Index: trunk/locker/doc/cluedump/AFS.tex
===================================================================
--- trunk/locker/doc/cluedump/AFS.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/AFS.tex	(revision 1648)
@@ -0,0 +1,65 @@
+\subsection{AFS}
+
+\begin{frame}
+  \frametitle{AFS access controls}
+  \begin{itemize}
+  \item AFS enforces server side access controls.
+  \item On Athena systems: user's password $\to$ Kerberos tickets
+    $\to$ AFS tokens, which authenticate the client to the AFS server.
+  \item On scripts, we don't have the user's password or tickets.
+  \item User's scripts are not publicly readable.
+  \item Access is controlled through a single {\tt daemon.scripts} AFS
+    user.
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Isolating users on scripts}
+  \begin{itemize}
+  \item If all users share {\tt daemon.scripts} AFS tokens, how are
+    they prevented from accessing each other's {\tt web\_scripts}?
+  \item On scripts, we enforce additional restrictions in the AFS
+    kernel module.
+    \begin{itemize}
+    \item \texttt{afsAccessOK()} in
+      \texttt{openafs/src/afs/VNOPS/afs\_vnop\_access.c}
+      \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+  \only<1>{You can only use {\tt daemon.scripts} credentials to access
+    files in a volume with volume ID equal to your UID,}%
+  \only<2>{or the file is {\tt system:anyuser} readable
+    anyway,\vspace{\baselineskip}}%
+  \only<3>{or the {\tt apache} or {\tt postfix} users are doing a {\tt
+      stat()},\vspace{\baselineskip}}%
+  \only<4>{or the {\tt apache} user is trying to read a file with mode
+    {\tt 777},\vspace{\baselineskip}}%
+  \only<5>{or the {\tt root} or {\tt signup} users are accessing file
+    with the special {\tt D} or {\tt E} bits.}%
+
+\begin{footnotesize}
+\begin{semiverbatim}
+ int
+ afs_AccessOK(struct vcache *avc, afs_int32 arights,
+              struct vrequest *areq, afs_int32 check_mode_bits)
+ \{
+     \ldots
++    if (\alert<1>{!(areq->realuid == avc->fid.Fid.Volume)} &&
++        \alert<2>{!((avc->anyAccess | arights) == avc->anyAccess)} &&
++        \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&}
++        \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID)} &&
++        \alert<4>{!(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&}
++        \alert<4>{  avc->m.Mode == 0100777)} &&
++        \alert<5>{!(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) &&}
++        \alert<5>{  areq->realuid == 0) &&}
++        \alert<5>{!(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) &&}
++        \alert<5>{  (areq->realuid == 0 || areq->realuid == SIGNUP_UID))}) \{
++       return 0;
++    \}
+     \ldots
+\end{semiverbatim}
+\end{footnotesize}
+\end{frame}
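Review bot: The bullet on the "Isolating users" frame names the function `\texttt{afsAccessOK()}` while the snippet on the next frame declares `afs_AccessOK(...)`; the two should agree so a reader can locate the function in `afs\_vnop\_access.c`, and `\texttt{afs\_AccessOK()}` is the spelling the snippet supports. In the snippet the trailing `&&` sits inside the `\alert<3>{…}` group on the first `PRSFS_LOOKUP` line but outside it on the second, and the `\alert<4>` and `\alert<5>` groups split single parenthesised terms across lines, so the highlighted region is uneven between overlays; keeping each `&&` outside its `\alert` group aligns the highlights with the overlay text. The snippet is an excerpt bracketed by `\ldots`, so the surrounding function body is not in the hunk.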
+
Index: trunk/locker/doc/cluedump/LDAP.tex
===================================================================
--- trunk/locker/doc/cluedump/LDAP.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/LDAP.tex	(revision 1648)
@@ -0,0 +1,17 @@
+\subsection{LDAP}
+
+\begin{frame}
+  \frametitle{LDAP data}
+
+  \begin{itemize}
+  \item All user-specific information is stored in LDAP records
+  \item Each scripts server runs a local LDAP daemon with multi-master
+    replication
+  \item Each user has a \texttt{posixAccount} and at least one
+    \texttt{apacheConfig} and \texttt{scriptsVhost}
+  \item Users can request additional virtual hosts
+  \item We hope to create a web interface (phase 1 of
+    ``scripts-pony'') for users to create virtual hosts in the
+    \texttt{*.user.scripts.mit.edu} namespace
+  \end{itemize}
+\end{frame}
Index: trunk/locker/doc/cluedump/LVS.tex
===================================================================
--- trunk/locker/doc/cluedump/LVS.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/LVS.tex	(revision 1648)
@@ -0,0 +1,22 @@
+\subsection{LVS}
+
+\begin{frame}
+  \frametitle{Linux Virtual Server}
+  \begin{itemize}
+    \item Provides high availability and load balancing
+    \item {\tt heartbeat} provides failover between LVS ``directors''
+    \item {\tt ldirectord} keeps track of online scripts servers and chooses destination server for each request
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Load Balancing}
+  \begin{itemize}
+    \item Users are assigned to scripts servers based on IP
+    \item Works around bugs in scripts that assume a single web server
+  \end{itemize}
+  \begin{center}
+    \only<1>{\includegraphics[width=3in] {Aggregated-cps_www-year.png}}
+    \only<2>{\includegraphics[width=3in] {Aggregated-cps_www-year-clip.png}}
+  \end{center}
+\end{frame}
Index: trunk/locker/doc/cluedump/backend.tex
===================================================================
--- trunk/locker/doc/cluedump/backend.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/backend.tex	(revision 1648)
@@ -0,0 +1,1 @@
+\section{Backend}
Index: trunk/locker/doc/cluedump/closing.tex
===================================================================
--- trunk/locker/doc/cluedump/closing.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/closing.tex	(revision 1648)
@@ -0,0 +1,7 @@
+\section{Further Info}
+\begin{frame}
+  \frametitle{Further Info}
+  Subversion: {\tt svn://scripts.mit.edu/}
+  \\
+  Scripts Hackathon \\ Saturday, 2 PM, W20-557
+\end{frame}
Index: trunk/locker/doc/cluedump/contents.tex
===================================================================
--- trunk/locker/doc/cluedump/contents.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/contents.tex	(revision 1648)
@@ -0,0 +1,5 @@
+\begin{frame}
+  \frametitle{Outline}
+  \tableofcontents[pausesections]
+\end{frame}
+
Index: trunk/locker/doc/cluedump/httpdmods.tex
===================================================================
--- trunk/locker/doc/cluedump/httpdmods.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/httpdmods.tex	(revision 1648)
@@ -0,0 +1,50 @@
+\subsection{Apache modules}
+
+\begin{frame}[fragile]
+  \frametitle{Apache modules}
+  \begin{itemize}
+  \item We make it easy to do authentication against MIT certificates.
+  \item Both \texttt{https://scripts-cert.mit.edu}, and port
+    \texttt{444} on any scripts hostname, are configured to request
+    client certificates.
+  \item \texttt{mod\_ssl} provides the
+    \texttt{SSL\_CLIENT\_S\_DN\_Email} environment variable, but does
+    not integrate with the Apache authentication and authorization
+    framework.
+  \item Wrote a collection of Apache modules to make this cleaner.
+  \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+  \frametitle{\texttt{mod\_auth\_sslcert}}
+  \begin{itemize}
+  \item \texttt{mod\_auth\_sslcert} passes the
+    \texttt{SSL\_CLIENT\_S\_DN\_Email} variable to the Apache
+    authorization handlers.
+  \end{itemize}
+\begin{semiverbatim}
+AuthType SSLCert
+AuthSSLCertVar SSL_CLIENT_S_DN_Email
+AuthSSLCertStripSuffix "@MIT.EDU"
+\end{semiverbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+  \frametitle{\texttt{mod\_authz\_afsgroup}}
+  \begin{itemize}
+  \item \texttt{mod\_authz\_afsgroup} does Apache authorization based
+    on AFS groups.
+  \end{itemize}
+\begin{semiverbatim}
+Require afsgroup system:scripts-team
+\end{semiverbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+  \frametitle{\texttt{mod\_auth\_optional}}
+  \begin{itemize}
+  \item \texttt{mod\_auth\_optional} subverts the authorization
+    process to allow you to serve different pages to users with
+    certificates and users without certificates.
+  \end{itemize}
+\end{frame}
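Review bot: The first and last frames of this file carry the `[fragile]` option but contain no verbatim material, whereas the two frames with `semiverbatim` blocks need it; `fragile` makes beamer route the frame body through an external file, which appears to be where the committed `slides.vrb` (holding the `mod\_auth\_optional` frame) comes from, so plain `\begin{frame}` suffices for those two. A one-line note on the `mod\_auth\_sslcert` frame saying what `AuthSSLCertStripSuffix` leaves behind as the Apache user name would make the example self-explanatory, since the three directives are shown without a resulting value.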
Index: trunk/locker/doc/cluedump/kerberos.tex
===================================================================
--- trunk/locker/doc/cluedump/kerberos.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/kerberos.tex	(revision 1648)
@@ -0,0 +1,47 @@
+\subsection{Kerberos}
+
+\begin{frame}
+  \frametitle{Group locker support}
+
+  \begin{itemize}
+  \item ``Users'' on scripts are actually lockers.
+  \item User IDs are actually locker volume IDs.
+    \pause
+  \item Kerberos is modified to let users SSH in as any locker they
+    administrate.
+    \begin{itemize}
+    \item Replaced the \texttt{.k5login} mechanism:
+      \texttt{krb5\_kuserok()} in
+      \texttt{krb5/src/lib/krb5/os/kuserok.c}
+    \item Calls a Perl script \texttt{/usr/local/sbin/admof} to do the
+      actual check.
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\begin{footnotesize}
+\begin{semiverbatim}
+ krb5_boolean KRB5_CALLCONV
+ krb5_kuserok(krb5_context context, krb5_principal principal,
+              const char *luser)
+ \{
+     \ldots
++    if ((pid = fork()) == -1) \{
++       free(princname);
++       return(FALSE);
++    \}
++    if (pid == 0) \{
++#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
++        exec(ADMOF_PATH, ADMOF_PATH, (char *) luser, princname, NULL);
++        exit(1);
++    \}
++    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) &&
++        WEXITSTATUS(status) == 33) \{
++        isok = TRUE;
++    \}
+     \ldots
+ \}
+\end{semiverbatim}
+\end{footnotesize}
+\end{frame}
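Review bot: The child branch of the snippet calls `exec(ADMOF_PATH, ADMOF_PATH, (char *) luser, princname, NULL)`, but libc has no `exec` function; the NULL-terminated argument list is the `execl` form, so the line should read `execl(ADMOF_PATH, ADMOF_PATH, (char *) luser, princname, NULL);`. The path in the `#define`, `/usr/local/sbin/ssh-admof`, also disagrees with the bullet on the previous frame, which names the script `/usr/local/sbin/admof`; one of the two is stale. Placing the `#define` inside the function body is unusual for an excerpt and would read better above the signature or replaced by a `\ldots`. A short caption stating that `isok` is presumably initialised to `FALSE` above the excerpt, so an exec failure, the `exit(1)`, or any status other than 33 denies the login, would make the property the audience should take away explicit; the function starts and ends outside the hunk.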
Index: trunk/locker/doc/cluedump/services.tex
===================================================================
--- trunk/locker/doc/cluedump/services.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/services.tex	(revision 1648)
@@ -0,0 +1,89 @@
+\section{Services}
+
+\subsection{Web}
+\begin{frame}
+  \frametitle{Apache}
+  \begin{itemize}
+      \item Everyone wants Apache
+      \item Apache's default configuration isn't safe for scripting
+      \item Scripting \emph{requires} code execution---mod\_php, mod\_perl, mod\_python
+      \item Apache normally runs everything as apache/nobody
+      \item How to secure?
+      \pause
+      \item suEXEC---allows Apache to spawn a process as the user\ldots
+      \item {\ldots}even for static content!
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{suEXEC}
+  \begin{itemize}
+    \item setuid program
+    \item Passed the request by Apache
+    \item Verifies that the script is in the {\tt web\_scripts} directory
+    \item Switches to the uid of the file and executes
+    \item Even for static files!
+  \end{itemize}
+\end{frame}
+
+\subsection{Mail}
+
+\begin{frame}[fragile]
+  \frametitle{Postfix}
+  \begin{itemize}
+    \item Standard Postfix server
+    \item No local mailboxes
+    \item All mail is passed to procmail
+  \end{itemize}
+  \begin{verbatim}mailbox_command = /usr/bin/procmail -t \
+-a "${EXTENSION}" ~/mail_scripts/procmailrc\end{verbatim}
+\end{frame}
+
+\begin{frame}[fragile]
+  \frametitle{procmail}
+  \begin{itemize}
+    \item Reads \verb|~/mail_scripts/procmailrc| from user's home directory
+    \item Users can do whatever they want with messages
+    \item AFS causes problems---No way to know if failure is temporary (file server is down) or permanent (user isn't signed up for mail scripts)
+    \item All procmail failures are treated as temporary, so mail is queued
+  \end{itemize}
+\end{frame}
+
+\subsection{Cron (``Shortjobs'')}
+
+\begin{frame}[fragile]
+  \frametitle{Cron (cronie)}
+  \begin{itemize}
+    \item Crontabs are currently stored locally on scripts servers
+    \item {\tt cronload} command loads the crontabs from
+      \verb|~/cron_scripts/crontab| \pause
+    \item Needs improvement
+    \item Cron does not fail over with Web and Mail
+    \item Plan to move crontabs into AFS and do hot failover
+  \end{itemize}
+\end{frame}
+
+\subsection{SQL}
+
+\begin{frame}
+  \frametitle{sql.mit.edu}
+  Though scripts.mit.edu makes use of sql.mit.edu, it's a separate SIPB service with different maintainers.
+\begin{itemize}
+\item sql.mit.edu provides MySQL databases to scripts users and anyone else
+\item SQL data is stored locally, replicated across multiple servers
+\item Nightly backups go into AFS
+\end{itemize}
+\end{frame}
+
+\subsection{Version control}
+
+\begin{frame}
+  \frametitle{SVN and Git hosting}
+  \begin{itemize}
+    \item New service (September 2008), not well documented
+    \item svn://\textit{username}.scripts.mit.edu/ and git://\textit{username}.scripts.mit.edu/
+    \item Uses suEXEC to run a svnserve / git-daemon as the user
+    \item /mit/\textit{username}/Scripts/\{svn,git\}
+    \item git:// is read-only, so future plans for svn+ssh:// and git+ssh://
+  \end{itemize}
+\end{frame}
Index: trunk/locker/doc/cluedump/slides.nav
===================================================================
--- trunk/locker/doc/cluedump/slides.nav	(revision 1648)
+++ trunk/locker/doc/cluedump/slides.nav	(revision 1648)
@@ -0,0 +1,84 @@
+\beamer@endinputifotherversion {3.06pt}
+\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
+\headcommand {\beamer@framepages {1}{1}}
+\headcommand {\slideentry {0}{0}{2}{2/4}{}{0}}
+\headcommand {\beamer@framepages {2}{4}}
+\headcommand {\sectionentry {1}{Services}{5}{Services}{0}}
+\headcommand {\beamer@sectionpages {1}{4}}
+\headcommand {\beamer@subsectionpages {1}{4}}
+\headcommand {\slideentry {1}{0}{3}{5/5}{}{0}}
+\headcommand {\beamer@framepages {5}{5}}
+\headcommand {\beamer@subsectionpages {5}{5}}
+\headcommand {\slideentry {1}{1}{1}{6/7}{Web}{0}}
+\headcommand {\beamer@framepages {6}{7}}
+\headcommand {\slideentry {1}{1}{2}{8/8}{Web}{0}}
+\headcommand {\beamer@framepages {8}{8}}
+\headcommand {\beamer@subsectionpages {6}{8}}
+\headcommand {\slideentry {1}{2}{1}{9/9}{Mail}{0}}
+\headcommand {\beamer@framepages {9}{9}}
+\headcommand {\slideentry {1}{2}{2}{10/10}{Mail}{0}}
+\headcommand {\beamer@framepages {10}{10}}
+\headcommand {\beamer@subsectionpages {9}{10}}
+\headcommand {\slideentry {1}{3}{1}{11/12}{Cron (``Shortjobs'')}{0}}
+\headcommand {\beamer@framepages {11}{12}}
+\headcommand {\beamer@subsectionpages {11}{12}}
+\headcommand {\slideentry {1}{4}{1}{13/13}{SQL}{0}}
+\headcommand {\beamer@framepages {13}{13}}
+\headcommand {\beamer@subsectionpages {13}{13}}
+\headcommand {\slideentry {1}{5}{1}{14/14}{Version control}{0}}
+\headcommand {\beamer@framepages {14}{14}}
+\headcommand {\sectionentry {2}{Backend}{15}{Backend}{0}}
+\headcommand {\beamer@sectionpages {5}{14}}
+\headcommand {\beamer@subsectionpages {14}{14}}
+\headcommand {\slideentry {2}{0}{2}{15/15}{}{0}}
+\headcommand {\beamer@framepages {15}{15}}
+\headcommand {\beamer@subsectionpages {15}{15}}
+\headcommand {\slideentry {2}{1}{1}{16/16}{AFS}{0}}
+\headcommand {\beamer@framepages {16}{16}}
+\headcommand {\slideentry {2}{1}{2}{17/17}{AFS}{0}}
+\headcommand {\beamer@framepages {17}{17}}
+\headcommand {\slideentry {2}{1}{3}{18/22}{AFS}{0}}
+\headcommand {\beamer@framepages {18}{22}}
+\headcommand {\beamer@subsectionpages {16}{22}}
+\headcommand {\slideentry {2}{2}{1}{23/23}{suEXEC}{0}}
+\headcommand {\beamer@framepages {23}{23}}
+\headcommand {\slideentry {2}{2}{2}{24/24}{suEXEC}{0}}
+\headcommand {\beamer@framepages {24}{24}}
+\headcommand {\slideentry {2}{2}{3}{25/25}{suEXEC}{0}}
+\headcommand {\beamer@framepages {25}{25}}
+\headcommand {\slideentry {2}{2}{4}{26/26}{suEXEC}{0}}
+\headcommand {\beamer@framepages {26}{26}}
+\headcommand {\beamer@subsectionpages {23}{26}}
+\headcommand {\slideentry {2}{3}{1}{27/28}{Kerberos}{0}}
+\headcommand {\beamer@framepages {27}{28}}
+\headcommand {\slideentry {2}{3}{2}{29/29}{Kerberos}{0}}
+\headcommand {\beamer@framepages {29}{29}}
+\headcommand {\beamer@subsectionpages {27}{29}}
+\headcommand {\slideentry {2}{4}{1}{30/30}{LDAP}{0}}
+\headcommand {\beamer@framepages {30}{30}}
+\headcommand {\beamer@subsectionpages {30}{30}}
+\headcommand {\slideentry {2}{5}{1}{31/31}{Apache modules}{0}}
+\headcommand {\beamer@framepages {31}{31}}
+\headcommand {\slideentry {2}{5}{2}{32/32}{Apache modules}{0}}
+\headcommand {\beamer@framepages {32}{32}}
+\headcommand {\slideentry {2}{5}{3}{33/33}{Apache modules}{0}}
+\headcommand {\beamer@framepages {33}{33}}
+\headcommand {\slideentry {2}{5}{4}{34/34}{Apache modules}{0}}
+\headcommand {\beamer@framepages {34}{34}}
+\headcommand {\beamer@subsectionpages {31}{34}}
+\headcommand {\slideentry {2}{6}{1}{35/35}{LVS}{0}}
+\headcommand {\beamer@framepages {35}{35}}
+\headcommand {\slideentry {2}{6}{2}{36/37}{LVS}{0}}
+\headcommand {\beamer@framepages {36}{37}}
+\headcommand {\sectionentry {3}{Further Info}{38}{Further Info}{0}}
+\headcommand {\beamer@sectionpages {15}{37}}
+\headcommand {\beamer@subsectionpages {35}{37}}
+\headcommand {\slideentry {3}{0}{3}{38/38}{}{0}}
+\headcommand {\beamer@framepages {38}{38}}
+\headcommand {\slideentry {3}{0}{4}{39/39}{}{0}}
+\headcommand {\beamer@framepages {39}{39}}
+\headcommand {\beamer@partpages {1}{39}}
+\headcommand {\beamer@subsectionpages {38}{39}}
+\headcommand {\beamer@sectionpages {38}{39}}
+\headcommand {\beamer@documentpages {39}}
+\headcommand {\def \inserttotalframenumber {29}}
Index: trunk/locker/doc/cluedump/slides.out
===================================================================
--- trunk/locker/doc/cluedump/slides.out	(revision 1648)
+++ trunk/locker/doc/cluedump/slides.out	(revision 1648)
@@ -0,0 +1,14 @@
+\BOOKMARK [2][]{Outline0.1}{Services}{}
+\BOOKMARK [3][]{Outline0.1.1.6}{Web}{Outline0.1}
+\BOOKMARK [3][]{Outline0.1.2.9}{Mail}{Outline0.1}
+\BOOKMARK [3][]{Outline0.1.3.11}{Cron \(``Shortjobs''\)}{Outline0.1}
+\BOOKMARK [3][]{Outline0.1.4.13}{SQL}{Outline0.1}
+\BOOKMARK [3][]{Outline0.1.5.14}{Version control}{Outline0.1}
+\BOOKMARK [2][]{Outline0.2}{Backend}{}
+\BOOKMARK [3][]{Outline0.2.1.16}{AFS}{Outline0.2}
+\BOOKMARK [3][]{Outline0.2.2.23}{suEXEC}{Outline0.2}
+\BOOKMARK [3][]{Outline0.2.3.27}{Kerberos}{Outline0.2}
+\BOOKMARK [3][]{Outline0.2.4.30}{LDAP}{Outline0.2}
+\BOOKMARK [3][]{Outline0.2.5.31}{Apache modules}{Outline0.2}
+\BOOKMARK [3][]{Outline0.2.6.35}{LVS}{Outline0.2}
+\BOOKMARK [2][]{Outline0.3}{Further Info}{}
Index: trunk/locker/doc/cluedump/slides.tex
===================================================================
--- trunk/locker/doc/cluedump/slides.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/slides.tex	(revision 1648)
@@ -0,0 +1,42 @@
+\documentclass{beamer}
+
+\mode<presentation>
+{ \usetheme{Copenhagen} }
+
+\AtBeginSection[]
+{
+   \begin{frame}
+       \frametitle{Outline}
+       \tableofcontents[currentsection]
+   \end{frame}
+}
+
+\usepackage{graphicx}
+
+\title{scripts.mit.edu}
+\author{Quentin Smith \and Geoffrey Thomas \\ \texttt{scripts@mit.edu}}
+\institute{Student Information Processing Board}
+\date{October 28, 2008}
+
+\begin{document}
+
+% Title slide - do not change
+\begin{frame}
+    \titlepage
+\end{frame}
+
+\include{contents}
+\include{services}
+
+\include{backend}
+
+\include{AFS}
+\include{suexec}
+\include{kerberos}
+\include{LDAP}
+\include{httpdmods}
+\include{LVS}
+
+\include{closing}
+
+\end{document}
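Review bot: This commit adds the LaTeX build products `slides.nav`, `slides.out`, `slides.toc` and `slides.vrb` next to this source; they are rewritten on every build and will drift from the `.tex` files, so they belong in `svn:ignore` rather than the repository. The `\include{contents}` frame and the `\AtBeginSection[]` hook in the preamble both emit outline frames, which looks intentional (one full outline, then a highlighted one per section) but deserves a comment such as `% contents.tex gives the full outline once; \AtBeginSection repeats it per section`. The `\usepackage{graphicx}` after the `\mode<presentation>` block is harmless but redundant, as beamer already loads it.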
Index: trunk/locker/doc/cluedump/slides.toc
===================================================================
--- trunk/locker/doc/cluedump/slides.toc	(revision 1648)
+++ trunk/locker/doc/cluedump/slides.toc	(revision 1648)
@@ -0,0 +1,15 @@
+\beamer@endinputifotherversion {3.06pt}
+\beamer@sectionintoc {1}{Services}{5}{0}{1}
+\beamer@subsectionintoc {1}{1}{Web}{6}{0}{1}
+\beamer@subsectionintoc {1}{2}{Mail}{9}{0}{1}
+\beamer@subsectionintoc {1}{3}{Cron (``Shortjobs'')}{11}{0}{1}
+\beamer@subsectionintoc {1}{4}{SQL}{13}{0}{1}
+\beamer@subsectionintoc {1}{5}{Version control}{14}{0}{1}
+\beamer@sectionintoc {2}{Backend}{15}{0}{2}
+\beamer@subsectionintoc {2}{1}{AFS}{16}{0}{2}
+\beamer@subsectionintoc {2}{2}{suEXEC}{23}{0}{2}
+\beamer@subsectionintoc {2}{3}{Kerberos}{27}{0}{2}
+\beamer@subsectionintoc {2}{4}{LDAP}{30}{0}{2}
+\beamer@subsectionintoc {2}{5}{Apache modules}{31}{0}{2}
+\beamer@subsectionintoc {2}{6}{LVS}{35}{0}{2}
+\beamer@sectionintoc {3}{Further Info}{38}{0}{3}
Index: trunk/locker/doc/cluedump/slides.vrb
===================================================================
--- trunk/locker/doc/cluedump/slides.vrb	(revision 1648)
+++ trunk/locker/doc/cluedump/slides.vrb	(revision 1648)
@@ -0,0 +1,6 @@
+\frametitle {\texttt{mod\_auth\_optional}}
+  \begin{itemize}
+  \item \texttt{mod\_auth\_optional} subverts the authorization
+    process to allow you to serve different pages to users with
+    certificates and users without certificates.
+  \end{itemize}
Index: trunk/locker/doc/cluedump/standard-slide-include.sty
===================================================================
--- trunk/locker/doc/cluedump/standard-slide-include.sty	(revision 1648)
+++ trunk/locker/doc/cluedump/standard-slide-include.sty	(revision 1648)
@@ -0,0 +1,137 @@
+% \pagestyle{empty} % no page numbers
+
+\addtolength{\topmargin}{-1.25in}
+\addtolength{\textheight}{2in}
+\frenchspacing % uniform spacing
+\hyphenpenalty=10000 % no hyphenation
+\rightskip=0pt plus1.4in % add some stretchy glue to right side
+
+%%% Make LaTeX stuff easier to typeset
+
+\def\cmd#1{{\tt $\backslash$#1}}
+
+%\def\example#1{\begin{tabular}{p{0.5\textwidth}p{0.5\textwidth}} #1 &%
+%\begin{verbatim}
+%#1
+%\end{verbatim} \end{tabular}}
+
+%\def\example#1{\verb @#1@}
+
+%%% Set up handling of titles for slides
+
+\newlength{\titl@wd} %% Length of title
+\newlength{\titl@rulewidth} %% Thickness of underlining
+\setlength{\titl@rulewidth}{0.15ex}
+
+\def\titlesize{\large}
+\def\textsize{\normalsize}
+
+\def\mktitle{\slidetitle}
+
+\def\slidetitle{\@ifstar{\@nocontentstitle}{\@contentstitle}}
+
+\def\@contentstitle#1{%
+  \addcontentsline{toc}{slide}{#1}%
+  \@nocontentstitle{#1}}
+
+\def\@nocontentstitle#1{{%Makes the title of the slide
+ \def\th@title{{\titlesize \bf #1}}
+ \settowidth{\titl@wd}{\th@title}
+ \flushleft\th@title\hspace{-\titl@wd}%This comment necessary for spacing
+ \rule[-.3\baselineskip]{\textwidth}{\titl@rulewidth}\hfil\par
+}}
+
+%%% Set up figure and table environments
+
+%% Some required counters
+\newcounter{fig@re}
+\setcounter{fig@re}{0}
+
+\newcounter{t@ble}
+\setcounter{t@ble}{0}
+
+%% The environments themselves
+\newenvironment{figure}
+               {\@floatimitator{fig@re}}
+               {}
+
+\newenvironment{table}
+                {\@floatimitator{t@ble}}
+                {}
+
+%% A macro to detect [] stuff
+\def\@floatimitator#1{%
+  \@ifnextchar[%
+    {\@xfloatimitator{#1}}% [] stuff present
+    {\@regfloatimitator{#1}}} % call different things depending on whether location specifier is present
+
+\def\@regfloatimitator#1{%
+  \stepcounter{#1}%
+  \def\caption##1{%
+    {\def\@currentlabel{\csname the#1\endcsname}%
+    \m@kecaption{\csname #1num\endcsname}{##1}}}}
+
+\def\@xfloatimitator#1[#2]{\@regfloatimitator{#1}}  % just ignore the [] stuff
+
+%% Caption starter definitions
+\def\fig@renum{\fig@rename~\thefig@re}
+\def\t@blenum{\t@blename~\thet@ble}
+
+\def\fig@rename{Figure}
+\def\t@blename{Table}
+
+%% Macro to make caption itself
+\long\def\m@kecaption#1#2{%
+  \vskip\abovecaptionskip
+  \sbox\@tempboxa{#1: #2}%
+  \ifdim \wd\@tempboxa >\hsize
+    #1: #2\par
+  \else
+    \global \@minipagefalse
+    \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}%
+  \fi
+  \vskip\belowcaptionskip}
+
+%% Some more lengths to control caption positioning
+\newlength{\abovecaptionskip}
+\setlength{\abovecaptionskip}{0pt}
+
+\newlength{\belowcaptionskip}
+\setlength{\belowcaptionskip}{0pt}
+
+
+%%% Label handling
+
+%% Fix the way labels are handled...
+\def\label#1{\@bsphack
+  \protected@write\@auxout{}%
+         {\string\newlabel{#1}{{\@currentlabel}{\theslide}}}%
+  \@esphack}
+
+%% define the standard label to just be slide
+\def\@currentlabel{\theslide}
+
+
+%% table of contents stuff
+\def\addcontentsline#1#2#3{%
+  \addtocontents{#1}{\protect\contentsline{#2}{#3}{\theslide}}}
+
+\newcommand\tableofcontents{%
+    \thispagestyle{empty}%
+    \addtocounter{slide}{-1}%
+    \slidetitle*{\contentsname
+        \@mkboth{%
+           \MakeUppercase\contentsname}{\MakeUppercase\contentsname}}%
+    \begingroup
+      \tiny
+        \@starttoc{toc}%
+    \endgroup
+    }
+
+\newcommand*\l@slide{\@dottedtocline{0}{1.5em}{2.3em}}
+
+\newcommand\contentsname{Contents}
+\newcommand\@pnumwidth{1.55em}
+\newcommand\@tocrmarg{2.55em}
+\newcommand\@dotsep{4.5}
+\setcounter{tocdepth}{0}
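Review bot: This style file is not loaded by `slides.tex` (there is no `\usepackage{standard-slide-include}`), and its redefinitions of `\label`, `\addcontentsline`, `\tableofcontents` and the `figure`/`table` environments via `\newenvironment` would clash with beamer if it ever were — `\newenvironment` errors when the environment already exists, and the file relies on a `slide` counter (`\theslide`, `\addtocounter{slide}`) that nothing here defines. If it is a leftover from an earlier, non-beamer slides class, either drop it or add a header comment such as `% Legacy helpers for the slides class; not used by the beamer deck` so the next reader does not try to include it.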
Index: trunk/locker/doc/cluedump/suexec.tex
===================================================================
--- trunk/locker/doc/cluedump/suexec.tex	(revision 1648)
+++ trunk/locker/doc/cluedump/suexec.tex	(revision 1648)
@@ -0,0 +1,96 @@
+\subsection{suEXEC}
+
+\begin{frame}
+  \frametitle{Serving static content}
+  \begin{itemize}
+  \item The \texttt{apache} user does not have permission to read the
+    user's files directly.
+  \item Both static and dynamic content is served through suEXEC.
+  \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile,t]
+  \begin{enumerate}
+  \item \texttt{/etc/httpd/conf.d/execsys.conf} is configured to serve
+    static content with the \texttt{cgi-script} handler.
+  \end{enumerate}
+\begin{footnotesize}
+\begin{semiverbatim}
+<Files *.pl>
+        SetHandler cgi-script
+        Options +ExecCGI
+</Files>
+<Files *.php>
+        SetHandler cgi-script
+        Options +ExecCGI
+</Files>
+\ldots
+<Files *.html>
+        SetHandler cgi-script
+        Options +ExecCGI
+</Files>
+<Files *.css>
+        SetHandler cgi-script
+        Options +ExecCGI
+</Files>
+\ldots
+\end{semiverbatim}
+\end{footnotesize}
+\end{frame}
+
+\begin{frame}[fragile,t]
+  \begin{enumerate}
+    \addtocounter{enumi}{1}
+  \item \texttt{openafs/src/afs/VNOPS/afs\_vnop\_access.c} is modified
+    to mark \emph{all} files as executable (!).
+  \end{enumerate}
+\begin{footnotesize}
+\begin{semiverbatim}
+ int
+ afs_access(OSI_VC_DECL(avc), register afs_int32 amode,
+            struct AFS_UCRED *acred)
+ \{
+     register afs_int32 code;
+     struct vrequest treq;
+     struct afs_fakestat_state fakestate;
+     OSI_VC_CONVERT(avc);
+ 
+     AFS_STATCNT(afs_access);
++    amode = amode & ~VEXEC;
+     afs_Trace3(afs_iclSetp, CM_TRACE_ACCESS, ICL_TYPE_POINTER, avc,
+                ICL_TYPE_INT32, amode, ICL_TYPE_OFFSET,
+                ICL_HANDLE_OFFSET(avc->m.Length));
+     \ldots
+ \}
+\end{semiverbatim}
+\end{footnotesize}
+\end{frame}
+
+\begin{frame}[fragile,t]
+  \begin{enumerate}
+    \addtocounter{enumi}{2}
+  \item \texttt{httpd/support/suexec.c} is modified to dispatch static
+    content to \texttt{/usr/local/bin/static-cat}.
+  \end{enumerate}
+\begin{footnotesize}
+\begin{semiverbatim}
++#define STATIC_CAT_PATH "/usr/local/bin/static-cat"
++static const char *static_extensions[] = \{
++    "html",
++    "css",
++    \ldots
++\}
++
+ int main(int argc, char *argv[])
+ \{
+     \ldots
++    if (is_static_extension(cmd)) \{
++        argv[2] = STATIC_CAT_PATH;
++        execv(STATIC_CAT_PATH, &argv[2]);
++        log_err("(%d)%s: static_cat exec failed (%s)\\n", errno,
++                strerror(errno), argv[2]);
++        exit(255);
++    \}
+\end{semiverbatim}
+\end{footnotesize}
+\end{frame}
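Review bot: The `static_extensions[]` initializer in the third snippet closes with `\}` and no semicolon, so the displayed C would not compile as shown; `\};` fixes it. The same snippet calls `is_static_extension(cmd)` without showing or naming that helper anywhere on the frame, so a bullet or a comment line such as `/* is_static_extension(): matches the request's extension against static_extensions[] */` would tell the audience what the new check does rather than leaving it to be inferred from the array above. The step numbering is continued across frames with `\addtocounter{enumi}{1}` and `{2}`, which silently breaks if a step is inserted; a `% numbering continues from the previous frame` comment beside each would warn the next editor. The `main` excerpt starts and ends outside the hunk.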
