,28 @@ 61 /* should we always update the attributes at this point? */ 62 /* unlikely--the vcache entry hasn't changed */ 63 64 + /* [scripts] This code makes hardlinks work correctly. 65 + * 66 + * We want Apache to be able to read a file with hardlinks 67 + * named .htaccess and foo to be able to read it via .htaccess 68 + * and not via foo, regardless of which name was looked up 69 + * (remember, inodes do not have filenames associated with them.) 70 + * 71 + * It is important that we modify the existing cache entry even 72 + * if it is otherwise totally valid and would not be reloaded. 73 + * Otherwise, it won't recover from repeatedly reading the same 74 + * inode via multiple hardlinks or different names. Specifically, 75 + * Apache will be able to read both names if it was first looked 76 + * up (by anyone!) via .htaccess, and neither if it was first 77 + * looked up via foo. 78 + * 79 + * With regards to performance, the strncmp() is bounded by 80 + * three characters, so it takes O(3) operations. If this code 81 + * is extended to all static-cat extensions, we'll want to do 82 + * some clever hashing using gperf here. 83 + */ 84 + vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0; 85 + 86 } else { 87 #ifdef notyet 88 pvcp = VTOAFS(dp->d_parent->d_inode); /* dget_parent()? */ 89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c 91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 92 
@@ -1572,6 +1572,12 @@ 93 } 94 95 done: 96 + if (tvc) { 97 + /* [scripts] check Apache's ability to read this file, so that 98 + * we can figure this out on an access() call */ 99 + tvc->apache_access = strncmp(aname, ".ht", 3) == 0; 100 + } 101 + 102 /* put the network buffer back, if need be */ 103 if (tname != aname && tname) 104 osi_FreeLargeSpace(tname); 56 105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h 57 --- openafs-1.4/src/afs/afs.h 2009-01-19 14:27:19.000000000 -050058 +++ openafs-1.4+scripts/src/afs/afs.h 2009-04-08 08:07:22.000000000 -0400106 --- openafs-1.4/src/afs/afs.h 107 +++ openafs-1.4+scripts/src/afs/afs.h 59 108 @@ -208,8 +208,16 @@ 60 109 #define QTOC(e) QEntry(e, struct cell, lruq) … … 74 123 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ 75 124 char initd; /* if non-zero, Error fields meaningful */ 125 @@ -743,6 +751,7 @@ 126 #ifdef AFS_SUN5_ENV 127 short multiPage; /* count of multi-page getpages in progress */ 128 #endif 129 + int apache_access; /* whether or not Apache has access to a file */ 130 }; 131 132 #define DONT_CHECK_MODE_BITS 0 76 133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c 77 --- openafs-1.4/src/afs/afs_osi_pag.c 2008-10-20 15:29:46.000000000 -040078 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 2009-04-08 08:07:22.000000000 -0400134 --- openafs-1.4/src/afs/afs_osi_pag.c 135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 79 136 @@ -51,6 +51,8 @@ 80 137 #endif … … 103 160 } 104 161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c 105 --- openafs-1.4/src/afs/afs_pioctl.c 2009-01-19 13:09:34.000000000 -0500106 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 2009-04-08 08:07:22.000000000 -0400162 --- openafs-1.4/src/afs/afs_pioctl.c 163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 107 164 
@@ -1217,6 +1217,10 @@ 108 165 struct AFSFetchStatus OutStatus; … … 150 207 return EIO; /* Inappropriate ioctl for device */ 151 208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 152 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500153 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 154 211 @@ -118,6 +118,17 @@ 155 212 … … 170 227 } else { 171 228 /* some rights come from dir and some from file. Specifically, you 172 @@ -171,6 +182,1 8@@229 @@ -171,6 +182,19 @@ 173 230 fileBits |= PRSFS_READ; 174 231 } … … 180 237 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && 181 238 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && 182 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) && 239 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && 240 + (avc->m.Mode == 0100777 || avc->apache_access)) && 183 241 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 184 242 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { … … 190 248 } 191 249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 192 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 2009-01-13 14:37:28.000000000 -0500193 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 2009-04-08 08:07:22.000000000 -0400250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 194 252 @@ -87,8 +87,8 @@ 195 253 }
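Review bot: `apache_access` lives on the shared vcache entry and is overwritten by every lookup, so the `PRSFS_READ` decision for `HTTPD_UID` in afs_vnop_access.c depends on whichever name any process most recently used for that inode; between Apache's lookup of `.htaccess` and its read, a lookup through another hard link can flip the flag in either direction. The comment added in osi_vnodeops.c describes the cross-name effect, but the field declaration in afs.h should carry it as well, e.g. `int apache_access; /* last lookup name began with ".ht"; written by any user's lookup, last writer wins */`. The check is also a prefix match, so any name beginning with `.ht` enables the read, not only `.htaccess`; if that is intended the comment should say so. No locking is visible around either assignment in these hunks, which sit inside larger functions that start and end outside them.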