Index: trunk/server/fedora/config/etc/cron.d/check-filecaps
===================================================================
--- trunk/server/fedora/config/etc/cron.d/check-filecaps	(revision 2066)
+++ trunk/server/fedora/config/etc/cron.d/check-filecaps	(revision 2066)
@@ -0,0 +1,2 @@
+MAILTO=scripts-root@mit.edu
+27 5 * * * root find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list | sed 's/^/Extra file_caps binary: /'
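Review bot: The allow-list comparison in the added cron line matches on path only: `cut -d' ' -f1` discards the capability set that getcap printed, so a file named in /etc/scripts/allowed-filecaps.list passes whatever capabilities it carries, and a path containing a space is truncated before `grep -Fxvf` sees it. Comparing the whole getcap output line against the list (with list entries written as full getcap lines, capability set included) would also catch an allowed binary that gains an unexpected capability. Separately, `-xdev` keeps find on the root filesystem and `-not -perm -o=x -prune` skips anything that is not world-executable, so capability-bearing files on other local mounts, or executable only by owner or group, are never reported. If that scope is intended, say so in a comment line above the job.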
Index: trunk/server/fedora/config/etc/cron.d/slapdagent
===================================================================
--- trunk/server/fedora/config/etc/cron.d/slapdagent	(revision 2053)
+++ trunk/server/fedora/config/etc/cron.d/slapdagent	(revision 2066)
@@ -1,3 +1,3 @@
 KRB5CCNAME=/var/run/dirsrv/krb5cc
 MAILTO=scripts-root@mit.edu
-0 */3 * * * fedora-ds /usr/kerberos/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname)
+0 */3 * * * fedora-ds /usr/bin/kinit -k -t /etc/dirsrv/keytab ldap/$(hostname)
Index: trunk/server/fedora/config/etc/cron.d/whoisd
===================================================================
--- trunk/server/fedora/config/etc/cron.d/whoisd	(revision 2053)
+++ 	(revision )
@@ -1,1 +1,0 @@
-@reboot root /usr/bin/twistd -l /var/log/scripts-whoisd.log --pidfile /var/run/whoisd.pid -y /usr/local/libexec/whoisd.tac
Index: trunk/server/fedora/config/etc/hosts
===================================================================
--- trunk/server/fedora/config/etc/hosts	(revision 2053)
+++ trunk/server/fedora/config/etc/hosts	(revision 2066)
@@ -18,5 +18,6 @@
 18.181.0.234	busy-beaver.mit.edu busy-beaver scripts7.mit.edu scripts7
 18.181.0.235	real-mccoy.mit.edu real-mccoy scripts8.mit.edu scripts8
-18.181.0.135	shining-armor.mit.edu shining-armor # scripts9.mit.edu scripts9
+18.181.0.135	shining-armor.mit.edu shining-armor scripts9.mit.edu scripts9
+18.181.0.141	golden-egg.mit.edu golden-egg scripts10.mit.edu scripts10
 
 172.21.0.57	better-mousetrap.mit.edu
@@ -29,2 +30,3 @@
 172.21.0.235	real-mccoy.mit.edu
 172.21.0.135	shining-armor.mit.edu
+172.21.0.141	golden-egg.mit.edu
Index: trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/httpd/conf.d/scripts-special.conf	(revision 2066)
@@ -1,4 +1,4 @@
 Alias /__scripts/heartbeat /afs/athena.mit.edu/contrib/scripts/web_scripts/heartbeat
-Alias /__scripts/django/media /usr/lib/python2.6/site-packages/django/contrib/admin/media
+Alias /__scripts/django/media /usr/lib/python2.7/site-packages/django/contrib/admin/media
 Alias /__scripts /afs/athena.mit.edu/contrib/scripts/www
 
@@ -9,5 +9,5 @@
 </Directory>
 
-<Directory /usr/lib/python2.6/site-packages/django/contrib/admin/media>
+<Directory /usr/lib/python2.7/site-packages/django/contrib/admin/media>
     <Files *>
 	SetHandler none
Index: trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost-names.conf	(revision 2066)
@@ -1,2 +1,16 @@
 ServerName scripts.mit.edu
-ServerAlias scripts 18.181.0.43 scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 scripts-test.mit.edu scripts-test 18.181.0.229 better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 localhost 127.0.0.1 ::1
+ServerAlias \
+    scripts 18.181.0.43 \
+    scripts-vhosts.mit.edu scripts-vhosts 18.181.0.46 \
+    scripts-test.mit.edu scripts-test 18.181.0.229 \
+    better-mousetrap.mit.edu better-mousetrap b-m.mit.edu b-m scripts1.mit.edu scripts1 18.181.0.57 \
+    old-faithful.mit.edu old-faithful o-f.mit.edu o-f scripts2.mit.edu scripts2 18.181.0.53 \
+    bees-knees.mit.edu bees-knees b-k.mit.edu b-k sx-blade-4.mit.edu sx-blade-4 scripts3.mit.edu scripts3 18.181.0.167 \
+    cats-whiskers.mit.edu cats-whiskers c-w.mit.edu c-w scripts4.mit.edu scripts4 18.181.0.228 \
+    whole-enchilada.mit.edu whole-enchilada w-e.mit.edu w-e scripts5.mit.edu scripts5 18.181.0.236 \
+    pancake-bunny.mit.edu pancake-bunny p-b.mit.edu p-b scripts6.mit.edu scripts6 18.181.0.237 \
+    busy-beaver.mit.edu busy-beaver b-b.mit.edu b-b scripts7.mit.edu scripts7 18.181.0.234 \
+    real-mccoy.mit.edu real-mccoy r-m.mit.edu r-m scripts8.mit.edu scripts8 18.181.0.235 \
+    shining-armor.mit.edu shining-armor s-a.mit.edu s-a scripts9.mit.edu scripts9 18.181.0.135 \
+    golden-egg.mit.edu golden-egg g-e.mit.edu g-e scripts10.mit.edu scripts10 18.181.0.141 \
+    localhost 127.0.0.1 ::1
Index: trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf
===================================================================
--- trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/httpd/conf.d/scripts-vhost.conf	(revision 2066)
@@ -1,4 +1,5 @@
 DocumentRoot /afs/athena.mit.edu/contrib/scripts/web_scripts/home
 SuExecUserGroup scripts users
+UserDir enabled
 UserDir web_scripts
 # Comment the following line out to take the machine out of the LVS pool
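Review bot: The added `UserDir enabled` carries no user list, so per-user directory translation is switched on for every account, and nothing visible in this hunk excludes root. The mod_userdir documentation recommends pairing it with `UserDir disabled root`; if that is not already set elsewhere in the vhost configuration (the rest of the file is outside this hunk), add it directly after the new line. A one-line comment on why the directive is needed (presumably to override a `UserDir disabled` default in the distribution's httpd.conf) would help the next reader.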
Index: trunk/server/fedora/config/etc/krb.conf
===================================================================
--- trunk/server/fedora/config/etc/krb.conf	(revision 2053)
+++ 	(revision )
@@ -1,5 +1,0 @@
-ATHENA.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS.MIT.EDU admin server
-ATHENA.MIT.EDU	KERBEROS-1.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS-2.MIT.EDU
-ATHENA.MIT.EDU	KERBEROS-3.MIT.EDU
Index: trunk/server/fedora/config/etc/krb.realms
===================================================================
--- trunk/server/fedora/config/etc/krb.realms	(revision 2053)
+++ 	(revision )
@@ -1,54 +1,0 @@
-sics.se		SICS.SE
-.sics.se	SICS.SE
-nada.kth.se	NADA.KTH.SE
-pdc.kth.se	NADA.KTH.SE
-.hydro.kth.se	NADA.KTH.SE
-.mech.kth.se	MECH.KTH.SE
-.nada.kth.se	NADA.KTH.SE
-.pdc.kth.se	NADA.KTH.SE
-.sans.kth.se	NADA.KTH.SE
-.admin.kth.se	ADMIN.KTH.SE
-.e.kth.se	E.KTH.SE
-.s3.kth.se	E.KTH.SE
-.radio.kth.se	E.KTH.SE
-.ttt.kth.se	E.KTH.SE
-.electrum.kth.se	IT.KTH.SE
-.math.kth.se	MATH.KTH.SE
-.it.kth.se	IT.KTH.SE
-.sth.sunet.se	SUNET.SE
-.pilsnet.sunet.se	SUNET.SE
-.sunet.se	SUNET.SE
-.ml.kva.se	ML.KVA.SE
-pi.se		PI.SE
-.pi.se		PI.SE
-.adm.pi.se	PI.SE
-.stacken.kth.se	STACKEN.KTH.SE
-kth.se		KTH.SE
-.kth.se		KTH.SE
-.bion.kth.se	BION.KTH.SE
-.lib.kth.se	LIB.KTH.SE
-.dsv.su.se	DSV.SU.SE
-.MIT.EDU ATHENA.MIT.EDU
-.MIT.EDU. ATHENA.MIT.EDU
-MIT.EDU ATHENA.MIT.EDU
-DODO.MIT.EDU SMS_TEST.MIT.EDU
-.UCSC.EDU CATS.UCSC.EDU
-.UCSC.EDU. CATS.UCSC.EDU
-CYGNUS.COM CYGNUS.COM
-.CYGNUS.COM CYGNUS.COM
-MIRKWOOD.CYGNUS.COM MIRKWOOD.CYGNUS.COM
-KITHRUP.COM KITHRUP.COM
-.KITHRUP.COM KITHRUP.COM
-.berkeley.edu   EECS.BERKELEY.EDU
-.CS.berkeley.edu        EECS.BERKELEY.EDU
-.MIT.EDU        ATHENA.MIT.EDU
-.mit.edu        ATHENA.MIT.EDU
-.BSDI.COM       BSDI.COM
-ARMADILLO.COM	ARMADILLO.COM
-.ARMADILLO.COM	ARMADILLO.COM
-ZEN.ORG		ZEN.ORG
-.ZEN.ORG	ZEN.ORG
-toad.com	TOAD.COM
-.toad.com	TOAD.COM
-lloyd.com	LLOYD.COM
-.lloyd.com	LLOYD.COM
Index: trunk/server/fedora/config/etc/krb5.conf
===================================================================
--- trunk/server/fedora/config/etc/krb5.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/krb5.conf	(revision 2066)
@@ -1,3 +1,4 @@
 [libdefaults]
+	allow_weak_crypto = true
 	default_realm = ATHENA.MIT.EDU
 # The following krb5.conf variables are only for MIT Kerberos.
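Review bot: `allow_weak_crypto = true` is added to [libdefaults] without a comment, and it re-enables single-DES and other weak encryption types for every Kerberos client on the host, not only for the service that needs them. Presumably one service here still depends on DES keys (the diff does not say which), so record that next to the setting, for example `# allow_weak_crypto: required by <service> until its DES keys are retired`. Without that note the setting is likely to survive long after the dependency is gone.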
Index: trunk/server/fedora/config/etc/ldap.conf
===================================================================
--- trunk/server/fedora/config/etc/ldap.conf	(revision 2053)
+++ 	(revision )
@@ -1,296 +1,0 @@
-# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# The man pages for this file are nss_ldap(5) and pam_ldap(5)
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a 
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=scripts,dc=mit,dc=edu
-
-# Another way to specify your LDAP server is to provide an
-# uri with the server name. This allows to use
-# Unix Domain Sockets to connect to a local LDAP Server.
-#uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/   
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-#ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with. 
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=example,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-timelimit 120
-
-# Bind/connect timelimit
-#bind_timelimit 30
-bind_timelimit 120
-
-# Reconnect policy: hard (default) will retry connecting to
-# the software with exponential backoff, soft will fail
-# immediately.
-#bind_policy hard
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-idle_timelimit 3600
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Check the 'host' attribute for access control
-# Default is no; if set to yes, and user has no
-# value for the host attribute, and pam_ldap is
-# configured for account management (authorization)
-# then the user will not be allowed to login.
-#pam_check_host_attr yes
-
-# Check the 'authorizedService' attribute for access
-# control
-# Default is no; if set to yes, and the user has no
-# value for the authorizedService attribute, and
-# pam_ldap is configured for account management
-# (authorization) then the user will not be allowed
-# to login.
-#pam_check_service_attr yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Specify a minium or maximum UID number allowed
-#pam_min_uid 0
-#pam_max_uid 0
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-#
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service. 
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password clear_remove_old
-#pam_password nds
-
-# RACF is an alias for the above. For use with
-# IBM RACF
-#pam_password racf
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# Redirect users to a URL or somesuch on password
-# changes.
-#pam_password_prohibit_message Please visit http://internal to change your password.
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX		base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd	ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-nss_base_passwd		ou=People,dc=scripts,dc=mit,dc=edu?one
-#nss_base_shadow	ou=People,dc=example,dc=com?one
-nss_base_group		ou=Groups,dc=scripts,dc=mit,dc=edu?one
-#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
-#nss_base_services	ou=Services,dc=example,dc=com?one
-#nss_base_networks	ou=Networks,dc=example,dc=com?one
-#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
-#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
-#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
-#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
-#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
-#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
-#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one
-
-# Just assume that there are no supplemental groups for these named users
-nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute	rfc2307attribute	mapped_attribute
-#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# NDS mappings
-#nss_map_attribute uniqueMember member
-
-# Services for UNIX 3.5 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount User
-#nss_map_attribute uid msSFU30Name
-#nss_map_attribute uniqueMember msSFU30PosixMember
-#nss_map_attribute userPassword msSFU30Password
-#nss_map_attribute homeDirectory msSFU30HomeDirectory
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#pam_login_attribute msSFU30Name
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-mssfu-schema is no longer supported.
-# Services for UNIX 2.0 mappings
-#nss_map_objectclass posixAccount User
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# RFC 2307 (AD) mappings
-#nss_map_objectclass posixAccount user
-#nss_map_objectclass shadowAccount user
-#nss_map_attribute uid sAMAccountName
-#nss_map_attribute homeDirectory unixHomeDirectory
-#nss_map_attribute shadowLastChange pwdLastSet
-#nss_map_objectclass posixGroup group
-#nss_map_attribute uniqueMember member
-#pam_login_attribute sAMAccountName
-#pam_filter objectclass=User
-#pam_password ad
-
-# configure --enable-authpassword is no longer supported
-# AuthPassword mappings
-#nss_map_attribute userPassword authPassword
-
-# AIX SecureWay mappings
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is to use libldap's default behavior, which can be configured in
-# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
-# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# Seed the PRNG if /dev/urandom is not provided
-#tls_randfile /var/run/egd-pool
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
-
-# SASL mechanism for PAM authentication - use is experimental
-# at present and does not support password policy control
-#pam_sasl_mech DIGEST-MD5
Index: trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg
===================================================================
--- trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg	(revision 2066)
+++ trunk/server/fedora/config/etc/mock/scripts-fc15-i386.cfg	(revision 2066)
@@ -0,0 +1,44 @@
+config_opts['root'] = 'fedora-15-i386'
+config_opts['target_arch'] = 'i686'
+config_opts['legal_host_arches'] = ('i386', 'i586', 'i686', 'x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc15'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=i386
+failovermethod=priority
+
+[updates-released]
+name=updates
+#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=i386
+baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/15/i386/
+failovermethod=priority
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
+enabled=0
+gpgcheck=0
+"""
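Review bot: `gpgcheck=0` in the [main] section of the embedded yum.conf, together with the `http://` mirrorlist and baseurl entries below it, means every package installed into the build chroot is accepted without signature verification over an unauthenticated transport. Everything built in this chroot inherits that trust, so consider `gpgcheck=1` in [main] with a `gpgkey=` line for the Fedora 15 key in the [fedora] and [updates-released] sections, keeping `gpgcheck=0` only on [local] if the locally built RPMs are unsigned. The same applies to scripts-fc15-x86_64.cfg, which repeats these settings.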
Index: trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg
===================================================================
--- trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg	(revision 2066)
+++ trunk/server/fedora/config/etc/mock/scripts-fc15-x86_64.cfg	(revision 2066)
@@ -0,0 +1,48 @@
+config_opts['root'] = 'fedora-15-x86_64'
+config_opts['target_arch'] = 'x86_64'
+config_opts['legal_host_arches'] = ('x86_64')
+config_opts['chroot_setup_cmd'] = 'groupinstall buildsys-build'
+config_opts['dist'] = 'fc15'  # only useful for --resultdir variable subst
+
+config_opts['yum.conf'] = """
+[main]
+cachedir=/var/cache/yum
+debuglevel=1
+reposdir=/dev/null
+logfile=/var/log/yum.log
+retries=20
+obsoletes=1
+gpgcheck=0
+assumeyes=1
+syslog_ident=mock
+syslog_device=
+# grub/syslinux on x86_64 need glibc-devel.i386 which pulls in glibc.i386, need to exclude all
+# .i?86 packages except these.
+#exclude=[0-9A-Za-fh-z]*.i?86 g[0-9A-Za-km-z]*.i?86 gl[0-9A-Za-hj-z]*.i?86 gli[0-9A-Zac-z]*.i?86 glib[0-9A-Za-bd-z]*.i?86
+# The above is not needed anymore with yum multilib policy of "best" which is the default in Fedora.
+
+# repos
+
+[fedora]
+name=fedora
+mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-15&arch=x86_64
+failovermethod=priority
+
+[updates-released]
+name=updates
+#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f15&arch=x86_64
+baseurl=http://download3.fedora.redhat.com/pub/fedora/linux/updates/15/x86_64/
+failovermethod=priority
+
+[local]
+name=local
+baseurl=file:///home/scripts-build/mock-local/ 
+cost=2000
+enabled=1
+
+[scripts]
+name=Scripts
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
+enabled=0
+gpgcheck=0
+"""
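Review bot: `config_opts['legal_host_arches'] = ('x86_64')` assigns a plain string rather than a tuple, because the parentheses contain no trailing comma; the i386 config in this change uses a real tuple. If mock tests the host architecture with `in`, that becomes a substring test instead of a membership test, so write `config_opts['legal_host_arches'] = ('x86_64',)`. The [local] line `baseurl=file:///home/scripts-build/mock-local/ ` also ends in a trailing space that is worth trimming.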
Index: trunk/server/fedora/config/etc/php.d/_scripts.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/_scripts.ini	(revision 2053)
+++ trunk/server/fedora/config/etc/php.d/_scripts.ini	(revision 2066)
@@ -3,2 +3,3 @@
 cgi.force_redirect = 0
 memory_limit = 1024M
+date.timezone = America/New_York
Index: trunk/server/fedora/config/etc/php.d/tidy.ini
===================================================================
--- trunk/server/fedora/config/etc/php.d/tidy.ini	(revision 2053)
+++ trunk/server/fedora/config/etc/php.d/tidy.ini	(revision 2066)
@@ -1,1 +1,0 @@
-
Index: trunk/server/fedora/config/etc/postfix/main.cf
===================================================================
--- trunk/server/fedora/config/etc/postfix/main.cf	(revision 2053)
+++ trunk/server/fedora/config/etc/postfix/main.cf	(revision 2066)
@@ -17,6 +17,6 @@
 recipient_delimiter = +
 inet_interfaces = all
-readme_directory = /usr/share/doc/postfix-2.7.4/README_FILES
-sample_directory = /usr/share/doc/postfix-2.7.4/samples
+readme_directory = /usr/share/doc/postfix-2.8.5/README_FILES
+sample_directory = /usr/share/doc/postfix-2.8.5/samples
 sendmail_path = /usr/sbin/sendmail
 html_directory = no
Index: trunk/server/fedora/config/etc/rc.d/rc.local
===================================================================
--- trunk/server/fedora/config/etc/rc.d/rc.local	(revision 2053)
+++ trunk/server/fedora/config/etc/rc.d/rc.local	(revision 2066)
@@ -3,7 +3,3 @@
 touch /var/lock/subsys/local
 
-if [ -r "/afs/athena.mit.edu" ]; then
-	/sbin/service postfix start
-fi
-
 /bin/mkdir -pm 1773 /tmp/sessions
Index: trunk/server/fedora/config/etc/scripts/allowed-filecaps.list
===================================================================
--- trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2066)
+++ trunk/server/fedora/config/etc/scripts/allowed-filecaps.list	(revision 2066)
@@ -0,0 +1,2 @@
+/bin/ping
+/bin/ping6
Index: trunk/server/fedora/config/etc/scripts/allowed-setugid.list
===================================================================
--- trunk/server/fedora/config/etc/scripts/allowed-setugid.list	(revision 2053)
+++ trunk/server/fedora/config/etc/scripts/allowed-setugid.list	(revision 2066)
@@ -1,4 +1,2 @@
-/bin/ping
-/bin/ping6
 /sbin/pam_timestamp_check
 /sbin/unix_chkpwd
Index: trunk/server/fedora/config/etc/ssh/shosts.equiv
===================================================================
--- trunk/server/fedora/config/etc/ssh/shosts.equiv	(revision 2053)
+++ trunk/server/fedora/config/etc/ssh/shosts.equiv	(revision 2066)
@@ -8,4 +8,5 @@
 shining-armor.mit.edu
 whole-enchilada.mit.edu
+golden-egg.mit.edu
 172.21.0.53
 172.21.0.57
@@ -17,2 +18,3 @@
 172.21.0.135
 172.21.0.236
+172.21.0.141
Index: trunk/server/fedora/config/etc/ssh/ssh_known_hosts
===================================================================
--- trunk/server/fedora/config/etc/ssh/ssh_known_hosts	(revision 2053)
+++ trunk/server/fedora/config/etc/ssh/ssh_known_hosts	(revision 2066)
@@ -8,2 +8,3 @@
 whole-enchilada.mit.edu,whole-enchilada,w-e.mit.edu,w-e,scripts5.mit.edu,scripts5,18.181.0.236,172.21.0.236 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
 shining-armor.mit.edu,shining-armor,s-a.mit.edu,s-a,scripts9.mit.edu,scripts9,18.181.0.135,172.21.0.135 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
+golden-egg.mit.edu.golden-egg,g-e.mit.edu,g-e,scripts10.mit.edu,scripts10,18.181.0.141,172.21.0.141 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuEpkEgaIgjK7F1gV81lLSYTwSqIZX/9IJs37VaJCsJFv3D86uuJSdfI3Y94fPn2OH6AxfdaqGNksVdi27mKQfzvCB4ogjQgxmM391MIDLd+izZDY0YvCb4DqJLMJUpX49cNUMkj+/rJg1O0K2w/lb8DGr7wdoLSPKCUJNJv5WMMDxpFL253lPELsmnds4T+R6LpTt6W9+FalHl84me51sEjV9PbmhcTaNwuoJStAjhrKPfgHHDIKNyCUvaVkoHPXEsdzz00yY7i57djyZlzPV/jM7LKar+Xw2LB0Z3098IQcdbD8zmz2DdakPTlShxavNPC6kZDZ3WVqziC+bszaSQ==
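Review bot: The new known_hosts entry begins `golden-egg.mit.edu.golden-egg`, with a dot where the other entries have a comma, so neither `golden-egg.mit.edu` nor `golden-egg` is a host pattern on this line. Host key lookups by those two names will not find the key, which matters because shosts.equiv in this same change trusts the host as `golden-egg.mit.edu`. The line should start `golden-egg.mit.edu,golden-egg,g-e.mit.edu,` like the entries above it.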
Index: trunk/server/fedora/config/etc/ssh/sshd_config
===================================================================
--- trunk/server/fedora/config/etc/ssh/sshd_config	(revision 2053)
+++ trunk/server/fedora/config/etc/ssh/sshd_config	(revision 2066)
@@ -20,3 +20,3 @@
 IgnoreRhosts yes
 IgnoreUserKnownHosts yes
-DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu
+DenyUsers root@old-faithful.mit.edu root@better-mousetrap.mit.edu root@bees-knees.mit.edu root@cats-whiskers.mit.edu root@pancake-bunny.mit.edu root@busy-beaver.mit.edu root@real-mccoy.mit.edu root@whole-enchilada.mit.edu root@shining-armor.mit.edu root@golden-egg.mit.edu
Index: trunk/server/fedora/config/etc/sysconfig/dirsrv
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/dirsrv	(revision 2053)
+++ trunk/server/fedora/config/etc/sysconfig/dirsrv	(revision 2066)
@@ -32,5 +32,5 @@
 # slapdagent cronjob) -- geofft 30 October 2010
 KRB5CCNAME=/var/run/dirsrv/krb5cc; export KRB5CCNAME
-/usr/kerberos/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)"
+/usr/bin/kinit -k -t "$KRB5_KTNAME" ldap/"$(hostname)"
 chown --reference="$KRB5_KTNAME" "$KRB5CCNAME"
 
Index: trunk/server/fedora/config/etc/sysconfig/httpd
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2053)
+++ trunk/server/fedora/config/etc/sysconfig/httpd	(revision 2066)
@@ -21,2 +21,10 @@
 #
 #HTTPD_LANG=C
+
+#
+# When stopping the server a 10 second timeout is allowed before
+# forcibly terminating the parent process (with a SIGKILL signal).
+# To allow a longer delay, set the STOP_TIMEOUT variable.
+#
+#STOP_TIMEOUT=10
+#
Index: trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1	(revision 2053)
+++ trunk/server/fedora/config/etc/sysconfig/network-scripts/route-eth1	(revision 2066)
@@ -12,2 +12,3 @@
 18.181.0.235 via 172.21.0.235
 18.181.0.135 via 172.21.0.135
+18.181.0.141 via 172.21.0.141
Index: trunk/server/fedora/config/etc/sysconfig/openafs
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/openafs	(revision 2053)
+++ trunk/server/fedora/config/etc/sysconfig/openafs	(revision 2066)
@@ -1,21 +1,2 @@
 AFSD_ARGS="-afsdb -dynroot -fakestat-all -stat 25000 -daemons 100 -volumes 4000 -files 400000 -chunksize 19"
 BOSSERVER_ARGS=
-
-postinit () {
-	/sbin/sysctl -q afs.GCPAGs=0
-	/usr/bin/fs setcrypt on
-	case "$(lsb_release -cs)" in
-	  Moonshine)
-	    /usr/bin/fs sysname 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora7' 'amd64_linux26' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' 'i386_linux1' ;;
-	  Sulphur)
-	    /usr/bin/fs sysname 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  Leonidas)
-	    /usr/bin/fs sysname 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  Goddard)
-	    /usr/bin/fs sysname 'amd64_fedora13_scripts' 'amd64_fedora11_scripts' 'amd64_fedora9_scripts' 'amd64_fedora7_scripts' 'scripts' 'amd64_fedora13' 'amd64_fedora11' 'amd64_fedora9' 'amd64_fedora7' 'amd64_linux26' 'i386_deb50' 'i386_deb40' 'i386_rhel4' 'i386_rhel3' 'i386_rh9' 'i386_linux26' 'i386_linux24' 'i386_linux22' 'i386_linux3' 'i386_linux2' ;;
-	  *)
-	    echo "Warning: unknown platform. AFS sysname not set."
-	esac
-	/usr/bin/fs setcell -nosuid -c athena
-}
-AFS_POST_INIT=postinit
Index: trunk/server/fedora/config/etc/sysconfig/sysstat
===================================================================
--- trunk/server/fedora/config/etc/sysconfig/sysstat	(revision 2053)
+++ trunk/server/fedora/config/etc/sysconfig/sysstat	(revision 2066)
@@ -1,2 +1,13 @@
-# How long to keep log files (days), maximum is a month
+# sysstat-9.0.6.1 configuration file.
+
+# How long to keep log files (in days).
+# If value is greater than 28, then log files are kept in
+# multiple directories, one for each month.
 HISTORY=30
+
+# Compress (using gzip or bzip2) sa and sar files older than (in days):
+COMPRESSAFTER=10
+
+# Parameters for system activity collector (see sadc man-page) which
+# are used for the generation of log files
+SADC_OPTIONS="-S DISK"
Index: trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl
===================================================================
--- trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl	(revision 2053)
+++ trunk/server/fedora/config/etc/syslog-ng/d_zroot.pl	(revision 2066)
@@ -32,5 +32,5 @@
 sub buildKeyMap($) {
     my ($file) = @_;
-    open (KEYS, $file) or warn "Couldn't open $file: $!";
+    open (KEYS, $file) or (warn "Couldn't open $file: $!\n" and return);
     while (<KEYS>) {
 	chomp;
@@ -58,6 +58,8 @@
 buildKeyMap("/root/.ssh/authorized_keys2");
 
-while (1) {
-    my @message = scalar(<>);
+my @message;
+
+while (my $line = <>) {
+    @message = $line;
     eval {
         local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
@@ -80,6 +82,6 @@
 	} elsif ($message =~ m|Root (\S+) shell|) {
 	    sendmsg($message);
-	} elsif ($message =~ m|session \S+ for user (\S+)|) {
-	    sendmsg($message) if exists $USERS{$1};
+	} elsif ($message =~ m|pam_unix\(([^:]+):session\): session \S+ for user (\S+)|) {
+	    sendmsg($message) if $1 ne "cron" and exists $USERS{$2};
 	} elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) {
 	    if ($sshkeys{$2}) {
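Review bot: The new guard `$1 ne "cron"` compares the captured PAM service name against one exact string, which may not be the name the cron daemon uses on these hosts. As far as I know, cronie on Fedora registers with PAM as `crond`, in which case this test would never suppress anything and cron sessions for listed users would still be sent. Check it against a real `pam_unix(...:session)` line from /var/log/secure, and consider `$1 !~ /^crond?$/` if both spellings can occur. A comment such as `# $1 = PAM service, $2 = target user; cron sessions are routine and not announced` would also make the capture groups readable. The enclosing if/elsif chain starts and ends outside the hunk.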
@@ -117,4 +119,5 @@
 	} elsif ($message =~ m|^ *root : TTY=|) {
 	} elsif ($message =~ m|^Set /proc/self/oom_adj to |) {
+	} elsif ($message =~ m|^fatal: mm_request_receive: read: Connection reset by peer$|) {
 	} else {
 	    sendmsg($message, "scripts-spew");
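Review bot: The added empty branch for `fatal: mm_request_receive: read: Connection reset by peer` drops the line without saying where it comes from or why it is safe to ignore, as do the two suppressions above it. A comment such as `# sshd privsep monitor: client dropped the connection before auth completed; still recorded in the auth log` would let a later reader judge whether the suppression is still wanted. The match is on message text only, so it is worth confirming that the program name is not part of `$message` here, since that part of the script is outside the hunk.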
Index: trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf
===================================================================
--- trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/syslog-ng/syslog-ng.conf	(revision 2066)
@@ -1,2 +1,4 @@
+@version:3.2
+
 # syslog-ng configuration file.
 #
@@ -8,5 +10,5 @@
 
 options {
-	sync (0);
+	flush_lines (0);
 	time_reopen (10);
 	log_fifo_size (1000);
@@ -16,8 +18,9 @@
 	create_dirs (no);
 	keep_hostname (yes);
+	stats_freq (0);
 };
 
 source s_sys {
-	file ("/proc/kmsg" log_prefix("kernel: "));
+	file ("/proc/kmsg" program_override("kernel: "));
 	unix-stream ("/dev/log");
 	internal();
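Review bot: `program_override("kernel: ")` on the `/proc/kmsg` source carries over the trailing colon and space from the old `log_prefix` value. Unlike `log_prefix`, `program_override` replaces the program field rather than prepending text to the message, so as far as I can tell the default file format would write these lines as `kernel: : ...`. The value should be the bare program name: `file ("/proc/kmsg" program_override("kernel"));`. Any filter that matches on the program name is worth rechecking after this change, since the filters are outside this hunk.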
@@ -28,5 +31,5 @@
 destination d_mesg { file("/var/log/messages"); };
 destination d_auth { file("/var/log/secure"); };
-destination d_mail { file("/var/log/maillog" sync(10)); };
+destination d_mail { file("/var/log/maillog" flush_lines(10)); };
 destination d_spol { file("/var/log/spooler"); };
 destination d_boot { file("/var/log/boot.log"); };
Index: trunk/server/fedora/config/etc/yum.conf
===================================================================
--- trunk/server/fedora/config/etc/yum.conf	(revision 2053)
+++ trunk/server/fedora/config/etc/yum.conf	(revision 2066)
@@ -9,5 +9,5 @@
 plugins=1
 metadata_expire=1800
-installonlypkgs=kernel kernel-devel kmod-openafs
+installonlypkgs=kernel kernel-devel kmod-openafs ghc-cgi ghc-cgi-devel
 
 # PUT YOUR REPOS HERE OR IN separate files named file.repo
Index: trunk/server/fedora/config/etc/yum.repos.d/scripts.repo
===================================================================
--- trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2053)
+++ trunk/server/fedora/config/etc/yum.repos.d/scripts.repo	(revision 2066)
@@ -1,5 +1,5 @@
 [scripts]
 name=Scripts
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15/
 enabled=1
 gpgcheck=0
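Review bot: Both repositories are still fetched over plain `http://` with `gpgcheck=0`, here and in the `[scripts-testing]` hunk below, so nothing authenticates the packages that yum installs as root from this baseurl. Tampering on the network path or on the web host would go unnoticed. The move to the fc15 tree is a natural point to set `gpgcheck=1` and add a `gpgkey=` line for the repository signing key, for example `gpgkey=file:///etc/pki/rpm-gpg/<SCRIPTS-REPO-KEY>` (placeholder path). The baseurl should also switch to `https://` if the host serves it.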
@@ -7,5 +7,5 @@
 [scripts-testing]
 name=Scripts Testing
-baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc13-testing/
+baseurl=http://web.mit.edu/scripts/yum-repos/rpm-fc15-testing/
 enabled=0
 gpgcheck=0
Index: trunk/server/fedora/config/etc/yum/post-actions/capoverride.action
===================================================================
--- trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2066)
+++ trunk/server/fedora/config/etc/yum/post-actions/capoverride.action	(revision 2066)
@@ -0,0 +1,7 @@
+/usr/sbin/mtr:install:setcap -r /usr/sbin/mtr
+/usr/bin/rsh:install:setcap -r /usr/bin/rsh
+/usr/bin/rcp:install:setcap -r /usr/bin/rcp
+/usr/bin/gnome-keyring-daemon:install:setcap -r /usr/bin/gnome-keyring-daemon
+/usr/bin/newrole:install:setcap -r /usr/bin/newrole
+/usr/bin/rlogin:install:setcap -r /usr/bin/rlogin
+/usr/libexec/pt_chown:install:setcap -r /usr/libexec/pt_chown
Index: trunk/server/fedora/config/etc/yum/post-actions/statoverride.action
===================================================================
--- trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2053)
+++ trunk/server/fedora/config/etc/yum/post-actions/statoverride.action	(revision 2066)
@@ -22,8 +22,10 @@
 /usr/bin/write:install:chmod ug-s /usr/bin/write
 /usr/bin/Xorg:install:chmod ug-s /usr/bin/Xorg
-/usr/kerberos/bin/ksu:install:chmod ug-s /usr/kerberos/bin/ksu
+/usr/bin/ksu:install:chmod ug-s /usr/bin/ksu
 /usr/lib64/nspluginwrapper/plugin-config:install:chmod ug-s /usr/lib64/nspluginwrapper/plugin-config
 /usr/lib64/vte/gnome-pty-helper:install:chmod ug-s /usr/lib64/vte/gnome-pty-helper
+/usr/libexec/kde4/kpac_dhcp_helper:install:chmod ug-s /usr/libexec/kde4/kpac_dhcp_helper
 /usr/sbin/ccreds_chkpwd:install:chmod ug-s /usr/sbin/ccreds_chkpwd
 /usr/sbin/userisdnctl:install:chmod ug-s /usr/sbin/userisdnctl
 /usr/sbin/usernetctl:install:chmod ug-s /usr/sbin/usernetctl
+/usr/bin/pkexec:install:chmod ug-s /usr/bin/pkexec
