Changeset 1179 for branches/fc11-dev/server/common/patches

Timestamp:

Jun 8, 2009, 1:07:47 PM (15 years ago)

Author:

mitchb

Message:

Merge r1121:1178 from trunk to branches/fc11-dev

Location:

branches/fc11-dev/server/common/patches

Files:

• httpd-suexec-scripts.patch (modified) (10 diffs)
• openafs-scripts.patch (modified) (9 diffs)

branches/fc11-dev/server/common/patches/httpd-suexec-scripts.patch

@@ -46 +46 @@
    AC_DEFINE_UNQUOTED(AP_DOC_ROOT, "$withval", [SuExec root directory] ) ] )
 --- httpd-2.2.11/support/suexec.c.old   2008-11-30 10:47:31.000000000 -0500
-+++ httpd-2.2.11/support/suexec.c       2009-06-03 05:16:45.000000000 -0400
++++ httpd-2.2.11/support/suexec.c       2009-06-08 09:02:17.000000000 -0400
 @@ -30,6 +30,9 @@
   *
@@ -141 +141 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -350,6 +413,20 @@
+@@ -268,6 +331,7 @@
+      * Start with a "clean" environment
+      */
+     clean_env();
++    setenv("JAVA_TOOL_OPTIONS", "-Xmx128M", 1); /* scripts.mit.edu local hack */
+ 
+     prog = argv[0];
+     /*
+@@ -350,6 +414,20 @@
  #endif /*_OSD_POSIX*/
  
@@ -162 +170 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +448,7 @@
+@@ -371,6 +449,7 @@
          userdir = 1;
      }
@@ -170 +178 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +530,7 @@
+@@ -452,7 +531,7 @@
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -179 +187 @@
          exit(107);
      }
-@@ -484,6 +562,21 @@
+@@ -484,6 +563,21 @@
          log_err("failed to setuid (%ld: %s)\n", uid, cmd);
          exit(110);
@@ -201 +209 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +599,21 @@
+@@ -506,6 +600,21 @@
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -223 +231 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +640,17 @@
+@@ -532,15 +641,17 @@
      /*
       * Error out if cwd is writable by others.
@@ -242 +250 @@
          exit(117);
      }
-@@ -548,10 +658,12 @@
+@@ -548,10 +659,12 @@
      /*
       * Error out if the program is writable by others.
@@ -255 +263 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +677,7 @@
+@@ -565,6 +678,7 @@
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -263 +271 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,16 +689,33 @@
+@@ -576,16 +690,33 @@
                  prg_info.st_uid, prg_info.st_gid);
          exit(120);

branches/fc11-dev/server/common/patches/openafs-scripts.patch

@@ -3 +3 @@
 # with modifications by Joe Presbrey <presbrey@mit.edu>
 # and Anders Kaseorg <andersk@mit.edu>
+# and Edward Z. Yang <ezyang@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -43 +44 @@
 #
 diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
---- openafs-1.4/src/afs/afs_analyze.c   2008-10-27 19:54:06.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_analyze.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_analyze.c
++++ openafs-1.4+scripts/src/afs/afs_analyze.c
 @@ -585,7 +585,7 @@
                          (afid ? afid->Fid.Volume : 0));
@@ -54 +55 @@
                 (aerrP->err_Volume)++;
             areq->volumeError = VOLBUSY;
+diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+--- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
++++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
+@@ -875,6 +875,28 @@
+        /* should we always update the attributes at this point? */
+        /* unlikely--the vcache entry hasn't changed */
+ 
++       /* [scripts] This code makes hardlinks work correctly.
++        *
++        * We want Apache to be able to read a file with hardlinks
++        * named .htaccess and foo to be able to read it via .htaccess
++        * and not via foo, regardless of which name was looked up
++        * (remember, inodes do not have filenames associated with them.)
++        *
++        * It is important that we modify the existing cache entry even
++        * if it is otherwise totally valid and would not be reloaded.
++        * Otherwise, it won't recover from repeatedly reading the same
++        * inode via multiple hardlinks or different names.  Specifically,
++        * Apache will be able to read both names if it was first looked
++        * up (by anyone!) via .htaccess, and neither if it was first
++        * looked up via foo.
++        *
++        * With regards to performance, the strncmp() is bounded by
++        * three characters, so it takes O(3) operations.  If this code
++        * is extended to all static-cat extensions, we'll want to do
++        * some clever hashing using gperf here.
++        */
++       vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
++
+     } else {
+ #ifdef notyet
+        pvcp = VTOAFS(dp->d_parent->d_inode);           /* dget_parent()? */
+diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
+@@ -1572,6 +1572,12 @@
+     }
+ 
+   done:
++    if (tvc) {
++       /* [scripts] check Apache's ability to read this file, so that
++        * we can figure this out on an access() call */
++       tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
++    }
++
+     /* put the network buffer back, if need be */
+     if (tname != aname && tname)
+        osi_FreeLargeSpace(tname);
 diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
---- openafs-1.4/src/afs/afs.h   2009-01-19 14:27:19.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs.h   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs.h
++++ openafs-1.4+scripts/src/afs/afs.h
 @@ -208,8 +208,16 @@
  #define QTOC(e)            QEntry(e, struct cell, lruq)
@@ -74 +123 @@
      afs_int32 flags;           /* things like O_SYNC, O_NONBLOCK go here */
      char initd;                        /* if non-zero, Error fields meaningful */
+@@ -743,6 +751,7 @@
+ #ifdef AFS_SUN5_ENV
+     short multiPage;           /* count of multi-page getpages in progress */
+ #endif
++    int apache_access;         /* whether or not Apache has access to a file */
+ };
+ 
+ #define        DONT_CHECK_MODE_BITS    0
 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
---- openafs-1.4/src/afs/afs_osi_pag.c   2008-10-20 15:29:46.000000000 -0400
-+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c   2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_osi_pag.c
++++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
 @@ -51,6 +51,8 @@
  #endif
@@ -103 +160 @@
  }
 diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
---- openafs-1.4/src/afs/afs_pioctl.c    2009-01-19 13:09:34.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/afs_pioctl.c    2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/afs_pioctl.c
++++ openafs-1.4+scripts/src/afs/afs_pioctl.c
 @@ -1217,6 +1217,10 @@
      struct AFSFetchStatus OutStatus;
@@ -150 +207 @@
         return EIO;             /* Inappropriate ioctl for device */
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
 @@ -118,6 +118,17 @@
  
@@ -170 +227 @@
      } else {
         /* some rights come from dir and some from file.  Specifically, you 
-@@ -171,6 +182,18 @@
+@@ -171,6 +182,19 @@
                     fileBits |= PRSFS_READ;
             }
@@ -180 +237 @@
 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
 +             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
-+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) &&
++             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
++                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
 +             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
 +             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
@@ -190 +248 @@
  }
 diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c  2009-01-13 14:37:28.000000000 -0500
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c  2009-04-08 08:07:22.000000000 -0400
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
 @@ -87,8 +87,8 @@
         }