Changeset 1179 for branches/fc11-dev/server/common/patches
- Timestamp:
- Jun 8, 2009, 1:07:47 PM (16 years ago)
- Location:
- branches/fc11-dev/server/common/patches
- Files:
-
- 2 edited
branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch
r1146 r1179 46 46 AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] ) 47 47 --- httpd-2.2.11/support/suexec.c.old 2008-11-30 10:47:31.000000000 -0500 48 +++ httpd-2.2.11/support/suexec.c 2009-06-0 3 05:16:45.000000000 -040048 +++ httpd-2.2.11/support/suexec.c 2009-06-08 09:02:17.000000000 -0400 49 49 @@ -30,6 +30,9 @@ 50 50 * … … 141 141 gid_t gid; /* target group placeholder */ 142 142 char *target_uname; /* target user name */ 143 @@ -350,6 +413,20 @@ 143 @@ -268,6 +331,7 @@ 144 * Start with a "clean" environment 145 */ 146 clean_env(); 147 + setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */ 148 149 prog = argv[0]; 150 /* 151 @@ -350,6 +414,20 @@ 144 152 #endif /*_OSD_POSIX*/ 145 153 … … 162 170 * or attempts to back up out of the current directory, 163 171 * to protect against attacks. If any are 164 @@ -371,6 +44 8,7 @@172 @@ -371,6 +449,7 @@ 165 173 userdir = 1; 166 174 } … … 170 178 * Error out if the target username is invalid. 171 179 */ 172 @@ -452,7 +53 0,7 @@180 @@ -452,7 +531,7 @@ 173 181 * Error out if attempt is made to execute as root or as 174 182 * a UID less than AP_UID_MIN. Tsk tsk. … … 179 187 exit(107); 180 188 } 181 @@ -484,6 +56 2,21 @@189 @@ -484,6 +563,21 @@ 182 190 log_err("failed to setuid (%ld: %s)\n", uid, cmd); 183 191 exit(110); … … 201 209 /* 202 210 * Get the current working directory, as well as the proper 203 @@ -506,6 + 599,21 @@211 @@ -506,6 +600,21 @@ 204 212 log_err("cannot get docroot information (%s)\n", target_homedir); 205 213 exit(112); … … 223 231 else { 224 232 if (((chdir(AP_DOC_ROOT)) != 0) || 225 @@ -532,15 +64 0,17 @@233 @@ -532,15 +641,17 @@ 226 234 /* 227 235 * Error out if cwd is writable by others. … … 242 250 exit(117); 243 251 } 244 @@ -548,10 +65 8,12 @@252 @@ -548,10 +659,12 @@ 245 253 /* 246 254 * Error out if the program is writable by others. … … 255 263 /* 256 264 * Error out if the file is setuid or setgid. 257 @@ -565,6 +67 7,7 @@265 
@@ -565,6 +678,7 @@ 258 266 * Error out if the target name/group is different from 259 267 * the name/group of the cwd or the program. … … 263 271 (gid != dir_info.st_gid) || 264 272 (uid != prg_info.st_uid) || 265 @@ -576,16 +6 89,33 @@273 @@ -576,16 +690,33 @@ 266 274 prg_info.st_uid, prg_info.st_gid); 267 275 exit(120); -
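Review bot: The added `setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1);` after `clean_env()` ignores its return value, so if the call fails the target program starts without the heap default and nothing is logged. Other failures in this file log and exit (for example `log_err("failed to setuid (%ld: %s)\n", uid, cmd);` followed by `exit(110);`), and the same pattern fits here: `if (setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1) != 0) { log_err("failed to set JAVA_TOOL_OPTIONS\n"); exit(EXIT_CODE_PLACEHOLDER); }`. The trailing comment should also say that this is only a default: the executed program runs as the target user and can pass its own `-Xmx` or clear the variable, so a hard memory cap would need `setrlimit()` before the exec. The enclosing function starts and ends outside the hunk.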
branches/fc11-dev/server/common/patches/openafs-scripts.patch
r1070 r1179 3 3 # with modifications by Joe Presbrey <presbrey@mit.edu> 4 4 # and Anders Kaseorg <andersk@mit.edu> 5 # and Edward Z. Yang <ezyang@mit.edu> 5 6 # 6 7 # This file is available under both the MIT license and the GPL. … … 43 44 # 44 45 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c 45 --- openafs-1.4/src/afs/afs_analyze.c 2008-10-27 19:54:06.000000000 -040046 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 2009-04-08 08:07:22.000000000 -040046 --- openafs-1.4/src/afs/afs_analyze.c 47 +++ openafs-1.4+scripts/src/afs/afs_analyze.c 47 48 @@ -585,7 +585,7 @@ 48 49 (afid ? afid->Fid.Volume : 0)); … … 54 55 (aerrP->err_Volume)++; 55 56 areq->volumeError = VOLBUSY; 57 diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 58 --- openafs-1.4/src/afs/LINUX/osi_vnodeops.c 59 +++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c 60 
@@ -875,6 +875,28 @@ 61 /* should we always update the attributes at this point? */ 62 /* unlikely--the vcache entry hasn't changed */ 63 64 + /* [scripts] This code makes hardlinks work correctly. 65 + * 66 + * We want Apache to be able to read a file with hardlinks 67 + * named .htaccess and foo to be able to read it via .htaccess 68 + * and not via foo, regardless of which name was looked up 69 + * (remember, inodes do not have filenames associated with them.) 70 + * 71 + * It is important that we modify the existing cache entry even 72 + * if it is otherwise totally valid and would not be reloaded. 73 + * Otherwise, it won't recover from repeatedly reading the same 74 + * inode via multiple hardlinks or different names. Specifically, 75 + * Apache will be able to read both names if it was first looked 76 + * up (by anyone!) via .htaccess, and neither if it was first 77 + * looked up via foo. 78 + * 79 + * With regards to performance, the strncmp() is bounded by 80 + * three characters, so it takes O(3) operations. If this code 81 + * is extended to all static-cat extensions, we'll want to do 82 + * some clever hashing using gperf here. 83 + */ 84 + vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0; 85 + 86 } else { 87 #ifdef notyet 88 pvcp = VTOAFS(dp->d_parent->d_inode); /* dget_parent()? */ 89 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 90 --- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c 91 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c 92 
@@ -1572,6 +1572,12 @@ 93 } 94 95 done: 96 + if (tvc) { 97 + /* [scripts] check Apache's ability to read this file, so that 98 + * we can figure this out on an access() call */ 99 + tvc->apache_access = strncmp(aname, ".ht", 3) == 0; 100 + } 101 + 102 /* put the network buffer back, if need be */ 103 if (tname != aname && tname) 104 osi_FreeLargeSpace(tname); 56 105 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h 57 --- openafs-1.4/src/afs/afs.h 2009-01-19 14:27:19.000000000 -050058 +++ openafs-1.4+scripts/src/afs/afs.h 2009-04-08 08:07:22.000000000 -0400106 --- openafs-1.4/src/afs/afs.h 107 +++ openafs-1.4+scripts/src/afs/afs.h 59 108 @@ -208,8 +208,16 @@ 60 109 #define QTOC(e) QEntry(e, struct cell, lruq) … … 74 123 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ 75 124 char initd; /* if non-zero, Error fields meaningful */ 125 @@ -743,6 +751,7 @@ 126 #ifdef AFS_SUN5_ENV 127 short multiPage; /* count of multi-page getpages in progress */ 128 #endif 129 + int apache_access; /* whether or not Apache has access to a file */ 130 }; 131 132 #define DONT_CHECK_MODE_BITS 0 76 133 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c 77 --- openafs-1.4/src/afs/afs_osi_pag.c 2008-10-20 15:29:46.000000000 -040078 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 2009-04-08 08:07:22.000000000 -0400134 --- openafs-1.4/src/afs/afs_osi_pag.c 135 +++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 79 136 @@ -51,6 +51,8 @@ 80 137 #endif … … 103 160 } 104 161 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c 105 --- openafs-1.4/src/afs/afs_pioctl.c 2009-01-19 13:09:34.000000000 -0500106 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 2009-04-08 08:07:22.000000000 -0400162 --- openafs-1.4/src/afs/afs_pioctl.c 163 +++ openafs-1.4+scripts/src/afs/afs_pioctl.c 107 164 
@@ -1217,6 +1217,10 @@ 108 165 struct AFSFetchStatus OutStatus; … … 150 207 return EIO; /* Inappropriate ioctl for device */ 151 208 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 152 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500153 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400209 --- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 210 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 154 211 @@ -118,6 +118,17 @@ 155 212 … … 170 227 } else { 171 228 /* some rights come from dir and some from file. Specifically, you 172 @@ -171,6 +182,1 8@@229 @@ -171,6 +182,19 @@ 173 230 fileBits |= PRSFS_READ; 174 231 } … … 180 237 + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && 181 238 + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && 182 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) && 239 + !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && 240 + (avc->m.Mode == 0100777 || avc->apache_access)) && 183 241 + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && 184 242 + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { … … 190 248 } 191 249 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 192 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 2009-01-13 14:37:28.000000000 -0500193 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 2009-04-08 08:07:22.000000000 -0400250 --- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 251 +++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 194 252 @@ -87,8 +87,8 @@ 195 253 }
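Review bot: `apache_access` is a single flag on the shared vcache entry, and both new assignments (`vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;` in osi_vnodeops.c and `tvc->apache_access = strncmp(aname, ".ht", 3) == 0;` at `done:` in afs_vnop_lookup.c) overwrite it on every lookup or revalidate by any caller. The `PRSFS_READ` test for `HTTPD_UID` in afs_vnop_access.c reads it later, so the decision follows whichever name was resolved most recently for that inode rather than the name the httpd request used. A concurrent lookup through another hardlink name can flip the result in either direction. The hunks also do not show the field being cleared when a vcache is allocated or recycled, so an entry reached without passing through these two paths may carry a stale value; that is worth confirming. At minimum the field comment in afs.h should state the semantics, e.g. `/* [scripts] name-derived (".ht" prefix), rewritten on each lookup/revalidate; last writer wins */`; all three functions continue outside their hunks.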