Index: branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac =================================================================== --- branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac (revision 1175) +++ branches/fc11-dev/server/common/oursrc/nss_nonlocal/configure.ac (revision 1179) @@ -1,3 +1,3 @@ -AC_INIT([nss_nonlocal], [1.8], [andersk@mit.edu]) +AC_INIT([nss_nonlocal], [1.9], [andersk@mit.edu]) AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([-Wall -Werror foreign]) Index: branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c =================================================================== --- branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c (revision 1175) +++ branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c (revision 1179) @@ -98,10 +98,20 @@ fct.ptr = fct_start; do { + morebuf: if (fct.l == _nss_nonlocal_getgrgid_r) status = NSS_STATUS_NOTFOUND; else status = DL_CALL_FCT(fct.l, (gid, &gbuf, buf, buflen, errnop)); - if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) - break; + if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { + free(buf); + buflen *= 2; + buf = malloc(buflen); + if (buf == NULL) { + *errnop = ENOMEM; + errno = old_errno; + return NSS_STATUS_TRYAGAIN; + } + goto morebuf; + } } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); @@ -118,5 +128,5 @@ enum nss_status -get_local_group(const char *name, struct group *grp, char *buffer, size_t buflen, int *errnop) +get_local_group(const char *name, struct group *grp, char **buffer, int *errnop) { static const char *fct_name = "getgrnam_r"; @@ -130,11 +140,10 @@ void *ptr; } fct; - struct group gbuf; - int n; + size_t buflen; int old_errno = errno; - int len = sysconf(_SC_GETGR_R_SIZE_MAX); - char *buf = malloc(len); - if (buf == NULL) { + buflen = sysconf(_SC_GETGR_R_SIZE_MAX); + *buffer = malloc(buflen); + if (*buffer == NULL) { *errnop = ENOMEM; errno = old_errno; @@ -144,5 +153,6 @@ if (fct_start == NULL && __nss_group_lookup(&startp, fct_name, &fct_start) != 0) { - free(buf); + free(*buffer); + *buffer = NULL; return NSS_STATUS_UNAVAIL; } @@ -150,48 +160,27 @@ fct.ptr = fct_start; do { + morebuf: if (fct.l == _nss_nonlocal_getgrnam_r) status = NSS_STATUS_NOTFOUND; else - status = DL_CALL_FCT(fct.l, (name, &gbuf, buf, buflen, errnop)); - if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) - break; - } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); - - if (status != NSS_STATUS_SUCCESS) - goto get_local_group_done; - - n = snprintf(buffer, buflen, "%s", gbuf.gr_name); - if (n < 0 || n >= buflen) { - *errnop = ERANGE; - status = NSS_STATUS_TRYAGAIN; - goto get_local_group_done; - } - grp->gr_name = buffer; - buffer += n; - buflen -= n; - - n = snprintf(buffer, buflen, "%s", gbuf.gr_passwd); - if (n < 0 || n >= buflen) { - *errnop = ERANGE; - status = NSS_STATUS_TRYAGAIN; - goto get_local_group_done; - } - grp->gr_passwd = buffer; - buffer += n; - buflen -= n; - - grp->gr_gid = gbuf.gr_gid; - - if (buflen < sizeof(void *)) { - *errnop = ERANGE; - status = NSS_STATUS_TRYAGAIN; - goto get_local_group_done; - } - *(void **)buffer = NULL; - buffer += sizeof(void *); - buflen -= sizeof(void *); - - get_local_group_done: - free(buf); + status = DL_CALL_FCT(fct.l, (name, grp, *buffer, buflen, errnop)); + if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { + free(*buffer); + buflen *= 2; + *buffer = malloc(buflen); + if (*buffer == NULL) { + *errnop = ENOMEM; + errno = old_errno; + return NSS_STATUS_TRYAGAIN; + } + goto morebuf; + } + } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); + + if (status != NSS_STATUS_SUCCESS) { + free(*buffer); + *buffer = NULL; + } + return status; } @@ -401,5 +390,4 @@ gid_t local_users_gid, gid; int is_local = 0; - int buflen; char *buffer; @@ -413,17 +401,10 @@ int old_errno = errno; - buflen = sysconf(_SC_GETGR_R_SIZE_MAX); - buffer = malloc(buflen); - if (buffer == NULL) { - *errnop = ENOMEM; - errno = old_errno; - return NSS_STATUS_TRYAGAIN; - } status = get_local_group(MAGIC_LOCAL_GROUPNAME, - &local_users_group, buffer, buflen, errnop); + &local_users_group, &buffer, errnop); if (status == NSS_STATUS_SUCCESS) { local_users_gid = local_users_group.gr_gid; + free(buffer); } else if (status == NSS_STATUS_TRYAGAIN) { - free(buffer); return status; } else { @@ -432,22 +413,14 @@ local_users_gid = -1; } - free(buffer); if (is_local) { gid = local_users_gid; } else { - buflen = sysconf(_SC_GETGR_R_SIZE_MAX); - buffer = malloc(buflen); - if (buffer == NULL) { - *errnop = ENOMEM; - errno = old_errno; - return NSS_STATUS_TRYAGAIN; - } status = get_local_group(MAGIC_NONLOCAL_GROUPNAME, - &nonlocal_users_group, buffer, buflen, errnop); + &nonlocal_users_group, &buffer, errnop); if (status == NSS_STATUS_SUCCESS) { gid = nonlocal_users_group.gr_gid; + free(buffer); } else if (status == NSS_STATUS_TRYAGAIN) { - free(buffer); return status; } else { @@ -456,5 +429,4 @@ gid = -1; } - free(buffer); } Index: branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c =================================================================== --- branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c (revision 1175) +++ branches/fc11-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c (revision 1179) @@ -96,10 +96,20 @@ fct.ptr = fct_start; do { + morebuf: if (fct.l == _nss_nonlocal_getpwuid_r) status = NSS_STATUS_NOTFOUND; else status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop)); - if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) - break; + if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { + free(buf); + buflen *= 2; + buf = malloc(buflen); + if (buf == NULL) { + *errnop = ENOMEM; + errno = old_errno; + return NSS_STATUS_TRYAGAIN; + } + goto morebuf; + } } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); @@ -147,10 +157,20 @@ fct.ptr = fct_start; do { + morebuf: if (fct.l == _nss_nonlocal_getpwnam_r) status = NSS_STATUS_NOTFOUND; else status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop)); - if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) - break; + if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) { + free(buf); + buflen *= 2; + buf = malloc(buflen); + if (buf == NULL) { + *errnop = ENOMEM; + errno = old_errno; + return NSS_STATUS_TRYAGAIN; + } + goto morebuf; + } } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0); Index: branches/fc11-dev/server/common/oursrc/php_scripts/build.sh =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/build.sh (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/build.sh (revision 1179) @@ -0,0 +1,18 @@ +#!/bin/bash + +mkdir -p test/ +cp -a config.m4 php_scripts.c php_scripts.h test/ +cd test/ +phpize +./configure +make +exit + +cd ../ +echo '*****' +php -c php.ini test.php +echo '*****' +php-cgi test.php +echo '*****' +php-cgi -c php.ini test.php +echo '*****' Index: branches/fc11-dev/server/common/oursrc/php_scripts/config.m4 =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/config.m4 (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/config.m4 (revision 1179) @@ -0,0 +1,7 @@ +PHP_ARG_ENABLE(scripts, whether to enable scripts.mit.edu support, +[ --enable-scripts Enable scripts.mit.edu support]) + +if test "$PHP_SCRIPTS" != "no"; then + AC_DEFINE(HAVE_SCRIPTS, 1, [Whether you have scripts.mit.edu support]) + PHP_NEW_EXTENSION(scripts, php_scripts.c, $ext_shared) +fi Index: branches/fc11-dev/server/common/oursrc/php_scripts/php.ini =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/php.ini (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/php.ini (revision 1179) @@ -0,0 +1,5 @@ +;display_startup_errors = On +extension_dir = /root/php_scripts/test/modules/ +extension = ../../../../root/php_scripts/test/modules/scripts.so +;zend_extension_ts = ../../../../root/php_scripts/test/modules/scripts.so +error_reporting = E_ALL Index: branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.c =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.c (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.c (revision 1179) @@ -0,0 +1,85 @@ +/*** + * scripts.mit.edu PHP enhancement extension + * + * Joe Presbrey + * 2008-06-19 + * + ***/ + +#include "php.h" +#include "zend_extensions.h" + +#include "php_scripts.h" + +#ifndef ZEND_EXT_API +#define ZEND_EXT_API ZEND_DLEXPORT +#endif +ZEND_EXTENSION(); + +ZEND_MODULE_STARTUP_D(scripts) +{ + return SUCCESS; +} + +ZEND_MODULE_SHUTDOWN_D(scripts) +{ +} + +ZEND_MODULE_ACTIVATE_D(scripts) +{ + // replace error handler callback with our own + old_error_cb = zend_error_cb; + new_error_cb = scripts_error_cb; + zend_error_cb = new_error_cb; + + return SUCCESS; +} + +ZEND_MODULE_DEACTIVATE_D(scripts) +{ + // restore original error handler callback + zend_error_cb = old_error_cb; +} + +void scripts_error_cb(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) +{ + char *buffer; + const char *user = php_get_current_user(); + + // enhance the log message + spprintf(&buffer, 0, "(%s) %s", user, format); + + // pass through to builtin error callback + if (strncmp(format, "Module '%s' already loaded", 26)==0) { + // demote from E_CORE_WARNING + old_error_cb(E_NOTICE, error_filename, error_lineno, buffer, args); + } else { + old_error_cb(type, error_filename, error_lineno, buffer, args); + } + + efree(buffer); +} + +ZEND_DLEXPORT zend_extension zend_extension_entry = { + PHP_SCRIPTS_EXTNAME, + PHP_SCRIPTS_VERSION, + PHP_SCRIPTS_AUTHOR, + PHP_SCRIPTS_URL, + PHP_SCRIPTS_YEAR, + ZEND_MODULE_STARTUP_N(scripts), /* startup_func_t */ + ZEND_MODULE_SHUTDOWN_N(scripts), /* shutdown_func_t */ + ZEND_MODULE_ACTIVATE_N(scripts), /* activate_func_t */ + ZEND_MODULE_DEACTIVATE_N(scripts), /* deactivate_func_t */ + NULL, /* message_handler_func_t */ + NULL, /* op_array_handler_func_t */ + NULL, /* statement_handler_func_t */ + NULL, /* fcall_begin_handler_func_t */ + NULL, /* fcall_end_handler_func_t */ + NULL, /* op_array_ctor_func_t */ + NULL, /* op_array_dtor_func_t */ + STANDARD_ZEND_EXTENSION_PROPERTIES +}; + +#ifdef COMPILE_DL_SCRIPTS +ZEND_GET_MODULE(scripts) +#endif Index: branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.h =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.h (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/php_scripts.h (revision 1179) @@ -0,0 +1,51 @@ +/*** + * scripts.mit.edu PHP extension + * + * Joe Presbrey + * 2008-06-19 + * + ***/ + +#ifndef PHP_SCRIPTS_H +#define PHP_SCRIPTS_H 1 + +#define PHP_SCRIPTS_VERSION "1.0" +#define PHP_SCRIPTS_EXTNAME "scripts" +#define PHP_SCRIPTS_AUTHOR "presbrey@mit.edu" +#define PHP_SCRIPTS_URL "http://scripts.mit.edu/" +#define PHP_SCRIPTS_YEAR "2008" + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +extern zend_module_entry scripts_module_entry; +#define phpext_scripts_ptr &scripts_module_entry + +/* error callback repalcement functions */ +void (*old_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args); +void (*new_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args); +void scripts_error_cb(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args); + +static function_entry scripts_functions[] = { + {NULL, NULL, NULL} +}; + +zend_module_entry scripts_module_entry = { +#if ZEND_MODULE_API_NO >= 20010901 + STANDARD_MODULE_HEADER, +#endif + PHP_SCRIPTS_EXTNAME, + scripts_functions, + NULL, //PHP_MINIT(scripts), + NULL, //PHP_MSHUTDOWN(scripts), + NULL, + NULL, + NULL, +#if ZEND_MODULE_API_NO >= 20010901 + PHP_SCRIPTS_VERSION, +#endif + STANDARD_MODULE_PROPERTIES +}; + +#endif Index: branches/fc11-dev/server/common/oursrc/php_scripts/test.php =================================================================== --- branches/fc11-dev/server/common/oursrc/php_scripts/test.php (revision 1179) +++ branches/fc11-dev/server/common/oursrc/php_scripts/test.php (revision 1179) @@ -0,0 +1,7 @@ + # and Anders Kaseorg +# and Edward Z. Yang # # This file is available under both the MIT license and the GPL. @@ -43,6 +44,6 @@ # diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c ---- openafs-1.4/src/afs/afs_analyze.c 2008-10-27 19:54:06.000000000 -0400 -+++ openafs-1.4+scripts/src/afs/afs_analyze.c 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/afs_analyze.c ++++ openafs-1.4+scripts/src/afs/afs_analyze.c @@ -585,7 +585,7 @@ (afid ? afid->Fid.Volume : 0)); @@ -54,7 +55,55 @@ (aerrP->err_Volume)++; areq->volumeError = VOLBUSY; +diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c +--- openafs-1.4/src/afs/LINUX/osi_vnodeops.c ++++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c +@@ -875,6 +875,28 @@ + /* should we always update the attributes at this point? */ + /* unlikely--the vcache entry hasn't changed */ + ++ /* [scripts] This code makes hardlinks work correctly. ++ * ++ * We want Apache to be able to read a file with hardlinks ++ * named .htaccess and foo to be able to read it via .htaccess ++ * and not via foo, regardless of which name was looked up ++ * (remember, inodes do not have filenames associated with them.) ++ * ++ * It is important that we modify the existing cache entry even ++ * if it is otherwise totally valid and would not be reloaded. ++ * Otherwise, it won't recover from repeatedly reading the same ++ * inode via multiple hardlinks or different names. Specifically, ++ * Apache will be able to read both names if it was first looked ++ * up (by anyone!) via .htaccess, and neither if it was first ++ * looked up via foo. ++ * ++ * With regards to performance, the strncmp() is bounded by ++ * three characters, so it takes O(3) operations. If this code ++ * is extended to all static-cat extensions, we'll want to do ++ * some clever hashing using gperf here. ++ */ ++ vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0; ++ + } else { + #ifdef notyet + pvcp = VTOAFS(dp->d_parent->d_inode); /* dget_parent()? */ +diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c +--- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c ++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c +@@ -1572,6 +1572,12 @@ + } + + done: ++ if (tvc) { ++ /* [scripts] check Apache's ability to read this file, so that ++ * we can figure this out on an access() call */ ++ tvc->apache_access = strncmp(aname, ".ht", 3) == 0; ++ } ++ + /* put the network buffer back, if need be */ + if (tname != aname && tname) + osi_FreeLargeSpace(tname); diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h ---- openafs-1.4/src/afs/afs.h 2009-01-19 14:27:19.000000000 -0500 -+++ openafs-1.4+scripts/src/afs/afs.h 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/afs.h ++++ openafs-1.4+scripts/src/afs/afs.h @@ -208,8 +208,16 @@ #define QTOC(e) QEntry(e, struct cell, lruq) @@ -74,7 +123,15 @@ afs_int32 flags; /* things like O_SYNC, O_NONBLOCK go here */ char initd; /* if non-zero, Error fields meaningful */ +@@ -743,6 +751,7 @@ + #ifdef AFS_SUN5_ENV + short multiPage; /* count of multi-page getpages in progress */ + #endif ++ int apache_access; /* whether or not Apache has access to a file */ + }; + + #define DONT_CHECK_MODE_BITS 0 diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c ---- openafs-1.4/src/afs/afs_osi_pag.c 2008-10-20 15:29:46.000000000 -0400 -+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/afs_osi_pag.c ++++ openafs-1.4+scripts/src/afs/afs_osi_pag.c @@ -51,6 +51,8 @@ #endif @@ -103,6 +160,6 @@ } diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c ---- openafs-1.4/src/afs/afs_pioctl.c 2009-01-19 13:09:34.000000000 -0500 -+++ openafs-1.4+scripts/src/afs/afs_pioctl.c 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/afs_pioctl.c ++++ openafs-1.4+scripts/src/afs/afs_pioctl.c @@ -1217,6 +1217,10 @@ struct AFSFetchStatus OutStatus; @@ -150,6 +207,6 @@ return EIO; /* Inappropriate ioctl for device */ diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c ---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c 2008-03-07 12:34:08.000000000 -0500 -+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c ++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c @@ -118,6 +118,17 @@ @@ -170,5 +227,5 @@ } else { /* some rights come from dir and some from file. Specifically, you -@@ -171,6 +182,18 @@ +@@ -171,6 +182,19 @@ fileBits |= PRSFS_READ; } @@ -180,5 +237,6 @@ + !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) && + !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) && -+ !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && avc->m.Mode == 33279) && ++ !(arights == PRSFS_READ && areq->realuid == HTTPD_UID && ++ (avc->m.Mode == 0100777 || avc->apache_access)) && + !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) && + !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) { @@ -190,6 +248,6 @@ } diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c ---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c 2009-01-13 14:37:28.000000000 -0500 -+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c 2009-04-08 08:07:22.000000000 -0400 +--- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c ++++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c @@ -87,8 +87,8 @@ } Index: branches/fc11-dev/server/doc/HOWTO-SETUP-LDAP =================================================================== --- branches/fc11-dev/server/doc/HOWTO-SETUP-LDAP (revision 1175) +++ branches/fc11-dev/server/doc/HOWTO-SETUP-LDAP (revision 1179) @@ -12,4 +12,6 @@ - /sbin/service dirsrv start - Apply ./fedora-ds-enable-ssl-and-kerberos.diff manually +- Also set nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket + and nsslapd-ldapilisten: on, otherwise ldapi won't work. - /sbin/service dirsrv stop - Add the scripts schemas to /var/lib/dirsrv/slapd-scripts @@ -17,4 +19,5 @@ - certutil -d /etc/dirsrv/slapd-scripts -A -n "scripts.mit.edu CA" -t CT,, -a -i scripts-ca.pem - Generate a pkcs12 cert for the server: +- openssl pkcs12 -export -in c-w.pem -inkey c-w.key -name 'ldap/cats-whiskers' -out c-w.pkcs12 - pk12util -i ldap-server-cert.p12 -d /etc/dirsrv/slapd-scripts - Put LDAP keytab in /etc/dirsrv/keytab Index: branches/fc11-dev/server/doc/install-howto.sh =================================================================== --- branches/fc11-dev/server/doc/install-howto.sh (revision 1175) +++ branches/fc11-dev/server/doc/install-howto.sh (revision 1179) @@ -75,4 +75,6 @@ \cp -a etc / +# yum remove nss_ldap, because nss-ldapd conflicts with it + # env NSS_NONLOCAL_IGNORE=1 yum install scripts-base YUM install -y scripts-base @@ -99,5 +101,5 @@ # Install various dependencies of the scripts system, including syslog-ng, -# glibc-devel.i386, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all. +# glibc-devel.i586, python-twisted-core, mod_fcgid, nrpe, nagios-plugins-all. # Disable NetworkManager with chkconfig NetworkManager off. Configure @@ -109,7 +111,25 @@ # /usr/vice/etc/cacheinfo to contain: # /afs:/usr/vice/cache:10000000 +# Also fix ThisCell to contain athena.mit.edu in both directories # Figure out why Zephyr isn't working. Most recently, it was because there # was a 64-bit RPM installed; remove it and install Joe's 32-bit one + +# Install the athena-base, athena-lprng, and athena-lprng-misc RPMs +# from the Athena 9 build (these are present in our yum repo). Note +# that you will have to use --nodeps for at least one of the lprng +# ones because it thinks it needs the Athena hesiod RPM. It doesn't +# really. Before doing this, run it without --nodeps and arrange to +# install the rest of the things it really does depend on. This will +# include a bunch of 32-bit rpms; go ahead and install the .i586 versions +# of them. In the case of the Kerberos libraries, you'll be told that +# there are conflicting files with the 64-bit versions of the packages, +# which we scriptsify. You'll have to use --force to install those +# rpms despite the conflicts. After doing that, you may want to +# install the corresponding 64-bit scriptsified versions again, just +# to be safe in case the 32-bit versions overwrite files that differ. +# When you try this, it will complain that you already have the same +# version installed; again, you'll need to use --force to do it anyway. +# Yuck. # Install the full list of RPMs that users expect to be on the @@ -127,18 +147,37 @@ # TO DO THIS: # On another server, run: -# perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "$_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt +# perldoc -u perllocal | grep head2 | cut -f 3 -d '<' | cut -f 1 -d '|' | sort -u | perl -ne 'chomp; print "notest install $_\n" if system("rpm -q --whatprovides \"perl($_)\" >/dev/null 2>/dev/null")' > /mit/scripts/config/perl-packages.txt # Then on the server you're installing, - perl -MCPAN -e"$(echo notest install $(cat /mit/scripts/config/perl-packages.txt))" + cat perl-packages.txt | perl -MCPAN -e shell # Install the Python eggs and Ruby gems and PEAR/PECL doohickeys that are on # the other scripts.mit.edu servers and do not have RPMs. -# - Look at /usr/lib/python2.5/site-packages for Python eggs and modules. +# - Look at /usr/lib/python2.6/site-packages and +# /usr/lib64/python2.6/site-packages for Python eggs and modules. +# First use 'yum search' to see if the relevant package is now available +# as an RPM, and install that if it is. If not, then use easy_install. # - Look at `gem list` for Ruby gems. +# Again, use 'yum search' and prefer RPMs, but failing that, 'gem install'. # - Look at `pear list` for Pear fruits (or whatever they're called). - -# echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.5/site-packages"))' > /usr/lib/python2.5/site-packages/00scripts-home.pth - -# Install the credentials (machine keytab, daemon.scripts keytab, SSL -# certs). +# Yet again, 'yum search' for RPMs before resorting to 'pear install'. Note +# that for things in the beta repo, you'll need 'pear install package-beta'. + +# echo 'import site, os.path; site.addsitedir(os.path.expanduser("~/lib/python2.6/site-packages"))' > /usr/lib/python2.6/site-packages/00scripts-home.pth + +# Install the credentials. There are a lot of things to remember here: +# o You probably installed the machine keytab long ago +# o Use ktutil to combine the host/scripts.mit.edu and +# host/scripts-vhosts.mit.edu keys with host/this-server.mit.edu in +# the keytab. Do not use 'k5srvutil change' on the combined keytab +# or you'll break the other servers. +# o The daemon.scripts keytab +# o The SSL cert private key +# o The LDAP password for the signup process +# o The SQL password for the signup process +# o The LDAP keytab for this server, which will be used later +# o Replace the ssh host keys with the ones common to all scripts servers +# o You'll install an LDAP certificate signed by the scripts CA later +# o Make sure root's .k5login is correct +# o Make sure logview's .k5login is correct # If you are setting up a test server, pay attention to @@ -155,4 +194,7 @@ # correct. +# cd /etc/postfix; postmap virtual +# Otherwise postfix will appear to work, but actually not deliver mail + # Run fmtutil-sys --all, which does something that makes TeX work. Index: branches/fc11-dev/server/fedora/Makefile =================================================================== --- branches/fc11-dev/server/fedora/Makefile (revision 1175) +++ branches/fc11-dev/server/fedora/Makefile (revision 1179) @@ -21,5 +21,5 @@ upstream_yum = krb5 httpd openssh php upstream = openafs $(upstream_yum) -oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i386 whoisd mit-zephyr nss-ldapd scripts-base +oursrc = execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i586 whoisd mit-zephyr nss-ldapd nss-ldapd.i586 scripts-base allsrc = $(upstream) $(oursrc) oursrcdir = ${PWD}/../common/oursrc @@ -127,9 +127,9 @@ $(oursrc): rpmbuild_args += --define 'scriptsversion $(shell svnversion ${oursrcdir}/$** | tr ':' '_')' -$(filter %.i386,$(oursrc)): %.i386: setup +$(filter %.i586,$(oursrc)): %.i586: setup PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ - setarch i386 rpmbuild $(rpmbuild_args) --target=i386 --define="_lib lib" -bb ${tmp_specs}/$**.spec + setarch i586 rpmbuild $(rpmbuild_args) --target=i586 --define="_lib lib" -bb ${tmp_specs}/$**.spec -$(filter-out %.i386,$(oursrc)): %: setup +$(filter-out %.i586,$(oursrc)): %: setup PATH="/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" \ rpmbuild $(rpmbuild_args) -bb ${tmp_specs}/$**.spec @@ -180,5 +180,5 @@ # The following packages are needed for our packages basic-deps = kernel-devel rpm-build rpmdevtools gcc autoconf patch krb5-workstation glibc-devel.i586 glibc-devel libtool libgcc.i586 -oursrc-deps = hesinfo openldap-clients +oursrc-deps = hesinfo openldap-clients openldap-devel.i586 httpdmods-deps = httpd-devel httpd-deps = xmlto db4-devel expat-devel zlib-devel libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel distcache-devel Index: branches/fc11-dev/server/fedora/config/etc/environment =================================================================== --- branches/fc11-dev/server/fedora/config/etc/environment (revision 1179) +++ branches/fc11-dev/server/fedora/config/etc/environment (revision 1179) @@ -0,0 +1,1 @@ +JAVA_TOOL_OPTIONS=-Xmx128M Index: branches/fc11-dev/server/fedora/config/etc/httpd/vhosts.d/cycling-club.conf =================================================================== --- branches/fc11-dev/server/fedora/config/etc/httpd/vhosts.d/cycling-club.conf (revision 1175) +++ (revision ) @@ -1,32 +1,0 @@ -# do not trailing-slash DocumentRoot - - - ServerName cycling-club.scripts.mit.edu - ServerAlias cycling-club.scripts - DocumentRoot /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - Alias /~cycling-club /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - SuExecUserGroup cycling-club cycling-club - Include conf.d/vhosts-common.conf - - - - - ServerName cycling-club.scripts.mit.edu - ServerAlias cycling-club.scripts - DocumentRoot /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - Alias /~cycling-club /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - SuExecUserGroup cycling-club cycling-club - Include conf.d/vhosts-common-ssl.conf - SSLCertificateFile /etc/pki/tls/certs/cycling-club.pem - - - ServerName cycling-club.scripts.mit.edu - ServerAlias cycling-club.scripts - DocumentRoot /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - Alias /~cycling-club /afs/athena.mit.edu/activity/c/cycling-club/web_scripts - SuExecUserGroup cycling-club cycling-club - Include conf.d/vhosts-common-ssl.conf - Include conf.d/vhosts-common-ssl-cert.conf - SSLCertificateFile /etc/pki/tls/certs/cycling-club.pem - - Index: branches/fc11-dev/server/fedora/config/etc/httpd/vhosts.d/geofft.conf =================================================================== --- branches/fc11-dev/server/fedora/config/etc/httpd/vhosts.d/geofft.conf (revision 1179) +++ branches/fc11-dev/server/fedora/config/etc/httpd/vhosts.d/geofft.conf (revision 1179) @@ -0,0 +1,32 @@ +# do not trailing-slash DocumentRoot + + + ServerName geofft.mit.edu + ServerAlias geofft + DocumentRoot /afs/athena.mit.edu/user/g/e/geofft/web_scripts/geofft + Alias /~geofft /afs/athena.mit.edu/user/g/e/geofft/web_scripts + SuExecUserGroup geofft geofft + Include conf.d/vhosts-common.conf + + + + + ServerName geofft.mit.edu + ServerAlias geofft + DocumentRoot /afs/athena.mit.edu/user/g/e/geofft/web_scripts/geofft + Alias /~geofft /afs/athena.mit.edu/user/g/e/geofft/web_scripts + SuExecUserGroup geofft geofft + Include conf.d/vhosts-common-ssl.conf + SSLCertificateFile /etc/pki/tls/certs/geofft.pem + + + ServerName geofft.mit.edu + ServerAlias geofft + DocumentRoot /afs/athena.mit.edu/user/g/e/geofft/web_scripts/geofft + Alias /~geofft /afs/athena.mit.edu/user/g/e/geofft/web_scripts + SuExecUserGroup geofft geofft + Include conf.d/vhosts-common-ssl.conf + Include conf.d/vhosts-common-ssl-cert.conf + SSLCertificateFile /etc/pki/tls/certs/geofft.pem + + Index: branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/check.pl =================================================================== --- branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/check.pl (revision 1179) +++ branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/check.pl (revision 1179) @@ -0,0 +1,28 @@ +#!/usr/bin/perl + +use File::Basename; +use Date::Parse; + +my $dir = basename($0); +chdir $dir; + +my $now = time(); + +our $verbose = 0; +$verbose = 1 if ($ARGV[0] eq "-v"); + +use constant WARNING => 60*60*24*14; # Warn if a cert is expiring within 14 days + +foreach my $cert (glob "*.pem") { + open(X509, "-|", qw(openssl x509 -in), $cert, qw(-enddate -noout)) or die "Couldn't invoke openssl x509: $!"; + chomp(my $exp = ); + close(X509); + $exp =~ s/^notAfter=// or warn "Cert appears broken: $cert"; + + my $time = str2time($exp); + + if ($verbose || ($time - $now) <= WARNING) { + printf "Certificate expiring in %.2f days: %s for ", (($time - $now) / (60.0*60*24)), $cert; + system(qw(openssl x509 -in), $cert, qw(-subject -noout)); + } +} Index: branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/cycling-club.pem =================================================================== --- branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/cycling-club.pem (revision 1175) +++ (revision ) @@ -1,35 +1,0 @@ ------BEGIN CERTIFICATE----- -MIIGETCCBPmgAwIBAgIQOTKSLw4+ShFTT6pc11D3azANBgkqhkiG9w0BAQUFADCB -lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug -Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho -dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt -SGFyZHdhcmUwHhcNMDkwNDE3MDAwMDAwWhcNMDkwNTE3MjM1OTU5WjCCAVgxCzAJ -BgNVBAYTAlVTMQ4wDAYDVQQREwUwMjEzOTEWMBQGA1UECBMNTWFzc2FjaHVzZXR0 -czESMBAGA1UEBxMJQ2FtYnJpZGdlMR0wGwYDVQQJExQ4NCBNYXNzYWNodXNldHRz -IEF2ZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5v -bG9neTEYMBYGA1UECxMPc2NyaXB0cy5taXQuZWR1MS0wKwYDVQQLEyRURVNUIFVT -RSBPTkxZIC0gTk8gV0FSUkFOVFkgQVRUQUNIRUQxMzAxBgNVBAsTKkhvc3RlZCBi -eSBTZWN1cmUgU29ja2V0cyBMYWJvcmF0b3JpZXMsIExMQzEZMBcGA1UECxMQQ29t -b2RvIFRyaWFsIFNTTDElMCMGA1UEAxMcY3ljbGluZy1jbHViLnNjcmlwdHMubWl0 -LmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtT4hTcGJawGMR4D+szcn -dvhSQeaiPUt2eOXyZjwPsa37l48uorZT07YO4mb5uQu3zrTV9RwfbyJ9SPVt8BbN -jkh50RRKFC8v+MS9HYfPfYtcd61YJLAOoW3WCsfYvC9nZchd2NgxwmdLSvShpVSC -r8s0CCoEf458TLfb3GqKXYECAwEAAaOCAhcwggITMB8GA1UdIwQYMBaAFKFyXyYb -KJhDlV0HN9WFlp1L0sNFMB0GA1UdDgQWBBRUEXwJVUQclEWponZGKywkJmpE6DAO -BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD -AQYIKwYBBQUHAwIwEQYJYIZIAYb4QgEBBAQDAgbAMEYGA1UdIAQ/MD0wOwYMKwYB -BAGyMQECAQMEMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5u -ZXQvQ1BTMHsGA1UdHwR0MHIwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t -L1VUTi1VU0VSRmlyc3QtSGFyZHdhcmUuY3JsMDagNKAyhjBodHRwOi8vY3JsLmNv -bW9kby5uZXQvVVROLVVTRVJGaXJzdC1IYXJkd2FyZS5jcmwwcQYIKwYBBQUHAQEE -ZTBjMDsGCCsGAQUFBzAChi9odHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9VVE5BZGRU -cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv -Y2EuY29tMEkGA1UdEQRCMECCHGN5Y2xpbmctY2x1Yi5zY3JpcHRzLm1pdC5lZHWC -IHd3dy5jeWNsaW5nLWNsdWIuc2NyaXB0cy5taXQuZWR1MA0GCSqGSIb3DQEBBQUA -A4IBAQAOWgCNSXK8Ff3XoQrmdxc1iI1eXVi5HNQFBn3fhFIUyhHXAyqg5GkrcM7x -w1APfNur0rum17lWCFtArVRPss4IJzrkipnIzgRPqRhXwGtiz5/bYkXPwHCYMQup -XHKm34nnNjvWQtXuMiCKAZ1sX9trCChvqxm6limhiPpSjyrwnKullRa+y4ADIGcn -wDoSO8lu0NqXlNcm6y3HWfaCQXR2l3XyGNFwO69WU+RRh2LAmpQ1tmZbdiAAU1x+ -4dvmkSKgq+x6w+R5RakUvpMiZ5F5SS6jCyqgvqP/Hy5VXJvgRbYjnXD6Du2+MA7n -bFIuEbqwW1yMuBXFKBdwwbd1KWYM ------END CERTIFICATE----- Index: branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/geofft.pem =================================================================== --- branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/geofft.pem (revision 1179) +++ branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/geofft.pem (revision 1179) @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCArKgAwIBAgIDC5fgMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAlVT +MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4 +IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDkwNTEzMDEzNTA3WhcN +MDkwNjEzMDkwMjA4WjCBuDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDmdlb2ZmdC5t +aXQuZWR1MRMwEQYDVQQLEwpHVDAzOTQ4OTc5MTEwLwYDVQQLEyhTZWUgd3d3LnJh +cGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA5MS8wLQYDVQQLEyZEb21haW4g +Q29udHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEXMBUGA1UEAxMOZ2VvZmZ0 +Lm1pdC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALU+IU3BiWsBjEeA +/rM3J3b4UkHmoj1Ldnjl8mY8D7Gt+5ePLqK2U9O2DuJm+bkLt8601fUcH28ifUj1 +bfAWzY5IedEUShQvL/jEvR2Hz32LXHetWCSwDqFt1grH2LwvZ2XIXdjYMcJnS0r0 +oaVUgq/LNAgqBH+OfEy329xqil2BAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTw +MB0GA1UdDgQWBBRUEXwJVUQclEWponZGKywkJmpE6DA7BgNVHR8ENDAyMDCgLqAs +hipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYD +VR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAO7B0 +T9u1ut4xt7FHPzd2WpUbOm2PfCRwwAlHk9tml5awQRwdpZvl/JrZCi5EU+vZ78hf +mKzuf7r0JOCS8SxogEcOmBp/brBjkAfWzW/UFdRnqse8ytUMdAgjylS0bVau7OAf +cB13QcrOBu0HK+FiuyAAqQLHqBPRNLOjV2DFqug= +-----END CERTIFICATE----- Index: branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem =================================================================== --- branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem (revision 1179) @@ -2,11 +2,11 @@ Data: Version: 3 (0x2) - Serial Number: 2871 (0xb37) + Serial Number: 745256 (0xb5f28) Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority + Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority Validity - Not Before: Jul 23 16:00:00 2008 GMT - Not After : Jul 23 16:00:00 2009 GMT - Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=Student Information Processing Board, CN=scripts.mit.edu/Email=scripts@mit.edu + Not Before: Jun 4 20:22:36 2009 GMT + Not After : Jun 7 02:53:00 2011 GMT + Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=Student Information Processing Board, CN=scripts.mit.edu Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -24,41 +24,42 @@ Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Cert Type: - SSL Client, SSL Server, S/MIME - X509v3 Extended Key Usage: - TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication - X509v3 Key Usage: - Digital Signature, Non Repudiation, Key Encipherment + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Key Identifier: 54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8 + X509v3 CRL Distribution Points: + URI:http://crl.geotrust.com/crls/secureca.crl + + X509v3 Authority Key Identifier: + keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption - 3f:34:05:8a:a7:a1:c1:51:9b:f0:6d:c6:e4:2a:aa:fc:cd:2a: - 50:8e:36:12:74:7e:d8:9f:a7:db:63:cf:d2:19:48:01:00:aa: - 50:f8:83:5c:5b:4b:68:b8:de:a6:0a:2b:0d:f0:af:fa:d6:92: - a5:46:73:20:e4:1c:62:d4:a3:b7:48:8d:f4:6a:88:d2:a8:e0: - 2a:38:ab:c8:df:9a:55:ec:e5:83:c7:1f:e5:63:d5:b6:d5:3d: - 30:6e:a3:6e:30:84:d1:f2:35:09:b9:31:e1:c8:f1:3d:11:4d: - 99:ad:f7:33:95:8d:d7:5c:88:6a:49:23:02:1e:7d:94:ff:a7: - 7f:bf + 0e:42:72:ba:24:61:07:eb:69:d6:3e:4a:e9:ec:a3:f8:16:c0: + a2:31:2d:f0:93:ec:37:2c:dc:c0:7c:a6:9e:60:52:d4:c6:af: + f4:c7:cb:f0:ad:bf:3c:b8:34:a7:1e:35:c3:15:84:f6:79:96: + f3:ec:d7:78:62:83:81:b5:bb:5e:77:0a:19:b6:d1:9f:ae:a9: + 0b:f6:8a:7c:71:1e:a9:8e:e7:3d:e7:a6:38:47:3a:9f:0c:69: + 37:a1:3f:0e:44:77:47:b9:75:4a:49:08:f3:42:43:58:2c:24: + d2:b9:5b:9c:8b:9a:5f:b6:83:cc:bb:ec:26:65:b7:75:50:83: + a6:5b -----BEGIN CERTIFICATE----- -MIIDOjCCAqOgAwIBAgICCzcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCVVMx -FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMg -SW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsTG01JVCBDZXJ0aWZpY2F0 -aW9uIEF1dGhvcml0eTAeFw0wODA3MjMxNjAwMDBaFw0wOTA3MjMxNjAwMDBaMIHS -MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJ -Q2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBU -ZWNobm9sb2d5MS0wKwYDVQQLEyRTdHVkZW50IEluZm9ybWF0aW9uIFByb2Nlc3Np -bmcgQm9hcmQxGDAWBgNVBAMTD3NjcmlwdHMubWl0LmVkdTEeMBwGCSqGSIb3DQEJ -ARYPc2NyaXB0c0BtaXQuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1 -PiFNwYlrAYxHgP6zNyd2+FJB5qI9S3Z45fJmPA+xrfuXjy6itlPTtg7iZvm5C7fO -tNX1HB9vIn1I9W3wFs2OSHnRFEoULy/4xL0dh899i1x3rVgksA6hbdYKx9i8L2dl -yF3Y2DHCZ0tK9KGlVIKvyzQIKgR/jnxMt9vcaopdgQIDAQABo3UwczAJBgNVHRME -AjAAMBEGCWCGSAGG+EIBAQQEAwIF4DAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYB -BQUHAwQGCCsGAQUFBwMCMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQUVBF8CVVEHJRF -qaJ2RissJCZqROgwDQYJKoZIhvcNAQEFBQADgYEAPzQFiqehwVGb8G3G5Cqq/M0q -UI42EnR+2J+n22PP0hlIAQCqUPiDXFtLaLjepgorDfCv+taSpUZzIOQcYtSjt0iN -9GqI0qjgKjiryN+aVezlg8cf5WPVttU9MG6jbjCE0fI1Cbkx4cjxPRFNma33M5WN -11yIakkjAh59lP+nf78= +MIIDKDCCApGgAwIBAgIDC18oMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA0MjAyMjM2WhcNMTEwNjA3MDI1MzAw +WjCBsjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV +BAcTCUNhbWJyaWRnZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUg +b2YgVGVjaG5vbG9neTEtMCsGA1UECxMkU3R1ZGVudCBJbmZvcm1hdGlvbiBQcm9j +ZXNzaW5nIEJvYXJkMRgwFgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwgZ8wDQYJKoZI +hvcNAQEBBQADgY0AMIGJAoGBALU+IU3BiWsBjEeA/rM3J3b4UkHmoj1Ldnjl8mY8 +D7Gt+5ePLqK2U9O2DuJm+bkLt8601fUcH28ifUj1bfAWzY5IedEUShQvL/jEvR2H +z32LXHetWCSwDqFt1grH2LwvZ2XIXdjYMcJnS0r0oaVUgq/LNAgqBH+OfEy329xq +il2BAgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBRUEXwJVUQc +lEWponZGKywkJmpE6DA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3Ry +dXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAfBgNVHSMEGDAWgBRI5mj5K9KylddH +2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZI +hvcNAQEFBQADgYEADkJyuiRhB+tp1j5K6eyj+BbAojEt8JPsNyzcwHymnmBS1Mav +9MfL8K2/PLg0px41wxWE9nmW8+zXeGKDgbW7XncKGbbRn66pC/aKfHEeqY7nPeem +OEc6nwxpN6E/DkR3R7l1SkkI80JDWCwk0rlbnIuaX7aDzLvsJmW3dVCDpls= -----END CERTIFICATE----- Index: branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/star.scripts.pem =================================================================== --- branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/star.scripts.pem (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/pki/tls/certs/star.scripts.pem (revision 1179) @@ -2,11 +2,11 @@ Data: Version: 3 (0x2) - Serial Number: 2870 (0xb36) + Serial Number: 744584 (0xb5c88) Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority + Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority Validity - Not Before: Jul 23 16:00:00 2008 GMT - Not After : Jul 23 16:00:00 2009 GMT - Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=Student Information Processing Board, CN=*.scripts.mit.edu/Email=scripts@mit.edu + Not Before: Jun 4 09:13:16 2009 GMT + Not After : Jun 5 13:13:22 2014 GMT + Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=Student Information Processing Board, CN=*.scripts.mit.edu Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -24,41 +24,42 @@ Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Cert Type: - SSL Client, SSL Server, S/MIME - X509v3 Extended Key Usage: - TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication - X509v3 Key Usage: - Digital Signature, Non Repudiation, Key Encipherment + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Key Identifier: 54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8 + X509v3 CRL Distribution Points: + URI:http://crl.geotrust.com/crls/secureca.crl + + X509v3 Authority Key Identifier: + keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4 + + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption - 2a:6e:b7:99:2a:13:93:a1:35:42:e2:fd:a9:30:3c:63:a2:e0: - c0:87:b0:8c:1a:60:9e:12:db:be:e7:6d:01:9a:1b:d2:80:fd: - fa:49:12:2b:7e:48:cf:00:0d:d6:f8:aa:d2:2a:0d:cf:86:01: - 4c:bd:33:bf:ca:ee:b5:4e:aa:fe:4b:c3:6d:e5:2a:ad:d8:2e: - 8a:87:e3:f0:3e:11:c8:fa:0e:bf:0f:6e:c3:7a:25:17:e5:96: - 33:7a:e6:fb:5b:03:b0:b3:7d:75:31:e7:ab:59:3a:0e:f9:11: - 44:0a:23:1a:3e:1c:a8:06:5c:f7:e7:7d:0b:0c:f4:53:02:e9: - 51:8d + 2c:25:90:82:a2:82:e8:03:58:b4:38:11:bc:c0:b5:f0:44:ee: + b3:d9:5f:90:ab:b3:f6:24:fa:92:6b:9c:3a:7d:5d:89:f4:a2: + 3c:2f:cb:85:b2:fe:b6:92:0f:1b:94:65:2d:d6:70:f8:9f:77: + 9c:b3:20:fa:16:91:9d:e1:b7:64:07:27:42:8b:be:e2:f3:d9: + 78:71:42:12:3d:6f:33:37:4b:01:2e:1d:87:25:48:bf:50:23: + 7a:b0:02:41:5d:35:08:bf:e7:15:08:5c:11:7d:91:10:06:52: + 19:d3:05:01:94:86:07:f7:76:41:e1:fb:d9:1c:d0:ee:74:9f: + 51:66 -----BEGIN CERTIFICATE----- -MIIDPDCCAqWgAwIBAgICCzYwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCVVMx -FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMg -SW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsTG01JVCBDZXJ0aWZpY2F0 -aW9uIEF1dGhvcml0eTAeFw0wODA3MjMxNjAwMDBaFw0wOTA3MjMxNjAwMDBaMIHU -MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJ -Q2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBU -ZWNobm9sb2d5MS0wKwYDVQQLEyRTdHVkZW50IEluZm9ybWF0aW9uIFByb2Nlc3Np -bmcgQm9hcmQxGjAYBgNVBAMTESouc2NyaXB0cy5taXQuZWR1MR4wHAYJKoZIhvcN -AQkBFg9zY3JpcHRzQG1pdC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB -ALU+IU3BiWsBjEeA/rM3J3b4UkHmoj1Ldnjl8mY8D7Gt+5ePLqK2U9O2DuJm+bkL -t8601fUcH28ifUj1bfAWzY5IedEUShQvL/jEvR2Hz32LXHetWCSwDqFt1grH2Lwv -Z2XIXdjYMcJnS0r0oaVUgq/LNAgqBH+OfEy329xqil2BAgMBAAGjdTBzMAkGA1Ud -EwQCMAAwEQYJYIZIAYb4QgEBBAQDAgXgMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggr -BgEFBQcDBAYIKwYBBQUHAwIwCwYDVR0PBAQDAgXgMB0GA1UdDgQWBBRUEXwJVUQc -lEWponZGKywkJmpE6DANBgkqhkiG9w0BAQUFAAOBgQAqbreZKhOToTVC4v2pMDxj -ouDAh7CMGmCeEtu+520BmhvSgP36SRIrfkjPAA3W+KrSKg3PhgFMvTO/yu61Tqr+ -S8Nt5Sqt2C6Kh+PwPhHI+g6/D27DeiUX5ZYzeub7WwOws311MeerWToO+RFECiMa -PhyoBlz3530LDPRTAulRjQ== +MIIDKjCCApOgAwIBAgIDC1yIMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA0MDkxMzE2WhcNMTQwNjA1MTMxMzIy +WjCBtDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV +BAcTCUNhbWJyaWRnZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUg +b2YgVGVjaG5vbG9neTEtMCsGA1UECxMkU3R1ZGVudCBJbmZvcm1hdGlvbiBQcm9j +ZXNzaW5nIEJvYXJkMRowGAYDVQQDFBEqLnNjcmlwdHMubWl0LmVkdTCBnzANBgkq +hkiG9w0BAQEFAAOBjQAwgYkCgYEAtT4hTcGJawGMR4D+szcndvhSQeaiPUt2eOXy +ZjwPsa37l48uorZT07YO4mb5uQu3zrTV9RwfbyJ9SPVt8BbNjkh50RRKFC8v+MS9 +HYfPfYtcd61YJLAOoW3WCsfYvC9nZchd2NgxwmdLSvShpVSCr8s0CCoEf458TLfb +3GqKXYECAwEAAaOBrjCBqzAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0OBBYEFFQRfAlV +RByURamidkYrLCQmakToMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwuZ2Vv +dHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3JsMB8GA1UdIwQYMBaAFEjmaPkr0rKV +10fYIyAQTzOYkJ/UMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkq +hkiG9w0BAQUFAAOBgQAsJZCCooLoA1i0OBG8wLXwRO6z2V+Qq7P2JPqSa5w6fV2J +9KI8L8uFsv62kg8blGUt1nD4n3ecsyD6FpGd4bdkBydCi77i89l4cUISPW8zN0sB +Lh2HJUi/UCN6sAJBXTUIv+cVCFwRfZEQBlIZ0wUBlIYH93ZB4fvZHNDudJ9RZg== -----END CERTIFICATE----- Index: branches/fc11-dev/server/fedora/config/etc/postfix/main.cf =================================================================== --- branches/fc11-dev/server/fedora/config/etc/postfix/main.cf (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/postfix/main.cf (revision 1179) @@ -10,5 +10,5 @@ alias_database = hash:/etc/aliases myorigin = scripts.mit.edu -mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, localhost +mydestination = scripts.mit.edu, scripts, $myhostname, scripts-test.mit.edu, scripts-test, scripts-vhosts.mit.edu, scripts-vhosts, localhost relayhost = mynetworks = 127.0.0.0/8 Index: branches/fc11-dev/server/fedora/config/etc/security/limits.conf =================================================================== --- branches/fc11-dev/server/fedora/config/etc/security/limits.conf (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/security/limits.conf (revision 1179) @@ -45,5 +45,4 @@ # For everyone else, * soft core 0 -* - memlock 64 * - rss 524268 * - data 1048576 Index: branches/fc11-dev/server/fedora/config/etc/ssh/shosts.equiv =================================================================== --- branches/fc11-dev/server/fedora/config/etc/ssh/shosts.equiv (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/ssh/shosts.equiv (revision 1179) @@ -2,5 +2,7 @@ old-faithful.mit.edu bees-knees.mit.edu +cats-whiskers.mit.edu 172.21.0.53 172.21.0.57 172.21.0.167 +172.21.0.228 Index: branches/fc11-dev/server/fedora/config/etc/ssh/ssh_known_hosts =================================================================== --- branches/fc11-dev/server/fedora/config/etc/ssh/ssh_known_hosts (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/ssh/ssh_known_hosts (revision 1179) @@ -1,2 +1,3 @@ +cats-whiskers.mit.edu,cats-whiskers,c-w.mit.edu,c-w,scripts4.mit.edu,scripts4,18.181.0.228,172.21.0.228 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== bees-knees.mit.edu,bees-knees,b-k.mit.edu,b-k,scripts3.mit.edu,scripts3,18.181.0.167,172.21.0.167 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== better-mousetrap.mit.edu,better-mousetrap,b-m.mit.edu,b-m,scripts1.mit.edu,scripts1,18.181.0.57,172.21.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ== Index: branches/fc11-dev/server/fedora/config/etc/ssh/sshd_config =================================================================== --- branches/fc11-dev/server/fedora/config/etc/ssh/sshd_config (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/ssh/sshd_config (revision 1179) @@ -19,3 +19,3 @@ IgnoreRhosts yes IgnoreUserKnownHosts yes -DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu +DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu Index: branches/fc11-dev/server/fedora/config/etc/sysconfig/network-scripts/route-eth1 =================================================================== --- branches/fc11-dev/server/fedora/config/etc/sysconfig/network-scripts/route-eth1 (revision 1175) +++ branches/fc11-dev/server/fedora/config/etc/sysconfig/network-scripts/route-eth1 (revision 1179) @@ -5,2 +5,3 @@ 18.181.0.57 via 172.21.0.57 18.181.0.167 via 172.21.0.167 +18.181.0.228 via 172.21.0.228 Index: branches/fc11-dev/server/fedora/specs/nss_nonlocal.spec =================================================================== --- branches/fc11-dev/server/fedora/specs/nss_nonlocal.spec (revision 1175) +++ branches/fc11-dev/server/fedora/specs/nss_nonlocal.spec (revision 1179) @@ -2,5 +2,5 @@ Group: System Environment/Libraries Name: nss_nonlocal -Version: 1.8 +Version: 1.9 Release: 0 URL: http://debathena.mit.edu/nss_nonlocal/