Index: server/common/patches/openafs-scripts.patch
===================================================================
--- server/common/patches/openafs-scripts.patch	(revision 627)
+++ server/common/patches/openafs-scripts.patch	(revision 628)
@@ -2,4 +2,5 @@
 # Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
 # with modifications by Joe Presbrey <presbrey@mit.edu>
+# and Anders Kaseorg <andersk@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -41,7 +42,7 @@
 # See /COPYRIGHT in this repository for more information.
 #
-diff -ur openafs-1.4.1-rc10/src/afs/afs_analyze.c openafs-1.4.1-rc10-scripts/src/afs/afs_analyze.c
---- openafs-1.4.1-rc10/src/afs/afs_analyze.c	2003-08-27 17:43:16.000000000 -0400
-+++ openafs-1.4.1-rc10-scripts/src/afs/afs_analyze.c	2006-04-18 16:38:55.000000000 -0400
+diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
+--- openafs-1.4/src/afs/afs_analyze.c	2007-11-05 23:08:45.000000000 -0500
++++ openafs-1.4+scripts/src/afs/afs_analyze.c	2007-12-18 19:22:59.000000000 -0500
 @@ -505,7 +505,7 @@
  			 (afid ? afid->Fid.Volume : 0));
@@ -53,11 +54,11 @@
  		(aerrP->err_Volume)++;
  	    areq->volumeError = VOLBUSY;
-diff -ur openafs-1.4.1-rc10/src/afs/afs.h openafs-1.4.1-rc10-scripts/src/afs/afs.h
---- openafs-1.4.1-rc10/src/afs/afs.h	2006-02-17 16:58:33.000000000 -0500
-+++ openafs-1.4.1-rc10-scripts/src/afs/afs.h	2006-04-18 16:38:55.000000000 -0400
-@@ -175,8 +175,14 @@
-    struct afs_q *prev;
+diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
+--- openafs-1.4/src/afs/afs.h	2007-12-05 03:57:36.000000000 -0500
++++ openafs-1.4+scripts/src/afs/afs.h	2007-12-18 20:12:31.000000000 -0500
+@@ -177,8 +177,16 @@
+     struct afs_q *prev;
  };
-
+ 
 +#define AFSAGENT_UID (101)
 +#define SIGNUP_UID (102)
@@ -65,4 +66,6 @@
 +#define POSTFIX_UID (89)
 +#define DAEMON_SCRIPTS_PTSID (33554596)
++extern afs_int32 globalpag;
++
  struct vrequest {
      afs_int32 uid;		/* user id making the request */
@@ -71,9 +74,9 @@
      afs_int32 flags;		/* things like O_SYNC, O_NONBLOCK go here */
      char initd;			/* if non-zero, non-uid fields meaningful */
-diff -ur openafs-1.4.1-rc10/src/afs/afs_osi_pag.c openafs-1.4.1-rc10-scripts/src/afs/afs_osi_pag.c
---- openafs-1.4.1-rc10/src/afs/afs_osi_pag.c	2005-10-05 01:58:27.000000000 -0400
-+++ openafs-1.4.1-rc10-scripts/src/afs/afs_osi_pag.c	2006-04-18 16:38:55.000000000 -0400
-@@ -46,6 +46,8 @@
- 
+diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
+--- openafs-1.4/src/afs/afs_osi_pag.c	2007-11-05 23:08:45.000000000 -0500
++++ openafs-1.4+scripts/src/afs/afs_osi_pag.c	2007-12-18 20:26:57.000000000 -0500
+@@ -51,6 +51,8 @@
+ #endif
  /* Local variables */
  
@@ -83,5 +86,5 @@
   * Pags are implemented as follows: the set of groups whose long
   * representation is '41XXXXXX' hex are used to represent the pags.
-@@ -426,6 +430,15 @@
+@@ -442,6 +444,15 @@
  	av->uid = acred->cr_ruid;	/* default when no pag is set */
  #endif
@@ -92,5 +95,5 @@
 +      globalpag = av->uid;
 +    }
-+    else {
++    else if (globalpag && av->uid == acred->cr_ruid) {
 +      av->uid = globalpag;
 +    }
@@ -99,12 +102,12 @@
      return 0;
  }
-diff -ur openafs-1.4.1-rc10/src/afs/afs_pioctl.c openafs-1.4.1-rc10-scripts/src/afs/afs_pioctl.c
---- openafs-1.4.1-rc10/src/afs/afs_pioctl.c	2006-03-02 01:44:05.000000000 -0500
-+++ openafs-1.4.1-rc10-scripts/src/afs/afs_pioctl.c	2006-04-18 16:38:55.000000000 -0400
-@@ -1202,6 +1202,10 @@
+diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
+--- openafs-1.4/src/afs/afs_pioctl.c	2007-12-05 03:57:37.000000000 -0500
++++ openafs-1.4+scripts/src/afs/afs_pioctl.c	2007-12-18 21:05:10.000000000 -0500
+@@ -1208,6 +1208,10 @@
      struct AFSFetchStatus OutStatus;
      XSTATS_DECLS;
  
-+    if(areq->realuid != AFSAGENT_UID) {
++    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
 +      return EACCES;
 +    }
@@ -113,10 +116,10 @@
      if (!avc)
  	return EINVAL;
-@@ -1422,6 +1428,10 @@
+@@ -1428,6 +1432,10 @@
      struct vrequest treq;
      afs_int32 flag, set_parent_pag = 0;
  
-+    if(areq->realuid != AFSAGENT_UID) {
-+      return 0;
++    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
++	return 0;
 +    }
 +
@@ -124,10 +127,10 @@
      if (!afs_resourceinit_flag) {
  	return EIO;
-@@ -1864,6 +1876,10 @@
+@@ -1870,6 +1878,10 @@
      register afs_int32 i;
      register struct unixuser *tu;
  
-+    if(areq->realuid != AFSAGENT_UID) {
-+      return 0;
++    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
++	return 0;
 +    }
 +
@@ -135,13 +138,14 @@
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-diff -ur openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_access.c openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_access.c	2004-08-25 03:09:35.000000000 -0400
-+++ openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_access.c	2006-04-18 16:38:55.000000000 -0400
-@@ -118,6 +118,16 @@
+diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c	2007-11-05 23:08:46.000000000 -0500
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c	2007-12-18 21:06:20.000000000 -0500
+@@ -118,6 +118,17 @@
  
      if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
  	/* rights are just those from acl */
 +
-+      if ( !(areq->realuid == avc->fid.Fid.Volume) &&
++      if ( areq->uid == globalpag &&
++           !(areq->realuid == avc->fid.Fid.Volume) &&
 +           !((avc->anyAccess | arights) == avc->anyAccess) &&
 +           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
@@ -155,10 +159,11 @@
      } else {
  	/* some rights come from dir and some from file.  Specifically, you 
-@@ -171,6 +182,17 @@
+@@ -171,6 +182,18 @@
  		    fileBits |= PRSFS_READ;
  	    }
  	}
 +	
-+        if ( !(areq->realuid == avc->fid.Fid.Volume) &&
++        if ( areq->uid == globalpag &&
++             !(areq->realuid == avc->fid.Fid.Volume) &&
 +             !((avc->anyAccess | arights) == avc->anyAccess) &&
 +             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
@@ -173,5 +178,5 @@
      }
  }
-@@ -192,6 +218,7 @@
+@@ -192,6 +215,7 @@
      OSI_VC_CONVERT(avc);
  
@@ -181,7 +186,7 @@
  	       ICL_TYPE_INT32, amode, ICL_TYPE_OFFSET,
  	       ICL_HANDLE_OFFSET(avc->m.Length));
-diff -ur openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4.1-rc10/src/afs/VNOPS/afs_vnop_attrs.c	2005-10-23 02:31:23.000000000 -0400
-+++ openafs-1.4.1-rc10-scripts/src/afs/VNOPS/afs_vnop_attrs.c	2006-04-18 16:41:32.000000000 -0400
+diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
+--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c	2007-11-05 23:08:46.000000000 -0500
++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c	2007-12-18 19:22:59.000000000 -0500
 @@ -87,8 +87,8 @@
  	}
@@ -195,5 +200,5 @@
      attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
  #elif defined(AFS_OSF_ENV)
-@@ -172,6 +179,7 @@
+@@ -172,6 +172,7 @@
  #else /* everything else */
      attrs->va_blocks = (attrs->va_size ? ((attrs->va_size + 1023)>>10)<<1:0);