Timestamp:
Jun 8, 2009, 1:07:47 PM (13 years ago)
Author:
mitchb
Message:
Merge r1121:1178 from trunk to branches/fc11-dev
Location:
branches/fc11-dev/server/common
Files:
5 edited
1 copied

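--- a/branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac
+++ b/branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac
@@ -1,3 +1,3 @@
-AC_INIT([nss_nonlocal], [1.8], [andersk@mit.edu])
+AC_INIT([nss_nonlocal], [1.9], [andersk@mit.edu])
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE([-Wall -Werror foreign])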
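--- a/branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c
+++ b/branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c
@@ -98,10 +98,20 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getgrgid_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (gid, &gbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 
@@ -118,5 +128,5 @@
 
 enum nss_status
-get_local_group(const char *name, struct group *grp, char *buffer, size_t buflen, int *errnop)
+get_local_group(const char *name, struct group *grp, char **buffer, int *errnop)
 {
     static const char *fct_name = "getgrnam_r";
@@ -130,11 +140,10 @@
         void *ptr;
     } fct;
-    struct group gbuf;
-    int n;
+    size_t buflen;
     int old_errno = errno;
 
-    int len = sysconf(_SC_GETGR_R_SIZE_MAX);
-    char *buf = malloc(len);
-    if (buf == NULL) {
+    buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+    *buffer = malloc(buflen);
+    if (*buffer == NULL) {
         *errnop = ENOMEM;
         errno = old_errno;
@@ -144,5 +153,6 @@
     if (fct_start == NULL &&
         __nss_group_lookup(&startp, fct_name, &fct_start) != 0) {
-        free(buf);
+        free(*buffer);
+        *buffer = NULL;
         return NSS_STATUS_UNAVAIL;
     }
@@ -150,48 +160,27 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getgrnam_r)
             status = NSS_STATUS_NOTFOUND;
         else
-            status = DL_CALL_FCT(fct.l, (name, &gbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-
-    if (status != NSS_STATUS_SUCCESS)
-        goto get_local_group_done;
-
-    n = snprintf(buffer, buflen, "%s", gbuf.gr_name);
-    if (n < 0 || n >= buflen) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    grp->gr_name = buffer;
-    buffer += n;
-    buflen -= n;
-
-    n = snprintf(buffer, buflen, "%s", gbuf.gr_passwd);
-    if (n < 0 || n >= buflen) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    grp->gr_passwd = buffer;
-    buffer += n;
-    buflen -= n;
-
-    grp->gr_gid = gbuf.gr_gid;
-
-    if (buflen < sizeof(void *)) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    *(void **)buffer = NULL;
-    buffer += sizeof(void *);
-    buflen -= sizeof(void *);
-
- get_local_group_done:
-    free(buf);
+            status = DL_CALL_FCT(fct.l, (name, grp, *buffer, buflen, errnop));
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(*buffer);
+            buflen *= 2;
+            *buffer = malloc(buflen);
+            if (*buffer == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
+    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+    if (status != NSS_STATUS_SUCCESS) {
+        free(*buffer);
+        *buffer = NULL;
+    }
+
     return status;
 }
@@ -401,5 +390,4 @@
     gid_t local_users_gid, gid;
     int is_local = 0;
-    int buflen;
     char *buffer;
 
@@ -413,17 +401,10 @@
     int old_errno = errno;
 
-    buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-    buffer = malloc(buflen);
-    if (buffer == NULL) {
-        *errnop = ENOMEM;
-        errno = old_errno;
-        return NSS_STATUS_TRYAGAIN;
-    }
     status = get_local_group(MAGIC_LOCAL_GROUPNAME,
-                             &local_users_group, buffer, buflen, errnop);
+                             &local_users_group, &buffer, errnop);
     if (status == NSS_STATUS_SUCCESS) {
         local_users_gid = local_users_group.gr_gid;
+        free(buffer);
     } else if (status == NSS_STATUS_TRYAGAIN) {
-        free(buffer);
         return status;
     } else {
@@ -432,22 +413,14 @@
         local_users_gid = -1;
     }
-    free(buffer);
 
     if (is_local) {
         gid = local_users_gid;
     } else {
-        buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-        buffer = malloc(buflen);
-        if (buffer == NULL) {
-            *errnop = ENOMEM;
-            errno = old_errno;
-            return NSS_STATUS_TRYAGAIN;
-        }
         status = get_local_group(MAGIC_NONLOCAL_GROUPNAME,
-                                 &nonlocal_users_group, buffer, buflen, errnop);
+                                 &nonlocal_users_group, &buffer, errnop);
         if (status == NSS_STATUS_SUCCESS) {
             gid = nonlocal_users_group.gr_gid;
+            free(buffer);
         } else if (status == NSS_STATUS_TRYAGAIN) {
-            free(buffer);
             return status;
         } else {
@@ -456,5 +429,4 @@
             gid = -1;
         }
-        free(buffer);
     }
 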
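Review bot: The new ERANGE retry (`buflen *= 2; buf = malloc(buflen);` followed by `goto morebuf`) has no upper bound, so a backend that keeps answering NSS_STATUS_TRYAGAIN with ERANGE makes the lookup double its allocation until malloc fails; the same loop is added in get_local_group() and in both hunks of nonlocal-passwd.c. A cap checked after the `free` and before the doubling would bound it, for example `if (buflen > BUFLEN_LIMIT / 2) { *errnop = ENOMEM; errno = old_errno; return NSS_STATUS_TRYAGAIN; }`, where BUFLEN_LIMIT is a placeholder for a limit the project picks (get_local_group would also have to set `*buffer = NULL` on that path). Separately, `buflen = sysconf(_SC_GETGR_R_SIZE_MAX);` now stores the result in a size_t, and sysconf may return -1 when the limit is indeterminate, which becomes a huge request and an ENOMEM failure; falling back to a fixed initial size for a non-positive result would avoid that. The function containing the first loop begins outside the visible hunk.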
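--- a/branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c
+++ b/branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c
@@ -96,10 +96,20 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getpwuid_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 
@@ -147,10 +157,20 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getpwnam_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 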
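--- a/branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch
+++ b/branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch
@@ -46,5 +46,5 @@
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
 --- httpd-2.2.11/support/suexec.c.old   2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c       2009-06-03 05:16:45.000000000 -0400
++++ httpd-2.2.11/support/suexec.c       2009-06-08 09:02:17.000000000 -0400
 @@ -30,6 +30,9 @@
   *
@@ -141,5 +141,13 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -350,6 +413,20 @@
+@@ -268,6 +331,7 @@
+      * Start with a "clean" environment
+      */
+     clean_env();
++    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
+ 
+     prog = argv[0];
+     /*
+@@ -350,6 +414,20 @@
  #endif /*_OSD_POSIX*/
  
@@ -162,5 +170,5 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +448,7 @@
+@@ -371,6 +449,7 @@
          userdir = 1;
      }
@@ -170,5 +178,5 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +530,7 @@
+@@ -452,7 +531,7 @@
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -179,5 +187,5 @@
          exit(107);
      }
-@@ -484,6 +562,21 @@
+@@ -484,6 +563,21 @@
          log_err("failed to setuid (%ld: %s)\n", uid, cmd);
          exit(110);
@@ -201,5 +209,5 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +599,21 @@
+@@ -506,6 +600,21 @@
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -223,5 +231,5 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +640,17 @@
+@@ -532,15 +641,17 @@
      /*
       * Error out if cwd is writable by others.
@@ -242,5 +250,5 @@
          exit(117);
      }
-@@ -548,10 +658,12 @@
+@@ -548,10 +659,12 @@
      /*
       * Error out if the program is writable by others.
@@ -255,5 +263,5 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +677,7 @@
+@@ -565,6 +678,7 @@
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -263,5 +271,5 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,16 +689,33 @@
+@@ -576,16 +690,33 @@
                  prg_info.st_uid, prg_info.st_gid);
          exit(120);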
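Review bot: The added `setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1);` after `clean_env()` discards the return value, so a failure there lets the target program start without the heap default and leaves nothing in the suexec log; `if (setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1) != 0) log_err("failed to set JAVA_TOOL_OPTIONS\n");` would at least record it. The variable is also only a default that the executed program can unset or override, so it should not be read as a resource limit. The comment could say so, e.g. `/* scripts.mit.edu local hack: default JVM heap size, advisory only */`. The surrounding function body lies outside the hunk.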
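--- a/branches/fc11-dev/server/common/patches/openafs-scripts.patch
+++ b/branches/fc11-dev/server/common/patches/openafs-scripts.patch
@@ -3,4 +3,5 @@
 # with modifications by Joe Presbrey <presbrey@mit.edu>
 # and Anders Kaseorg <andersk@mit.edu>
+# and Edward Z. Yang <ezyang@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -43,6 +44,6 @@
 #
 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
---- openafs-1.4/src/afs/afs_analyze.c   2008-10-27 19:54:06.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_analyze.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_analyze.c
++++ openafs-1.4+scripts/src/afs/afs_analyze.c
 @@ -585,7 +585,7 @@
                          (afid ? afid->Fid.Volume : 0));
@@ -54,7 +55,55 @@
                 (aerrP->err_Volume)++;
             areq->volumeError = VOLBUSY;
+diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+--- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
++++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+@@ -875,6 +875,28 @@
+        /* should we always update the attributes at this point? */
+        /* unlikely--the vcache entry hasn't changed */
+ 
++       /* [scripts] This code makes hardlinks work correctly.
++        *
++        * We want Apache to be able to read a file with hardlinks
++        * named .htaccess and foo to be able to read it via .htaccess
++        * and not via foo, regardless of which name was looked up
++        * (remember, inodes do not have filenames associated with them.)
++        *
++        * It is important that we modify the existing cache entry even
++        * if it is otherwise totally valid and would not be reloaded.
++        * Otherwise, it won't recover from repeatedly reading the same
++        * inode via multiple hardlinks or different names.  Specifically,
++        * Apache will be able to read both names if it was first looked
++        * up (by anyone!) via .htaccess, and neither if it was first
++        * looked up via foo.
++        *
++        * With regards to performance, the strncmp() is bounded by
++        * three characters, so it takes O(3) operations.  If this code
++        * is extended to all static-cat extensions, we'll want to do
++        * some clever hashing using gperf here.
++        */
++       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
++
+     } else {
+ #ifdef notyet
+        pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
+diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+@@ -1572,6 +1572,12 @@
+     }
+ 
+   done:
++    if (tvc) {
++       /* [scripts] check Apache's ability to read this file, so that
++        * we can figure this out on an access() call */
++       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
++    }
++
+     /* put the network buffer back, if need be */
+     if (tname != aname && tname)
+        osi_FreeLargeSpace(tname);
 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
---- openafs-1.4/src/afs/afs.h   2009-01-19 14:27:19.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs.h   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs.h
++++ openafs-1.4+scripts/src/afs/afs.h
 @@ -208,8 +208,16 @@
  #define QTOC(e)            QEntry(e, struct cell, lruq)
@@ -74,7 +123,15 @@
      afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
      char initd;                        /* if non-zero, Error fields meaningful */
+@@ -743,6 +751,7 @@
+ #ifdef AFS_SUN5_ENV
+     short multiPage;           /* count of multi-page getpages in progress */
+ #endif
++    int apache_access;         /* whether or not Apache has access to a file */
+ };
+ 
+ #define        DONT_CHECK_MODE_BITS    0
 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
---- openafs-1.4/src/afs/afs_osi_pag.c   2008-10-20 15:29:46.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_osi_pag.c
++++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
 @@ -51,6 +51,8 @@
  #endif
@@ -103,6 +160,6 @@
  }
 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
---- openafs-1.4/src/afs/afs_pioctl.c    2009-01-19 13:09:34.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs_pioctl.c    2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_pioctl.c
++++ openafs-1.4+scripts/src/afs/afs_pioctl.c
 @@ -1217,6 +1217,10 @@
      struct AFSFetchStatus OutStatus;
@@ -150,6 +207,6 @@
        return EIO;             /* Inappropriate ioctl for device */
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
 @@ -118,6 +118,17 @@
  
@@ -170,5 +227,5 @@
      } else {
        /* some rights come from dir and some from file.  Specifically, you
-@@ -171,6 +182,18 @@
+@@ -171,6 +182,19 @@
                    fileBits |= PRSFS_READ;
            }
@@ -180,5 +237,6 @@
 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
 +             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
-+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
++             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
++                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
 +             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
 +             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
@@ -190,6 +248,6 @@
  }
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c  2009-01-13 14:37:28.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c  2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
 @@ -87,8 +87,8 @@
        }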
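Review bot: The new `avc->apache_access` term in the PRSFS_READ check for HTTPD_UID trusts a per-vcache flag that the visible hunks write in only two places, the osi_vnodeops.c hunk (`vcp->apache_access = ...`) and the `done:` label in afs_vnop_lookup.c, and no visible hunk sets it when a vcache is created or recycled. If a vcache can reach the access check without passing through one of those assignments, the flag holds whatever an earlier name left there, so it is worth confirming that it is initialised to 0 wherever vcaches are set up. The flag also belongs to the inode and is overwritten by whichever name was looked up last, so a lookup through another hard link between Apache's lookup and its access check can change the answer. The long comment explains the recovery behaviour but not that window, and the field comment in afs.h could state it: `/* [scripts] set from the most recently looked-up name; may change between lookup and access() */`. Parts of the patched functions lie outside the visible context.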