Index: /branches/fc15-dev/locker/bin/firefox-test
===================================================================
--- /branches/fc15-dev/locker/bin/firefox-test	(revision 1877)
+++ /branches/fc15-dev/locker/bin/firefox-test	(revision 1878)
@@ -3,3 +3,3 @@
 LD_PRELOAD=/mit/scripts/scripts-test/@sys/scripts-test-preload.so
 export LD_PRELOAD
-exec firefox
+exec firefox -no-remote
Index: /branches/fc15-dev/lvs/debian/config/etc/apt/sources.list.d/backports.list
===================================================================
--- /branches/fc15-dev/lvs/debian/config/etc/apt/sources.list.d/backports.list	(revision 1878)
+++ /branches/fc15-dev/lvs/debian/config/etc/apt/sources.list.d/backports.list	(revision 1878)
@@ -0,0 +1,1 @@
+deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free
Index: /branches/fc15-dev/server/common/oursrc/discuss/discuss.xinetd
===================================================================
--- /branches/fc15-dev/server/common/oursrc/discuss/discuss.xinetd	(revision 1878)
+++ /branches/fc15-dev/server/common/oursrc/discuss/discuss.xinetd	(revision 1878)
@@ -0,0 +1,11 @@
+service discuss
+{
+	disable			= yes
+	port			= 2199
+	socket_type		= stream
+	protocol		= tcp
+	wait			= no
+	user			= discuss
+	passenv			= PATH
+	server			= /usr/sbin/discussd
+}
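Review bot: The service block has no source or rate restrictions, so once `disable = yes` is flipped, discussd on port 2199 will accept connections on every interface from any address unless a firewall elsewhere limits it. If the service is only meant for a known set of clients, add `only_from = <allowed networks>` and optionally `instances` / `per_source` caps in this file. That keeps the exposure visible next to the service definition.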
Index: /branches/fc15-dev/server/common/oursrc/execsys/ldapize.pl
===================================================================
--- /branches/fc15-dev/server/common/oursrc/execsys/ldapize.pl	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/execsys/ldapize.pl	(revision 1878)
@@ -7,23 +7,11 @@
 use Net::LDAP::Filter;
 
-sub report_error
-{
-    my $proto = shift;
-    my $mesg = shift;
-
-    if ($proto eq 'git') {
-        $mesg = "ERR \n  " . $mesg . "\n";
-        my $len = length($mesg)+4;
-        printf "%04x%s", $len, $mesg;
-    } else {
-        print $mesg;
-    }
-    exit 0;
-}
-
 my $url = $ARGV[0];
 my ($proto, $hostname, $path) = $url =~ m|^(.*?)://([^/]*)(.*)| or die "Could not match URL";
 my $mesg;
 
+my $vhostName = $hostname;
+
+vhost:
 # oh my gosh Net::LDAP::Filter SUCKS
 my $filter = bless({and =>
@@ -32,10 +20,10 @@
      {or =>
          [{equalityMatch => {attributeDesc  => 'scriptsVhostName',
-                             assertionValue => $hostname}},
+                             assertionValue => $vhostName}},
           {equalityMatch => {attributeDesc  => 'scriptsVhostAlias',
-                             assertionValue => $hostname}}]}]},
+                             assertionValue => $vhostName}}]}]},
     'Net::LDAP::Filter');
 
-my $ldap = Net::LDAP->new("ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/");
+my $ldap = Net::LDAP->new("ldapi://%2fvar%2frun%2fslapd-scripts.socket/");
 $mesg = $ldap->bind();
 $mesg->code && die $mesg->error;
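Review bot: The result of `Net::LDAP->new` is used without a check, and the constructor returns undef when the socket cannot be opened, so a wrong path fails at `$ldap->bind()` with a "Can't call method" error instead of the real cause. Since this line changes the socket path, append `or die "LDAP connect failed: $@";` to the constructor call. The search that follows the bind is outside this hunk.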
@@ -46,8 +34,10 @@
 
 my $vhostEntry = $mesg->pop_entry;
-if (!$vhostEntry)
-{
-    report_error($proto, "Could not find Host $hostname");
+if (!defined $vhostEntry) {
+  $vhostName ne '*' or die 'No vhost for *';
+  $vhostName =~ s/^(?:\*\.)?[^.]*/*/;  # Try next wildcard
+  goto vhost;
 }
+
 my $vhostDirectory = $vhostEntry->get_value('scriptsVhostDirectory');
 
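Review bot: The wildcard fallback has no bound on the number of retries, because `goto vhost` jumps back above the `Net::LDAP->new` call. Each stripped label therefore costs a fresh connect, bind and search, and a hostname with many dots drives that many round-trips. If the URL is client-supplied, bound the hostname before the label, e.g. `length($hostname) <= 255 or die "Hostname too long\n";`, and move the connect and bind above `vhost:` so only the search repeats. A `while` loop around the search would also avoid jumping backwards over the `my $filter` and `my $ldap` declarations. The label and the search both sit outside this hunk.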
@@ -59,13 +49,20 @@
 my ($homeDirectory, $uidNumber, $gidNumber) =
     map { $userEntry->get_value($_) } qw(homeDirectory uidNumber gidNumber);
+(my $scriptsdir = $homeDirectory) =~ s{(?:/Scripts)?$}{/Scripts};
 
 if ($proto eq 'svn') {
   chdir '/usr/libexec/scripts-trusted';
-  exec('/usr/sbin/suexec', $uidNumber, $gidNumber, '/usr/libexec/scripts-trusted/svn', "$homeDirectory/Scripts/svn/$vhostDirectory");
+  exec('/usr/sbin/suexec', $uidNumber, $gidNumber, '/usr/libexec/scripts-trusted/svn', "$scriptsdir/svn/$vhostDirectory");
 } elsif ($proto eq 'git') {
+  if ($vhostEntry->get_value('scriptsVhostName') eq 'notfound.example.com') {
+    # git-daemon doesn’t report useful errors yet
+    my $msg = "ERR No such host $hostname\n";
+    printf '%04x%s', length($msg) + 4, $msg;
+    exit;
+  }
   chdir '/usr/libexec/scripts-trusted';
-  exec('/usr/sbin/suexec', $uidNumber, $gidNumber, '/usr/libexec/scripts-trusted/git', "$homeDirectory/Scripts/git/$vhostDirectory");
+  exec('/usr/sbin/suexec', $uidNumber, $gidNumber, '/usr/libexec/scripts-trusted/git', "$scriptsdir/git/$vhostDirectory");
 } elsif ($proto eq 'http') {
-  print "suexec $uidNumber $gidNumber $homeDirectory/Scripts/web/$vhostDirectory/$path\n";
+  print "suexec $uidNumber $gidNumber $scriptsdir/web/$vhostDirectory/$path\n";
 } else {
   die "Unknown protocol\n";
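Review bot: `$path` is appended to the `http` output line straight from the URL, so a `..` segment would point outside `$scriptsdir/web/$vhostDirectory` unless whatever consumes this line canonicalises it, which is not visible here. A guard before the `if` chain, such as `die "Bad path\n" if $path =~ m{(?:^|/)\.\.(?:/|$)};`, would make the containment explicit. Separately, `$hostname` is echoed into the git `ERR` pkt-line with no length limit, while the `%04x` prefix only holds four hex digits, so a length cap on the hostname is worth adding. The `if`/`elsif` chain closes outside this hunk.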
Index: /branches/fc15-dev/server/common/oursrc/execsys/mime.types
===================================================================
--- /branches/fc15-dev/server/common/oursrc/execsys/mime.types	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/execsys/mime.types	(revision 1878)
@@ -509,2 +509,30 @@
 application/xaml+xml		xaml
 application/x-silverlight-app	xap
+# The following MS Office MIME types are from this source:
+# http://blogs.msdn.com/b/vsofficedeveloper/archive/2008/05/08/office-2007-open-xml-mime-types.aspx
+# There's a typo in .potm that's corrected in this alternate source:
+# http://therightstuff.de/2006/12/16/Office+2007+File+Icons+For+Windows+SharePoint+Services+20+And+SharePoint+Portal+Server+2003.aspx
+application/msword	dot
+application/vnd.openxmlformats-officedocument.wordprocessingml.document	docx
+application/vnd.openxmlformats-officedocument.wordprocessingml.template	dotx
+application/vnd.ms-word.document.macroEnabled.12	docm
+application/vnd.ms-word.template.macroEnabled.12	dotm
+application/vnd.ms-excel	xlt
+application/vnd.ms-excel	xla
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet	xlsx
+application/vnd.openxmlformats-officedocument.spreadsheetml.template	xltx
+application/vnd.ms-excel.sheet.macroEnabled.12	xlsm
+application/vnd.ms-excel.template.macroEnabled.12	xltm
+application/vnd.ms-excel.addin.macroEnabled.12	xlam
+application/vnd.ms-excel.sheet.binary.macroEnabled.12	xlsb
+application/vnd.ms-powerpoint	pot
+application/vnd.ms-powerpoint	pps
+application/vnd.ms-powerpoint	ppa
+application/vnd.openxmlformats-officedocument.presentationml.presentation	pptx
+application/vnd.openxmlformats-officedocument.presentationml.template	potx
+application/vnd.openxmlformats-officedocument.presentationml.slideshow	ppsx
+application/vnd.ms-powerpoint.addin.macroEnabled.12	ppam
+application/vnd.ms-powerpoint.presentation.macroEnabled.12	pptm
+application/vnd.ms-powerpoint.template.macroEnabled.12	potm
+application/vnd.ms-powerpoint.slideshow.macroEnabled.12	ppsm
+# End MS Office MIME types.
Index: /branches/fc15-dev/server/common/oursrc/execsys/upd-execsys
===================================================================
--- /branches/fc15-dev/server/common/oursrc/execsys/upd-execsys	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/execsys/upd-execsys	(revision 1878)
@@ -53,4 +53,27 @@
  xls
  ppt
+ dot
+ docx
+ dotx
+ docm
+ dotm
+ xlt
+ xla
+ xlsx
+ xltx
+ xlsm
+ xltm
+ xlam
+ xlsb
+ pot
+ pps
+ ppa
+ pptx
+ potx
+ ppsx
+ ppam
+ pptm
+ potm
+ ppsm
  swf
  mp3
@@ -70,4 +93,18 @@
  ttf
  otf
+ odc
+ odb
+ odf
+ odg
+ otg
+ odi
+ odp
+ otp
+ ods
+ ots
+ odt
+ odm
+ ott
+ oth
 );
 
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/Makefile.am
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/Makefile.am	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/Makefile.am	(revision 1878)
@@ -5,10 +5,6 @@
 libnss_nonlocal_la_LDFLAGS = \
     -version-info 2:0:0 \
-    -export-symbols-regex '^_nss_nonlocal_'
-
-noinst_PROGRAMS = .linktest
-_linktest_SOURCES =
-_linktest_LDADD = libnss_nonlocal.la
-_linktest_LDFLAGS = -nostdlib -entry=0
+    -export-symbols-regex '^_nss_nonlocal_' \
+    -no-undefined -Wl,-z,defs
 
 install-exec-hook:
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/README
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/README	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/README	(revision 1878)
@@ -9,4 +9,19 @@
 group:          compat nonlocal
 group_nonlocal: hesiod
+
+The module also assigns special properties to two local groups and one
+local user, if they exist:
+
+• If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
+  will be automatically added to it.  Furthermore, if a local user is
+  added to this group, then that user will inherit any nonlocal gids
+  from a nonlocal user of the same name, as supplementary gids.
+
+• If the local group ‘nss-local-users’ exists, then local users will
+  be automatically added to it.
+
+• If the local user ‘nss-nonlocal-users’ is added to a local group,
+  then the local group will inherit the nonlocal membership of a group
+  of the same gid.
 
 Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/configure.ac
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/configure.ac	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/configure.ac	(revision 1878)
@@ -1,3 +1,3 @@
-AC_INIT([nss_nonlocal], [1.11], [andersk@mit.edu])
+AC_INIT([nss_nonlocal], [2.0], [andersk@mit.edu])
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE([-Wall -Werror foreign])
@@ -9,4 +9,6 @@
 AC_PROG_INSTALL
 AC_PROG_LIBTOOL
+
+AC_HEADER_STDBOOL
 
 case "$target_cpu" in
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-group.c	(revision 1878)
@@ -34,4 +34,5 @@
 #include <syslog.h>
 #include <errno.h>
+#include <pwd.h>
 #include <grp.h>
 #include <nss.h>
@@ -39,6 +40,25 @@
 #include "nonlocal.h"
 
+/*
+ * If the MAGIC_NONLOCAL_GROUPNAME local group exists, then nonlocal
+ * users will be automatically added to it.  Furthermore, if a local
+ * user is added to this group, then that user will inherit any
+ * nonlocal gids from a nonlocal user of the same name, as
+ * supplementary gids.
+ */
 #define MAGIC_NONLOCAL_GROUPNAME "nss-nonlocal-users"
+
+/*
+ * If the MAGIC_LOCAL_GROUPNAME local group exists, then local users
+ * will be automatically added to it.
+ */
 #define MAGIC_LOCAL_GROUPNAME "nss-local-users"
+
+/*
+ * If the MAGIC_NONLOCAL_USERNAME local user is added to a local
+ * group, then the local group will inherit the nonlocal membership of
+ * a group of the same gid.
+ */
+#define MAGIC_NONLOCAL_USERNAME "nss-nonlocal-users"
 
 
@@ -52,74 +72,63 @@
 
 
-static service_user *
-nss_group_nonlocal_database(void)
-{
-    static service_user *nip = NULL;
-    if (nip == NULL)
-	__nss_database_lookup("group_nonlocal", NULL, "", &nip);
-
-    return nip;
-}
-
-
-enum nss_status
-check_nonlocal_gid(const char *user, gid_t gid, int *errnop)
-{
-    static const char *fct_name = "getgrgid_r";
-    static service_user *startp = NULL;
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(gid_t gid, struct group *grp,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+static service_user *__nss_group_nonlocal_database;
+
+static int
+internal_function
+__nss_group_nonlocal_lookup(service_user **ni, const char *fct_name,
+			    void **fctp)
+{
+    if (__nss_group_nonlocal_database == NULL
+	&& __nss_database_lookup("group_nonlocal", NULL, NULL,
+				 &__nss_group_nonlocal_database) < 0)
+	return -1;
+
+    *ni = __nss_group_nonlocal_database;
+
+    *fctp = __nss_lookup_function(*ni, fct_name);
+    return 0;
+}
+
+
+enum nss_status
+check_nonlocal_gid(const char *user, const char *group, gid_t gid, int *errnop)
+{
+    enum nss_status status;
     struct group gbuf;
-    int old_errno = errno;
-
+    char *buf;
     size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-    char *buf = malloc(buflen);
-    if (buf == NULL) {
-	*errnop = ENOMEM;
-	errno = old_errno;
-	return NSS_STATUS_TRYAGAIN;
-    }
-
-    if (fct_start == NULL &&
-	__nss_group_lookup(&startp, fct_name, &fct_start) != 0) {
-	free(buf);
-	return NSS_STATUS_UNAVAIL;
-    }
-    nip = startp;
-    fct.ptr = fct_start;
-    do {
-    morebuf:
-	if (fct.l == _nss_nonlocal_getgrgid_r)
-	    status = NSS_STATUS_NOTFOUND;
-	else
-	    status = DL_CALL_FCT(fct.l, (gid, &gbuf, buf, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
-	    free(buf);
-	    buflen *= 2;
-	    buf = malloc(buflen);
-	    if (buf == NULL) {
-		*errnop = ENOMEM;
-		errno = old_errno;
-		return NSS_STATUS_TRYAGAIN;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_lookup, .fct_name = "getgrgid_r",
+	.status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
+    };
+    const __typeof__(&_nss_nonlocal_getgrgid_r) self = &_nss_nonlocal_getgrgid_r;
+#define args (gid, &gbuf, buf, buflen, errnop)
+#include "walk_nss.h"
+#undef args
+
+    if (status == NSS_STATUS_TRYAGAIN)
+	return status;
+    else if (status != NSS_STATUS_SUCCESS)
+	return NSS_STATUS_SUCCESS;
+
+    if (group == NULL || strcmp(gbuf.gr_name, group) == 0) {
+	char *const *mem;
+	for (mem = gbuf.gr_mem; *mem != NULL; mem++)
+	    if (strcmp(*mem, MAGIC_NONLOCAL_USERNAME) == 0) {
+		status = check_nonlocal_user(*mem, errnop);
+		if (status == NSS_STATUS_TRYAGAIN) {
+		    free(buf);
+		    return status;
+		} else if (status == NSS_STATUS_NOTFOUND) {
+		    free(buf);
+		    return NSS_STATUS_SUCCESS;
+		}
+		break;
 	    }
-	    goto morebuf;
-	}
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-
-    if (status == NSS_STATUS_SUCCESS) {
-	syslog(LOG_DEBUG, "nss_nonlocal: removing local group %u (%s) from non-local user %s\n", gbuf.gr_gid, gbuf.gr_name, user);
-	status = NSS_STATUS_NOTFOUND;
-    } else if (status != NSS_STATUS_TRYAGAIN) {
-	status = NSS_STATUS_SUCCESS;
-    }
-
+    }
+
+    syslog(LOG_DEBUG, "nss_nonlocal: removing local group %u (%s) from non-local user %s\n", gbuf.gr_gid, gbuf.gr_name, user);
     free(buf);
-    return status;
+    return NSS_STATUS_NOTFOUND;
 }
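Review bot: Nothing in check_nonlocal_gid says who owns `buf` after `#include "walk_nss.h"`. The two early returns (for `NSS_STATUS_TRYAGAIN` and for any other non-success status) leave without freeing it, while every path after a successful lookup calls `free(buf)`. That is leak-free only if walk_nss.h allocates `*w.buf` and releases it on every non-success status, which cannot be confirmed from this diff. A comment above the include would pin the contract down, e.g. `/* walk_nss.h allocates *w.buf; freed there on failure, owned by the caller on NSS_STATUS_SUCCESS */`, assuming that is what the header does. The same assumption applies to get_local_group and check_nonlocal_uid later in the patch, and the template's dependence on locals named `w`, `self` and `args` deserves a line as well.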
 
@@ -134,11 +143,13 @@
     errno = 0;
     gid = strtoul(grp->gr_name, &end, 10);
-    if (errno == 0 && *end == '\0' && (gid_t)gid == gid)
-	status = check_nonlocal_gid(user, gid, errnop);
-    errno = old_errno;
+    if (errno == 0 && *end == '\0' && (gid_t)gid == gid) {
+	errno = old_errno;
+	status = check_nonlocal_gid(user, grp->gr_name, gid, errnop);
+    } else
+	errno = old_errno;
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
-    return check_nonlocal_gid(user, grp->gr_gid, errnop);
+    return check_nonlocal_gid(user, grp->gr_name, grp->gr_gid, errnop);
 }
 
@@ -146,61 +157,18 @@
 get_local_group(const char *name, struct group *grp, char **buffer, int *errnop)
 {
-    static const char *fct_name = "getgrnam_r";
-    static service_user *startp = NULL;
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *name, struct group *grp,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
-    size_t buflen;
-    int old_errno = errno;
-
-    buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
-    *buffer = malloc(buflen);
-    if (*buffer == NULL) {
-	*errnop = ENOMEM;
-	errno = old_errno;
-	return NSS_STATUS_TRYAGAIN;
-    }
-
-    if (fct_start == NULL &&
-	__nss_group_lookup(&startp, fct_name, &fct_start) != 0) {
-	free(*buffer);
-	*buffer = NULL;
-	return NSS_STATUS_UNAVAIL;
-    }
-    nip = startp;
-    fct.ptr = fct_start;
-    do {
-    morebuf:
-	if (fct.l == _nss_nonlocal_getgrnam_r)
-	    status = NSS_STATUS_NOTFOUND;
-	else
-	    status = DL_CALL_FCT(fct.l, (name, grp, *buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
-	    free(*buffer);
-	    buflen *= 2;
-	    *buffer = malloc(buflen);
-	    if (*buffer == NULL) {
-		*errnop = ENOMEM;
-		errno = old_errno;
-		return NSS_STATUS_TRYAGAIN;
-	    }
-	    goto morebuf;
-	}
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-
-    if (status != NSS_STATUS_SUCCESS) {
-	free(*buffer);
-	*buffer = NULL;
-    }
-
+    enum nss_status status;
+    size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+    const struct walk_nss w = {
+	.lookup = &__nss_group_lookup, .fct_name = "getgrnam_r",
+	.status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen
+    };
+    const __typeof__(&_nss_nonlocal_getgrnam_r) self = &_nss_nonlocal_getgrnam_r;
+#define args (name, grp, *buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     return status;
 }
 
-static service_user *grent_nip = NULL;
+static service_user *grent_startp, *grent_nip;
 static void *grent_fct_start;
 static union {
@@ -214,31 +182,20 @@
 _nss_nonlocal_setgrent(int stayopen)
 {
-    static const char *fct_name = "setgrent";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(int stayopen);
-	void *ptr;
-    } fct;
-
-    nip = nss_group_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (stayopen));
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_nonlocal_lookup, .fct_name = "setgrent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_setgrent) self = NULL;
+#define args (stayopen)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
-    grent_nip = nip;
     if (grent_fct_start == NULL)
-	grent_fct_start = __nss_lookup_function(nip, grent_fct_name);
+	__nss_group_nonlocal_lookup(&grent_startp, grent_fct_name,
+				    &grent_fct_start);
+    grent_nip = grent_startp;
     grent_fct.ptr = grent_fct_start;
     return NSS_STATUS_SUCCESS;
@@ -248,27 +205,16 @@
 _nss_nonlocal_endgrent(void)
 {
-    static const char *fct_name = "endgrent";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(void);
-	void *ptr;
-    } fct;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_nonlocal_lookup, .fct_name = "endgrent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_endgrent) self = NULL;
 
     grent_nip = NULL;
 
-    nip = nss_group_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, ());
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args ()
+#include "walk_nss.h"
+#undef args
     return status;
 }
@@ -315,13 +261,10 @@
 			 char *buffer, size_t buflen, int *errnop)
 {
-    static const char *fct_name = "getgrnam_r";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *name, struct group *grp,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_nonlocal_lookup, .fct_name = "getgrnam_r",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_getgrnam_r) self = NULL;
 
     char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
@@ -329,18 +272,7 @@
 	return NSS_STATUS_UNAVAIL;
 
-    nip = nss_group_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (name, grp, buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-	    break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args (name, grp, buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
@@ -358,13 +290,10 @@
 			 char *buffer, size_t buflen, int *errnop)
 {
-    static const char *fct_name = "getgrgid_r";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(gid_t gid, struct group *grp,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_nonlocal_lookup, .fct_name = "getgrgid_r",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_getgrgid_r) self = NULL;
 
     char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
@@ -372,18 +301,7 @@
 	return NSS_STATUS_UNAVAIL;
 
-    nip = nss_group_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (gid, grp, buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-	    break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args (gid, grp, buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
@@ -397,4 +315,37 @@
 }
 
+static bool
+add_group(gid_t group, long int *start, long int *size, gid_t **groupsp,
+	  long int limit, int *errnop, enum nss_status *status)
+{
+    int i, old_errno = errno;
+    for (i = 0; i < *start; ++i)
+	if ((*groupsp)[i] == group)
+	    return true;
+    if (*start + 1 > *size) {
+	gid_t *newgroups;
+	long int newsize = 2 * *size;
+	if (limit > 0) {
+	    if (*size >= limit) {
+		*status = NSS_STATUS_SUCCESS;
+		return false;
+	    }
+	    if (newsize > limit)
+		newsize = limit;
+	}
+	newgroups = realloc(*groupsp, newsize * sizeof((*groupsp)[0]));
+	errno = old_errno;
+	if (newgroups == NULL) {
+	    *errnop = ENOMEM;
+	    *status = NSS_STATUS_TRYAGAIN;
+	    return false;
+	}
+	*groupsp = newgroups;
+	*size = newsize;
+    }
+    (*groupsp)[(*start)++] = group;
+    return true;
+}
+
 enum nss_status
 _nss_nonlocal_initgroups_dyn(const char *user, gid_t group, long int *start,
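Review bot: The growth step in add_group, `long int newsize = 2 * *size;`, does not grow the array when `*size` is 0, and the multiplication in `newsize * sizeof((*groupsp)[0])` is unchecked when `limit <= 0`. With a zero size, `realloc` is asked for 0 bytes and the store `(*groupsp)[(*start)++] = group;` is not backed by a valid element. glibc's callers appear to pass a positive size, but nothing here enforces it. Suggested: `long int newsize = *size > 0 ? 2 * *size : 1;` plus a guard that returns `NSS_STATUS_TRYAGAIN` with `ENOMEM` when `newsize` exceeds `LONG_MAX / sizeof(gid_t)`. The index should also be `long int i` to match `*start`.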
@@ -402,109 +353,96 @@
 			     int *errnop)
 {
-    static const char *fct_name = "initgroups_dyn";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *user, gid_t group, long int *start,
-			     long int *size, gid_t **groupsp, long int limit,
-			     int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_group_nonlocal_lookup, .fct_name = "initgroups_dyn",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_initgroups_dyn) self = NULL;
 
     struct group local_users_group, nonlocal_users_group;
-    gid_t local_users_gid, gid;
-    int is_local = 0;
+    bool is_nonlocal = true;
     char *buffer;
-    int old_errno;
     int in, out, i;
 
-    /* Check that the user is a nonlocal user before adding any groups. */
+    /* Check that the user is a nonlocal user, or a member of the
+     * MAGIC_NONLOCAL_GROUPNAME group, before adding any groups. */
     status = check_nonlocal_user(user, errnop);
-    if (status == NSS_STATUS_TRYAGAIN)
-	return status;
-    else if (status != NSS_STATUS_SUCCESS)
-	is_local = 1;
-
-    old_errno = errno;
-
-    status = get_local_group(MAGIC_LOCAL_GROUPNAME,
-			     &local_users_group, &buffer, errnop);
-    if (status == NSS_STATUS_SUCCESS) {
-	local_users_gid = local_users_group.gr_gid;
-	free(buffer);
-    } else if (status == NSS_STATUS_TRYAGAIN) {
-	return status;
-    } else {
-	syslog(LOG_WARNING, "nss_nonlocal: Group %s does not exist locally!",
-	       MAGIC_LOCAL_GROUPNAME);
-	local_users_gid = -1;
-    }
-
-    if (is_local) {
-	gid = local_users_gid;
-    } else {
- 	status = get_local_group(MAGIC_NONLOCAL_GROUPNAME,
-				 &nonlocal_users_group, &buffer, errnop);
+    if (status == NSS_STATUS_TRYAGAIN) {
+	return status;
+    } else if (status != NSS_STATUS_SUCCESS) {
+	is_nonlocal = false;
+
+	status = get_local_group(MAGIC_LOCAL_GROUPNAME,
+				 &local_users_group, &buffer, errnop);
 	if (status == NSS_STATUS_SUCCESS) {
-	    gid = nonlocal_users_group.gr_gid;
 	    free(buffer);
+	    if (!add_group(local_users_group.gr_gid, start, size, groupsp,
+			   limit, errnop, &status))
+		return status;
 	} else if (status == NSS_STATUS_TRYAGAIN) {
 	    return status;
 	} else {
-	    syslog(LOG_WARNING, "nss_nonlocal: Group %s does not exist locally!",
-		   MAGIC_NONLOCAL_GROUPNAME);
-	    gid = -1;
-	}
-    }
-
-    if (gid != -1) {
-	int i;
-	for (i = 0; i < *start; ++i)
-	    if ((*groupsp)[i] == gid)
-		break;
-	if (i >= *start) {
-	    if (*start + 1 > *size) {
-		gid_t *newgroups;
-		long int newsize = 2 * *size;
-		if (limit > 0) {
-		    if (*size >= limit)
-			return NSS_STATUS_SUCCESS;
-		    if (newsize > limit)
-			newsize = limit;
+	    syslog(LOG_WARNING,
+		   "nss_nonlocal: Group %s does not exist locally!",
+		   MAGIC_LOCAL_GROUPNAME);
+	}
+    }
+
+    status = get_local_group(MAGIC_NONLOCAL_GROUPNAME,
+			     &nonlocal_users_group, &buffer, errnop);
+    if (status == NSS_STATUS_SUCCESS) {
+	free(buffer);
+	if (is_nonlocal) {
+	    if (!add_group(nonlocal_users_group.gr_gid, start, size, groupsp,
+			   limit, errnop, &status))
+		return status;
+	} else {
+	    int i;
+	    for (i = 0; i < *start; ++i) {
+		if ((*groupsp)[i] == nonlocal_users_group.gr_gid) {
+		    is_nonlocal = true;
+		    break;
 		}
-		newgroups = realloc(*groupsp, newsize * sizeof((*groupsp)[0]));
-		if (newgroups == NULL) {
-		    *errnop = ENOMEM;
-		    errno = old_errno;
-		    return NSS_STATUS_TRYAGAIN;
+	    }
+
+	    if (is_nonlocal) {
+		struct passwd pwbuf;
+		char *buf;
+		int nonlocal_errno = *errnop;
+		status = get_nonlocal_passwd(user, &pwbuf, &buf, errnop);
+
+		if (status == NSS_STATUS_SUCCESS) {
+		    nonlocal_errno = *errnop;
+		    status = check_nonlocal_gid(user, NULL, pwbuf.pw_gid,
+						&nonlocal_errno);
+		    free(buf);
 		}
-		*groupsp = newgroups;
-		*size = newsize;
+
+		if (status == NSS_STATUS_SUCCESS) {
+		    if (!add_group(pwbuf.pw_gid, start, size, groupsp, limit,
+				   errnop, &status))
+			return status;
+		} else if (status == NSS_STATUS_TRYAGAIN) {
+		    *errnop = nonlocal_errno;
+		    return status;
+		}
 	    }
-	    (*groupsp)[(*start)++] = gid;
-	}
-    }
-
-    if (is_local)
+	}
+    } else if (status == NSS_STATUS_TRYAGAIN) {
+	if (is_nonlocal)
+	    return status;
+    } else {
+	syslog(LOG_WARNING, "nss_nonlocal: Group %s does not exist locally!",
+	       MAGIC_NONLOCAL_GROUPNAME);
+    }
+
+    if (!is_nonlocal)
 	return NSS_STATUS_SUCCESS;
 
     in = out = *start;
 
-    nip = nss_group_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (user, group, start, size, groupsp, limit, errnop));
-        if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-            break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args (user, group, start, size, groupsp, limit, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
         return status;
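Review bot: In the local-user branch, a `NSS_STATUS_TRYAGAIN` from `get_nonlocal_passwd` is returned with a stale error code. `nonlocal_errno` still holds the value `*errnop` had before the call, and `*errnop = nonlocal_errno;` then overwrites whatever the lookup stored. Refreshing the copy unconditionally right after the call (`nonlocal_errno = *errnop;` on the line after `get_nonlocal_passwd(...)`, before the `if`) keeps both TRYAGAIN sources correct. The inner `int i;` also shadows the function-level `i` and can simply be dropped. The function begins and ends outside this hunk.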
@@ -519,12 +457,6 @@
 	    continue;
 
-	/* Don't let users get into MAGIC_LOCAL_GROUPNAME from nonlocal reasons. */
-	if (local_users_gid == (*groupsp)[in]) {
-	    syslog(LOG_WARNING, "nss_nonlocal: Nonlocal user %s removed from special local users group %s",
-		   user, MAGIC_LOCAL_GROUPNAME);
-	    continue;
-	}
-
-	status = check_nonlocal_gid(user, (*groupsp)[in], &nonlocal_errno);
+	status = check_nonlocal_gid(user, NULL, (*groupsp)[in],
+				    &nonlocal_errno);
 	if (status == NSS_STATUS_SUCCESS) {
 	    (*groupsp)[out++] = (*groupsp)[in];
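Review bot: With the explicit `local_users_gid` comparison removed, keeping nonlocal users out of MAGIC_LOCAL_GROUPNAME now rests entirely on `check_nonlocal_gid`. That function accepts a local gid whenever the group lists MAGIC_NONLOCAL_USERNAME as a member. If an administrator adds that user to `nss-local-users`, a nonlocal source reporting that gid would be let through, and the specific warning is no longer logged. If that is intended, say so in a comment here, e.g. `/* MAGIC_LOCAL_GROUPNAME is filtered like any other local group by check_nonlocal_gid */`; otherwise keep the guard. The filtering loop starts and ends outside this hunk.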
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-passwd.c	(revision 1878)
@@ -50,12 +50,20 @@
 
 
-static service_user *
-nss_passwd_nonlocal_database(void)
-{
-    static service_user *nip = NULL;
-    if (nip == NULL)
-	__nss_database_lookup("passwd_nonlocal", NULL, "", &nip);
-
-    return nip;
+static service_user *__nss_passwd_nonlocal_database;
+
+static int
+internal_function
+__nss_passwd_nonlocal_lookup(service_user **ni, const char *fct_name,
+			     void **fctp)
+{
+    if (__nss_passwd_nonlocal_database == NULL
+	&& __nss_database_lookup("passwd_nonlocal", NULL, NULL,
+				 &__nss_passwd_nonlocal_database) < 0)
+	return -1;
+
+    *ni = __nss_passwd_nonlocal_database;
+
+    *fctp = __nss_lookup_function(*ni, fct_name);
+    return 0;
 }
 
@@ -64,53 +72,20 @@
 check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
 {
-    static const char *fct_name = "getpwuid_r";
-    static service_user *startp = NULL;
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(uid_t uid, struct passwd *pwd,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
     struct passwd pwbuf;
-    int old_errno = errno;
-
+    char *buf;
     size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
-    char *buf = malloc(buflen);
-    if (buf == NULL) {
-	*errnop = ENOMEM;
-	errno = old_errno;
-	return NSS_STATUS_TRYAGAIN;
-    }
-
-    if (fct_start == NULL &&
-	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
-	free(buf);
-	return NSS_STATUS_UNAVAIL;
-    }
-    nip = startp;
-    fct.ptr = fct_start;
-    do {
-    morebuf:
-	if (fct.l == _nss_nonlocal_getpwuid_r)
-	    status = NSS_STATUS_NOTFOUND;
-	else
-	    status = DL_CALL_FCT(fct.l, (uid, &pwbuf, buf, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
-	    free(buf);
-	    buflen *= 2;
-	    buf = malloc(buflen);
-	    if (buf == NULL) {
-		*errnop = ENOMEM;
-		errno = old_errno;
-		return NSS_STATUS_TRYAGAIN;
-	    }
-	    goto morebuf;
-	}
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+    const struct walk_nss w = {
+	.lookup = &__nss_passwd_lookup, .fct_name = "getpwuid_r",
+	.status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
+    };
+    const __typeof__(&_nss_nonlocal_getpwuid_r) self = &_nss_nonlocal_getpwuid_r;
+#define args (uid, &pwbuf, buf, buflen, errnop)
+#include "walk_nss.h"
+#undef args
 
     if (status == NSS_STATUS_SUCCESS) {
 	syslog(LOG_ERR, "nss_nonlocal: possible spoofing attack: non-local user %s has same UID as local user %s!\n", user, pwbuf.pw_name);
+	free(buf);
 	status = NSS_STATUS_NOTFOUND;
     } else if (status != NSS_STATUS_TRYAGAIN) {
@@ -118,5 +93,4 @@
     }
 
-    free(buf);
     return status;
 }
@@ -132,7 +106,10 @@
     errno = 0;
     uid = strtoul(pwd->pw_name, &end, 10);
-    if (errno == 0 && *end == '\0' && (uid_t)uid == uid)
+    if (errno == 0 && *end == '\0' && (uid_t)uid == uid) {
+	errno = old_errno;
 	status = check_nonlocal_uid(user, uid, errnop);
-    errno = old_errno;
+    } else {
+	errno = old_errno;
+    }
     if (status != NSS_STATUS_SUCCESS)
 	return status;
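Review bot: After this change nothing restores `errno` once `check_nonlocal_uid` has returned, because both added `errno = old_errno;` assignments run before the call and the old restore after it is removed. Whatever the walked backends leave in `errno` now reaches the caller. If that is intended, a one-line comment such as `/* restore before the call so the walk sees the caller's errno */` would make it deliberate; if not, the restore should stay after the call as well. The enclosing function and the declaration of `old_errno` lie outside this hunk.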
@@ -144,62 +121,46 @@
 check_nonlocal_user(const char *user, int *errnop)
 {
-    static const char *fct_name = "getpwnam_r";
-    static service_user *startp = NULL;
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *name, struct passwd *pwd,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
     struct passwd pwbuf;
-    int old_errno = errno;
-
+    char *buf;
     size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
-    char *buf = malloc(buflen);
-    if (buf == NULL) {
-	*errnop = ENOMEM;
-	errno = old_errno;
-	return NSS_STATUS_TRYAGAIN;
-    }
-
-    if (fct_start == NULL &&
-	__nss_passwd_lookup(&startp, fct_name, &fct_start) != 0) {
+    const struct walk_nss w = {
+	.lookup = __nss_passwd_lookup, .fct_name = "getpwnam_r",
+	.status = &status, .errnop = errnop, .buf = &buf, .buflen = &buflen
+    };
+    const __typeof__(&_nss_nonlocal_getpwnam_r) self = &_nss_nonlocal_getpwnam_r;
+#define args (user, &pwbuf, buf, buflen, errnop)
+#include "walk_nss.h"
+#undef args
+
+    if (status == NSS_STATUS_SUCCESS) {
 	free(buf);
-	return NSS_STATUS_UNAVAIL;
-    }
-    nip = startp;
-    fct.ptr = fct_start;
-    do {
-    morebuf:
-	if (fct.l == _nss_nonlocal_getpwnam_r)
-	    status = NSS_STATUS_NOTFOUND;
-	else
-	    status = DL_CALL_FCT(fct.l, (user, &pwbuf, buf, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE) {
-	    free(buf);
-	    buflen *= 2;
-	    buf = malloc(buflen);
-	    if (buf == NULL) {
-		*errnop = ENOMEM;
-		errno = old_errno;
-		return NSS_STATUS_TRYAGAIN;
-	    }
-	    goto morebuf;
-	}
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-
-    if (status == NSS_STATUS_SUCCESS)
 	status = NSS_STATUS_NOTFOUND;
-    else if (status != NSS_STATUS_TRYAGAIN)
+    } else if (status != NSS_STATUS_TRYAGAIN) {
 	status = NSS_STATUS_SUCCESS;
-
-    free(buf);
+    }
+
     return status;
 }
 
-
-static service_user *pwent_nip = NULL;
+enum nss_status
+get_nonlocal_passwd(const char *name, struct passwd *pwd, char **buffer,
+		    int *errnop)
+{
+    enum nss_status status;
+    size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+    const struct walk_nss w = {
+	.lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
+	.status = &status, .errnop = errnop, .buf = buffer, .buflen = &buflen
+    };
+    const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
+#define args (name, pwd, *buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
+    return status;
+}
+
+
+static service_user *pwent_startp, *pwent_nip;
 static void *pwent_fct_start;
 static union {
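Review bot: The new exported `get_nonlocal_passwd` has no comment stating who owns `*buffer`, and the signature does not make that obvious. From walk_nss.h, the buffer is allocated inside the walk and is only left allocated when the status is NSS_STATUS_SUCCESS, so the caller has to `free(*buffer)` on success and must not touch it otherwise. Presumably the strings in `pwd` point into that buffer, so it has to outlive any use of `pwd`. I would add a short header comment saying exactly that above the function, and mirror it next to the prototype in nonlocal.h.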
@@ -213,31 +174,20 @@
 _nss_nonlocal_setpwent(int stayopen)
 {
-    static const char *fct_name = "setpwent";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(int stayopen);
-	void *ptr;
-    } fct;
-
-    nip = nss_passwd_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (stayopen));
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
-    if (status != NSS_STATUS_SUCCESS)
-	return status;
-
-    pwent_nip = nip;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "setpwent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_setpwent) self = NULL;
+#define args (stayopen)
+#include "walk_nss.h"
+#undef args
+    if (status != NSS_STATUS_SUCCESS)
+	return status;
+
     if (pwent_fct_start == NULL)
-	pwent_fct_start = __nss_lookup_function(nip, pwent_fct_name);
+	__nss_passwd_nonlocal_lookup(&pwent_startp, pwent_fct_name,
+				     &pwent_fct_start);
+    pwent_nip = pwent_startp;
     pwent_fct.ptr = pwent_fct_start;
     return NSS_STATUS_SUCCESS;
@@ -247,27 +197,16 @@
 _nss_nonlocal_endpwent(void)
 {
-    static const char *fct_name = "endpwent";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(void);
-	void *ptr;
-    } fct;
+    enum nss_status status;
+    const struct walk_nss w = {
+	.lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "endpwent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_endpwent) self = NULL;
 
     pwent_nip = NULL;
 
-    nip = nss_passwd_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, ());
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args ()
+#include "walk_nss.h"
+#undef args
     return status;
 }
@@ -314,14 +253,11 @@
 			 char *buffer, size_t buflen, int *errnop)
 {
-    static const char *fct_name = "getpwnam_r";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *name, struct passwd *pwd,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
     int group_errno;
+    const struct walk_nss w = {
+	.lookup = __nss_passwd_nonlocal_lookup, .fct_name = "getpwnam_r",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_getpwnam_r) self = NULL;
 
     char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
@@ -329,18 +265,7 @@
 	return NSS_STATUS_UNAVAIL;
 
-    nip = nss_passwd_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-	    break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args (name, pwd, buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
@@ -355,5 +280,5 @@
 	return status;
 
-    if (check_nonlocal_gid(name, pwd->pw_gid, &group_errno) !=
+    if (check_nonlocal_gid(name, NULL, pwd->pw_gid, &group_errno) !=
 	NSS_STATUS_SUCCESS)
 	pwd->pw_gid = 65534 /* nogroup */;
@@ -365,14 +290,11 @@
 			 char *buffer, size_t buflen, int *errnop)
 {
-    static const char *fct_name = "getpwuid_r";
-    static void *fct_start = NULL;
-    enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(uid_t uid, struct passwd *pwd,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
+    enum nss_status status;
     int group_errno;
+    const struct walk_nss w = {
+	.lookup = &__nss_passwd_nonlocal_lookup, .fct_name = "getpwuid_r",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_getpwuid_r) self = NULL;
 
     char *nonlocal_ignore = getenv(NONLOCAL_IGNORE_ENV);
@@ -380,18 +302,7 @@
 	return NSS_STATUS_UNAVAIL;
 
-    nip = nss_passwd_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (uid, pwd, buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-	    break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args (uid, pwd, buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
@@ -406,5 +317,5 @@
 	return status;
 
-    if (check_nonlocal_gid(pwd->pw_name, pwd->pw_gid, &group_errno) !=
+    if (check_nonlocal_gid(pwd->pw_name, NULL, pwd->pw_gid, &group_errno) !=
 	NSS_STATUS_SUCCESS)
 	pwd->pw_gid = 65534 /* nogroup */;
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal-shadow.c	(revision 1878)
@@ -40,16 +40,24 @@
 
 
-static service_user *
-nss_shadow_nonlocal_database(void)
+static service_user *__nss_shadow_nonlocal_database;
+
+static int
+internal_function
+__nss_shadow_nonlocal_lookup(service_user **ni, const char *fct_name,
+			    void **fctp)
 {
-    static service_user *nip = NULL;
-    if (nip == NULL)
-        __nss_database_lookup("shadow_nonlocal", NULL, "", &nip);
+    if (__nss_shadow_nonlocal_database == NULL
+	&& __nss_database_lookup("shadow_nonlocal", NULL, NULL,
+				 &__nss_shadow_nonlocal_database) < 0)
+	return -1;
 
-    return nip;
+    *ni = __nss_shadow_nonlocal_database;
+
+    *fctp = __nss_lookup_function(*ni, fct_name);
+    return 0;
 }
 
 
-static service_user *spent_nip = NULL;
+static service_user *spent_startp, *spent_nip;
 static void *spent_fct_start;
 static union {
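Review bot: The default-config argument to `__nss_database_lookup` changes from `""` to `NULL` here, which may change what happens on a host whose nsswitch.conf has no `shadow_nonlocal` line. As far as I recall, glibc substitutes a built-in default service list for a NULL default instead of treating the database as empty; please confirm against the glibc this builds for. If so, an unconfigured host would walk that default chain, where the removed helper's callers returned NSS_STATUS_UNAVAIL on a NULL `nip`. Either keep `""` or add a comment saying the fallback is intended.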
@@ -63,31 +71,20 @@
 _nss_nonlocal_setspent(int stayopen)
 {
-    static const char *fct_name = "setspent";
-    static void *fct_start = NULL;
     enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(int stayopen);
-	void *ptr;
-    } fct;
-
-    nip = nss_shadow_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (stayopen));
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+    const struct walk_nss w = {
+	.lookup = &__nss_shadow_nonlocal_lookup, .fct_name = "setspent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_setspent) self = NULL;
+#define args (stayopen)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
 
-    spent_nip = nip;
     if (spent_fct_start == NULL)
-	spent_fct_start = __nss_lookup_function(nip, spent_fct_name);
+	__nss_shadow_nonlocal_lookup(&spent_startp, spent_fct_name,
+				     &spent_fct_start);
+    spent_nip = spent_startp;
     spent_fct.ptr = spent_fct_start;
     return NSS_STATUS_SUCCESS;
@@ -97,27 +94,16 @@
 _nss_nonlocal_endspent(void)
 {
-    static const char *fct_name = "endspent";
-    static void *fct_start = NULL;
     enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(void);
-	void *ptr;
-    } fct;
+    const struct walk_nss w = {
+	.lookup = &__nss_shadow_nonlocal_lookup, .fct_name = "endspent",
+	.status = &status
+    };
+    const __typeof__(&_nss_nonlocal_endspent) self = NULL;
 
     spent_nip = NULL;
 
-    nip = nss_shadow_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, ());
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+#define args ()
+#include "walk_nss.h"
+#undef args
     return status;
 }
@@ -154,28 +140,13 @@
 			 char *buffer, size_t buflen, int *errnop)
 {
-    static const char *fct_name = "getspnam_r";
-    static void *fct_start = NULL;
     enum nss_status status;
-    service_user *nip;
-    union {
-	enum nss_status (*l)(const char *name, struct spwd *pwd,
-			     char *buffer, size_t buflen, int *errnop);
-	void *ptr;
-    } fct;
-
-    nip = nss_shadow_nonlocal_database();
-    if (nip == NULL)
-	return NSS_STATUS_UNAVAIL;
-    if (fct_start == NULL)
-	fct_start = __nss_lookup_function(nip, fct_name);
-    fct.ptr = fct_start;
-    do {
-	if (fct.ptr == NULL)
-	    status = NSS_STATUS_UNAVAIL;
-	else
-	    status = DL_CALL_FCT(fct.l, (name, pwd, buffer, buflen, errnop));
-	if (status == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
-	    break;
-    } while (__nss_next(&nip, fct_name, &fct.ptr, status, 0) == 0);
+    const struct walk_nss w = {
+	.lookup = __nss_shadow_nonlocal_lookup, .fct_name = "getspnam_r",
+	.status = &status, .errnop = errnop
+    };
+    const __typeof__(&_nss_nonlocal_getspnam_r) self = NULL;
+#define args (name, pwd, buffer, buflen, errnop)
+#include "walk_nss.h"
+#undef args
     if (status != NSS_STATUS_SUCCESS)
 	return status;
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal.h
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal.h	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/nonlocal.h	(revision 1878)
@@ -1,2 +1,27 @@
+/*
+ * nonlocal.h
+ * common definitions for nss_nonlocal proxy
+ *
+ * Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim
+ * Abbott <tabbott@mit.edu>
+ *
+ * This file is part of nss_nonlocal.
+ *
+ * nss_nonlocal is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * nss_nonlocal is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with nss_nonlocal; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301  USA
+ */
+
 #ifndef NONLOCAL_H
 #define NONLOCAL_H
@@ -4,7 +29,39 @@
 #include "config.h"
 
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# ifndef HAVE__BOOL
+#  ifdef __cplusplus
+typedef bool _Bool;
+#  else
+#   define _Bool signed char
+#  endif
+# endif
+# define bool _Bool
+# define false 0
+# define true 1
+# define __bool_true_false_are_defined 1
+#endif
+
+#include "nsswitch-internal.h"
+#include <pwd.h>
+
+struct walk_nss {
+    enum nss_status *status;
+    int (*lookup)(service_user **ni, const char *fct_name,
+		  void **fctp) internal_function;
+    const char *fct_name;
+    int *errnop;
+    char **buf;
+    size_t *buflen;
+};
+
 enum nss_status check_nonlocal_uid(const char *user, uid_t uid, int *errnop);
-enum nss_status check_nonlocal_gid(const char *user, gid_t gid, int *errnop);
+enum nss_status check_nonlocal_gid(const char *user, const char *group,
+				   gid_t gid, int *errnop);
 enum nss_status check_nonlocal_user(const char *user, int *errnop);
+enum nss_status get_nonlocal_passwd(const char *name, struct passwd *pwd,
+				    char **buffer, int *errnop);
 
 #define NONLOCAL_IGNORE_ENV "NSS_NONLOCAL_IGNORE"
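Review bot: `struct walk_nss` is added without saying which members are optional, yet walk_nss.h depends on that. It tests `w.buf != NULL` and `w.errnop != NULL`, and callers such as the setpwent/endpwent wrappers leave `errnop`, `buf` and `buflen` unset. It also writes `*w.errnop = ENOMEM` without a NULL check whenever `buf` is set, so `errnop` is effectively required together with `buf` and `buflen`. Field comments along the lines of `/* may be NULL: caller supplies its own buffer, ERANGE is passed back */` on `buf` and `/* required when buf is set */` on `errnop` and `buflen` would document the contract.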
Index: /branches/fc15-dev/server/common/oursrc/nss_nonlocal/walk_nss.h
===================================================================
--- /branches/fc15-dev/server/common/oursrc/nss_nonlocal/walk_nss.h	(revision 1878)
+++ /branches/fc15-dev/server/common/oursrc/nss_nonlocal/walk_nss.h	(revision 1878)
@@ -0,0 +1,62 @@
+{
+    static service_user *startp = NULL;
+    static void *fct_start = NULL;
+
+    service_user *nip;
+    union {
+	__typeof__(self) l;
+	void *ptr;
+    } fct;
+    int old_errno = errno;
+
+    if (fct_start == NULL &&
+	w.lookup(&startp, w.fct_name, &fct_start) != 0) {
+	*w.status = NSS_STATUS_UNAVAIL;
+	goto walk_nss_out;
+    }
+
+    nip = startp;
+    fct.ptr = fct_start;
+
+    if (w.buf != NULL) {
+	*w.buf = malloc(*w.buflen);
+	errno = old_errno;
+	if (*w.buf == NULL) {
+	    *w.status = NSS_STATUS_TRYAGAIN;
+	    *w.errnop = ENOMEM;
+	    goto walk_nss_out;
+	}
+    }
+
+    do {
+    walk_nss_morebuf:
+	if (fct.ptr == NULL)
+	    *w.status = NSS_STATUS_UNAVAIL;
+	else if (self != NULL && fct.l == self)
+	    *w.status = NSS_STATUS_NOTFOUND;
+	else
+	    *w.status = DL_CALL_FCT(fct.l, args);
+	if (*w.status == NSS_STATUS_TRYAGAIN &&
+	    w.errnop != NULL && *w.errnop == ERANGE) {
+	    if (w.buf == NULL)
+		break;
+	    free(*w.buf);
+	    *w.buflen *= 2;
+	    *w.buf = malloc(*w.buflen);
+	    errno = old_errno;
+	    if (*w.buf == NULL) {
+		*w.errnop = ENOMEM;
+		goto walk_nss_out;
+	    }
+	    goto walk_nss_morebuf;
+	}
+    } while (__nss_next(&nip, w.fct_name, &fct.ptr, *w.status, 0) == 0);
+
+    if (w.buf != NULL && *w.status != NSS_STATUS_SUCCESS) {
+	free(*w.buf);
+	*w.buf = NULL;
+    }
+
+ walk_nss_out:
+    ;
+}
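Review bot: When `w.lookup` fails, the early `goto walk_nss_out` leaves `*w.buf` unassigned, whereas every other non-success exit leaves it NULL (either the failed `malloc` result or the explicit reset after the loop). For `get_nonlocal_passwd`, where `w.buf` is the caller's `char **buffer`, a caller that frees `*buffer` on failure would be freeing an uninitialised pointer on that one path; whether any caller does so is not visible here. Clearing it up front, `if (w.buf != NULL) *w.buf = NULL;` before the lookup check, makes the failure contract uniform.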
Index: /branches/fc15-dev/server/common/oursrc/scripts-static-cat/StaticCat.hs
===================================================================
--- /branches/fc15-dev/server/common/oursrc/scripts-static-cat/StaticCat.hs	(revision 1877)
+++ /branches/fc15-dev/server/common/oursrc/scripts-static-cat/StaticCat.hs	(revision 1878)
@@ -35,4 +35,9 @@
          (".css", "text/css"),
          (".doc", "application/msword"),
+         (".docm", "application/vnd.ms-word.document.macroEnabled.12"),
+         (".docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"),
+         (".dot", "application/msword"),
+         (".dotm", "application/vnd.ms-word.template.macroEnabled.12"),
+         (".dotx", "application/vnd.openxmlformats-officedocument.wordprocessingml.template"),
          (".gif", "image/gif"),
          (".htm", "text/html"),
@@ -50,8 +55,32 @@
          (".mpeg", "video/mpeg"),
          (".mpg", "video/mpeg"),
+         (".odb", "application/vnd.oasis.opendocument.database"),
+         (".odc", "application/vnd.oasis.opendocument.chart"),
+         (".odf", "application/vnd.oasis.opendocument.formula"),
+         (".odg", "application/vnd.oasis.opendocument.graphics"),
+         (".odi", "application/vnd.oasis.opendocument.image"),
+         (".odm", "application/vnd.oasis.opendocument.text-master"),
+         (".odp", "application/vnd.oasis.opendocument.presentation"),
+         (".ods", "application/vnd.oasis.opendocument.spreadsheet"),
+         (".odt", "application/vnd.oasis.opendocument.text"),
          (".otf", "application/octet-stream"),
+         (".otg", "application/vnd.oasis.opendocument.graphics-template"),
+         (".oth", "application/vnd.oasis.opendocument.text-web"),
+         (".otp", "application/vnd.oasis.opendocument.presentation-template"),
+         (".ots", "application/vnd.oasis.opendocument.spreadsheet-template"),
+         (".ott", "application/vnd.oasis.opendocument.text-template"),
          (".pdf", "application/pdf"),
          (".png", "image/png"),
+         (".pot", "application/vnd.ms-powerpoint"),
+         (".potm", "application/vnd.ms-powerpoint.template.macroEnabled.12"),
+         (".potx", "application/vnd.openxmlformats-officedocument.presentationml.template"),
+         (".ppa", "application/vnd.ms-powerpoint"),
+         (".ppam", "application/vnd.ms-powerpoint.addin.macroEnabled.12"),
+         (".pps", "application/vnd.ms-powerpoint"),
+         (".ppsm", "application/vnd.ms-powerpoint.slideshow.macroEnabled.12"),
+         (".ppsx", "application/vnd.openxmlformats-officedocument.presentationml.slideshow"),
          (".ppt", "application/vnd.ms-powerpoint"),
+         (".pptm", "application/vnd.ms-powerpoint.presentation.macroEnabled.12"),
+         (".pptx", "application/vnd.openxmlformats-officedocument.presentationml.presentation"),
          (".ps", "application/postscript"),
          (".svg", "image/svg+xml"),
@@ -67,5 +96,13 @@
          (".xap", "application/x-silverlight-app"),
          (".xhtml", "application/xhtml+xml"),
+         (".xla", "application/vnd.ms-excel"),
+         (".xlam", "application/vnd.ms-excel.addin.macroEnabled.12"),
          (".xls", "application/vnd.ms-excel"),
+         (".xlsb", "application/vnd.ms-excel.sheet.binary.macroEnabled.12"),
+         (".xlsm", "application/vnd.ms-excel.sheet.macroEnabled.12"),
+         (".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"),
+         (".xlt", "application/vnd.ms-excel"),
+         (".xltm", "application/vnd.ms-excel.template.macroEnabled.12"),
+         (".xltx", "application/vnd.openxmlformats-officedocument.spreadsheetml.template"),
          (".xml", "text/xml"),
          (".xsl", "text/xml"),
Index: /branches/fc15-dev/server/common/patches/httpd-suexec-scripts.patch
===================================================================
--- /branches/fc15-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 1877)
+++ /branches/fc15-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 1878)
@@ -73,5 +73,5 @@
  
      /* variable name is */
-@@ -245,9 +250,71 @@
+@@ -245,9 +250,108 @@
      environ = cleanenv;
  }
@@ -100,4 +100,27 @@
 +    "xls",
 +    "ppt",
++    "dot",
++    "docx",
++    "dotx",
++    "docm",
++    "dotm",
++    "xlt",
++    "xla",
++    "xlsx",
++    "xltx",
++    "xlsm",
++    "xltm",
++    "xlam",
++    "xlsb",
++    "pot",
++    "pps",
++    "ppa",
++    "pptx",
++    "potx",
++    "ppsx",
++    "ppam",
++    "pptm",
++    "potm",
++    "ppsm",
 +    "swf",
 +    "mp3",
@@ -117,4 +140,18 @@
 +    "ttf",
 +    "otf",
++    "odc",
++    "odb",
++    "odf",
++    "odg",
++    "otg",
++    "odi",
++    "odp",
++    "otp",
++    "ods",
++    "ots",
++    "odt",
++    "odm",
++    "ott",
++    "oth",
 +    NULL
 +};
@@ -145,5 +182,5 @@
      gid_t gid;              /* target group placeholder  */
      char *target_uname;     /* target user name          */
-@@ -268,6 +331,7 @@
+@@ -268,6 +368,7 @@
       * Start with a "clean" environment
       */
@@ -153,5 +190,5 @@
      prog = argv[0];
      /*
-@@ -350,6 +414,20 @@
+@@ -350,6 +451,20 @@
  #endif /*_OSD_POSIX*/
  
@@ -174,5 +211,5 @@
       * or attempts to back up out of the current directory,
       * to protect against attacks.  If any are
-@@ -371,6 +449,7 @@
+@@ -371,6 +486,7 @@
          userdir = 1;
      }
@@ -182,5 +219,5 @@
       * Error out if the target username is invalid.
       */
-@@ -452,7 +531,7 @@
+@@ -452,7 +568,7 @@
       * Error out if attempt is made to execute as root or as
       * a UID less than AP_UID_MIN.  Tsk tsk.
@@ -191,5 +228,5 @@
          exit(107);
      }
-@@ -484,6 +563,7 @@
+@@ -484,6 +599,7 @@
          log_err("failed to setuid (%ld: %s)\n", uid, cmd);
          exit(110);
@@ -199,5 +236,5 @@
      /*
       * Get the current working directory, as well as the proper
-@@ -506,6 +600,21 @@
+@@ -506,6 +637,21 @@
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
@@ -221,5 +258,5 @@
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
-@@ -532,15 +641,17 @@
+@@ -532,15 +678,17 @@
      /*
       * Error out if cwd is writable by others.
@@ -240,5 +277,5 @@
          exit(117);
      }
-@@ -548,10 +659,12 @@
+@@ -548,10 +696,12 @@
      /*
       * Error out if the program is writable by others.
@@ -253,5 +290,5 @@
      /*
       * Error out if the file is setuid or setgid.
-@@ -565,6 +678,7 @@
+@@ -565,6 +715,7 @@
       * Error out if the target name/group is different from
       * the name/group of the cwd or the program.
@@ -261,5 +298,5 @@
          (gid != dir_info.st_gid) ||
          (uid != prg_info.st_uid) ||
-@@ -576,12 +690,14 @@
+@@ -576,12 +727,14 @@
                  prg_info.st_uid, prg_info.st_gid);
          exit(120);
@@ -277,5 +314,5 @@
          exit(121);
      }
-@@ -614,6 +730,23 @@
+@@ -614,6 +767,23 @@
      /*
       * Execute the command, replacing our image with its own.
Index: /branches/fc15-dev/server/doc/install-ldap
===================================================================
--- /branches/fc15-dev/server/doc/install-ldap	(revision 1877)
+++ /branches/fc15-dev/server/doc/install-ldap	(revision 1878)
@@ -28,5 +28,5 @@
 
 # Inside cn=config.  These changes definitely require a restart.
-nsslapd-ldapifilepath: /var/run/dirsrv/slapd-scripts.socket
+nsslapd-ldapifilepath: /var/run/slapd-scripts.socket
 nsslapd-ldapilisten: on
 nsslapd-syntaxcheck: off
@@ -51,5 +51,4 @@
 - chown fedora-ds:fedora-ds /var/run/dirsrv
 - chown fedora-ds /etc/dirsrv/keytab
-- chmod 755 /var/run/dirsrv
 - /sbin/service dirsrv start
 - Use ldapvi -b cn=config to add these indexes (8 of them):
Index: /branches/fc15-dev/server/doc/install-xen
===================================================================
--- /branches/fc15-dev/server/doc/install-xen	(revision 1877)
+++ /branches/fc15-dev/server/doc/install-xen	(revision 1878)
@@ -1,48 +1,95 @@
-# install Hardy
-# this involves complicated partitioning (with lvm)
-# the popular version of Grub doesn't cope with this.
-# Thus, we need a boot partition not under LVM
-# allocate about 1G for /root ext3 filesystem
-# partition the two disks the same way
-# that means you have two disks, each with a 1G partition and
-# a "rest-of-the-space"G partition
-# now, combine the two 1G partitions into a RAID 1 (as /boot ext3)
-# take the two other partitions, another RAID 1 (set up as lvm)
-# create one volume group the same as the host
-# in that volume group, create two lvs one of them named root (ext3)
-# and one named swap (copy sizes, 10G root and 2G swap)
-# F11 will suggest ext4, DON'T USE IT.
+# install Squeeze
+ # Configure each drive with a 1G partition and a rest-of-the-space partition, as RAID
+ # Create a RAID1 for the 1G partitions
+ # Create a RAID1 for each pair of rest-of-the-space partitions
+ # Create an ext3 /boot on the 1G RAID1
+ # Create an LVM volume group named after the machine's short hostname
+ # Create an LV called "swap" that is the same size as the machine's physical RAM
+ # Create an LV called "root" that is 50G ext4
+
+# ??? F11 will suggest ext4, DON'T USE IT.
 #   - New filesystem, so it's scary
 #   - The hosts can't mount it
 #   - Grub can't cope with it
 
-# enable backports (because Xen 3.3 is in hardy backports)
-    apt-get update
-    apt-get dist-upgrade
+# install useful utility packages
+    aptitude install htop ipmitool emacs23-nox vim memtest86 memtest86+ ntp ntpdate git smartmontools kpartx apticron bwm-ng bzip2 ethtool i2c-tools lm-sensors mii-diag molly-guard mtr-tiny nbd-client nbd-server rlwrap strace tcpdump tree
+    git config --global color.ui auto
+
 # install Xen
-    apt-get install ubuntu-xen-server
+    aptitude install xen-linux-system
+
 # download Debathena archive key, verify
-    apt-key add ...
-# add Debathena repos to etc/apt.d/sources.list
-# install Debathena software
-    apt-get install debathena-clients
+  (aptitude install debian-keyring &&
+  cd /tmp &&
+  wget http://debathena.mit.edu/apt/debathena-archive.asc &&
+  kcr_fingerprint=$(gpg --keyring /usr/share/keyrings/debian-keyring.gpg --no-default-keyring --list-keys --with-colons kcr@debian.org | grep ^pub | cut -f 5 -d :) &&
+  gpg --primary-keyring /tmp/debathena.gpg --no-default-keyring --import debathena-archive.asc &&
+  gpg --primary-keyring /tmp/debathena.gpg --no-default-keyring --refresh-keys &&
+  gpg --primary-keyring /tmp/debathena.gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --check-sigs --with-colons debathena@mit.edu | grep '^sig:!' | cut -d: -f5 | grep -q $kcr_fingerprint &&
+  gpg --primary-keyring /tmp/debathena.gpg --no-default-keyring --export debathena@mit.edu | apt-key adv --import)
+
+# add Debathena repos to etc/apt/sources.list.d
+  cat <<EOF > /etc/apt/sources.list.d/debathena.list
+deb http://debathena.mit.edu/apt squeeze debathena debathena-config debathena-system openafs
+deb-src http://debathena.mit.edu/apt squeeze debathena debathena-config debathena-system openafs
+EOF
+
+# install host keytab
+  cp $keytab /etc/krb5.keytab
+  k5srvutil change
+  k5srvutil delold
+# install ~/.k5login
+# install Debathena software (hit enter to take the defaults at the
+# configuration prompts)
+  aptitude update
+  aptitude install debathena-clients debathena-ssh-server-config
 # compare packages with another server
-dpkg -l
+  dpkg -l
 # reconfigure so that we can get an MTA, although we don't
-# want the hosts to accept mail (smart host, does not take mail)
+# want the hosts to accept mail (mail sent by smarthost; no local mail)
 # outgoing.mit.edu
-    dpkg reconfigure xm4-config
+    dpkg-reconfigure exim4-config
         # answer questions properly
 # change root alias in /etc/aliases to be the same as scripts server
 # reload it
     newaliases
-# ssh key for host...
-# install host keytab
+# clone the xen config (/etc/xen)
+    git clone -b squeeze ssh://scripts@scripts.mit.edu/mit/scripts/git/xen.git /etc/xen
 # copy conserver config (we need to version this)
-# clone the xen config (/etc/xen)
-    git clone ssh://scripts@scripts.mit.edu/mit/scripts/git/xen.git /etc/xen
-
+  aptitude install sudo conserver-{server,client}
 # setup conserver
-    cat /etc/conserver/console.cf # add the correct entires here
+  cat <<EOF > /etc/conserver/conserver.cf
+config * {
+	sslrequired no;
+}
+default full {
+	rw *;
+}
+default * {
+	logfile /var/log/conserver/&.log;
+	timestamp "1lab";
+	include full;
+	sslrequired no;
+	options reinitoncc;
+}
+default xen {
+        type exec;
+        exec sudo xm console f;
+        execsubst f=cs;
+}
+access * {
+	trusted 127.0.0.1;
+}
+EOF
     visudo # add conservr to sudoers list with:
         conservr ALL=(ALL) NOPASSWD: /usr/sbin/xm console *
+
+# setup munin and nagios  
+    aptitude install munin-node
+cat <<EOF >> /etc/munin/munin-node.conf
+allow ^18\.187\.1\.128$
+allow ^18\.181\.0\.65$
+allow ^18\.181\.0\.51$
+EOF
+
Index: /branches/fc15-dev/server/fedora/config/etc/aliases
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/aliases	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/aliases	(revision 1878)
@@ -89,5 +89,5 @@
 
 # Person who should get root's mail
-root:		andersk@mit.edu, quentin@mit.edu, geofft+root@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu
+root:		andersk@mit.edu, quentin@mit.edu, geofft+root@mit.edu, mitchb@mit.edu, ezyang@mit.edu, xavid@mit.edu, adehnert-sipb@mit.edu, achernya@mit.edu
 
 scripts:	root
@@ -100,2 +100,5 @@
 # Put "/dev/null" as the target of their alias
 srimano:	/dev/null	# has a phpBB generating a lot of backscatter
+
+# Temporary to clear the queue
+# Should be deleted if left uncommitted
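Review bot: The two comment lines added at the end of this hunk announce a temporary alias "to clear the queue", but no alias entry follows them, and the second line says they should be deleted if left uncommitted, yet this commit records them. Either drop both lines, or commit the actual entry together with a comment that says who added it and when it can be removed, so the next reader of /etc/aliases is not left looking for a rule that is not there.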
Index: /branches/fc15-dev/server/fedora/config/etc/cron.daily/num-crontabs
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/cron.daily/num-crontabs	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/cron.daily/num-crontabs	(revision 1878)
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+numcrontabs=$(ls -1 /var/spool/cron | wc -l)
+if [ $numcrontabs -lt 100 ] && [ $numcrontabs -gt 0 ]; then
+    msg="$(hostname --fqdn) has $numcrontabs files in /var/spool/cron and should have none or hundreds."
+    logger -u /dev/log -p cron.warning -t cron "$msg"
+    echo "$msg"
+fi
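Review bot: `$numcrontabs` is expanded unquoted in both `[ ... ]` tests, and when `ls` fails (directory missing or unreadable) the count becomes 0, which the script treats as the healthy "none" case and stays silent. Quote the variable, `if [ "$numcrontabs" -lt 100 ] && [ "$numcrontabs" -gt 0 ]; then`, and consider testing that `/var/spool/cron` is a readable directory first, so that a failed listing is reported instead of being read as zero crontabs. A one-line comment saying where the threshold of 100 comes from would also help whoever tunes this later.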
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/conf/httpd.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 1878)
@@ -345,4 +345,6 @@
         Include conf.d/vhosts-common-ssl.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+        SSLCertificateChainFile /etc/pki/tls/certs/scripts.pem
     </VirtualHost>
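Review bot: In both hunks of this file the added `SSLCertificateChainFile` points at `/etc/pki/tls/certs/scripts.pem`, the same file already named by `SSLCertificateFile`. A chain file is meant to supply the intermediate CA certificates; if scripts.pem really is a bundle of the server certificate followed by the chain, a comment such as `# scripts.pem holds the server cert followed by the CA chain` would make that clear, otherwise the directive should name the separate chain file. Since the key path is now explicit, it is also worth confirming that `/etc/pki/tls/private/scripts.key` is readable by root only. The VirtualHost blocks begin outside the hunks.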
     <VirtualHost 18.181.0.43:444>
@@ -352,4 +354,6 @@
         Include conf.d/vhosts-common-ssl-cert.conf
         SSLCertificateFile /etc/pki/tls/certs/scripts.pem
+        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+        SSLCertificateChainFile /etc/pki/tls/certs/scripts.pem
     </VirtualHost>
     # LDAP vhost, w00t w00t
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/carepackages.conf	(revision 1878)
@@ -0,0 +1,34 @@
+# do not trailing-slash DocumentRoot
+
+<VirtualHost *:80>
+	ServerName carepackages.mit.edu
+	ServerAlias carepackages
+	DocumentRoot /afs/athena.mit.edu/user/a/f/afarrell/web_scripts/uso
+	Alias /~afarrell /afs/athena.mit.edu/user/a/f/afarrell/web_scripts
+	SuExecUserGroup afarrell afarrell
+	Include conf.d/vhosts-common.conf
+</VirtualHost>
+
+<IfModule ssl_module>
+	<VirtualHost *:443>
+		ServerName carepackages.mit.edu
+		ServerAlias carepackages
+		DocumentRoot /afs/athena.mit.edu/user/a/f/afarrell/web_scripts/uso
+		Alias /~afarrell /afs/athena.mit.edu/user/a/f/afarrell/web_scripts
+		SuExecUserGroup afarrell afarrell
+		Include conf.d/vhosts-common-ssl.conf
+		SSLCertificateFile /etc/pki/tls/certs/carepackages.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+	<VirtualHost *:444>
+		ServerName carepackages.mit.edu
+		ServerAlias carepackages
+		DocumentRoot /afs/athena.mit.edu/user/a/f/afarrell/web_scripts/uso
+		Alias /~afarrell /afs/athena.mit.edu/user/a/f/afarrell/web_scripts
+		SuExecUserGroup afarrell afarrell
+		Include conf.d/vhosts-common-ssl.conf
+		Include conf.d/vhosts-common-ssl-cert.conf
+		SSLCertificateFile /etc/pki/tls/certs/carepackages.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+</IfModule>
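Review bot: Both SSL vhosts pair a per-host certificate (`carepackages.pem`) with the service-wide key `/etc/pki/tls/private/scripts.key`, and the same pairing is added in ties.conf, finboard.conf and tours.conf in this changeset. With one private key behind every hostname, a single key exposure means reissuing and redeploying all of these certificates at once; that trade-off deserves at least a comment above the directive, e.g. `# all vhost certs are issued against the shared scripts.key`, and ideally a key per host. The three VirtualHost blocks also repeat ServerName, DocumentRoot, Alias and SuExecUserGroup verbatim, so a change to one is easy to miss in the others.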
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/finboard.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/finboard.conf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/finboard.conf	(revision 1878)
@@ -19,4 +19,5 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/finboard.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 	<VirtualHost *:444>
@@ -29,4 +30,5 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/finboard.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 </IfModule>
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/reify-vhost.py	(revision 1878)
@@ -25,5 +25,5 @@
 import sys
 
-ll = ldap.initialize("ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/")
+ll = ldap.initialize("ldapi://%2fvar%2frun%2fslapd-scripts.socket/")
 ll.simple_bind_s("", "")
 
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ties.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ties.conf	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/ties.conf	(revision 1878)
@@ -0,0 +1,34 @@
+# do not trailing-slash DocumentRoot
+
+<VirtualHost *:80>
+	ServerName ties.mit.edu
+	ServerAlias ties
+	DocumentRoot /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts/ties
+	Alias /~nagaraj /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts
+	SuExecUserGroup nagaraj nagaraj
+	Include conf.d/vhosts-common.conf
+</VirtualHost>
+
+<IfModule ssl_module>
+	<VirtualHost *:443>
+		ServerName ties.mit.edu
+		ServerAlias ties
+		DocumentRoot /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts/ties
+		Alias /~nagaraj /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts
+		SuExecUserGroup nagaraj nagaraj
+		Include conf.d/vhosts-common-ssl.conf
+		SSLCertificateFile /etc/pki/tls/certs/ties.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+	<VirtualHost *:444>
+		ServerName ties.mit.edu
+		ServerAlias ties
+		DocumentRoot /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts/ties
+		Alias /~nagaraj /afs/athena.mit.edu/user/n/a/nagaraj/web_scripts
+		SuExecUserGroup nagaraj nagaraj
+		Include conf.d/vhosts-common-ssl.conf
+		Include conf.d/vhosts-common-ssl-cert.conf
+		SSLCertificateFile /etc/pki/tls/certs/ties.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
+	</VirtualHost>
+</IfModule>
Index: /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/tours.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/tours.conf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/httpd/vhosts.d/tours.conf	(revision 1878)
@@ -19,4 +19,5 @@
 		Include conf.d/vhosts-common-ssl.conf
 		SSLCertificateFile /etc/pki/tls/certs/tours.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 	<VirtualHost *:444>
@@ -29,4 +30,5 @@
 		Include conf.d/vhosts-common-ssl-cert.conf
 		SSLCertificateFile /etc/pki/tls/certs/tours.pem
+		SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
 	</VirtualHost>
 </IfModule>
Index: /branches/fc15-dev/server/fedora/config/etc/ldap.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/ldap.conf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/ldap.conf	(revision 1878)
@@ -27,5 +27,5 @@
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
-uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
+uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/
 
 # The LDAP version to use (defaults to 3
Index: /branches/fc15-dev/server/fedora/config/etc/nagios/check_afs
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/nagios/check_afs	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/nagios/check_afs	(revision 1878)
@@ -8,5 +8,5 @@
 
 if [ $STATUS -gt 0 ]; then
-    if $ECHO "$CHECKS" | grep -i STYX >/dev/null; then
+    if $ECHO "$CHECKS" | grep -i PHLEGETHON >/dev/null; then
 	exit $STATE_CRITICAL;
     else
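Review bot: The name that turns an AFS failure into a critical state (presumably a file-server name) is hard-coded in the `grep` pattern, so this commit had to edit the check itself just to swap `STYX` for `PHLEGETHON`. A variable at the top of the script with a comment explaining why that server is the critical one, e.g. `CRITICAL_SERVER=PHLEGETHON  # <reason this server is critical>`, would keep the next change to one documented place. `grep -qi` would also do the job of the `>/dev/null` redirect. The `if` block continues outside the hunk.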
Index: /branches/fc15-dev/server/fedora/config/etc/nagios/check_kern_taint
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/nagios/check_kern_taint	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/nagios/check_kern_taint	(revision 1878)
@@ -0,0 +1,48 @@
+#!/bin/sh
+. /usr/lib64/nagios/plugins/utils.sh
+
+taintval=$(cat /proc/sys/kernel/tainted)
+
+if [ "$taintval" = 0 ]; then
+    $ECHO "Not tainted"
+    exit $STATE_OK
+fi
+
+# This is a bash reimplementation of kernel/panic.c:print_tainted
+# Letters are as follows:
+# (As quoted from http://lxr.linux.no/#linux+v2.6.38/kernel/panic.c#L181)
+# *      print_tainted - return a string to represent the kernel taint state.
+# *
+# *  'P' - Proprietary module has been loaded.
+# *  'F' - Module has been forcibly loaded.
+# *  'S' - SMP with CPUs not designed for SMP.
+# *  'R' - User forced a module unload.
+# *  'M' - System experienced a machine check exception.
+# *  'B' - System has hit bad_page.
+# *  'U' - Userspace-defined naughtiness.
+# *  'D' - Kernel has oopsed before
+# *  'A' - ACPI table overridden.
+# *  'W' - Taint on warning.
+# *  'C' - modules from drivers/staging are loaded.
+# *  'I' - Working around severe firmware bug.
+# *
+
+flag=1
+taints=""
+for i in P F S R M B U D A W C I; do
+    if [ $(($taintval & $flag)) -ne 0 ]; then
+	taints="$taints$i"
+    else
+	taints="$taints "
+    fi
+    flag=$(($flag * 2))
+done
+
+$ECHO "Tainted: $taints"
+
+case "$taints" in
+    *M*|*B*|*D*) exit $STATE_CRITICAL;;
+    *U*|*W*) exit $STATE_WARNING;;
+    *) exit $STATE_OK;;
+esac
+
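Review bot: `taintval` is used without checking that reading `/proc/sys/kernel/tainted` produced a number; if it is empty or non-numeric, the `$(($taintval & $flag))` arithmetic fails and the plugin exits with whatever status the shell picks rather than a defined Nagios state. A guard right after the `cat`, `case "$taintval" in ''|*[!0-9]*) $ECHO "Cannot read kernel taint value"; exit $STATE_UNKNOWN;; esac`, would report that cleanly. The letter list covers only the twelve flags from the quoted 2.6.38 source, so a value with only higher bits set prints an empty flag string and exits OK; a comment stating that limit, or a WARNING fallback for unrecognised bits, would make it explicit. The header comment also calls this a bash reimplementation while the shebang is `/bin/sh`.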
Index: /branches/fc15-dev/server/fedora/config/etc/nagios/nrpe.cfg
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/nagios/nrpe.cfg	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/nagios/nrpe.cfg	(revision 1878)
@@ -221,5 +221,7 @@
 command[check_procs_u]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -u $ARG3$
 command[check_procs_z]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -z $ARG3$
+command[check_postfix_mailq]=/usr/lib64/nagios/plugins/check_mailq -w 300 -c 1000 -M postfix
 command[check_afs]=/etc/nagios/check_afs
 command[check_cron_working]=/etc/nagios/check_cron_working
 command[check_ldap_mmr]=/etc/nagios/check_ldap_mmr
+command[check_kern_taint]=/etc/nagios/check_kern_taint
Index: /branches/fc15-dev/server/fedora/config/etc/nslcd.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/nslcd.conf	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/nslcd.conf	(revision 1878)
@@ -0,0 +1,139 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid ldap
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+# uri ldap://127.0.0.1/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+# base dc=example,dc=com
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+#scope one
+#scope base
+
+# Customize certain database lookups.
+#base   group  ou=Groups,dc=example,dc=com
+#base   passwd ou=People,dc=example,dc=com
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# NDS mappings
+#map group uniqueMember member
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  uniqueMember     posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+#map    passwd gecos            displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    shadow uid              sAMAccountName
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=group)
+#map    group  uniqueMember     member
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  uniqueMember     member
+#map    group  gidNumber        gid
+# This comment prevents repeated auto-migration of settings.
+uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/
+base dc=scripts,dc=mit,dc=edu
+base   group  ou=Groups,dc=scripts,dc=mit,dc=edu
+base   passwd ou=People,dc=scripts,dc=mit,dc=edu
+timelimit 120
+bind_timelimit 120
+idle_timelimit 3600
Index: anches/fc15-dev/server/fedora/config/etc/nss-ldapd.conf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/nss-ldapd.conf	(revision 1877)
+++ 	(revision )
@@ -1,134 +1,0 @@
-# This is the configuration file for the LDAP nameservice
-# switch library's nslcd daemon. It configures the mapping
-# between NSS names (see /etc/nsswitch.conf) and LDAP
-# information in the directory.
-# See the manual page nss-ldapd.conf(5) for more information.
-
-# The uri pointing to the LDAP server to use for name lookups.
-# Multiple entries may be specified. The address that is used
-# here should be resolvable without using LDAP (obviously).
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-# uri ldap://127.0.0.1/
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-#ldap_version 3
-
-# The distinguished name of the search base.
-# base dc=example,dc=com
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credentials.
-# Note that if you set a bindpw you should check the permissions of this file.
-#bindpw secret
-
-# The default search scope.
-#scope sub
-#scope one
-#scope base
-
-# Customize certain database lookups.
-#base   group  ou=Groups,dc=example,dc=com
-#base   passwd ou=People,dc=example,dc=com
-#base   shadow ou=People,dc=example,dc=com
-#scope  group  onelevel
-#scope  hosts  sub
-
-# Bind/connect timelimit.
-#bind_timelimit 30
-
-# Search timelimit.
-#timelimit 30
-
-# Idle timelimit. nslcd will close connections if the
-# server has not been contacted for the number of seconds.
-#idle_timelimit 3600
-
-# Use StartTLS without verifying the server certificate.
-#ssl start_tls
-#tls_reqcert never
-
-# CA certificates for server certificate verification
-#tls_cacertdir /etc/ssl/certs
-#tls_cacertfile /etc/ssl/ca.cert
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# NDS mappings
-#map group uniqueMember member
-
-# Mappings for Services for UNIX 3.5
-#filter passwd (objectClass=User)
-#map    passwd uid              msSFU30Name
-#map    passwd userPassword     msSFU30Password
-#map    passwd homeDirectory    msSFU30HomeDirectory
-#map    passwd homeDirectory    msSFUHomeDirectory
-#filter shadow (objectClass=User)
-#map    shadow uid              msSFU30Name
-#map    shadow userPassword     msSFU30Password
-#filter group  (objectClass=Group)
-#map    group  uniqueMember     msSFU30PosixMember
-
-# Mappings for Services for UNIX 2.0
-#filter passwd (objectClass=User)
-#map    passwd uid              msSFUName
-#map    passwd userPassword     msSFUPassword
-#map    passwd homeDirectory    msSFUHomeDirectory
-#map    passwd cn               msSFUName
-#filter shadow (objectClass=User)
-#map    shadow uid              msSFUName
-#map    shadow userPassword     msSFUPassword
-#map    shadow shadowLastChange pwdLastSet
-#filter group  (objectClass=Group)
-#map    group  uniqueMember     posixMember
-
-# Mappings for Active Directory
-#pagesize 1000
-#referrals off
-#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
-#map    passwd uid              sAMAccountName
-#map    passwd homeDirectory    unixHomeDirectory
-#map    passwd gecos            displayName
-#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
-#map    shadow uid              sAMAccountName
-#map    shadow shadowLastChange pwdLastSet
-#filter group  (objectClass=group)
-#map    group  uniqueMember     member
-
-# Mappings for AIX SecureWay
-#filter passwd (objectClass=aixAccount)
-#map    passwd uid              userName
-#map    passwd userPassword     passwordChar
-#map    passwd uidNumber        uid
-#map    passwd gidNumber        gid
-#filter group  (objectClass=aixAccessGroup)
-#map    group  cn               groupName
-#map    group  uniqueMember     member
-#map    group  gidNumber        gid
-uid nslcd
-gid ldap
-# This comment prevents repeated auto-migration of settings from /etc/ldap.conf.
-uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
-base dc=scripts,dc=mit,dc=edu
-timelimit 120
-bind_timelimit 120
-idle_timelimit 3600
-base   group  ou=Groups,dc=scripts,dc=mit,dc=edu
-base   passwd ou=People,dc=scripts,dc=mit,dc=edu
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/carepackages.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/carepackages.pem	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/carepackages.pem	(revision 1878)
@@ -0,0 +1,110 @@
+From mitcert@MIT.EDU Tue Apr 19 14:44:59 2011
+Date: Tue, 19 Apr 2011 14:44:57 -0400
+From: mitcert@MIT.EDU
+To: geofft@mit.edu
+Subject: [help.mit.edu #1582630] Certificate request for carepackages.mit.edu 
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            91:ca:bd:82:34:d5:b7:15:35:f1:ea:a5:f9:08:74:70
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
+        Validity
+            Not Before: Apr 18 16:00:00 2011 GMT
+            Not After : Apr 18 16:00:00 2012 GMT
+        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=carepackages.mit.edu/emailAddress=scripts@mit.edu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server, S/MIME
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
+            X509v3 CRL Distribution Points: 
+                URI:http://ca.mit.edu/ca/mitserver.crl
+
+    Signature Algorithm: sha1WithRSAEncryption
+        62:09:ad:c1:43:17:16:6c:aa:9d:ef:91:91:50:e8:3b:f4:b1:
+        a2:81:2d:fd:94:0c:d0:8e:8f:73:d1:6e:bc:4e:9d:d9:ab:46:
+        6b:24:37:ef:5a:08:e9:38:8f:1f:6e:9d:b7:df:b9:2d:dc:53:
+        9d:d0:fd:8e:b0:f5:02:f0:22:b1:d3:c9:da:e8:b4:5e:90:ce:
+        05:94:c2:8d:81:19:a1:0f:89:da:55:78:29:74:56:2c:26:67:
+        8d:c9:5d:ad:62:95:a9:21:b5:ce:87:a0:a1:39:75:1e:0c:92:
+        2f:b8:53:59:8d:06:09:44:62:e7:0e:db:33:cb:04:8c:4d:1a:
+        00:db
+-----BEGIN CERTIFICATE-----
+MIIFCDCCBHGgAwIBAgIRAJHKvYI01bcVNfHqpfkIdHAwDQYJKoZIhvcNAQEFBQAw
+ezELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoT
+JU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsT
+G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTA0MTgxNjAwMDBaFw0x
+MjA0MTgxNjAwMDBaMIHWMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRz
+IEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MSwwKgYDVQQLEyNzY3JpcHRzLm1pdC5l
+ZHUgd2ViIGhvc3Rpbmcgc2VydmljZTEdMBsGA1UEAxMUY2FyZXBhY2thZ2VzLm1p
+dC5lZHUxHjAcBgkqhkiG9w0BCQEWD3NjcmlwdHNAbWl0LmVkdTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAL+j8nuYzBanV+aShTRW8eNig55qTzWd8M+J
+h3Pjk/e3AVc4bun8WU0k66cXR8osUQ5FyLdoyQ4yJuCR0wZcjHwObJkMskYFD03x
+sMdeNQZi/irWDxsstQIkTMMGceyUyh2qr365LcBVS8y8UT12aFvT7TXQA7obbPOg
+2NPca0SwXgFR0wLMStpSEt41MWkWWkiLD86tTeTVixE2f4cc/YTaQy6HL0FwrK3f
+VMDt9iFR+sUG8BvrobC/TRxCNIrVb/clZnOPYMTXjTOR9EY6lwlZAf/DZJRASDBo
+8G4DJnTCobPXy5T8blOKKp79sU/EdFYlYx+qvZUleJxFRhsMIXHrhJTQsvHaUvbR
+f2MdCCNSX8L5TaykROWaVHD8yfzU1LcddZUA478+TPNDw5bHCSopRRLSMdZ5TIrn
+VCcixoCuhyNW8Y1Jm8j67TNbX1Z2yA9+hRRpxEgxBzmlNIHyaxVQIvu7LK1LhOpV
+ZPfeVp3QttB9HhtRUDdElObEFetFMfGz7A+zqQz4HEfHUQAF7+6wPZ9+B6c46INM
+Pds0tiQMkFfA+dBkFIqTR5tB9aMUHZ4YXdXYZq/188gvvKcCp+/c8A7HR40u1qhi
+QpNbfPU1+DEQezjUQCRogRMny/t2DtGZFNjV6/dpZI+vj4K7JCn51CkdzuYUukyL
+Cf9GzottAgMBAAGjgaswgagwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBeAw
+JwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMEBggrBgEFBQcDAjALBgNVHQ8E
+BAMCBeAwHQYDVR0OBBYEFMsRtwFfhlVPRV6rJ2m+4TyJelViMDMGA1UdHwQsMCow
+KKAmoCSGImh0dHA6Ly9jYS5taXQuZWR1L2NhL21pdHNlcnZlci5jcmwwDQYJKoZI
+hvcNAQEFBQADgYEAYgmtwUMXFmyqne+RkVDoO/SxooEt/ZQM0I6Pc9FuvE6d2atG
+ayQ371oI6TiPH26dt9+5LdxTndD9jrD1AvAisdPJ2ui0XpDOBZTCjYEZoQ+J2lV4
+KXRWLCZnjcldrWKVqSG1zoegoTl1HgySL7hTWY0GCURi5w7bM8sEjE0aANs=
+-----END CERTIFICATE-----
+
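Review bot: The file is committed with the CA's mail reply still attached: the mbox `From mitcert@MIT.EDU ...` line, the `Date`/`To`/`Subject` headers and the ticket number precede the certificate, and finboard.pem gains the same header in this changeset. PEM loaders generally skip text outside the `-----BEGIN CERTIFICATE-----` block, so this likely works, but trimming the file to the `Certificate:` dump plus the PEM block keeps mail metadata out of the config tree. The modulus here is identical to the one in the new finboard.pem, so both certificates certify the same key pair. The 4096-bit key is signed with `sha1WithRSAEncryption`, and the signature length suggests a 1024-bit CA key, so the larger leaf key does not strengthen the chain beyond that signature.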
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/finboard.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/finboard.pem	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/finboard.pem	(revision 1878)
@@ -1,27 +1,58 @@
+From mitcert@MIT.EDU Tue Apr 19 13:48:37 2011
+Date: Tue, 19 Apr 2011 13:48:34 -0400
+From: mitcert@MIT.EDU
+To: geofft@mit.edu
+Subject: [help.mit.edu #1582629] Certificate renewal request for finboard.mit.edu 
+
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            a4:10:09:e5:83:d7:c1:06:a9:b6:f5:bd:5d:dc:92:d8
+            db:fb:e9:9c:73:3e:ac:a0:fa:8b:82:fb:8f:3a:69:99
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
         Validity
-            Not Before: Apr 28 16:00:00 2010 GMT
-            Not After : Apr 28 16:00:00 2011 GMT
-        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service,
-CN=finboard.mit.edu/emailAddress=scripts@mit.edu
+            Not Before: Apr 18 16:00:00 2011 GMT
+            Not After : Apr 18 16:00:00 2012 GMT
+        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=finboard.mit.edu/emailAddress=scripts@mit.edu
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b5:3e:21:4d:c1:89:6b:01:8c:47:80:fe:b3:37:
-                    27:76:f8:52:41:e6:a2:3d:4b:76:78:e5:f2:66:3c:
-                    0f:b1:ad:fb:97:8f:2e:a2:b6:53:d3:b6:0e:e2:66:
-                    f9:b9:0b:b7:ce:b4:d5:f5:1c:1f:6f:22:7d:48:f5:
-                    6d:f0:16:cd:8e:48:79:d1:14:4a:14:2f:2f:f8:c4:
-                    bd:1d:87:cf:7d:8b:5c:77:ad:58:24:b0:0e:a1:6d:
-                    d6:0a:c7:d8:bc:2f:67:65:c8:5d:d8:d8:31:c2:67:
-                    4b:4a:f4:a1:a5:54:82:af:cb:34:08:2a:04:7f:8e:
-                    7c:4c:b7:db:dc:6a:8a:5d:81
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
@@ -30,41 +61,50 @@
             Netscape Cert Type: 
                 SSL Client, SSL Server, S/MIME
-            X509v3 Extended Key Usage:
+            X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication
-            X509v3 Key Usage:
+            X509v3 Key Usage: 
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Subject Key Identifier: 
-                54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
             X509v3 CRL Distribution Points: 
                 URI:http://ca.mit.edu/ca/mitserver.crl
 
     Signature Algorithm: sha1WithRSAEncryption
-        4a:7c:d3:b2:84:dd:b8:f9:46:1e:04:28:c3:cc:7b:78:72:ca:
-        97:c3:6e:a9:6b:0e:a0:b1:99:47:65:1a:6c:13:5c:13:b2:20:
-        10:6e:cd:af:9e:f1:47:ff:4c:f5:b0:ab:0f:e5:2d:dd:bd:40:
-        05:43:cc:12:3d:dc:7b:c6:c8:d9:d8:18:dd:59:1a:e3:78:b2:
-        93:b4:c2:75:18:7a:23:2d:ee:15:0e:bf:9e:ff:18:c3:d2:9d:
-        4f:15:2a:f9:66:1c:04:40:db:cc:57:b8:fa:59:e6:b7:49:b8:
-        29:fc:02:a6:0f:a2:c9:dd:ee:00:e0:58:cc:b4:79:60:f5:3e:
-        91:fd
+        7a:69:0c:91:e2:fb:49:59:50:9f:7f:e5:ad:3f:3e:c7:56:f7:
+        14:0e:f4:b7:7c:9b:da:1c:33:6c:62:f4:c2:b3:82:fc:28:17:
+        f4:87:3e:29:ea:da:c2:1a:15:6f:bd:ab:af:87:81:d8:43:b6:
+        f2:32:f3:f1:7d:37:e3:04:67:23:f5:13:67:a4:80:e7:c4:9f:
+        fa:b1:ff:53:53:24:bd:ce:ff:9a:89:b9:4f:13:04:e1:9c:f5:
+        54:e3:ff:e6:de:09:a8:f8:2e:50:66:b2:c4:67:ac:34:ae:78:
+        f8:b7:4a:3b:48:70:1b:f9:ec:8f:a7:e6:3d:cd:28:8e:28:b5:
+        fd:f7
 -----BEGIN CERTIFICATE-----
-MIIDgDCCAumgAwIBAgIRAKQQCeWD18EGqbb1vV3cktgwDQYJKoZIhvcNAQEFBQAw
+MIIFBDCCBG2gAwIBAgIRANv76ZxzPqyg+ouC+486aZkwDQYJKoZIhvcNAQEFBQAw
 ezELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoT
 JU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsT
-G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA0MjgxNjAwMDBaFw0x
-MTA0MjgxNjAwMDBaMIHSMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
+G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTA0MTgxNjAwMDBaFw0x
+MjA0MTgxNjAwMDBaMIHSMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
 ZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRz
 IEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MSwwKgYDVQQLEyNzY3JpcHRzLm1pdC5l
 ZHUgd2ViIGhvc3Rpbmcgc2VydmljZTEZMBcGA1UEAxMQZmluYm9hcmQubWl0LmVk
-dTEeMBwGCSqGSIb3DQEJARYPc2NyaXB0c0BtaXQuZWR1MIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQC1PiFNwYlrAYxHgP6zNyd2+FJB5qI9S3Z45fJmPA+xrfuX
-jy6itlPTtg7iZvm5C7fOtNX1HB9vIn1I9W3wFs2OSHnRFEoULy/4xL0dh899i1x3
-rVgksA6hbdYKx9i8L2dlyF3Y2DHCZ0tK9KGlVIKvyzQIKgR/jnxMt9vcaopdgQID
-AQABo4GrMIGoMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgXgMCcGA1UdJQQg
-MB4GCCsGAQUFBwMBBggrBgEFBQcDBAYIKwYBBQUHAwIwCwYDVR0PBAQDAgXgMB0G
-A1UdDgQWBBRUEXwJVUQclEWponZGKywkJmpE6DAzBgNVHR8ELDAqMCigJqAkhiJo
-dHRwOi8vY2EubWl0LmVkdS9jYS9taXRzZXJ2ZXIuY3JsMA0GCSqGSIb3DQEBBQUA
-A4GBAEp807KE3bj5Rh4EKMPMe3hyypfDbqlrDqCxmUdlGmwTXBOyIBBuza+e8Uf/
-TPWwqw/lLd29QAVDzBI93HvGyNnYGN1ZGuN4spO0wnUYeiMt7hUOv57/GMPSnU8V
-KvlmHARA28xXuPpZ5rdJuCn8AqYPosnd7gDgWMy0eWD1PpH9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 -----END CERTIFICATE-----
+
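Review bot: The Subject Key Identifier this hunk switches to (`CB:11:B7:01:…:7A:55:62`) is the same value that appears in the new ties.pem and in the tours.pem hunks later in this changeset, and the 4096-bit modulus printed in those two files is identical. The renewed vhost certificates therefore appear to share one RSA key pair, as the old ones did with `54:11:7C:09:…:6A:44:E8`. With a shared key, exposure of that one private key affects every vhost at once, and revoking one certificate means re-keying and reissuing all of them. If the sharing is deliberate, the commit message should say so and say where the key is protected; otherwise a separate key per CSR would limit the blast radius.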
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/scripts.pem	(revision 1878)
@@ -1,65 +1,72 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 745256 (0xb5f28)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
-        Validity
-            Not Before: Jun  4 20:22:36 2009 GMT
-            Not After : Jun  7 02:53:00 2011 GMT
-        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=Student Information Processing Board, CN=scripts.mit.edu
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b5:3e:21:4d:c1:89:6b:01:8c:47:80:fe:b3:37:
-                    27:76:f8:52:41:e6:a2:3d:4b:76:78:e5:f2:66:3c:
-                    0f:b1:ad:fb:97:8f:2e:a2:b6:53:d3:b6:0e:e2:66:
-                    f9:b9:0b:b7:ce:b4:d5:f5:1c:1f:6f:22:7d:48:f5:
-                    6d:f0:16:cd:8e:48:79:d1:14:4a:14:2f:2f:f8:c4:
-                    bd:1d:87:cf:7d:8b:5c:77:ad:58:24:b0:0e:a1:6d:
-                    d6:0a:c7:d8:bc:2f:67:65:c8:5d:d8:d8:31:c2:67:
-                    4b:4a:f4:a1:a5:54:82:af:cb:34:08:2a:04:7f:8e:
-                    7c:4c:b7:db:dc:6a:8a:5d:81
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
-            X509v3 Subject Key Identifier: 
-                54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8
-            X509v3 CRL Distribution Points: 
-                URI:http://crl.geotrust.com/crls/secureca.crl
+From mitcert@MIT.EDU Wed May 25 15:32:24 2011
+Date: Wed, 25 May 2011 15:32:22 -0400
+From: mitcert@MIT.EDU
+To: geofft@mit.edu
+Subject: [help.mit.edu #1615888] Equifax certificate renewal for scripts.mit.edu 
 
-            X509v3 Authority Key Identifier: 
-                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
+5 Year ($300) Certificate:
 
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-    Signature Algorithm: sha1WithRSAEncryption
-        0e:42:72:ba:24:61:07:eb:69:d6:3e:4a:e9:ec:a3:f8:16:c0:
-        a2:31:2d:f0:93:ec:37:2c:dc:c0:7c:a6:9e:60:52:d4:c6:af:
-        f4:c7:cb:f0:ad:bf:3c:b8:34:a7:1e:35:c3:15:84:f6:79:96:
-        f3:ec:d7:78:62:83:81:b5:bb:5e:77:0a:19:b6:d1:9f:ae:a9:
-        0b:f6:8a:7c:71:1e:a9:8e:e7:3d:e7:a6:38:47:3a:9f:0c:69:
-        37:a1:3f:0e:44:77:47:b9:75:4a:49:08:f3:42:43:58:2c:24:
-        d2:b9:5b:9c:8b:9a:5f:b6:83:cc:bb:ec:26:65:b7:75:50:83:
-        a6:5b
+Web Server CERTIFICATE
+-----------------
+
 -----BEGIN CERTIFICATE-----
-MIIDKDCCApGgAwIBAgIDC18oMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
-MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
-aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA0MjAyMjM2WhcNMTEwNjA3MDI1MzAw
-WjCBsjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV
-BAcTCUNhbWJyaWRnZTEuMCwGA1UEChMlTWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUg
-b2YgVGVjaG5vbG9neTEtMCsGA1UECxMkU3R1ZGVudCBJbmZvcm1hdGlvbiBQcm9j
-ZXNzaW5nIEJvYXJkMRgwFgYDVQQDEw9zY3JpcHRzLm1pdC5lZHUwgZ8wDQYJKoZI
-hvcNAQEBBQADgY0AMIGJAoGBALU+IU3BiWsBjEeA/rM3J3b4UkHmoj1Ldnjl8mY8
-D7Gt+5ePLqK2U9O2DuJm+bkLt8601fUcH28ifUj1bfAWzY5IedEUShQvL/jEvR2H
-z32LXHetWCSwDqFt1grH2LwvZ2XIXdjYMcJnS0r0oaVUgq/LNAgqBH+OfEy329xq
-il2BAgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBRUEXwJVUQc
-lEWponZGKywkJmpE6DA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3Ry
-dXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAfBgNVHSMEGDAWgBRI5mj5K9KylddH
-2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZI
-hvcNAQEFBQADgYEADkJyuiRhB+tp1j5K6eyj+BbAojEt8JPsNyzcwHymnmBS1Mav
-9MfL8K2/PLg0px41wxWE9nmW8+zXeGKDgbW7XncKGbbRn66pC/aKfHEeqY7nPeem
-OEc6nwxpN6E/DkR3R7l1SkkI80JDWCwk0rlbnIuaX7aDzLvsJmW3dVCDpls=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 -----END CERTIFICATE-----
+
+
+INTERMEDIATE CA:
+---------------------------------------
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
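Review bot: The new scripts.pem drops the decoded `Certificate:` text block, which ties.pem and tours.pem in this changeset keep, so the validity dates, key size and issuer of the renewed certificate can no longer be read from the file or checked in review. I would prepend the `openssl x509 -text` output above the `-----BEGIN CERTIFICATE-----` line, in the same layout as the other files. The file now also carries a second certificate under `INTERMEDIATE CA:`. Whether that chain is actually sent to clients depends on how the web server configuration references this file, which is not visible here, so it is worth confirming with a client that has no cached intermediate.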
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ties.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ties.pem	(revision 1878)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/ties.pem	(revision 1878)
@@ -0,0 +1,110 @@
+From mitcert@MIT.EDU Thu May 19 12:07:49 2011
+Date: Thu, 19 May 2011 12:07:47 -0400
+From: mitcert@MIT.EDU
+To: geofft@mit.edu
+Subject: [help.mit.edu #1611578] CSR for scripts vhost ties.mit.edu 
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            10:7b:ef:ff:12:5b:2c:ce:64:a1:4c:2d:5f:63:1b:0f
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
+        Validity
+            Not Before: May 17 16:00:00 2011 GMT
+            Not After : May 17 16:00:00 2012 GMT
+        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=ties.mit.edu/emailAddress=scripts@mit.edu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, SSL Server, S/MIME
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, E-mail Protection, TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Subject Key Identifier: 
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
+            X509v3 CRL Distribution Points: 
+                URI:http://ca.mit.edu/ca/mitserver.crl
+
+    Signature Algorithm: sha1WithRSAEncryption
+        92:17:5a:90:61:e4:58:f7:84:21:e1:87:9d:96:67:8b:a8:d2:
+        38:3c:b3:43:c0:c7:b5:ed:e1:3a:12:1a:01:f2:62:f5:d9:fc:
+        74:b8:c0:73:f6:39:04:f1:74:3e:73:1a:11:e3:fe:84:4a:42:
+        a1:bf:b6:5c:a1:55:a7:54:91:4d:dd:14:ee:44:24:ed:84:bb:
+        82:6a:42:56:7c:b4:d7:ed:a5:56:7c:65:08:cc:30:65:ed:95:
+        61:ab:00:dc:60:ea:fd:81:38:dc:5b:24:ae:3e:ef:3d:d3:00:
+        8d:5d:dd:1e:0a:88:0d:7f:e5:3b:56:14:01:45:ed:7e:87:97:
+        bb:1f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
Index: /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/tours.pem
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/tours.pem	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/pki/tls/certs/tours.pem	(revision 1878)
@@ -1,7 +1,7 @@
-From mitcert@MIT.EDU Thu Jun 17 08:13:52 2010
-Date: Thu, 17 Jun 2010 08:13:51 -0400 (EDT)
+From mitcert@MIT.EDU Mon Jun  6 11:01:40 2011
+Date: Mon, 6 Jun 2011 11:01:37 -0400
 From: mitcert@MIT.EDU
-To: mitchb@mit.edu
-Subject: Certificate signing request for tours.mit.edu  [help.mit.edu #1263305]
+To: geofft@mit.edu
+Subject: [help.mit.edu #1628846] certificate renewal for scripts vhost tours.mit.edu 
 
 Certificate:
@@ -9,24 +9,50 @@
         Version: 3 (0x2)
         Serial Number:
-            63:75:30:51:9d:87:bd:ac:0d:9b:0d:27:00:13:b9:b5
+            cd:7f:98:ad:03:56:53:60:54:b9:67:c1:4b:ca:66:75
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=Massachusetts, O=Massachusetts Institute of Technology, OU=MIT Certification Authority
         Validity
-            Not Before: Jun 15 16:00:00 2010 GMT
-            Not After : Jun 16 16:00:00 2011 GMT
+            Not Before: Jun  4 16:00:00 2011 GMT
+            Not After : Jun  5 16:00:00 2012 GMT
         Subject: C=US, ST=Massachusetts, L=Cambridge, O=Massachusetts Institute of Technology, OU=scripts.mit.edu web hosting service, CN=tours.mit.edu/emailAddress=scripts@mit.edu
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b5:3e:21:4d:c1:89:6b:01:8c:47:80:fe:b3:37:
-                    27:76:f8:52:41:e6:a2:3d:4b:76:78:e5:f2:66:3c:
-                    0f:b1:ad:fb:97:8f:2e:a2:b6:53:d3:b6:0e:e2:66:
-                    f9:b9:0b:b7:ce:b4:d5:f5:1c:1f:6f:22:7d:48:f5:
-                    6d:f0:16:cd:8e:48:79:d1:14:4a:14:2f:2f:f8:c4:
-                    bd:1d:87:cf:7d:8b:5c:77:ad:58:24:b0:0e:a1:6d:
-                    d6:0a:c7:d8:bc:2f:67:65:c8:5d:d8:d8:31:c2:67:
-                    4b:4a:f4:a1:a5:54:82:af:cb:34:08:2a:04:7f:8e:
-                    7c:4c:b7:db:dc:6a:8a:5d:81
+            RSA Public Key: (4096 bit)
+                Modulus (4096 bit):
+                    00:bf:a3:f2:7b:98:cc:16:a7:57:e6:92:85:34:56:
+                    f1:e3:62:83:9e:6a:4f:35:9d:f0:cf:89:87:73:e3:
+                    93:f7:b7:01:57:38:6e:e9:fc:59:4d:24:eb:a7:17:
+                    47:ca:2c:51:0e:45:c8:b7:68:c9:0e:32:26:e0:91:
+                    d3:06:5c:8c:7c:0e:6c:99:0c:b2:46:05:0f:4d:f1:
+                    b0:c7:5e:35:06:62:fe:2a:d6:0f:1b:2c:b5:02:24:
+                    4c:c3:06:71:ec:94:ca:1d:aa:af:7e:b9:2d:c0:55:
+                    4b:cc:bc:51:3d:76:68:5b:d3:ed:35:d0:03:ba:1b:
+                    6c:f3:a0:d8:d3:dc:6b:44:b0:5e:01:51:d3:02:cc:
+                    4a:da:52:12:de:35:31:69:16:5a:48:8b:0f:ce:ad:
+                    4d:e4:d5:8b:11:36:7f:87:1c:fd:84:da:43:2e:87:
+                    2f:41:70:ac:ad:df:54:c0:ed:f6:21:51:fa:c5:06:
+                    f0:1b:eb:a1:b0:bf:4d:1c:42:34:8a:d5:6f:f7:25:
+                    66:73:8f:60:c4:d7:8d:33:91:f4:46:3a:97:09:59:
+                    01:ff:c3:64:94:40:48:30:68:f0:6e:03:26:74:c2:
+                    a1:b3:d7:cb:94:fc:6e:53:8a:2a:9e:fd:b1:4f:c4:
+                    74:56:25:63:1f:aa:bd:95:25:78:9c:45:46:1b:0c:
+                    21:71:eb:84:94:d0:b2:f1:da:52:f6:d1:7f:63:1d:
+                    08:23:52:5f:c2:f9:4d:ac:a4:44:e5:9a:54:70:fc:
+                    c9:fc:d4:d4:b7:1d:75:95:00:e3:bf:3e:4c:f3:43:
+                    c3:96:c7:09:2a:29:45:12:d2:31:d6:79:4c:8a:e7:
+                    54:27:22:c6:80:ae:87:23:56:f1:8d:49:9b:c8:fa:
+                    ed:33:5b:5f:56:76:c8:0f:7e:85:14:69:c4:48:31:
+                    07:39:a5:34:81:f2:6b:15:50:22:fb:bb:2c:ad:4b:
+                    84:ea:55:64:f7:de:56:9d:d0:b6:d0:7d:1e:1b:51:
+                    50:37:44:94:e6:c4:15:eb:45:31:f1:b3:ec:0f:b3:
+                    a9:0c:f8:1c:47:c7:51:00:05:ef:ee:b0:3d:9f:7e:
+                    07:a7:38:e8:83:4c:3d:db:34:b6:24:0c:90:57:c0:
+                    f9:d0:64:14:8a:93:47:9b:41:f5:a3:14:1d:9e:18:
+                    5d:d5:d8:66:af:f5:f3:c8:2f:bc:a7:02:a7:ef:dc:
+                    f0:0e:c7:47:8d:2e:d6:a8:62:42:93:5b:7c:f5:35:
+                    f8:31:10:7b:38:d4:40:24:68:81:13:27:cb:fb:76:
+                    0e:d1:99:14:d8:d5:eb:f7:69:64:8f:af:8f:82:bb:
+                    24:29:f9:d4:29:1d:ce:e6:14:ba:4c:8b:09:ff:46:
+                    ce:8b:6d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
@@ -40,37 +66,45 @@
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Subject Key Identifier: 
-                54:11:7C:09:55:44:1C:94:45:A9:A2:76:46:2B:2C:24:26:6A:44:E8
+                CB:11:B7:01:5F:86:55:4F:45:5E:AB:27:69:BE:E1:3C:89:7A:55:62
             X509v3 CRL Distribution Points: 
                 URI:http://ca.mit.edu/ca/mitserver.crl
 
     Signature Algorithm: sha1WithRSAEncryption
-        5e:72:af:24:29:41:16:76:f9:61:0d:e1:ad:16:05:00:90:8c:
-        c4:42:41:ae:20:3b:cc:9f:e8:e5:de:07:26:35:bd:54:1a:95:
-        4f:20:7b:5a:5d:e1:5b:10:ac:6b:c1:24:0d:22:cd:ef:d2:16:
-        67:2a:33:b1:4e:8f:da:44:56:35:98:b0:67:67:47:ca:c5:89:
-        51:26:7e:cd:e9:5c:c2:74:73:d1:ac:ff:20:03:ee:76:17:97:
-        6c:d9:e2:74:c1:48:89:a4:b8:53:70:24:23:36:b8:f4:c4:ed:
-        76:9d:6a:d2:69:26:07:a7:79:fd:9f:9b:b1:f9:64:00:c2:61:
-        48:5e
+        22:c7:5e:7a:58:8e:2f:a9:e2:fc:ff:27:3f:2d:91:2e:c6:a1:
+        47:02:af:7b:a5:22:43:cc:c7:2c:08:04:98:c1:56:e8:14:88:
+        89:08:b7:56:d0:7a:61:5b:f7:32:d7:21:58:80:13:e4:68:99:
+        74:43:50:54:e7:64:f1:ce:68:3a:87:22:5c:c7:b9:c4:43:cd:
+        53:5f:09:23:a1:92:c4:3a:ec:a7:1e:60:2a:cd:3e:17:5d:51:
+        cf:14:c2:4a:b8:10:55:a6:66:e7:6b:b1:c7:08:32:ae:e7:9f:
+        a8:31:79:65:c6:61:2e:dc:e1:0d:e6:a0:f6:6e:98:90:5b:66:
+        8a:a5
 -----BEGIN CERTIFICATE-----
-MIIDfDCCAuWgAwIBAgIQY3UwUZ2HvawNmw0nABO5tTANBgkqhkiG9w0BAQUFADB7
-MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEuMCwGA1UEChMl
-TWFzc2FjaHVzZXR0cyBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEkMCIGA1UECxMb
-TUlUIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEwMDYxNTE2MDAwMFoXDTEx
-MDYxNjE2MDAwMFowgc8xCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
-dHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMg
-SW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxLDAqBgNVBAsTI3NjcmlwdHMubWl0LmVk
-dSB3ZWIgaG9zdGluZyBzZXJ2aWNlMRYwFAYDVQQDEw10b3Vycy5taXQuZWR1MR4w
-HAYJKoZIhvcNAQkBFg9zY3JpcHRzQG1pdC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQAD
-gY0AMIGJAoGBALU+IU3BiWsBjEeA/rM3J3b4UkHmoj1Ldnjl8mY8D7Gt+5ePLqK2
-U9O2DuJm+bkLt8601fUcH28ifUj1bfAWzY5IedEUShQvL/jEvR2Hz32LXHetWCSw
-DqFt1grH2LwvZ2XIXdjYMcJnS0r0oaVUgq/LNAgqBH+OfEy329xqil2BAgMBAAGj
-gaswgagwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBeAwJwYDVR0lBCAwHgYI
-KwYBBQUHAwEGCCsGAQUFBwMEBggrBgEFBQcDAjALBgNVHQ8EBAMCBeAwHQYDVR0O
-BBYEFFQRfAlVRByURamidkYrLCQmakToMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6
-Ly9jYS5taXQuZWR1L2NhL21pdHNlcnZlci5jcmwwDQYJKoZIhvcNAQEFBQADgYEA
-XnKvJClBFnb5YQ3hrRYFAJCMxEJBriA7zJ/o5d4HJjW9VBqVTyB7Wl3hWxCsa8Ek
-DSLN79IWZyozsU6P2kRWNZiwZ2dHysWJUSZ+zelcwnRz0az/IAPudheXbNnidMFI
-iaS4U3AkIza49MTtdp1q0mkmB6d5/Z+bsflkAMJhSF4=
+MIIFATCCBGqgAwIBAgIRAM1/mK0DVlNgVLlnwUvKZnUwDQYJKoZIhvcNAQEFBQAw
+ezELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoT
+JU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJDAiBgNVBAsT
+G01JVCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTA2MDQxNjAwMDBaFw0x
+MjA2MDUxNjAwMDBaMIHPMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVz
+ZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMS4wLAYDVQQKEyVNYXNzYWNodXNldHRz
+IEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MSwwKgYDVQQLEyNzY3JpcHRzLm1pdC5l
+ZHUgd2ViIGhvc3Rpbmcgc2VydmljZTEWMBQGA1UEAxMNdG91cnMubWl0LmVkdTEe
+MBwGCSqGSIb3DQEJARYPc2NyaXB0c0BtaXQuZWR1MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAv6Pye5jMFqdX5pKFNFbx42KDnmpPNZ3wz4mHc+OT97cB
+Vzhu6fxZTSTrpxdHyixRDkXIt2jJDjIm4JHTBlyMfA5smQyyRgUPTfGwx141BmL+
+KtYPGyy1AiRMwwZx7JTKHaqvfrktwFVLzLxRPXZoW9PtNdADuhts86DY09xrRLBe
+AVHTAsxK2lIS3jUxaRZaSIsPzq1N5NWLETZ/hxz9hNpDLocvQXCsrd9UwO32IVH6
+xQbwG+uhsL9NHEI0itVv9yVmc49gxNeNM5H0RjqXCVkB/8NklEBIMGjwbgMmdMKh
+s9fLlPxuU4oqnv2xT8R0ViVjH6q9lSV4nEVGGwwhceuElNCy8dpS9tF/Yx0II1Jf
+wvlNrKRE5ZpUcPzJ/NTUtx11lQDjvz5M80PDlscJKilFEtIx1nlMiudUJyLGgK6H
+I1bxjUmbyPrtM1tfVnbID36FFGnESDEHOaU0gfJrFVAi+7ssrUuE6lVk995WndC2
+0H0eG1FQN0SU5sQV60Ux8bPsD7OpDPgcR8dRAAXv7rA9n34Hpzjog0w92zS2JAyQ
+V8D50GQUipNHm0H1oxQdnhhd1dhmr/XzyC+8pwKn79zwDsdHjS7WqGJCk1t89TX4
+MRB7ONRAJGiBEyfL+3YO0ZkU2NXr92lkj6+PgrskKfnUKR3O5hS6TIsJ/0bOi20C
+AwEAAaOBqzCBqDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF4DAnBgNVHSUE
+IDAeBggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMCMAsGA1UdDwQEAwIF4DAd
+BgNVHQ4EFgQUyxG3AV+GVU9FXqsnab7hPIl6VWIwMwYDVR0fBCwwKjAooCagJIYi
+aHR0cDovL2NhLm1pdC5lZHUvY2EvbWl0c2VydmVyLmNybDANBgkqhkiG9w0BAQUF
+AAOBgQAix156WI4vqeL8/yc/LZEuxqFHAq97pSJDzMcsCASYwVboFIiJCLdW0Hph
+W/cy1yFYgBPkaJl0Q1BU52Txzmg6hyJcx7nEQ81TXwkjoZLEOuynHmAqzT4XXVHP
+FMJKuBBVpmbna7HHCDKu55+oMXllxmEu3OEN5qD2bpiQW2aKpQ==
 -----END CERTIFICATE-----
 
Index: /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-domains-ldap.cf	(revision 1878)
@@ -12,5 +12,5 @@
 # version 3 is necessary to use ldapi.
 
-server_host = ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%s)(scriptsVhostAlias=%s))(!(scriptsVhostName=scripts.mit.edu)))
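Review bot: Nothing next to `server_host` records where the socket path comes from, so the next move of the directory server's socket can silently break these lookups again; the same applies to the identical change in virtual-alias-maps-ldap.cf. I would add a line above it such as `# Path must match the LDAPI socket of the slapd-scripts instance (nsslapd-ldapifilepath in cn=config).` The comment block this would join starts above the hunk. With the socket now directly under /var/run rather than inside `dirsrv/`, the socket's own mode is presumably the only filesystem control on who may connect, so that mode is worth confirming on a built server.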
Index: /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf
===================================================================
--- /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf	(revision 1877)
+++ /branches/fc15-dev/server/fedora/config/etc/postfix/virtual-alias-maps-ldap.cf	(revision 1878)
@@ -13,5 +13,5 @@
 # necessary to use ldapi.
 
-server_host = ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
+server_host = ldapi://%2fvar%2frun%2fslapd-scripts.socket/
 search_base = ou=VirtualHosts,dc=scripts,dc=mit,dc=edu
 query_filter = (&(objectClass=scriptsVhost)(|(scriptsVhostName=%d)(scriptsVhostAlias=%d))(!(scriptsVhostName=scripts.mit.edu)))
Index: /branches/fc15-dev/server/fedora/specs/athena-aclocal.spec
===================================================================
--- /branches/fc15-dev/server/fedora/specs/athena-aclocal.spec	(revision 1878)
+++ /branches/fc15-dev/server/fedora/specs/athena-aclocal.spec	(revision 1878)
@@ -0,0 +1,38 @@
+# Make sure to update this to coincide with the most recent debathena-aclocal
+# release from http://debathena.mit.edu/apt/pool/debathena/d/debathena-aclocal/
+%define upstreamversion 1.1.2
+Name:		athena-aclocal
+Version:	%{upstreamversion}
+Release:	1.%{scriptsversion}%{?dist}
+Summary:	Common autoconf macros for Athena software
+Vendor:		The scripts.mit.edu Team (scripts@mit.edu)
+Group:		Development/Tools
+License:	MIT
+URL:		http://scripts.mit.edu/
+Source:		deb%{name}_%{upstreamversion}.tar.gz
+BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Requires:	automake
+
+%description
+This package contains autoconf macros used in the building of multiple
+pieces of Athena software.  It is a clone of Debathena's debathena-aclocal.
+
+%prep
+%setup -q -n deb%{name}-%{upstreamversion}
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}%{_datadir}/aclocal
+cp aclocal/* %{buildroot}%{_datadir}/aclocal
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/aclocal/*.m4
+
+%changelog
+* Sun May 29 2011 Mitchell Berger <mitchb@mit.edu> - 1.1.2-1
+- Initial packaging of Athena aclocal macros on Fedora
+
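Review bot: The header comment points packagers at an `http://` pool URL for the tarball, but the spec records nothing that would let a later rebuild confirm it is using the same source; discuss.spec in this changeset has the same gap. I would add a line under `%define upstreamversion`, for example `# sha256 of debathena-aclocal_1.1.2.tar.gz: <sha256-placeholder>`, and update it together with the version. Separately, the package installs only `%{_datadir}/aclocal/*.m4` and has no `%build` step, so `BuildArch: noarch` after the `Requires:` line would describe it more accurately.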
Index: /branches/fc15-dev/server/fedora/specs/discuss.spec
===================================================================
--- /branches/fc15-dev/server/fedora/specs/discuss.spec	(revision 1878)
+++ /branches/fc15-dev/server/fedora/specs/discuss.spec	(revision 1878)
@@ -0,0 +1,112 @@
+# Make sure to update this to coincide with the most recent debathena-discuss
+# release from http://debathena.mit.edu/apt/pool/debathena/d/debathena-discuss/
+%define upstreamversion 10.0.13
+Name:		discuss
+Version:	%{upstreamversion}
+Release:	1.%{scriptsversion}%{?dist}
+Vendor:		The scripts.mit.edu Team (scripts@mit.edu)
+Summary:	A conferencing and mail archiving system
+Group:		Applications/Archiving
+License:	MIT
+URL:		http://scripts.mit.edu/
+Source0:	debathena-%{name}_%{upstreamversion}.orig.tar.gz
+Source1:	discuss.xinetd
+BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+BuildRequires:	athena-aclocal, byacc, libcom_err-devel, libss-devel, krb5-devel, zephyr-devel, readline-devel, less
+Requires:	less
+
+%description
+Discuss is a user-interface front end to a networked conferencing system.
+This is a clone of Debathena's debathena-discuss package.
+
+%prep
+%setup -q -n debathena-%{name}-%{upstreamversion}
+
+%build
+autoreconf -fi
+# automake doesn't like that there's no Makefile.am, but we're only
+# using it to copy in install-sh and config.{sub|guess}, so we don't
+# want the error return code to cause rpmbuild to bomb out.
+automake --add-missing --foreign || :
+%configure --without-krb4 --with-krb5 --with-zephyr --with-pager=/usr/bin/less
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make install DESTDIR=%{buildroot}
+# Unfortunately, discuss's build system doesn't presently support
+# building shared libraries, so we won't be installing any of the
+# dev stuff at all just yet.
+rm -rf %{buildroot}%{_includedir}
+rm -rf %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
+cp %{SOURCE1} %{buildroot}%{_sysconfdir}/xinetd.d/%{name}
+mkdir -p %{buildroot}%{_localstatedir}/spool/discuss
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(755,root,root)
+%{_bindir}/crmtgs
+%{_bindir}/discuss
+%{_bindir}/dsc_setup
+%{_bindir}/dsgrep
+%{_bindir}/dsmail
+%{_bindir}/dspipe
+%{_bindir}/mkds
+%{_bindir}/pmtg
+%{_bindir}/rmds
+%{_libexecdir}/edsc
+%defattr(-,root,root,-)
+/usr/share/discuss
+%doc %{_mandir}/man1/*.1.gz
+%doc %{_mandir}/man8/*.8.gz
+
+%post
+if ! grep -q '^discuss[[:space:]]' %{_sysconfdir}/services; then
+    cat <<EOF >>%{_sysconfdir}/services
+discuss         2100/tcp                # Networked conferencing
+EOF
+fi
+
+%package emacs
+Summary: Emacs interface to discuss
+Group: Applications/Archiving
+Requires: %{name}%{?_isa} = %{version}-%{release}, emacs
+%description emacs
+Discuss is a user-interface front end to a networked conferencing system.
+This package contains an Emacs interface to discuss.
+
+%files emacs
+%defattr(-,root,root,-)
+%{_datadir}/emacs/site-lisp/*.el
+
+%package server
+Summary: A conferencing and mail archiving system
+Group: Applications/Archiving
+Requires(pre): shadow-utils
+Requires: %{name}%{?_isa} = %{version}-%{release}, xinetd
+%description server
+A conferencing and mail archiving system.
+This package contains the discuss server.
+
+%files server
+%defattr(755,root,root)
+%{_bindir}/create_mtg_dir
+%{_sbindir}/discussd
+%attr(4755,discuss,discuss) %{_sbindir}/disserve
+%attr(755,discuss,discuss) %{_localstatedir}/spool/discuss
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
+
+%pre server
+getent group discuss >/dev/null || groupadd -r discuss
+getent passwd discuss >/dev/null || \
+    useradd -r -M -g discuss -d /var/spool/discuss -s /sbin/nologin \
+    -c "Discuss server" discuss
+exit 0
+
+%changelog
+* Sun May 29 2011 Mitchell Berger <mitchb@mit.edu> - 10.0.13-1
+- Initial packaging of Discuss on Fedora
+
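Review bot: The `%post` scriptlet registers `discuss 2100/tcp` in `%{_sysconfdir}/services`, while the discuss.xinetd file installed from `Source1` (added earlier in this changeset) declares `port = 2199` for the same service name. xinetd.conf(5) requires a `port` attribute to equal the /etc/services entry for a listed service, so once the service is enabled the listener is likely to be refused or to sit on a port clients do not use. The two numbers should agree, e.g. `port = 2100` in discuss.xinetd if 2100 is the intended port. Separately, `%attr(4755,discuss,discuss) %{_sbindir}/disserve` ships a setuid binary with no explanation; a comment above it such as `# setuid discuss: lets local clients reach the spool directly (confirm against upstream docs)` would help later audits.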
Index: /branches/fc15-dev/server/fedora/specs/nss_nonlocal.spec
===================================================================
--- /branches/fc15-dev/server/fedora/specs/nss_nonlocal.spec	(revision 1877)
+++ /branches/fc15-dev/server/fedora/specs/nss_nonlocal.spec	(revision 1878)
@@ -2,5 +2,5 @@
 Group: System Environment/Libraries
 Name: nss_nonlocal
-Version: 1.11
+Version: 2.0
 Release: 1
 URL: http://debathena.mit.edu/nss_nonlocal/
@@ -11,4 +11,5 @@
 Source: %{name}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires(pre): shadow-utils
 
 %description
@@ -47,6 +48,10 @@
 
 %pre
-groupadd -r nss-local-users || :
-groupadd -r nss-nonlocal-users || :
+getent passwd nss-nonlocal-users >/dev/null || \
+    useradd -r -g nobody -d / -s /sbin/nologin \
+    -c 'Magic user for local group whitelist' nss-nonlocal-users
+getent group nss-local-users || groupadd -r nss-local-users
+getent group nss-nonlocal-users || groupadd -r nss-nonlocal-users
+exit 0
 
 %post
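Review bot: The two `getent group` lines in the new `%pre` do not redirect their output, unlike the `getent passwd nss-nonlocal-users >/dev/null` line above them, so an existing group entry is printed during install. They should read `getent group nss-local-users >/dev/null || groupadd -r nss-local-users`, and likewise for `nss-nonlocal-users`. The trailing `exit 0` also hides a failed `useradd` or `groupadd`. If the module's local-group whitelist depends on these entries existing, which this hunk does not show, a failed creation would go unnoticed at install time.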
@@ -57,4 +62,7 @@
 
 %changelog
+
+* Tue Mar 29 2011 Anders Kaseorg <andersk@mit.edu> 2.0-1
+- New upstream version.
 
 * Sun May  2 2010 Anders Kaseorg <andersk@mit.edu> 1.11-1
