Changeset 2591 for trunk/server/common
- Timestamp:
- Aug 27, 2014, 10:06:17 PM (10 years ago)
- Location:
- trunk
- Files:
-
- 19 deleted
- 11 edited
- 4 copied
trunk
- Property svn:mergeinfo changed
-
trunk/server/common/oursrc/accountadm/Makefile.in
r2299 r2591 10 10 all-local: admof 11 11 12 admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread 12 admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread -lk5crypto 13 13 admof: admof.o 14 14 -
trunk/server/common/oursrc/httpdmods/mod_authz_afsgroup.c
r236 r2591 13 13 14 14 #include "ap_config.h" 15 #include "ap_provider.h" 15 16 #include "httpd.h" 16 17 #include "http_config.h" … … 19 20 #include "http_protocol.h" 20 21 #include "http_request.h" 22 23 #include "mod_auth.h" 21 24 22 25 #include <unistd.h> … … 48 51 module AP_MODULE_DECLARE_DATA authz_afsgroup_module; 49 52 50 static int check_afsgroup_access(request_rec *r) 53 static authz_status is_user_in_afsgroup(request_rec *r, char* user, char* afsgroup) 54 { 55 int pfd[2]; 56 pid_t cpid; 57 int status; 58 FILE *fp; 59 char *line = NULL; 60 char buf[256]; 61 size_t len = 0; 62 ssize_t read; 63 int found = 0; 64 if (pipe(pfd) == -1) { 65 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 66 "pipe() failed!"); 67 return AUTHZ_GENERAL_ERROR; 68 } 69 cpid = fork(); 70 if (cpid == -1) { 71 close(pfd[0]); 72 close(pfd[1]); 73 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 74 "fork() failed!"); 75 return AUTHZ_GENERAL_ERROR; 76 } 77 if (cpid == 0) { 78 close(pfd[0]); 79 dup2(pfd[1], STDOUT_FILENO); 80 execve("/usr/bin/pts", 81 (char *const[]) 82 { "pts", "membership", "-nameorid", afsgroup, NULL }, 83 NULL); 84 _exit(1); 85 } 86 close(pfd[1]); 87 fp = fdopen(pfd[0], "r"); 88 if (fp == NULL) { 89 close(pfd[0]); 90 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 91 "fdopen() failed!"); 92 return AUTHZ_GENERAL_ERROR; 93 } 94 if (snprintf(buf, sizeof(buf), " %s\n", user) >= sizeof(buf)) { 95 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 96 "access to %s failed, reason: username '%s' " 97 "is too long!", 98 r->uri, user); 99 return AUTHZ_DENIED; 100 } 101 while ((read = getline(&line, &len, fp)) != -1) { 102 if (strcmp(line, buf) == 0) 103 found = 1; 104 } 105 if (line) 106 free(line); 107 fclose(fp); 108 if (waitpid(cpid, &status, 0) == -1) { 109 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 110 "waitpid() failed!"); 111 return AUTHZ_GENERAL_ERROR; 112 } 113 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { 114 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 115 "`pts membership -nameorid 
%s` failed!", 116 afsgroup); 117 return AUTHZ_GENERAL_ERROR; 118 } 119 if (found) 120 return AUTHZ_GRANTED; 121 122 return AUTHZ_DENIED; 123 } 124 125 static authz_status check_afsgroup_access(request_rec *r, 126 const char *require_line, 127 const void *parsed_require_line) 51 128 { 52 129 authz_afsgroup_config_rec *conf = ap_get_module_config(r->per_dir_config, 53 130 &authz_afsgroup_module); 54 char *user = r->user;55 int m = r->method_number;56 int required_afsgroup = 0;57 register int x;58 131 const char *t; 59 132 char *w; 60 const apr_array_header_t *reqs_arr = ap_requires(r); 61 require_line *reqs; 133 authz_status pergroup; 62 134 63 if (!reqs_arr) { 64 return DECLINED; 65 } 66 reqs = (require_line *)reqs_arr->elts; 67 68 for (x = 0; x < reqs_arr->nelts; x++) { 69 70 if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { 71 continue; 72 } 73 74 t = reqs[x].requirement; 75 w = ap_getword_white(r->pool, &t); 76 if (!strcasecmp(w, "afsgroup")) { 77 required_afsgroup = 1; 78 while (t[0]) { 79 int pfd[2]; 80 pid_t cpid; 81 int status; 82 FILE *fp; 83 char *line = NULL; 84 char buf[256]; 85 size_t len = 0; 86 ssize_t read; 87 int found = 0; 88 w = ap_getword_conf(r->pool, &t); 89 if (pipe(pfd) == -1) { 90 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 91 "pipe() failed!"); 92 return HTTP_INTERNAL_SERVER_ERROR; 93 } 94 cpid = fork(); 95 if (cpid == -1) { 96 close(pfd[0]); 97 close(pfd[1]); 98 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 99 "fork() failed!"); 100 return HTTP_INTERNAL_SERVER_ERROR; 101 } 102 if (cpid == 0) { 103 close(pfd[0]); 104 dup2(pfd[1], STDOUT_FILENO); 105 execve("/usr/bin/pts", 106 (char *const[]) { 107 "pts", "membership", "-nameorid", w, NULL 108 }, 109 NULL); 110 _exit(1); 111 } 112 close(pfd[1]); 113 fp = fdopen(pfd[0], "r"); 114 if (fp == NULL) { 115 close(pfd[0]); 116 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 117 "fdopen() failed!"); 118 return HTTP_INTERNAL_SERVER_ERROR; 119 } 120 if (snprintf(buf, sizeof(buf), " %s\n", user) >= 
sizeof(buf)) { 121 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 122 "access to %s failed, reason: username '%s' " 123 "is too long!", 124 r->uri, user); 125 continue; 126 } 127 while ((read = getline(&line, &len, fp)) != -1) { 128 if (strcmp(line, buf) == 0) 129 found = 1; 130 } 131 if (line) 132 free(line); 133 fclose(fp); 134 if (waitpid(cpid, &status, 0) == -1) { 135 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 136 "waitpid() failed!"); 137 return HTTP_INTERNAL_SERVER_ERROR; 138 } 139 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { 140 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 141 "`pts membership -nameorid %s` failed!", 142 w); 143 return HTTP_INTERNAL_SERVER_ERROR; 144 } 145 if (found) 146 return OK; 147 } 148 } 135 if (!r->user) { 136 return AUTHZ_DENIED_NO_USER; 149 137 } 150 138 151 if (!required_afsgroup) { 152 return DECLINED; 139 t = require_line; 140 while ((w = ap_getword_conf(r->pool, &t)) && w[0]) { 141 if ((pergroup = is_user_in_afsgroup(r, r->user, w)) != AUTHZ_DENIED) { 142 // If we got some return value other than AUTHZ_DENIED, it 143 // means we either got GRANTED, or some sort of error, and 144 // we need to bubble that up. 
145 return pergroup; 146 } 153 147 } 154 148 155 149 if (!conf->authoritative) { 156 return DECLINED;150 return AUTHZ_NEUTRAL; 157 151 } 158 152 … … 160 154 "access to %s failed, reason: user '%s' does not meet " 161 155 "'require'ments for afsgroup to be allowed access", 162 r->uri, user);156 r->uri, r->user); 163 157 164 ap_note_auth_failure(r); 165 return HTTP_FORBIDDEN; 158 return AUTHZ_DENIED; 166 159 } 160 161 static const authz_provider authz_afsgroup_provider = 162 { 163 &check_afsgroup_access, 164 NULL, 165 }; 167 166 168 167 static void register_hooks(apr_pool_t *p) 169 168 { 170 ap_hook_auth_checker(check_afsgroup_access, NULL, NULL, APR_HOOK_MIDDLE); 169 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "afsgroup", 170 AUTHZ_PROVIDER_VERSION, 171 &authz_afsgroup_provider, AP_AUTH_INTERNAL_PER_CONF); 172 171 173 } 172 174 -
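Review bot: In `is_user_in_afsgroup`, two error paths taken after `fork()` return without cleaning up, a pattern carried over from the old loop body. The `fdopen()` failure branch never reaps the child, and the username-too-long branch returns `AUTHZ_DENIED` with `fp` still open and the `pts` child unwaited, so each such request leaks a descriptor and leaves a zombie in the httpd worker. The length test does not depend on the child, so `if (snprintf(buf, sizeof(buf), " %s\n", user) >= sizeof(buf))` can move above `pipe()`, and the `fdopen()` branch needs `waitpid(cpid, &status, 0);` before its return. The child also ignores the result of `dup2()`; `if (dup2(pfd[1], STDOUT_FILENO) == -1) _exit(1);` makes a failed redirect surface as `AUTHZ_GENERAL_ERROR` rather than as an empty membership list.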
trunk/server/common/oursrc/httpdmods/mod_original_dst.c
r1796 r2591 16 16 #include "ap_config.h" 17 17 #include "ap_listen.h" 18 #include "apr_portable.h" 18 19 #include "http_config.h" 19 20 #include "http_log.h" 20 21 #include "httpd.h" 21 #include "mpm.h" 22 #include "unixd.h" 23 24 #define MPM_ACCEPT_FUNC ap_unixd_accept 22 25 23 26 extern void apr_sockaddr_vars_set(apr_sockaddr_t *, int, apr_port_t); -
trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in
r2246 r2591 3 3 /sbin/sysctl -q afs.GCPAGs=0 4 4 @fs_path@ setcrypt on 5 @fs_path@ sysname 'amd64_fedora 17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2'5 @fs_path@ sysname 'amd64_fedora20_scripts' 'amd64_fedora17_scripts' 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora20' 'amd64_fedora17' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' 6 6 7 7 @fs_path@ setcell -nosuid -c athena -
trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service
r2561 r2591 2 2 Description=Scripts AFS Configuration Service 3 3 After=syslog.target openafs-client.service 4 Before= crond.service4 Before=remote-fs.target 5 5 Requires=openafs-client.service 6 6 … … 10 10 11 11 [Install] 12 WantedBy=multi-user.target remote-fs.target crond.service12 WantedBy=multi-user.target remote-fs.target -
trunk/server/common/oursrc/tokensys/scripts-afsagent.service
r2561 r2591 2 2 Description=Scripts afsagent Service 3 3 After=syslog.target openafs-client.service 4 Before= crond.service4 Before=remote-fs.target 5 5 Requires=openafs-client.service 6 6 … … 11 11 12 12 [Install] 13 WantedBy=multi-user.target remote-fs.target crond.service13 WantedBy=multi-user.target remote-fs.target -
trunk/server/common/patches/httpd-fixup-vhost.patch
r1602 r2591 1 commit 3b081163d6250d893838d69d9a83f217c341d657 2 Author: Greg Brockman <gdb@mit.edu> 3 Date: Fri Aug 6 23:19:15 2010 -0400 1 From e90c8e59a93e5dde747e6dec7b960d2a6f2523ab Mon Sep 17 00:00:00 2001 2 From: Alexander Chernyakhovsky <achernya@mit.edu> 3 Date: Fri, 3 May 2013 22:43:28 -0400 4 Subject: [PATCH] Export method to fixup a single virtual host 4 5 5 Add method to merge virtual host with a main server_rec 6 Apache normally provides ap_fixup_virtual_hosts, which merges the 7 configuration from the main server into each virtual host. Refactor 8 this code to allow merging the configuration into a single virtual 9 host, and export this method for use in mod_vhost_ldap. 10 11 Additionally, call the newly created method in the loop in 12 ap_fixup_virtual_hosts. 13 --- 14 include/http_config.h | 9 ++++++++ 15 server/config.c | 58 ++++++++++++++++++++++++++++----------------------- 16 2 files changed, 41 insertions(+), 26 deletions(-) 6 17 7 18 diff --git a/include/http_config.h b/include/http_config.h 8 index 5e9fd51..8e6f24710064419 index 7ee3760..e3657ea 100644 9 20 --- a/include/http_config.h 10 21 +++ b/include/http_config.h 11 @@ -827,6 +827,16 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p); 12 AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 22 
@@ -1012,6 +1012,15 @@ AP_DECLARE(void) ap_register_hooks(module *m, apr_pool_t *p); 23 */ 24 AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, 13 25 server_rec *main_server); 14 15 26 +/** 16 + * Setup a single virtual host by merging the main server_rec into it.27 + * Setup all virtual hosts 17 28 + * @param p The pool to allocate from 18 + * @param main_server The server_rec with which to merge19 + * @param virt The virtual host server_rec with some set of directives to override already set29 + * @param main_server The head of the server_rec list 30 + * @param virt The individual virtual host to fix 20 31 + */ 21 32 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, 22 33 + server_rec *main_server, 23 34 + server_rec *virt); 24 +25 /* For http_request.c... */26 35 27 36 /** 37 * Reserve some modules slots for modules loaded by other means than 28 38 diff --git a/server/config.c b/server/config.c 29 index 101d0e4..ef0f2ba10064439 index c1aae17..254c5d2 100644 30 40 --- a/server/config.c 31 41 +++ b/server/config.c 32 @@ -1902,38 +1902,43 @@ AP_CORE_DECLARE(const char *) ap_init_virtual_host(apr_pool_t *p, 42 
@@ -2245,46 +2245,52 @@ AP_DECLARE(void) ap_merge_log_config(const struct ap_logconf *old_conf, 43 } 33 44 } 34 35 45 36 46 -AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server) 37 47 +AP_DECLARE(void) ap_fixup_virtual_host(apr_pool_t *p, server_rec *main_server, 38 + 48 + server_rec *virt) 39 49 { 40 50 - server_rec *virt; 41 + merge_server_configs(p, main_server->module_config, 42 + virt->module_config); 51 core_dir_config *dconf = 52 ap_get_core_module_config(main_server->lookup_defaults); 53 dconf->log = &main_server->log; 43 54 44 55 - for (virt = main_server->next; virt; virt = virt->next) { 45 56 - merge_server_configs(p, main_server->module_config, 46 57 - virt->module_config); 47 + virt->lookup_defaults = 48 + ap_merge_per_dir_configs(p, main_server->lookup_defaults, 49 + virt->lookup_defaults); 58 + merge_server_configs(p, main_server->module_config, 59 + virt->module_config); 50 60 51 61 - virt->lookup_defaults = 52 62 - ap_merge_per_dir_configs(p, main_server->lookup_defaults, 53 63 - virt->lookup_defaults); 54 + if (virt->server_admin == NULL) 55 + virt->server_admin = main_server->server_admin; 64 + virt->lookup_defaults = 65 + ap_merge_per_dir_configs(p, main_server->lookup_defaults, 66 + virt->lookup_defaults); 56 67 57 68 - if (virt->server_admin == NULL) 58 69 - virt->server_admin = main_server->server_admin; 59 + if (virt-> timeout == 0)60 + virt->timeout = main_server->timeout;70 + if (virt->server_admin == NULL) 71 + virt->server_admin = main_server->server_admin; 61 72 62 73 - if (virt->timeout == 0) 63 74 - virt->timeout = main_server->timeout; 64 + if (virt-> keep_alive_timeout == 0)65 + virt->keep_alive_timeout = main_server->keep_alive_timeout;75 + if (virt->timeout == 0) 76 + virt->timeout = main_server->timeout; 66 77 67 78 - if (virt->keep_alive_timeout == 0) 68 79 - virt->keep_alive_timeout = main_server->keep_alive_timeout; 69 + if (virt->keep_alive == -1)70 + virt->keep_alive = main_server->keep_alive;80 + 
if (virt->keep_alive_timeout == 0) 81 + virt->keep_alive_timeout = main_server->keep_alive_timeout; 71 82 72 83 - if (virt->keep_alive == -1) 73 84 - virt->keep_alive = main_server->keep_alive; 74 + if (virt->keep_alive _max== -1)75 + virt->keep_alive_max = main_server->keep_alive_max;85 + if (virt->keep_alive == -1) 86 + virt->keep_alive = main_server->keep_alive; 76 87 77 88 - if (virt->keep_alive_max == -1) 78 89 - virt->keep_alive_max = main_server->keep_alive_max; 79 + /* XXX: this is really something that should be dealt with by a 80 + * post-config api phase 81 + */ 82 + ap_core_reorder_directories(p, virt); 83 +} 90 + if (virt->keep_alive_max == -1) 91 + virt->keep_alive_max = main_server->keep_alive_max; 92 93 - ap_merge_log_config(&main_server->log, &virt->log); 94 + ap_merge_log_config(&main_server->log, &virt->log); 95 96 - dconf = ap_get_core_module_config(virt->lookup_defaults); 97 - dconf->log = &virt->log; 98 + dconf = ap_get_core_module_config(virt->lookup_defaults); 99 + dconf->log = &virt->log; 84 100 85 101 - /* XXX: this is really something that should be dealt with by a … … 88 104 - ap_core_reorder_directories(p, virt); 89 105 - } 106 + /* XXX: this is really something that should be dealt with by a 107 + * post-config api phase 108 + */ 109 + ap_core_reorder_directories(p, virt); 110 +} 111 + 90 112 +AP_DECLARE(void) ap_fixup_virtual_hosts(apr_pool_t *p, server_rec *main_server) 91 113 +{ 92 114 + server_rec *virt; 93 + 115 + 94 116 + for (virt = main_server->next; virt; virt = virt->next) 95 117 + ap_fixup_virtual_host(p, main_server, virt); … … 97 119 ap_core_reorder_directories(p, main_server); 98 120 } 121 -- 122 1.8.1.2 123 -
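Review bot: The doc comment on `ap_fixup_virtual_host` in `include/http_config.h` now reads "Setup all virtual hosts", which describes the plural `ap_fixup_virtual_hosts` rather than the single-host function it is attached to; the previous revision of this patch had the accurate wording. I would restore a summary such as `Setup a single virtual host by merging the main server_rec into it` and describe `main_server` as the server_rec to merge from, since the new function does not walk the list. Separately, in `server/config.c` the new function appears to assign `dconf->log = &main_server->log` at the top of every call, so the plural wrapper repeats that write once per vhost; it looks harmless, but a one-line comment saying it is intentional would save the next reader the check.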
trunk/server/common/patches/httpd-suexec-scripts.patch
r2186 r2591 1 # scripts.mit.edu httpd suexec patch 2 # Copyright (C) 2006, 2007, 2008 Jeff Arnold <jbarnold@mit.edu>, 3 # Joe Presbrey <presbrey@mit.edu>, 4 # Anders Kaseorg <andersk@mit.edu>, 5 # Geoffrey Thomas <geofft@mit.edu> 6 # 7 # This program is free software; you can redistribute it and/or 8 # modify it under the terms of the GNU General Public License 9 # as published by the Free Software Foundation; either version 2 10 # of the License, or (at your option) any later version. 11 # 12 # This program is distributed in the hope that it will be useful, 13 # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 # GNU General Public License for more details. 16 # 17 # You should have received a copy of the GNU General Public License 18 # along with this program; if not, write to the Free Software 19 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 20 # 21 # See /COPYRIGHT in this repository for more information. 22 # 23 --- httpd-2.2.2/support/Makefile.in.old 2005-07-06 19:15:34.000000000 -0400 24 +++ httpd-2.2.2/support/Makefile.in 2007-01-20 17:12:51.000000000 -0500 25 @@ -60,7 +60,7 @@ 26 27 suexec_OBJECTS = suexec.lo 28 suexec: $(suexec_OBJECTS) 29 - $(LINK) $(suexec_OBJECTS) 30 + $(LINK) -lselinux $(suexec_OBJECTS) 31 32 htcacheclean_OBJECTS = htcacheclean.lo 33 htcacheclean: $(htcacheclean_OBJECTS) 34 --- httpd-2.2.2/configure.in.old 2007-07-17 10:48:25.000000000 -0400 35 +++ httpd-2.2.2/configure.in 2008-08-29 08:15:41.000000000 -0400 36 @@ -559,6 +559,10 @@ 1 From 427d432a56df94d69a11cc438b08adb070615005 Mon Sep 17 00:00:00 2001 2 
From: Alexander Chernyakhovsky <achernya@mit.edu> 3 Date: Fri, 3 May 2013 21:38:58 -0400 4 Subject: [PATCH] Add scripts-specific support to suexec 5 6 This patch make suexec aware of static-cat, Scripts' tool to serve 7 static content out of AFS. Specifically, this introduces a whitelist 8 of extensions for which suexec is supposed to invoke static-cat as a 9 content-handler. 10 11 Additionally, this patch also sets JAVA_TOOL_OPTIONS, to allow the JVM 12 to start up in Scripts' limited memory environment. 13 14 Furthermore, this patch deals with some of suexec's paranoia being 15 incorrect in an AFS world, by ignoring some of the irrelevant stat 16 results. 17 18 Finally, add support for invoking php-cgi for php files, in a safe 19 manner that will strip arguments passed by Apache to php-cgi. 20 --- 21 configure.in | 4 ++ 22 support/suexec.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 23 2 files changed, 173 insertions(+), 3 deletions(-) 24 25 diff --git a/configure.in b/configure.in 26 index 811aace..a95349f 100644 27 --- a/configure.in 28 +++ b/configure.in 29 @@ -721,6 +721,10 @@ AC_ARG_WITH(suexec-userdir, 37 30 APACHE_HELP_STRING(--with-suexec-userdir,User subdirectory),[ 38 31 AC_DEFINE_UNQUOTED(AP_USERDIR_SUFFIX, "$withval", [User subdirectory] ) ] ) … … 45 38 APACHE_HELP_STRING(--with-suexec-docroot,SuExec root directory),[ 46 39 AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] ) 47 --- httpd-2.2.11/support/suexec.c.old 2008-11-30 10:47:31.000000000 -0500 48 +++ httpd-2.2.11/support/suexec.c 2009-06-08 09:02:17.000000000 -0400 40 diff --git a/support/suexec.c b/support/suexec.c 41 index 32e7320..3a4d802 100644 42 --- a/support/suexec.c 43 +++ b/support/suexec.c 49 44 @@ -30,6 +30,9 @@ 50 45 * … … 57 52 #include "ap_config.h" 58 53 #include "suexec.h" 59 @@ -46,6 +49,7 @@ 60 #include <stdio.h> 61 #include <stdarg.h> 62 #include <stdlib.h> 63 +#include <selinux/selinux.h> 64 65 #ifdef HAVE_PWD_H 66 #include <pwd.h> 67 
@@ -95,6 +99,7 @@ 54 @@ -92,6 +95,7 @@ static const char *const safe_env_lst[] = 68 55 { 69 56 /* variable name starts with */ … … 73 60 74 61 /* variable name is */ 75 @@ -2 45,9 +250,108 @@62 @@ -268,9 +272,108 @@ static void clean_env(void) 76 63 environ = cleanenv; 77 64 } … … 182 169 gid_t gid; /* target group placeholder */ 183 170 char *target_uname; /* target user name */ 184 @@ -2 68,6 +368,7 @@171 @@ -290,6 +393,7 @@ int main(int argc, char *argv[]) 185 172 * Start with a "clean" environment 186 173 */ … … 188 175 + setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */ 189 176 190 prog = argv[0];191 /*192 @@ -3 50,6 +451,20 @@177 /* 178 * Check existence/validity of the UID of the user 179 @@ -373,6 +477,20 @@ int main(int argc, char *argv[]) 193 180 #endif /*_OSD_POSIX*/ 194 181 … … 211 198 * or attempts to back up out of the current directory, 212 199 * to protect against attacks. If any are 213 @@ -3 71,6 +486,7 @@200 @@ -394,6 +512,7 @@ int main(int argc, char *argv[]) 214 201 userdir = 1; 215 202 } … … 219 206 * Error out if the target username is invalid. 220 207 */ 221 @@ -4 52,7 +568,7 @@208 @@ -482,7 +601,7 @@ int main(int argc, char *argv[]) 222 209 * Error out if attempt is made to execute as root or as 223 210 * a UID less than AP_UID_MIN. Tsk tsk. … … 225 212 - if ((uid == 0) || (uid < AP_UID_MIN)) { 226 213 + if ((uid == 0) || (uid < AP_UID_MIN && uid != 102)) { /* uid 102 = signup */ 227 log_err("cannot run as forbidden uid (% d/%s)\n",uid, cmd);214 log_err("cannot run as forbidden uid (%lu/%s)\n", (unsigned long)uid, cmd); 228 215 exit(107); 229 216 } 230 @@ - 484,6 +599,7 @@231 log_err("failed to setuid (%l d: %s)\n",uid, cmd);217 @@ -514,6 +633,7 @@ int main(int argc, char *argv[]) 218 log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd); 232 219 exit(110); 233 220 } … … 236 223 /* 237 224 * Get the current working directory, as well as the proper 238 @@ -5 06,6 +637,21 @@225 
@@ -536,6 +656,21 @@ int main(int argc, char *argv[]) 239 226 log_err("cannot get docroot information (%s)\n", target_homedir); 240 227 exit(112); … … 258 245 else { 259 246 if (((chdir(AP_DOC_ROOT)) != 0) || 260 @@ -5 32,15 +678,17 @@247 @@ -562,15 +697,17 @@ int main(int argc, char *argv[]) 261 248 /* 262 249 * Error out if cwd is writable by others. … … 277 264 exit(117); 278 265 } 279 @@ -5 48,10 +696,12 @@266 @@ -578,10 +715,12 @@ int main(int argc, char *argv[]) 280 267 /* 281 268 * Error out if the program is writable by others. … … 290 277 /* 291 278 * Error out if the file is setuid or setgid. 292 @@ -5 65,6 +715,7 @@279 @@ -595,6 +734,7 @@ int main(int argc, char *argv[]) 293 280 * Error out if the target name/group is different from 294 281 * the name/group of the cwd or the program. … … 298 285 (gid != dir_info.st_gid) || 299 286 (uid != prg_info.st_uid) || 300 @@ - 576,12 +727,14 @@301 prg_info.st_uid,prg_info.st_gid);287 @@ -606,12 +746,14 @@ int main(int argc, char *argv[]) 288 (unsigned long)prg_info.st_uid, (unsigned long)prg_info.st_gid); 302 289 exit(120); 303 290 } … … 314 301 exit(121); 315 302 } 316 @@ -6 14,6 +767,30 @@303 @@ -660,6 +802,30 @@ int main(int argc, char *argv[]) 317 304 /* 318 305 * Execute the command, replacing our image with its own. … … 345 332 /* We need the #! emulation when we want to execute scripts */ 346 333 { 334 -- 335 1.8.1.2 336 -
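Review bot: The uid check in `support/suexec.c` exempts a bare literal, `(uid < AP_UID_MIN && uid != 102)`, and the only record of what 102 means is the trailing comment. The refresh carries this line through unchanged, but it is the privilege boundary of a setuid helper and deserves a named build-time constant next to the other suexec defines (for example a hypothetical `AP_SIGNUP_UID`), so the exemption is auditable and cannot silently apply to whichever account holds uid 102 on a differently provisioned host. The `setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1)` call in `main` also ignores its return value, so a failure there would go unnoticed. Most hunk bodies are elided on this page, so the stat-check relaxations mentioned in the patch description could not be reviewed from here.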
trunk/server/common/patches/openafs-scripts.patch
r2066 r2591 46 46 # 47 47 diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c 48 index 7c7705e..0d0e94f10064448 index 03caf1c..699b2ce 100644 49 49 --- a/src/afs/LINUX/osi_vnodeops.c 50 50 +++ b/src/afs/LINUX/osi_vnodeops.c 51 @@ - 904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)51 @@ -1207,6 +1207,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags) 52 52 /* should we always update the attributes at this point? */ 53 53 /* unlikely--the vcache entry hasn't changed */ … … 79 79 #ifdef notyet 80 80 diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c 81 index eabcfeb..639085010064481 index feb0ca7..ba818c7 100644 82 82 --- a/src/afs/VNOPS/afs_vnop_access.c 83 83 +++ b/src/afs/VNOPS/afs_vnop_access.c … … 119 119 } 120 120 diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c 121 index b3931e5..71ef05c 100644121 index d01aff2..0a38c1c 100644 122 122 --- a/src/afs/VNOPS/afs_vnop_attrs.c 123 123 +++ b/src/afs/VNOPS/afs_vnop_attrs.c … … 134 134 #elif defined(AFS_DARWIN80_ENV) 135 135 diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c 136 index 8e7af1c..7e984e9100644136 index 5d96f75..7957eee 100644 137 137 --- a/src/afs/VNOPS/afs_vnop_lookup.c 138 138 +++ b/src/afs/VNOPS/afs_vnop_lookup.c 139 @@ -1 877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr139 @@ -1915,6 +1915,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr 140 140 } 141 141 … … 151 151 osi_FreeLargeSpace(tname); 152 152 diff --git a/src/afs/afs.h b/src/afs/afs.h 153 index fcc4c70..0d53af6100644153 index 88d5f77..61d3ee9 100644 154 154 --- a/src/afs/afs.h 155 155 +++ b/src/afs/afs.h … … 171 171 afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ 172 172 char initd; /* if non-zero, Error fields meaningful */ 173 @@ -887,6 +895,7 @@ struct vcache { 174 #ifdef AFS_SUN5_ENV 173 
@@ -896,6 +904,7 @@ struct vcache { 175 174 struct afs_q multiPage; /* list of multiPage_range structs */ 176 175 #endif 176 afs_uint32 lastBRLWarnTime; /* last time we warned about byte-range locks */ 177 177 + int apache_access; /* whether or not Apache has access to a file */ 178 178 }; … … 180 180 #define DONT_CHECK_MODE_BITS 0 181 181 diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c 182 index 1834e6d..673a8e6100644182 index 2ecd38e..95aafcd 100644 183 183 --- a/src/afs/afs_analyze.c 184 184 +++ b/src/afs/afs_analyze.c 185 @@ - 368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,185 @@ -478,7 +478,7 @@ afs_Analyze(struct afs_conn *aconn, struct rx_connection *rxconn, 186 186 (afid ? afid->Fid.Volume : 0)); 187 187 } … … 193 193 areq->volumeError = VOLBUSY; 194 194 diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c 195 index c888605..ff5cf2d100644195 index efce229..c1c1871 100644 196 196 --- a/src/afs/afs_osi_pag.c 197 197 +++ b/src/afs/afs_osi_pag.c … … 206 206 * representation is '41XXXXXX' hex are used to represent the pags. 207 207 @@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred) 208 av->uid = afs_cr_ uid(acred); /* default when no pag is set */208 av->uid = afs_cr_ruid(acred); /* default when no pag is set */ 209 209 #endif 210 210 } … … 222 222 223 223 diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c 224 index f282510..00f1360100644224 index e0a744d..c1c8c8c 100644 225 225 --- a/src/afs/afs_pioctl.c 226 226 +++ b/src/afs/afs_pioctl.c 227 @@ -14 06,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)227 @@ -1420,6 +1420,10 @@ DECL_PIOCTL(PSetAcl) 228 228 struct rx_connection *rxconn; 229 229 XSTATS_DECLS; … … 236 236 if (!avc) 237 237 return EINVAL; 238 @@ -1 790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)238 
@@ -1806,6 +1810,10 @@ DECL_PIOCTL(PSetTokens) 239 239 struct vrequest treq; 240 240 afs_int32 flag, set_parent_pag = 0; … … 247 247 if (!afs_resourceinit_flag) { 248 248 return EIO; 249 @@ -22 31,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)249 @@ -2266,6 +2274,11 @@ DECL_PIOCTL(PGetTokens) 250 250 int newStyle; 251 251 int code = E2BIG; … … 259 259 if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ 260 260 return EIO; /* Inappropriate ioctl for device */ 261 @@ -23 41,6 +2354,10 @@ DECL_PIOCTL(PUnlog)261 @@ -2376,6 +2389,10 @@ DECL_PIOCTL(PUnlog) 262 262 afs_int32 i; 263 263 struct unixuser *tu; -
trunk/server/common/patches/openafs-systemd-crond.patch
r2561 r2591 1 1 diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service 2 index bc95057..96272801006442 index 936762e..c0558b2 100644 3 3 --- a/src/packaging/RedHat/openafs-client.service 4 4 +++ b/src/packaging/RedHat/openafs-client.service 5 @@ -1, 5 +1,6@@5 @@ -1,6 +1,7 @@ 6 6 [Unit] 7 7 Description=OpenAFS Client Service 8 +Before=crond.service 9 After=syslog.target network.target 8 -After=syslog.target network.target 9 +After=syslog.target network-online.target 10 +Before=remote-fs.target 10 11 11 12 [Service] 12 @@ -15,4 +16,4 @@ ExecStop=/sbin/rmmod openafs 13 KillMode=none 14 15 [Install] 16 -WantedBy=multi-user.target remote-fs.target 17 +WantedBy=multi-user.target remote-fs.target crond.service 13 Type=forking