Index: trunk/server/common/oursrc/tokensys/configure.in
===================================================================
--- trunk/server/common/oursrc/tokensys/configure.in	(revision 1931)
+++ trunk/server/common/oursrc/tokensys/configure.in	(revision 2066)
@@ -24,4 +24,13 @@
 REQUIRE_PATH(aklog)
 
+AC_ARG_WITH(fs,
+[  --with-fs[=PATH]          fs is located at PATH],[
+  if test "$withval" != "no" -a "$withval" != "yes"; then
+    fs_path="$withval"
+  fi
+])
+REQUIRE_PATH(fs)
+
 AC_OUTPUT(Makefile)
 AC_OUTPUT(renew)
+AC_OUTPUT(scripts-afsagent-startup)
Index: trunk/server/common/oursrc/tokensys/crontab
===================================================================
--- trunk/server/common/oursrc/tokensys/crontab	(revision 1931)
+++ 	(revision )
@@ -1,2 +1,0 @@
-@reboot	afsagent /home/afsagent/renew
-0 */3 * * * afsagent /home/afsagent/renew
Index: trunk/server/common/oursrc/tokensys/renew.in
===================================================================
--- trunk/server/common/oursrc/tokensys/renew.in	(revision 1931)
+++ trunk/server/common/oursrc/tokensys/renew.in	(revision 2066)
@@ -2,5 +2,5 @@
 
 # This script renews afsagent's tickets and tokens.
-# It is called by afsagent's crontab every 8 hours.
+# It is called by systemd on a regular schedule.
 
 export KRB5CCNAME=/home/afsagent/krb5cc
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2066)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.in	(revision 2066)
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+/sbin/sysctl -q afs.GCPAGs=0
+@fs_path@ setcrypt on
+@fs_path@ sysname 'amd64_fedora15_scripts' 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora15' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb60' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2'
+
+@fs_path@ setcell -nosuid -c athena
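Review bot: The script has no `set -e`, so a failing `fs setcrypt on` or `fs sysname` is ignored, and the only exit status the oneshot unit sees is that of the final `setcell -nosuid` line. The host could therefore come up with AFS traffic unencrypted while the unit is reported as successful. The `sysname` line passes 23 names, and this same commit deletes openafs-numsysnames.patch, which raised `MAXNUMSYSNAMES` from 16 to 32. Whether the packaged OpenAFS accepts 23 names is not visible here, so that command is a plausible one to fail. I would add `set -e` directly after the shebang.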
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2066)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent-startup.service	(revision 2066)
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scripts AFS Configuration Service
+After=syslog.target openafs-client.service
+Before=crond.service
+Requires=openafs-client.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/libexec/scripts-afsagent-startup
+
+[Install]
+WantedBy=multi-user.target remote-fs.target crond.service
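Review bot: `Type=oneshot` without `RemainAfterExit=yes` lets the unit fall back to inactive as soon as the script exits, so its state does not record that the `setcrypt` and `-nosuid` settings were applied. Any later start job for a unit that pulls this one in, such as a crond restart via `WantedBy=crond.service`, would then run the script again. Adding `RemainAfterExit=yes` under `[Service]` keeps the unit active after a successful run. Ordering `Before=crond.service` only sequences the units, so anything that must not start without these settings needs its own `Requires=` on this unit.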
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent.service
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2066)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent.service	(revision 2066)
@@ -0,0 +1,13 @@
+[Unit]
+Description=Scripts afsagent Service
+After=syslog.target openafs-client.service
+Before=crond.service
+Requires=openafs-client.service
+
+[Service]
+Type=oneshot
+ExecStart=/home/afsagent/renew
+User=afsagent
+
+[Install]
+WantedBy=multi-user.target remote-fs.target crond.service
Index: trunk/server/common/oursrc/tokensys/scripts-afsagent.timer
===================================================================
--- trunk/server/common/oursrc/tokensys/scripts-afsagent.timer	(revision 2066)
+++ trunk/server/common/oursrc/tokensys/scripts-afsagent.timer	(revision 2066)
@@ -0,0 +1,9 @@
+[Unit]
+Description=Scripts afsagent periodic renew
+
+[Timer]
+Unit=scripts-afsagent.service
+OnUnitActiveSec=3h
+
+[Install]
+WantedBy=multi-user.target remote-fs.target
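Review bot: The timer's only trigger is `OnUnitActiveSec=3h`, which is measured from an activation of scripts-afsagent.service, so the timer cannot start the first renewal by itself. It depends on the service's own `[Install]` section being enabled so that a boot-time run happens. Adding a boot-relative trigger, for example `OnBootSec=1min` (value constructed for illustration), would make the timer self-sufficient and match the removed crontab's `@reboot` entry. The comment in renew.in now says only "a regular schedule"; naming the 3h interval there would keep the script and the timer from drifting apart.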
Index: trunk/server/common/oursrc/whoisd/Makefile.in
===================================================================
--- trunk/server/common/oursrc/whoisd/Makefile.in	(revision 1931)
+++ trunk/server/common/oursrc/whoisd/Makefile.in	(revision 2066)
@@ -1,7 +1,7 @@
 install:
 	install -Dpm 644 whoisd.tac ${DESTDIR}@libexecdir@/whoisd.tac
-	install -Dpm 644 crontab ${DESTDIR}/etc/cron.d/whoisd
+	install -Dpm 644 scripts-whoisd.service ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
 
 clean:
 	rm -f ${DESTDIR}@libexecdir@/whoisd.tac
-	rm -f ${DESTDIR}/etc/cron.d/whoisd
+	rm -f ${DESTDIR}/lib/systemd/system/scripts-whoisd.service
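Review bot: The `clean` target deletes the unit from its install location, so with `DESTDIR` unset `make clean` removes `/lib/systemd/system/scripts-whoisd.service` from the running system. The new `rm -f` line mirrors the existing whoisd.tac line, so the behaviour is inherited. It would still be clearer to move both removals to an `uninstall` target and keep `clean` for build products. Neither `install` nor `clean` is declared `.PHONY` in the visible part of the file.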
Index: trunk/server/common/oursrc/whoisd/scripts-whoisd.service
===================================================================
--- trunk/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2066)
+++ trunk/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2066)
@@ -0,0 +1,10 @@
+[Unit]
+Description=Scripts whois Service
+After=syslog.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/twistd --nodaemon -l /var/log/scripts-whoisd.log -y /usr/local/libexec/whoisd.tac
+
+[Install]
+WantedBy=multi-user.target
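Review bot: The unit sets no `User=` or `Group=`, so twistd is started as root and stays root unless whoisd.tac drops privileges itself, which is not visible in this diff. For a network-facing daemon that should be explicit: either add `User=<service-account>` with whatever it needs to bind its listening port, or add a comment in the unit saying where privileges are dropped. The log file given with `-l /var/log/scripts-whoisd.log` would then have to be writable by that account.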
Index: trunk/server/common/patches/curl-gssapi-delegation.patch
===================================================================
--- trunk/server/common/patches/curl-gssapi-delegation.patch	(revision 1931)
+++ 	(revision )
@@ -1,28 +1,0 @@
-From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 8 Jun 2011 00:10:26 +0200
-Subject: [PATCH] Curl_input_negotiate: do not delegate credentials
-
-This is a security flaw. See curl advisory 201106xx for details.
-
-Reported by: Richard Silverman
----
- lib/http_negotiate.c |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
-index 202d69e..5127e64 100644
---- a/lib/http_negotiate.c
-+++ b/lib/http_negotiate.c
-@@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
-                                       &neg_ctx->context,
-                                       neg_ctx->server_name,
-                                       GSS_C_NO_OID,
--                                      GSS_C_DELEG_FLAG,
-+                                      0,
-                                       0,
-                                       GSS_C_NO_CHANNEL_BINDINGS,
-                                       &input_token,
--- 
-1.7.5.3
-
Index: trunk/server/common/patches/httpd-sysv-deps.patch
===================================================================
--- trunk/server/common/patches/httpd-sysv-deps.patch	(revision 2066)
+++ trunk/server/common/patches/httpd-sysv-deps.patch	(revision 2066)
@@ -0,0 +1,11 @@
+--- a/httpd.init.orig	2011-11-05 19:10:18.897425517 -0400
++++ b/httpd.init	2011-11-05 19:11:22.523201035 -0400
+@@ -12,7 +12,7 @@
+ #
+ ### BEGIN INIT INFO
+ # Provides: httpd
+-# Required-Start: $local_fs $remote_fs $network $named
++# Required-Start: $local_fs $remote_fs $network $named openafs-client crond
+ # Required-Stop: $local_fs $remote_fs $network
+ # Should-Start: distcache
+ # Short-Description: start and stop Apache HTTP Server
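Review bot: The patch gives no reason why httpd now requires `crond`. Judging from the unit files added in this commit, crond appears to serve as an ordering proxy, because scripts-afsagent-startup.service is `Before=crond.service`. If so, httpd is ordered after the AFS setup only indirectly and will still start if that setup failed. A short `#` header above the `---` line, like the one in krb5-kuserok-scripts.patch, stating the intended dependency would make this reviewable.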
Index: trunk/server/common/patches/krb5-kuserok-scripts.patch
===================================================================
--- trunk/server/common/patches/krb5-kuserok-scripts.patch	(revision 1931)
+++ trunk/server/common/patches/krb5-kuserok-scripts.patch	(revision 2066)
@@ -1,4 +1,5 @@
 # scripts.mit.edu krb5 kuserok patch
 # Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
+#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
 #
 # This program is free software; you can redistribute it and/or
@@ -18,8 +19,8 @@
 # See /COPYRIGHT in this repository for more information.
 #
---- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old	2009-04-08 06:17:06.000000000 -0400
-+++ krb5-1.6.3/src/lib/krb5/os/kuserok.c	2009-04-08 06:17:18.000000000 -0400
-@@ -31,6 +31,7 @@
- #if !defined(_WIN32)		/* Not yet for Windows */
+--- krb5-1.9/src/lib/krb5/os/kuserok.c.old	2011-04-16 19:09:58.000000000 -0400
++++ krb5-1.9/src/lib/krb5/os/kuserok.c	2011-04-16 19:34:23.000000000 -0400
+@@ -32,6 +32,7 @@
+ #if !defined(_WIN32)            /* Not yet for Windows */
  #include <stdio.h>
  #include <pwd.h>
@@ -28,98 +29,122 @@
  #if defined(_AIX) && defined(_IBMR2)
  #include <sys/access.h>
-@@ -71,7 +72,6 @@
+@@ -51,39 +52,6 @@
+ enum result { ACCEPT, REJECT, PASS };
+ 
+ /*
+- * Find the k5login filename for luser, either in the user's homedir or in a
+- * configured directory under the username.
+- */
+-static krb5_error_code
+-get_k5login_filename(krb5_context context, const char *luser,
+-                     const char *homedir, char **filename_out)
+-{
+-    krb5_error_code ret;
+-    char *dir, *filename;
+-
+-    *filename_out = NULL;
+-    ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+-                             KRB5_CONF_K5LOGIN_DIRECTORY, NULL, NULL, &dir);
+-    if (ret != 0)
+-        return ret;
+-
+-    if (dir == NULL) {
+-        /* Look in the user's homedir. */
+-        if (asprintf(&filename, "%s/.k5login", homedir) < 0)
+-            return ENOMEM;
+-    } else {
+-        /* Look in the configured directory. */
+-        if (asprintf(&filename, "%s/%s", dir, luser) < 0)
+-            ret = ENOMEM;
+-        profile_release_string(dir);
+-        if (ret)
+-            return ret;
+-    }
+-    *filename_out = filename;
+-    return 0;
+-}
+-
+-/*
+  * Determine whether principal is authorized to log in as luser according to
+  * the user's k5login file.  Return ACCEPT if the k5login file authorizes the
+  * principal, PASS if the k5login file does not exist, or REJECT if the k5login
+@@ -93,13 +61,12 @@
+ static enum result
+ k5login_ok(krb5_context context, krb5_principal principal, const char *luser)
  {
-     struct stat sbuf;
-     struct passwd *pwd;
--    char pbuf[MAXPATHLEN];
-     krb5_boolean isok = FALSE;
-     FILE *fp;
-     char kuser[MAX_USERNAME];
-@@ -79,71 +79,35 @@
-     char linebuf[BUFSIZ];
-     char *newline;
-     int gobble;
+-    int authoritative = TRUE, gobble;
++    int authoritative = TRUE;
+     enum result result = REJECT;
+-    char *filename = NULL, *princname = NULL;
+-    char *newline, linebuf[BUFSIZ], pwbuf[BUFSIZ];
+-    struct stat sbuf;
++    char *princname = NULL;
++    char pwbuf[BUFSIZ];
+     struct passwd pwx, *pwd;
+-    FILE *fp = NULL;
 +    int pid, status;
  
-     /* no account => no access */
-     char pwbuf[BUFSIZ];
-     struct passwd pwx;
+     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
+                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
+@@ -110,46 +77,29 @@
      if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
- 	return(FALSE);
--    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
--    pbuf[sizeof(pbuf) - 1] = '\0';
--    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
+         goto cleanup;
+ 
+-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
+-        goto cleanup;
 -
--    if (access(pbuf, F_OK)) {	 /* not accessible */
--	/*
--	 * if he's trying to log in as himself, and there is no .k5login file,
--	 * let him.  To find out, call
--	 * krb5_aname_to_localname to convert the principal to a name
--	 * which we can string compare. 
--	 */
--	if (!(krb5_aname_to_localname(context, principal,
--				      sizeof(kuser), kuser))
--	    && (strcmp(kuser, luser) == 0)) {
--	    return(TRUE);
--	}
+-    if (access(filename, F_OK) != 0) {
+-        result = PASS;
+-        goto cleanup;
 -    }
-     if (krb5_unparse_name(context, principal, &princname))
- 	return(FALSE);			/* no hope of matching */
+-
+     if (krb5_unparse_name(context, principal, &princname) != 0)
+         goto cleanup;
  
--    /* open ~/.k5login */
--    if ((fp = fopen(pbuf, "r")) == NULL) {
--	free(princname);
--	return(FALSE);
--    }
+-    fp = fopen(filename, "r");
+-    if (fp == NULL)
++    if ((pid = fork()) == -1)
+         goto cleanup;
 -    set_cloexec_file(fp);
--    /*
--     * For security reasons, the .k5login file must be owned either by
--     * the user himself, or by root.  Otherwise, don't grant access.
--     */
--    if (fstat(fileno(fp), &sbuf)) {
--	fclose(fp);
--	free(princname);
--	return(FALSE);
-+    if ((pid = fork()) == -1) {
-+       free(princname);
-+       return(FALSE);
+-
+-    /* For security reasons, the .k5login file must be owned either by
+-     * the user or by root. */
+-    if (fstat(fileno(fp), &sbuf))
+-        goto cleanup;
+-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
+-        goto cleanup;
+-
+-    /* Check each line. */
+-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
+-        newline = strrchr(linebuf, '\n');
+-        if (newline != NULL)
+-            *newline = '\0';
+-        if (strcmp(linebuf, princname) == 0)
+-            result = ACCEPT;
+-        /* Clean up the rest of the line if necessary. */
+-        if (newline == NULL)
+-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
++    
++    if (pid == 0) {
++        char *args[4];
++#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
++        args[0] = ADMOF_PATH;
++        args[1] = (char *) luser;
++        args[2] = princname;
++        args[3] = NULL;
++        execv(ADMOF_PATH, args);
++        exit(1);
      }
--    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
--	fclose(fp);
--	free(princname);
--	return(FALSE);
-+    if (pid == 0) {
-+       char *args[4];
-+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
-+       args[0] = ADMOF_PATH;
-+       args[1] = (char *) luser;
-+       args[2] = princname;
-+       args[3] = NULL;
-+       execv(ADMOF_PATH, args);
-+       exit(1);
-     }
--
--    /* check each line */
--    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
--	/* null-terminate the input string */
--	linebuf[BUFSIZ-1] = '\0';
--	newline = NULL;
--	/* nuke the newline if it exists */
--	if ((newline = strchr(linebuf, '\n')))
--	    *newline = '\0';
--	if (!strcmp(linebuf, princname)) {
--	    isok = TRUE;
--	    continue;
--	}
--	/* clean up the rest of the line if necessary */
--	if (!newline)
--	    while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+ 
 +    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
-+       isok=TRUE;
-     }
++        result = ACCEPT;
++    }
 +    
+ cleanup:
      free(princname);
--    fclose(fp);
-     return(isok);
+-    free(filename);
+-    if (fp != NULL)
+-        fclose(fp);
+     /* If k5login files are non-authoritative, never reject. */
+     return (!authoritative && result == REJECT) ? PASS : result;
  }
- 
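Review bot: In the forked child, the fallback after a failed `execv` calls `exit(1)`, which runs the calling program's atexit handlers and flushes its inherited stdio buffers from inside the child. In library code that forks, this should be `_exit(1);`. The `waitpid` call also treats an `EINTR` return as a rejection, which fails closed but leaves the helper unreaped; retrying on `EINTR` would avoid that. The decision now rests entirely on `/usr/local/sbin/ssh-admof` exiting with 33, so a comment next to `ADMOF_PATH` documenting that contract would help. The body of k5login_ok is only partly visible in these hunks.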
Index: trunk/server/common/patches/openafs-linux-3.1-fsync.patch
===================================================================
--- trunk/server/common/patches/openafs-linux-3.1-fsync.patch	(revision 2066)
+++ trunk/server/common/patches/openafs-linux-3.1-fsync.patch	(revision 2066)
@@ -0,0 +1,90 @@
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Fri, 2 Sep 2011 21:56:58 +0000 (-0400)
+Subject: Linux: 3.1: adapt to fsync changes
+X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=81f28004415ae07f2e3a1320da632cbd52c96b25;hp=ef492dc1e1a1809a910fbf07140b26c4924957c5
+
+Linux: 3.1: adapt to fsync changes
+
+The fsync file operation gets new arguments to specify a range.
+Add a configure test to check for the API change.
+
+The inode lock is also pushed down into the operation, so we need
+to take it ourselves to keep the original behaviour.
+
+Reviewed-on: http://gerrit.openafs.org/5332
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Simon Wilkinson <sxw@inf.ed.ac.uk>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+(cherry picked from commit cbaefa266d433af3b9a082a360e23a42f161d80f)
+
+Change-Id: Idb6770204b014c62a8611548509240f8b5f950bc
+---
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 3ff4551..35f2200 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -920,6 +920,7 @@ case $AFS_SYSNAME in *_linux* | *_umlinux*)
+ 	  	 LINUX_DOP_D_REVALIDATE_TAKES_NAMEIDATA
+ 	  	 LINUX_FOP_F_FLUSH_TAKES_FL_OWNER_T
+ 	  	 LINUX_FOP_F_FSYNC_TAKES_DENTRY
++		 LINUX_FOP_F_FSYNC_TAKES_RANGE
+ 	  	 LINUX_AOP_WRITEBACK_CONTROL
+ 		 LINUX_FS_STRUCT_FOP_HAS_SPLICE
+ 		 LINUX_KERNEL_POSIX_LOCK_FILE_WAIT_ARG
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index 696146b..019b568 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -425,6 +425,8 @@ afs_linux_release(struct inode *ip, struct file *fp)
+ static int
+ #if defined(FOP_FSYNC_TAKES_DENTRY)
+ afs_linux_fsync(struct file *fp, struct dentry *dp, int datasync)
++#elif defined(FOP_FSYNC_TAKES_RANGE)
++afs_linux_fsync(struct file *fp, loff_t start, loff_t end, int datasync)
+ #else
+ afs_linux_fsync(struct file *fp, int datasync)
+ #endif
+@@ -433,9 +435,15 @@ afs_linux_fsync(struct file *fp, int datasync)
+     struct inode *ip = FILE_INODE(fp);
+     cred_t *credp = crref();
+ 
++#if defined(FOP_FSYNC_TAKES_RANGE)
++    mutex_lock(&ip->i_mutex);
++#endif
+     AFS_GLOCK();
+     code = afs_fsync(VTOAFS(ip), credp);
+     AFS_GUNLOCK();
++#if defined(FOP_FSYNC_TAKES_RANGE)
++    mutex_unlock(&ip->i_mutex);
++#endif
+     crfree(credp);
+     return afs_convert_code(code);
+ 
+diff --git a/src/cf/linux-test4.m4 b/src/cf/linux-test4.m4
+index 2292f81..35082b3 100644
+--- a/src/cf/linux-test4.m4
++++ b/src/cf/linux-test4.m4
+@@ -414,6 +414,22 @@ struct dentry _d;
+ ])
+ 
+ 
++int (*fsync) (struct file *, loff_t start, loff_t end, int datasync);
++
++AC_DEFUN([LINUX_FOP_F_FSYNC_TAKES_RANGE], [
++  AC_CHECK_LINUX_BUILD([whether file_operations.fsync takes a range],
++		       [ac_cv_linux_func_f_fsync_takes_range],
++		       [#include <linux/fs.h>],
++[struct inode _inode;
++struct file _file;
++loff_t start, end;
++(void)_inode.i_fop->fsync(&_file, start, end, 0);],
++		       [FOP_FSYNC_TAKES_RANGE],
++		       [define if your fops.fsync takes range arguments],
++		       [])
++])
++
++
+ AC_DEFUN([LINUX_HAVE_KMEM_CACHE_T], [
+   AC_CHECK_LINUX_BUILD([whether kmem_cache_t exists],
+ 		       [ac_cv_linux_have_kmem_cache_t],
Index: trunk/server/common/patches/openafs-linux-3.1-rcu.patch
===================================================================
--- trunk/server/common/patches/openafs-linux-3.1-rcu.patch	(revision 2066)
+++ trunk/server/common/patches/openafs-linux-3.1-rcu.patch	(revision 2066)
@@ -0,0 +1,45 @@
+From f129142dde2a2637b2e638ca0cca372a45188923 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Sat, 29 Oct 2011 19:23:07 -0400
+Subject: [PATCH] Linux: 3.1: update RCU path walking detection in permission i_op
+
+The permission() inode operation changed again with kernel 3.1,
+back to the form it had before 2.6.38.  This compiles fine,
+but is missing the new way of detecting when we get called in
+RCU path walking mode, resulting in system hangs.
+
+Reviewed-on: http://gerrit.openafs.org/5740
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+(cherry picked from commit 4952df3f0359531e4a660c99c94c51eb0b169f59)
+
+Change-Id: Ibd497309e6699fb585cf70e618373e800b73cbb8
+Reviewed-on: http://gerrit.openafs.org/6088
+Tested-by: BuildBot <buildbot@rampaginggeek.com>
+Reviewed-by: Derrick Brashear <shadow@dementix.org>
+---
+ src/afs/LINUX/osi_vnodeops.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index e9215db..696146b 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -2245,10 +2245,13 @@ afs_linux_permission(struct inode *ip, int mode)
+     cred_t *credp;
+     int tmp = 0;
+ 
++    /* Check for RCU path walking */
+ #if defined(IOP_PERMISSION_TAKES_FLAGS)
+-    /* We don't support RCU path walking */
+     if (flags & IPERM_FLAG_RCU)
+        return -ECHILD;
++#elif defined(MAY_NOT_BLOCK)
++    if (mode & MAY_NOT_BLOCK)
++       return -ECHILD;
+ #endif
+ 
+     credp = crref();
+-- 
+1.7.2.5
+
Index: trunk/server/common/patches/openafs-linux-3.1-zalloc.patch
===================================================================
--- trunk/server/common/patches/openafs-linux-3.1-zalloc.patch	(revision 2066)
+++ trunk/server/common/patches/openafs-linux-3.1-zalloc.patch	(revision 2066)
@@ -0,0 +1,32 @@
+From e7669883d5124f85bad6840a4e8280e4de32f7a5 Mon Sep 17 00:00:00 2001
+From: Marc Dionne <marc.c.dionne@gmail.com>
+Date: Mon, 21 Nov 2011 21:27:06 -0500
+Subject: [PATCH] Linux: make sure backing_dev_info is zeroed
+
+The afs backing_dev_info structure is allocated dynamically
+without zeroing out the contents.  In particular there's no
+guarantee that congested_fn is NULL, causing spurious oopses
+when bdi_congested in the kernel tries to call it.
+
+(adapted from commit 8e97cf6f215d5575c63d86eaec59031399f4beda)
+
+Change-Id: I83755b6bb5ec2fada7e077c00d3d8edf8af1cae4
+---
+ src/afs/LINUX/osi_vfsops.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/src/afs/LINUX/osi_vfsops.c b/src/afs/LINUX/osi_vfsops.c
+index d32720f..0d41bc7 100644
+--- a/src/afs/LINUX/osi_vfsops.c
++++ b/src/afs/LINUX/osi_vfsops.c
+@@ -114,6 +114,7 @@ afs_fill_super(struct super_block *sb, void *data, int silent)
+ 
+     /* used for inodes backing_dev_info field, also */
+     afs_backing_dev_info = osi_Alloc(sizeof(struct backing_dev_info));
++    memset(afs_backing_dev_info, 0, sizeof(struct backing_dev_info));
+ #if defined(HAVE_LINUX_BDI_INIT)
+     bdi_init(afs_backing_dev_info);
+ #endif
+-- 
+1.7.2.5
+
Index: trunk/server/common/patches/openafs-numsysnames.patch
===================================================================
--- trunk/server/common/patches/openafs-numsysnames.patch	(revision 1931)
+++ 	(revision )
@@ -1,11 +1,0 @@
---- openafs-1.4.10/src/afs/afs.h.orig	2009-06-06 21:02:53.000000000 -0400
-+++ openafs-1.4.10/src/afs/afs.h	2009-06-06 21:03:28.000000000 -0400
-@@ -75,7 +75,7 @@
- #define	PIGGYSIZE	1350	/* max piggyback size */
- #define	MAXVOLS		128	/* max vols we can store */
- #define	MAXSYSNAME	128	/* max sysname (i.e. @sys) size */
--#define MAXNUMSYSNAMES	16	/* max that current constants allow */
-+#define MAXNUMSYSNAMES	32	/* max that current constants allow */
- #define	NOTOKTIMEOUT	(2*3600)	/* time after which to timeout conns sans tokens */
- #define	NOPAG		0xffffffff
- #define AFS_NCBRS	300	/* max # of call back return entries */
Index: trunk/server/common/patches/openafs-scripts.patch
===================================================================
--- trunk/server/common/patches/openafs-scripts.patch	(revision 1931)
+++ trunk/server/common/patches/openafs-scripts.patch	(revision 2066)
@@ -4,4 +4,6 @@
 # and Anders Kaseorg <andersk@mit.edu>
 # and Edward Z. Yang <ezyang@mit.edu>
+# and Benjamin Kaduk <kaduk@mit.edu>
+# and Alexander Chernyakhovsky <achernya@mit.edu>
 #
 # This file is available under both the MIT license and the GPL.
@@ -43,59 +45,104 @@
 # See /COPYRIGHT in this repository for more information.
 #
-diff -ur openafs-1.4/src/afs/afs_analyze.c openafs-1.4+scripts/src/afs/afs_analyze.c
---- openafs-1.4/src/afs/afs_analyze.c
-+++ openafs-1.4+scripts/src/afs/afs_analyze.c
-@@ -585,7 +585,7 @@
- 			 (afid ? afid->Fid.Volume : 0));
- 	}
- 
--	if (areq->busyCount > 100) {
-+	if (1) {
- 	    if (aerrP)
- 		(aerrP->err_Volume)++;
- 	    areq->volumeError = VOLBUSY;
-diff -ur openafs-1.4/src/afs/LINUX/osi_vnodeops.c openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
---- openafs-1.4/src/afs/LINUX/osi_vnodeops.c
-+++ openafs-1.4+scripts/src/afs/LINUX/osi_vnodeops.c
-@@ -896,6 +896,28 @@
+diff --git a/src/afs/LINUX/osi_vnodeops.c b/src/afs/LINUX/osi_vnodeops.c
+index 7c7705e..0d0e94f 100644
+--- a/src/afs/LINUX/osi_vnodeops.c
++++ b/src/afs/LINUX/osi_vnodeops.c
+@@ -904,6 +904,28 @@ afs_linux_dentry_revalidate(struct dentry *dp, int flags)
  	/* should we always update the attributes at this point? */
  	/* unlikely--the vcache entry hasn't changed */
  
 +	/* [scripts] This code makes hardlinks work correctly.
-+	 *
-+	 * We want Apache to be able to read a file with hardlinks
-+	 * named .htaccess and foo to be able to read it via .htaccess
-+	 * and not via foo, regardless of which name was looked up
-+	 * (remember, inodes do not have filenames associated with them.)
-+	 *
-+	 * It is important that we modify the existing cache entry even
-+	 * if it is otherwise totally valid and would not be reloaded.
-+	 * Otherwise, it won't recover from repeatedly reading the same
-+	 * inode via multiple hardlinks or different names.  Specifically,
-+	 * Apache will be able to read both names if it was first looked
-+	 * up (by anyone!) via .htaccess, and neither if it was first
-+	 * looked up via foo.
-+	 *
-+	 * With regards to performance, the strncmp() is bounded by
-+	 * three characters, so it takes O(3) operations.  If this code
-+	 * is extended to all static-cat extensions, we'll want to do
-+	 * some clever hashing using gperf here.
-+	 */
++	*
++	* We want Apache to be able to read a file with hardlinks
++	* named .htaccess and foo to be able to read it via .htaccess
++	* and not via foo, regardless of which name was looked up
++	* (remember, inodes do not have filenames associated with them.)
++	*
++	* It is important that we modify the existing cache entry even
++	* if it is otherwise totally valid and would not be reloaded.
++	* Otherwise, it won't recover from repeatedly reading the same
++	* inode via multiple hardlinks or different names.  Specifically,
++	* Apache will be able to read both names if it was first looked
++	* up (by anyone!) via .htaccess, and neither if it was first
++	* looked up via foo.
++	*
++	* With regards to performance, the strncmp() is bounded by
++	* three characters, so it takes O(3) operations.  If this code
++	* is extended to all static-cat extensions, we'll want to do
++	* some clever hashing using gperf here.
++	*/
 +	vcp->apache_access = strncmp(dp->d_name.name, ".ht", 3) == 0;
 +
+ 	dput(parent);
      } else {
  #ifdef notyet
- 	pvcp = VTOAFS(dp->d_parent->d_inode);		/* dget_parent()? */
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_lookup.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_lookup.c
-@@ -1572,6 +1572,12 @@
+diff --git a/src/afs/VNOPS/afs_vnop_access.c b/src/afs/VNOPS/afs_vnop_access.c
+index eabcfeb..6390850 100644
+--- a/src/afs/VNOPS/afs_vnop_access.c
++++ b/src/afs/VNOPS/afs_vnop_access.c
+@@ -130,6 +130,15 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
+ 	    dirBits = PRSFS_LOOKUP | PRSFS_READ;
+ 	    return (arights == (dirBits & arights));
+ 	}
++	if ( areq->uid == globalpag &&
++	    !(areq->realuid == avc->f.fid.Fid.Volume) &&
++	    !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
++	    !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
++	    !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
++	    !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
++	    !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
++	    return 0;
++	}
+ 	return (arights == afs_GetAccessBits(avc, arights, areq));
+     } else {
+ 	/* some rights come from dir and some from file.  Specifically, you 
+@@ -183,6 +192,19 @@ afs_AccessOK(struct vcache *avc, afs_int32 arights, struct vrequest *areq,
+ 		    fileBits |= PRSFS_READ;
+ 	    }
+ 	}
++
++	if ( areq->uid == globalpag &&
++	    !(areq->realuid == avc->f.fid.Fid.Volume) &&
++	    !((avc->f.anyAccess | arights) == avc->f.anyAccess) &&
++	    !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
++	    !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
++	    !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
++		(avc->f.m.Mode == 0100777 || avc->apache_access)) &&
++	    !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
++	    !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
++	    return 0;
++	}
++
+ 	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
+     }
+ }
+diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
+index b3931e5..71ef05c 100644
+--- a/src/afs/VNOPS/afs_vnop_attrs.c
++++ b/src/afs/VNOPS/afs_vnop_attrs.c
+@@ -88,8 +88,8 @@ afs_CopyOutAttrs(struct vcache *avc, struct vattr *attrs)
+ 	}
+     }
+ #endif /* AFS_DARWIN_ENV */
+-    attrs->va_uid = fakedir ? 0 : avc->f.m.Owner;
+-    attrs->va_gid = fakedir ? 0 : avc->f.m.Group;	/* yeah! */
++    attrs->va_uid = fakedir ? 0 : avc->f.fid.Fid.Volume;
++    attrs->va_gid = (avc->f.m.Owner == DAEMON_SCRIPTS_PTSID ? avc->f.m.Group : avc->f.m.Owner);
+ #if defined(AFS_SUN56_ENV)
+     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
+ #elif defined(AFS_DARWIN80_ENV)
+diff --git a/src/afs/VNOPS/afs_vnop_lookup.c b/src/afs/VNOPS/afs_vnop_lookup.c
+index 8e7af1c..7e984e9 100644
+--- a/src/afs/VNOPS/afs_vnop_lookup.c
++++ b/src/afs/VNOPS/afs_vnop_lookup.c
+@@ -1877,6 +1877,12 @@ afs_lookup(OSI_VC_DECL(adp), char *aname, struct vcache **avcp, afs_ucred_t *acr
      }
  
    done:
 +    if (tvc) {
-+	/* [scripts] check Apache's ability to read this file, so that
-+	 * we can figure this out on an access() call */
-+	tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
++    /* [scripts] check Apache's ability to read this file, so that
++    * we can figure this out on an access() call */
++    tvc->apache_access = strncmp(aname, ".ht", 3) == 0;
 +    }
 +
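Review bot: The two `globalpag` predicates added to afs_AccessOK decide access for every request made under the shared PAG, yet they carry no comment. They also differ subtly between the directory and file branches (`(arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0` versus `arights == PRSFS_LOOKUP`). Each negated clause is an exemption (uid equal to the volume ID, rights already in `anyAccess`, httpd, postfix, root with USR3, root or signup with USR4), and a reader has to reconstruct that list from the boolean. I would add a `[scripts]` block comment above each `if` listing the exemptions one per line, and consider moving the shared clauses into one static helper so the branches cannot drift apart. The literal `0100777` and the `.ht` prefix test that feeds `apache_access` should each get a comment saying why they grant httpd read access.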
@@ -103,10 +150,11 @@
      if (tname != aname && tname)
  	osi_FreeLargeSpace(tname);
-diff -ur openafs-1.4/src/afs/afs.h openafs-1.4+scripts/src/afs/afs.h
---- openafs-1.4/src/afs/afs.h
-+++ openafs-1.4+scripts/src/afs/afs.h
-@@ -208,8 +208,16 @@
- #define QTOC(e)	    QEntry(e, struct cell, lruq)
- #define QTOVH(e)    QEntry(e, struct vcache, vhashq)
+diff --git a/src/afs/afs.h b/src/afs/afs.h
+index fcc4c70..0d53af6 100644
+--- a/src/afs/afs.h
++++ b/src/afs/afs.h
+@@ -233,8 +233,16 @@ struct afs_slotlist {
+     struct afs_slotlist *next;
+ };
  
 +#define AFSAGENT_UID (101)
@@ -123,7 +171,7 @@
      afs_int32 flags;		/* things like O_SYNC, O_NONBLOCK go here */
      char initd;			/* if non-zero, Error fields meaningful */
-@@ -743,6 +751,7 @@
+@@ -887,6 +895,7 @@ struct vcache {
  #ifdef AFS_SUN5_ENV
-     short multiPage;		/* count of multi-page getpages in progress */
+     struct afs_q multiPage;	/* list of multiPage_range structs */
  #endif
 +    int apache_access;		/* whether or not Apache has access to a file */
@@ -131,8 +179,22 @@
  
  #define	DONT_CHECK_MODE_BITS	0
-diff -ur openafs-1.4/src/afs/afs_osi_pag.c openafs-1.4+scripts/src/afs/afs_osi_pag.c
---- openafs-1.4/src/afs/afs_osi_pag.c
-+++ openafs-1.4+scripts/src/afs/afs_osi_pag.c
-@@ -49,6 +49,8 @@
+diff --git a/src/afs/afs_analyze.c b/src/afs/afs_analyze.c
+index 1834e6d..673a8e6 100644
+--- a/src/afs/afs_analyze.c
++++ b/src/afs/afs_analyze.c
+@@ -368,7 +368,7 @@ afs_Analyze(struct afs_conn *aconn, afs_int32 acode,
+ 			 (afid ? afid->Fid.Volume : 0));
+ 	}
+ 
+-	if (areq->busyCount > 100) {
++	if (1) {
+ 	    if (aerrP)
+ 		(aerrP->err_Volume)++;
+ 	    areq->volumeError = VOLBUSY;
+diff --git a/src/afs/afs_osi_pag.c b/src/afs/afs_osi_pag.c
+index c888605..ff5cf2d 100644
+--- a/src/afs/afs_osi_pag.c
++++ b/src/afs/afs_osi_pag.c
+@@ -49,6 +49,8 @@ afs_uint32 pagCounter = 0;
  #endif
  /* Local variables */
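Review bot: In the afs_analyze.c part of this hunk, `if (areq->busyCount > 100)` becomes `if (1)` with no explanation, so every pass through this branch now sets `areq->volumeError = VOLBUSY` regardless of how many retries have happened. The other additions in this patch carry a `[scripts]` comment; this one should too, for example `/* [scripts] fail a busy volume immediately instead of retrying up to 100 times */`. Keeping the comparison and lowering the limit through a named constant (a new define, name up to the author) would keep the intent readable and the change easy to revert. afs_Analyze's body continues outside the hunk, so the effect on the surrounding retry logic should be confirmed there.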
@@ -143,14 +205,14 @@
   * Pags are implemented as follows: the set of groups whose long
   * representation is '41XXXXXX' hex are used to represent the pags.
-@@ -449,6 +451,15 @@
- 	av->uid = acred->cr_ruid;	/* default when no pag is set */
+@@ -484,6 +486,15 @@ afs_InitReq(struct vrequest *av, afs_ucred_t *acred)
+ 	av->uid = afs_cr_uid(acred);	/* default when no pag is set */
  #endif
      }
 +
-+    av->realuid = acred->cr_ruid;
-+    if(!globalpag && acred->cr_ruid == AFSAGENT_UID) {
++    av->realuid = afs_cr_uid(acred);
++    if(!globalpag && av->realuid == AFSAGENT_UID) {
 +      globalpag = av->uid;
 +    }
-+    else if (globalpag && av->uid == acred->cr_ruid) {
++    else if (globalpag && av->uid == av->realuid) {
 +      av->uid = globalpag;
 +    }
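Review bot: `av->realuid` is now filled from `afs_cr_uid(acred)` where the previous revision read `acred->cr_ruid`, and the pioctl guards later in this patch (`areq->realuid != AFSAGENT_UID` in PSetAcl, PGetTokens and PUnlog) trust that field. If `afs_cr_uid()` yields the effective or filesystem uid on this platform rather than the real uid, those checks see a different identity for setuid processes than before. If the tree offers a real-uid accessor, `av->realuid = afs_cr_ruid(acred);` would keep the old meaning. Otherwise a comment such as `/* [scripts] realuid is the uid reported by afs_cr_uid(), not cr_ruid */` should record the change. afs_InitReq starts outside the hunk, and how `globalpag` is declared and protected is not visible here.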
@@ -159,13 +221,14 @@
  }
  
-diff -ur openafs-1.4/src/afs/afs_pioctl.c openafs-1.4+scripts/src/afs/afs_pioctl.c
---- openafs-1.4/src/afs/afs_pioctl.c
-+++ openafs-1.4+scripts/src/afs/afs_pioctl.c
-@@ -1221,6 +1221,10 @@
-     struct AFSFetchStatus OutStatus;
+diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
+index f282510..00f1360 100644
+--- a/src/afs/afs_pioctl.c
++++ b/src/afs/afs_pioctl.c
+@@ -1406,6 +1406,10 @@ DECL_PIOCTL(PSetAcl)
+     struct rx_connection *rxconn;
      XSTATS_DECLS;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
-+      return EACCES;
++       return EACCES;
 +    }
 +
@@ -173,5 +236,5 @@
      if (!avc)
  	return EINVAL;
-@@ -1441,6 +1445,10 @@
+@@ -1790,6 +1794,10 @@ DECL_PIOCTL(PSetTokens)
      struct vrequest treq;
      afs_int32 flag, set_parent_pag = 0;
@@ -184,18 +247,19 @@
      if (!afs_resourceinit_flag) {
  	return EIO;
-@@ -1800,6 +1808,10 @@
-     afs_int32 iterator;
+@@ -2231,6 +2239,11 @@ DECL_PIOCTL(PGetTokens)
      int newStyle;
+     int code = E2BIG;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID &&
-+	areq->realuid != 0 && areq->realuid != SIGNUP_UID)
++	areq->realuid != 0 && areq->realuid != SIGNUP_UID) {
 +	return EDOM;
++    }
 +
      AFS_STATCNT(PGetTokens);
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-@@ -1883,6 +1895,10 @@
-     register afs_int32 i;
-     register struct unixuser *tu;
+@@ -2341,6 +2354,10 @@ DECL_PIOCTL(PUnlog)
+     afs_int32 i;
+     struct unixuser *tu;
  
 +    if (areq->uid == globalpag && areq->realuid != AFSAGENT_UID) {
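Review bot: The PGetTokens guard returns `EDOM`, while the matching guard in PSetAcl returns `EACCES` for what looks like the same kind of denial, and nothing in the hunk says why. If `EDOM` is deliberate so that callers see an empty token list rather than a permission error, state it above the check, e.g. `/* [scripts] report "no tokens" to users sharing the global pag; root and SIGNUP_UID may still list them */`. The guard's continuation and `return` lines are tab-indented while the `if` line uses spaces; one style would keep later rebases of this patch cleaner. The PUnlog guard that begins on the last line of this hunk continues outside it.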
@@ -206,57 +270,2 @@
      if (!afs_resourceinit_flag)	/* afs daemons haven't started yet */
  	return EIO;		/* Inappropriate ioctl for device */
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_access.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_access.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_access.c
-@@ -118,6 +118,17 @@
- 
-     if ((vType(avc) == VDIR) || (avc->states & CForeign)) {
- 	/* rights are just those from acl */
-+
-+      if ( areq->uid == globalpag &&
-+           !(areq->realuid == avc->fid.Fid.Volume) &&
-+           !((avc->anyAccess | arights) == avc->anyAccess) &&
-+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == HTTPD_UID) &&
-+           !(((arights & ~(PRSFS_LOOKUP|PRSFS_READ)) == 0) && areq->realuid == POSTFIX_UID) &&
-+           !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
-+           !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
-+         return 0;
-+      }
-+
- 	return (arights == afs_GetAccessBits(avc, arights, areq));
-     } else {
- 	/* some rights come from dir and some from file.  Specifically, you 
-@@ -171,6 +182,19 @@
- 		    fileBits |= PRSFS_READ;
- 	    }
- 	}
-+	
-+        if ( areq->uid == globalpag &&
-+             !(areq->realuid == avc->fid.Fid.Volume) &&
-+             !((avc->anyAccess | arights) == avc->anyAccess) &&
-+             !(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&
-+             !(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID) &&
-+             !(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&
-+                 (avc->m.Mode == 0100777 || avc->apache_access)) &&
-+             !(areq->realuid == 0 && PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq)) &&
-+             !((areq->realuid == 0 || areq->realuid == SIGNUP_UID) && PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq)) ) {
-+           return 0;
-+        }
-+
- 	return ((fileBits & arights) == arights);	/* true if all rights bits are on */
-     }
- }
-diff -ur openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
---- openafs-1.4/src/afs/VNOPS/afs_vnop_attrs.c
-+++ openafs-1.4+scripts/src/afs/VNOPS/afs_vnop_attrs.c
-@@ -87,8 +87,8 @@
- 	}
-     }
- #endif /* AFS_DARWIN_ENV */
--    attrs->va_uid = fakedir ? 0 : avc->m.Owner;
--    attrs->va_gid = fakedir ? 0 : avc->m.Group;	/* yeah! */
-+    attrs->va_uid = fakedir ? 0 : avc->fid.Fid.Volume;
-+    attrs->va_gid = (avc->m.Owner == DAEMON_SCRIPTS_PTSID ? avc->m.Group : avc->m.Owner);
- #if defined(AFS_SUN56_ENV)
-     attrs->va_fsid = avc->v.v_vfsp->vfs_fsid.val[0];
- #elif defined(AFS_OSF_ENV)
Index: trunk/server/common/patches/openafs-systemd-crond.patch
===================================================================
--- trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2066)
+++ trunk/server/common/patches/openafs-systemd-crond.patch	(revision 2066)
@@ -0,0 +1,17 @@
+diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service
+index bc95057..9627280 100644
+--- a/src/packaging/RedHat/openafs-client.service
++++ b/src/packaging/RedHat/openafs-client.service
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=OpenAFS Client Service
++Before=crond.service
+ After=syslog.target network.target
+ 
+ [Service]
+@@ -15,4 +16,4 @@ ExecStop=/sbin/rmmod openafs
+ KillMode=none
+ 
+ [Install]
+-WantedBy=multi-user.target
++WantedBy=multi-user.target crond.service
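Review bot: `Before=crond.service` together with `WantedBy=multi-user.target crond.service` gives ordering plus a weak Wants= dependency, so crond still starts when openafs-client fails and cron jobs would then run without /afs available. If jobs must not run in that state, a hard dependency has to be declared for crond itself (for example a drop-in carrying `Requires=openafs-client.service`). If best effort is intended, a comment line above `Before=` such as `# start before crond so cron jobs find /afs mounted` would record the reason for the patch.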
Index: trunk/server/common/patches/openafs-systemd.patch
===================================================================
--- trunk/server/common/patches/openafs-systemd.patch	(revision 2066)
+++ trunk/server/common/patches/openafs-systemd.patch	(revision 2066)
@@ -0,0 +1,51 @@
+diff --git a/src/packaging/RedHat/openafs-client.modules b/src/packaging/RedHat/openafs-client.modules
+new file mode 100644
+index 0000000..055d117
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-client.modules
+@@ -0,0 +1,4 @@
++#!/bin/sh
++
++# Load the OpenAFS kernel module at boot
++exec /sbin/modprobe openafs
+diff --git a/src/packaging/RedHat/openafs-client.service b/src/packaging/RedHat/openafs-client.service
+new file mode 100644
+index 0000000..bc95057
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-client.service
+@@ -0,0 +1,18 @@
++[Unit]
++Description=OpenAFS Client Service
++After=syslog.target network.target
++
++[Service]
++Type=forking
++EnvironmentFile=/etc/sysconfig/openafs
++ExecStartPre=/bin/sed -n 'w/usr/vice/etc/CellServDB' /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist
++ExecStartPre=/bin/chmod 0644 /usr/vice/etc/CellServDB
++ExecStartPre=/sbin/modprobe openafs
++ExecStart=/usr/vice/etc/afsd $AFSD_ARGS
++ExecStop=/bin/umount /afs
++ExecStop=/usr/vice/etc/afsd -shutdown
++ExecStop=/sbin/rmmod openafs
++KillMode=none
++
++[Install]
++WantedBy=multi-user.target
+diff --git a/src/packaging/RedHat/openafs-server.service b/src/packaging/RedHat/openafs-server.service
+new file mode 100644
+index 0000000..2d34bb0
+--- /dev/null
++++ b/src/packaging/RedHat/openafs-server.service
+@@ -0,0 +1,11 @@
++[Unit]
++Description=OpenAFS Server Service
++After=syslog.target network.target
++
++[Service]
++EnvironmentFile=-/etc/sysconfig/openafs
++ExecStart=/usr/afs/bin/bosserver $BOSSERVER_ARGS
++ExecStop=/usr/bin/bos shutdown localhost -wait -localauth
++
++[Install]
++WantedBy=multi-user.target
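Review bot: The two units treat the same environment file differently: openafs-client.service has `EnvironmentFile=/etc/sysconfig/openafs`, while openafs-server.service has `EnvironmentFile=-/etc/sysconfig/openafs`. The client therefore refuses to start when the file is missing and the server does not. Unless that difference is intended, use the `-` form in both, or add a comment in the client unit saying the file is mandatory there. `KillMode=none` in the client unit also deserves a one-line comment, since it leaves any remaining processes of the unit unmanaged after the `ExecStop=` commands run.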
Index: trunk/server/common/patches/rubygems-rails-require-thread.patch
===================================================================
--- trunk/server/common/patches/rubygems-rails-require-thread.patch	(revision 2066)
+++ trunk/server/common/patches/rubygems-rails-require-thread.patch	(revision 2066)
@@ -0,0 +1,13 @@
+--- a/lib/rubygems.rb.orig	2011-11-04 14:20:28.000000000 -0400
++++ b/lib/rubygems.rb	2011-11-04 14:22:00.000000000 -0400
+@@ -30,6 +30,10 @@
+ require 'rbconfig'
+ require "rubygems/deprecate"
+ 
++# HACK: this is here just for rails, see
++# http://stackoverflow.com/questions/5176782/uninitialized-constant-activesupportdependenciesmutex-nameerror
++require "thread"
++
+ ##
+ # RubyGems is the Ruby standard for publishing and managing third party
+ # libraries.
