Changeset 1179 for branches/fc11-dev/server/common

Timestamp:

Jun 8, 2009, 1:07:47 PM (15 years ago)

Author:

mitchb

Message:

Merge r1121:1178 from trunk to branches/fc11-dev

Location:

branches/fc11-dev/server/common

Files:

• oursrc/nss_nonlocal/configure.ac (modified) (1 diff)
• oursrc/nss_nonlocal/nonlocal-group.c (modified) (9 diffs)
• oursrc/nss_nonlocal/nonlocal-passwd.c (modified) (2 diffs)
• oursrc/php_scripts (copied) (copied from trunk/server/common/oursrc/php_scripts)
• patches/httpd-suexec-scripts.patch (modified) (10 diffs)
• patches/openafs-scripts.patch (modified) (9 diffs)

branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac

@@ -1 @@
-AC_INIT([nss_nonlocal], [1.8], [andersk@mit.edu])
+AC_INIT([nss_nonlocal], [1.9], [andersk@mit.edu])
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE([-Wall -Werror foreign])

branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c

@@ -98 +98 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getgrgid_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (gid, &gbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 
@@ -118 +128 @@
 
 enum nss_status
-get_local_group(const char *name, struct group *grp, char *buffer, size_t buflen, int *errnop)
+get_local_group(const char *name, struct group *grp, char **buffer, int *errnop)
 {
     static const char *fct_name = "getgrnam_r";
@@ -130 +140 @@
         void *ptr;
     } fct;
-    struct group gbuf;
-    int n;
+    size_t buflen;
     int old_errno = errno;
 
-    int len = sysconf(_SC_GETGR_R_SIZE_MAX);
-    char *buf = malloc(len);
-    if (buf == NULL) {
+    buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+    *buffer = malloc(buflen);
+    if (*buffer == NULL) {
         *errnop = ENOMEM;
         errno = old_errno;
@@ -144 +153 @@
     if (fct_start == NULL &&
         __nss_group_lookup(&startp, fct_name, &fct_start) != 0) {
-        free(buf);
+        free(*buffer);
+        *buffer = NULL;
         return NSS_STATUS_UNAVAIL;
     }
@@ -150 +160 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getgrnam_r)
             status = NSS_STATUS_NOTFOUND;
         else
-            status = DL_CALL_FCT(fct.l, (name, &gbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-
-    if (status != NSS_STATUS_SUCCESS)
-        goto get_local_group_done;
-
-    n = snprintf(buffer, buflen, "%s", gbuf.gr_name);
-    if (n < 0 || n >= buflen) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    grp->gr_name = buffer;
-    buffer += n;
-    buflen -= n;
-
-    n = snprintf(buffer, buflen, "%s", gbuf.gr_passwd);
-    if (n < 0 || n >= buflen) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    grp->gr_passwd = buffer;
-    buffer += n;
-    buflen -= n;
-
-    grp->gr_gid = gbuf.gr_gid;
-
-    if (buflen < sizeof(void *)) {
-        *errnop = ERANGE;
-        status = NSS_STATUS_TRYAGAIN;
-        goto get_local_group_done;
-    }
-    *(void **)buffer = NULL;
-    buffer += sizeof(void *);
-    buflen -= sizeof(void *);
-
- get_local_group_done:
-    free(buf);
+            status = DL_CALL_FCT(fct.l, (name, grp, *buffer, buflen, errnop));
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(*buffer);
+            buflen *= 2;
+            *buffer = malloc(buflen);
+            if (*buffer == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
+    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+
+    if (status != NSS_STATUS_SUCCESS) {
+        free(*buffer);
+        *buffer = NULL;
+    }
+
     return status;
 }
@@ -401 +390 @@
     gid_t local_users_gid, gid;
     int is_local = 0;
-    int buflen;
     char *buffer;
 
@@ -413 +401 @@
     int old_errno = errno;
 
-    buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-    buffer = malloc(buflen);
-    if (buffer == NULL) {
-        *errnop = ENOMEM;
-        errno = old_errno;
-        return NSS_STATUS_TRYAGAIN;
-    }
     status = get_local_group(MAGIC_LOCAL_GROUPNAME,
-                             &local_users_group, buffer, buflen, errnop);
+                             &local_users_group, &buffer, errnop);
     if (status == NSS_STATUS_SUCCESS) {
         local_users_gid = local_users_group.gr_gid;
+        free(buffer);
     } else if (status == NSS_STATUS_TRYAGAIN) {
-        free(buffer);
         return status;
     } else {
@@ -432 +413 @@
         local_users_gid = -1;
     }
-    free(buffer);
 
     if (is_local) {
         gid = local_users_gid;
     } else {
-        buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-        buffer = malloc(buflen);
-        if (buffer == NULL) {
-            *errnop = ENOMEM;
-            errno = old_errno;
-            return NSS_STATUS_TRYAGAIN;
-        }
         status = get_local_group(MAGIC_NONLOCAL_GROUPNAME,
-                                 &nonlocal_users_group, buffer, buflen, errnop);
+                                 &nonlocal_users_group, &buffer, errnop);
         if (status == NSS_STATUS_SUCCESS) {
             gid = nonlocal_users_group.gr_gid;
+            free(buffer);
         } else if (status == NSS_STATUS_TRYAGAIN) {
-            free(buffer);
             return status;
         } else {
@@ -456 +429 @@
             gid = -1;
         }
-        free(buffer);
     }
 

branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c

@@ -96 +96 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getpwuid_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 
@@ -147 +157 @@
     fct.ptr = fct_start;
     do {
+    morebuf:
         if (fct.l == _nss_nonlocal_getpwnam_r)
             status = NSS_STATUS_NOTFOUND;
         else
             status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
+        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
+            free(buf);
+            buflen *= 2;
+            buf = malloc(buflen);
+            if (buf == NULL) {
+                *errnop = ENOMEM;
+                errno = old_errno;
+                return NSS_STATUS_TRYAGAIN;
+            }
+            goto morebuf;
+        }
     } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
 

branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch

@@ -46 +46 @@
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
 --- httpd-2.2.11/support/suexec.c.old   2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c       2009-06-03 05:16:45.000000000 -0400
++++ httpd-2.2.11/support/suexec.c       2009-06-08 09:02:17.000000000 -0400
 @@ -30,6 +30,9 @@
   *
@@ -141 +141 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -350,6 +413,20 @@
+@@ -268,6 +331,7 @@
+      * Start with a "clean" environment
+      */
+     clean_env();
++    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
+ 
+     prog = argv[0];
+     /*
+@@ -350,6 +414,20 @@
  #endif /*_OSD_POSIX*/
  
@@ -162 +170 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +448,7 @@
+@@ -371,6 +449,7 @@
          userdir = 1;
      }
@@ -170 +178 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +530,7 @@
+@@ -452,7 +531,7 @@
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -179 +187 @@
          exit(107);
      }
-@@ -484,6 +562,21 @@
+@@ -484,6 +563,21 @@
          log_err("failed to setuid (%ld: %s)\n", uid, cmd);
          exit(110);
@@ -201 +209 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +599,21 @@
+@@ -506,6 +600,21 @@
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -223 +231 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +640,17 @@
+@@ -532,15 +641,17 @@
      /*
       * Error out if cwd is writable by others.
@@ -242 +250 @@
          exit(117);
      }
-@@ -548,10 +658,12 @@
+@@ -548,10 +659,12 @@
      /*
       * Error out if the program is writable by others.
@@ -255 +263 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +677,7 @@
+@@ -565,6 +678,7 @@
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -263 +271 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,16 +689,33 @@
+@@ -576,16 +690,33 @@
                  prg_info.st_uid, prg_info.st_gid);
          exit(120);

branches/fc11-dev/server/common/patches/openafs-scripts.patch

@@ -3 +3 @@
 # with modifications by Joe Presbrey <presbrey@mit.edu>
 # and Anders Kaseorg <andersk@mit.edu>
+# and Edward Z. Yang <ezyang@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -43 +44 @@
 #
 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
---- openafs-1.4/src/afs/afs_analyze.c   2008-10-27 19:54:06.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_analyze.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_analyze.c
++++ openafs-1.4+scripts/src/afs/afs_analyze.c
 @@ -585,7 +585,7 @@
                          (afid ? afid->Fid.Volume : 0));
@@ -54 +55 @@
                 (aerrP->err_Volume)++;
             areq->volumeError = VOLBUSY;
+diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+--- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
++++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+@@ -875,6 +875,28 @@
+        /* should we always update the attributes at this point? */
+        /* unlikely--the vcache entry hasn't changed */
+ 
++       /* [scripts] This code makes hardlinks work correctly.
++        *
++        * We want Apache to be able to read a file with hardlinks
++        * named .htaccess and foo to be able to read it via .htaccess
++        * and not via foo, regardless of which name was looked up
++        * (remember, inodes do not have filenames associated with them.)
++        *
++        * It is important that we modify the existing cache entry even
++        * if it is otherwise totally valid and would not be reloaded.
++        * Otherwise, it won't recover from repeatedly reading the same
++        * inode via multiple hardlinks or different names.  Specifically,
++        * Apache will be able to read both names if it was first looked
++        * up (by anyone!) via .htaccess, and neither if it was first
++        * looked up via foo.
++        *
++        * With regards to performance, the strncmp() is bounded by
++        * three characters, so it takes O(3) operations.  If this code
++        * is extended to all static-cat extensions, we'll want to do
++        * some clever hashing using gperf here.
++        */
++       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
++
+     } else {
+ #ifdef notyet
+        pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
+diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+@@ -1572,6 +1572,12 @@
+     }
+ 
+   done:
++    if (tvc) {
++       /* [scripts] check Apache's ability to read this file, so that
++        * we can figure this out on an access() call */
++       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
++    }
++
+     /* put the network buffer back, if need be */
+     if (tname != aname && tname)
+        osi_FreeLargeSpace(tname);
 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
---- openafs-1.4/src/afs/afs.h   2009-01-19 14:27:19.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs.h   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs.h
++++ openafs-1.4+scripts/src/afs/afs.h
 @@ -208,8 +208,16 @@
  #define QTOC(e)            QEntry(e, struct cell, lruq)
@@ -74 +123 @@
      afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
      char initd;                        /* if non-zero, Error fields meaningful */
+@@ -743,6 +751,7 @@
+ #ifdef AFS_SUN5_ENV
+     short multiPage;           /* count of multi-page getpages in progress */
+ #endif
++    int apache_access;         /* whether or not Apache has access to a file */
+ };
+ 
+ #define        DONT_CHECK_MODE_BITS    0
 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
---- openafs-1.4/src/afs/afs_osi_pag.c   2008-10-20 15:29:46.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_osi_pag.c
++++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
 @@ -51,6 +51,8 @@
  #endif
@@ -103 +160 @@
  }
 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
---- openafs-1.4/src/afs/afs_pioctl.c    2009-01-19 13:09:34.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs_pioctl.c    2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_pioctl.c
++++ openafs-1.4+scripts/src/afs/afs_pioctl.c
 @@ -1217,6 +1217,10 @@
      struct AFSFetchStatus OutStatus;
@@ -150 +207 @@
         return EIO;             /* Inappropriate ioctl for device */
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
 @@ -118,6 +118,17 @@
  
@@ -170 +227 @@
      } else {
         /* some rights come from dir and some from file.  Specifically, you 
-@@ -171,6 +182,18 @@
+@@ -171,6 +182,19 @@
                     fileBits |= PRSFS_READ;
             }
@@ -180 +237 @@
 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
 +             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
-+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
++             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
++                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
 +             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
 +             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
@@ -190 +248 @@
  }
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c  2009-01-13 14:37:28.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c  2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
 @@ -87,8 +87,8 @@
         }