Index: branches/fc17-dev/server/common/oursrc/accountadm/Makefile.in
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/Makefile.in	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/accountadm/Makefile.in	(revision 2195)
@@ -8,8 +8,8 @@
 sysconfdir = @sysconfdir@
 
-all-local: admof signup-scripts-frontend
+all-local: admof
 
-admof: admof.c
-	$(CC) $(CPPFLAGS) $(CFLAGS) $< -L/usr/lib/afs -L/usr/lib64/afs -lprot -lauth -lrxkad -lubik -laudit -lsys -lrx -llwp -lsys -lafsutil -lcom_err -lresolv -lkrb5 -ldes -o $@
+admof: LDLIBS = -lafsauthent_pic -lafsrpc_pic -lresolv -lkrb5 -lpthread
+admof: admof.o
 
 install:
@@ -18,5 +18,4 @@
 	install -p -m755 -D admof $(DESTDIR)$(bindir)/admof
 	install -p -m755 -D admof $(DESTDIR)$(sbindir)/ssh-admof
-	install -p -m755 -D signup-scripts-frontend $(DESTDIR)$(sbindir)/signup-scripts-frontend
 	install -p -m755 -D signup-scripts-backend $(DESTDIR)$(sbindir)/signup-scripts-backend
 	install -p -m755 -D cronload $(DESTDIR)$(bindir)/cronload
@@ -26,5 +25,5 @@
 
 clean:
-	rm -f admof signup-scripts-frontend
+	rm -f admof admof.o
 
 distclean: clean
Index: branches/fc17-dev/server/common/oursrc/accountadm/admof.c
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/admof.c	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/accountadm/admof.c	(revision 2195)
@@ -21,4 +21,5 @@
 #include <unistd.h>
 #include <netinet/in.h>
+#include <afs/stds.h>
 #include <afs/vice.h>
 #include <afs/venus.h>
@@ -90,7 +91,5 @@
     }
 
-    /* Note: this first free probably should be xdr_free in OpenAFS 1.5.
-     * See commits b40b606 and f02f2e8 */
-    free(tids.idlist_val);
+    xdr_free((xdrproc_t) xdr_idlist, &tids);
     tids.idlist_val = NULL;
     free(tnames.namelist_val);
Index: branches/fc17-dev/server/common/oursrc/accountadm/configure.in
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/configure.in	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/accountadm/configure.in	(revision 2195)
@@ -1,3 +1,3 @@
-AC_INIT(signup-scripts-frontend.c)
+AC_INIT(signup-scripts-backend.in)
 
 AC_PROG_CC
Index: branches/fc17-dev/server/common/oursrc/accountadm/mrproper
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/mrproper	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/accountadm/mrproper	(revision 2195)
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-rm -f signup-scripts-frontend admof signup-scripts-backend mbash
+rm -f admof signup-scripts-backend mbash
 rm -f configure config.* Makefile
 rm -rf auto*.cache
Index: branches/fc17-dev/server/common/oursrc/accountadm/signup-scripts-backend.in
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/signup-scripts-backend.in	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/accountadm/signup-scripts-backend.in	(revision 2195)
@@ -32,5 +32,5 @@
 while (<BANNEDUSERS>) {
     chomp;
-    complain("banned username") if ($_ eq $username);
+    complain("banned username") if (lc eq lc $username);
 }
 close(BANNEDUSERS);
Index: branches/fc17-dev/server/common/oursrc/accountadm/signup-scripts-frontend.c
===================================================================
--- branches/fc17-dev/server/common/oursrc/accountadm/signup-scripts-frontend.c	(revision 2081)
+++ 	(revision )
@@ -1,48 +1,0 @@
-/*
- * signup-scripts-frontend
- * Copyright (C) 2006  Jeff Arnold <jbarnold@mit.edu>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- *
- * See /COPYRIGHT in this repository for more information.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-
-extern char **environ;
-
-int main(int argc, char **argv) {
-	environ=NULL;
-	if(argc != 2) {
-		exit(1);
-	}
-
-	char uid[21]; // 64-bit uid requires 21
-	int retval = snprintf(uid, 21, "%d", getuid());
-	if(retval < 0 || retval >= 21) {
-		exit(1);
-	}
-	if(setreuid(geteuid(), -1) != 0) {
-		exit(1);
-	}
-	char *v[3];
-#define BACKEND_PATH "/usr/local/sbin/signup-scripts-backend"
-	v[0] = BACKEND_PATH;
-	v[1] = argv[1];
-	v[2] = NULL;
-	execv(BACKEND_PATH, v);
-	return 1;
-}
Index: branches/fc17-dev/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs
===================================================================
--- branches/fc17-dev/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs	(revision 2195)
+++ branches/fc17-dev/server/common/oursrc/fuse-better-mousetrapfs/better-mousetrapfs	(revision 2195)
@@ -0,0 +1,90 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# better-mousetrapfs: Filesystem that logs and kills any accessors
+# version 1.0, released 2010-03-31
+# Copyright © 2010 Anders Kaseorg <andersk@mit.edu>
+#
+# Permission is hereby granted, free of charge, to any person
+# obtaining a copy of this software and associated documentation files
+# (the “Software”), to deal in the Software without restriction,
+# including without limitation the rights to use, copy, modify, merge,
+# publish, distribute, sublicense, and/or sell copies of the Software,
+# and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+import errno
+import fuse
+import grp
+import os
+import pwd
+import signal
+import stat
+import syslog
+
+fuse.fuse_python_api = (0, 2)
+
+class BetterMousetrapFS(fuse.Fuse):
+    def __init__(self, *args, **kwargs):
+        syslog.openlog('better-mousetrapfs')
+        fuse.Fuse.__init__(self, *args, **kwargs)
+
+    def getattr(self, path):
+        if path == '/':
+            return fuse.Stat(st_mode = stat.S_IFDIR | 0755, st_nlink = 2)
+        else:
+            return -errno.EACCES
+
+    def opendir(self, path):
+        self.spring(fuse.FuseGetContext())
+        return -errno.EACCES
+
+    def spring(self, context):
+        pid = context['pid']
+        uid = context['uid']
+        gid = context['gid']
+        try:
+            user = '%d %r' % (uid, pwd.getpwuid(uid).pw_name)
+        except KeyError:
+            user = '%d' % uid
+        try:
+            group = '%d %r' % (gid, grp.getgrgid(gid).gr_name)
+        except KeyError:
+            group = '%d' % gid
+        cmdline = open('/proc/%d/cmdline' % pid).read().split('\0')[:-1]
+        exe = os.readlink('/proc/%d/exe' % pid)
+        status = dict(tuple(v.strip() for v in l.split(':', 1))
+                      for l in open('/proc/%d/status' % pid).readlines())
+        cwd = os.readlink('/proc/%d/cwd' % pid)
+
+        syslog.syslog(
+            syslog.LOG_WARNING | 80, # 80 = LOG_AUTHPRIV
+            'mousetrap caught process %d, uid=%s, gid=%s, exe=%r, cmdline=%r, cwd=%r' %
+            (pid, user, group, exe, cmdline, cwd))
+
+        try:
+            nonlocal_gid = grp.getgrnam('nss-nonlocal-users').gr_gid
+        except KeyError:
+            nonlocal_gid = None
+        if str(nonlocal_gid) in status['Groups'].split():
+            os.kill(pid, signal.SIGKILL)
+            pass
+
+if __name__ == '__main__':
+    fs = BetterMousetrapFS()
+    fs.parse(errex=1)
+    fs.fuse_args.add('allow_other')
+    fs.fuse_args.add('ro')
+    fs.main()
Index: branches/fc17-dev/server/common/oursrc/whoisd/scripts-whoisd.service
===================================================================
--- branches/fc17-dev/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2081)
+++ branches/fc17-dev/server/common/oursrc/whoisd/scripts-whoisd.service	(revision 2195)
@@ -1,9 +1,9 @@
 [Unit]
 Description=Scripts whois Service
-After=syslog.target
+After=syslog.target dirsrv.service
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/twistd --nodaemon -l /var/log/scripts-whoisd.log -y /usr/local/libexec/whoisd.tac
+ExecStart=/usr/bin/twistd --nodaemon -l /var/log/scripts-whoisd.log --pidfile /var/run/whoisd.pid -y /usr/local/libexec/whoisd.tac
 
 [Install]
Index: branches/fc17-dev/server/common/patches/httpd-suexec-scripts.patch
===================================================================
--- branches/fc17-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 2081)
+++ branches/fc17-dev/server/common/patches/httpd-suexec-scripts.patch	(revision 2195)
@@ -314,5 +314,5 @@
          exit(121);
      }
-@@ -614,6 +767,23 @@
+@@ -614,6 +767,30 @@
      /*
       * Execute the command, replacing our image with its own.
@@ -331,4 +331,11 @@
 +        argv[1] = PHP_PATH;
 +        argv[2] = "-f";
++        /*
++         * argv[3] is the command to run. argv[4] is either an argument or
++         * already null. We don't want to pass any arguments through from
++         * Apache (since they're untrusted), so we chop off the remainder
++         * of argv here.
++         */
++        argv[4] = 0;
 +        execv(PHP_PATH, &argv[1]);
 +        log_err("(%d)%s: php exec failed (%s)\n", errno, strerror(errno), argv[1]);
Index: branches/fc17-dev/server/common/patches/openafs-linux-3.2-nlink.patch
===================================================================
--- branches/fc17-dev/server/common/patches/openafs-linux-3.2-nlink.patch	(revision 2195)
+++ branches/fc17-dev/server/common/patches/openafs-linux-3.2-nlink.patch	(revision 2195)
@@ -0,0 +1,28 @@
+As of v3.2-rc1~84^2~1, struct inode.i_nlink is now const to prevent
+direct modification.
+
+Original patch was:
+
+From c4442772286c0a1fdb99500d65e7d6f295388feb Mon Sep 17 00:00:00 2001
+From: Anders Kaseorg <andersk@mit.edu>
+Date: Sun, 20 Nov 2011 19:00:00 -0500
+Subject: [PATCH] Linux: 3.2: Use set_nlink to update i_nlink
+Change-Id: I685aa6e8638e8fe864f1a6a7e428dfb6839ebcea
+
+Since handling m4 changes is annoying with spec files, we assume
+that set_nlink is available.  This patch will break on old versions
+of Linux, specifically prior to v3.1-8781-gd211858.
+
+diff --git a/src/afs/LINUX/osi_vfsops.c b/src/afs/LINUX/osi_vfsops.c
+index 596d064..d32720f 100644
+--- a/src/afs/LINUX/osi_vfsops.c
++++ b/src/afs/LINUX/osi_vfsops.c
+@@ -439,7 +439,7 @@ void
+ vattr2inode(struct inode *ip, struct vattr *vp)
+ {
+     ip->i_ino = vp->va_nodeid;
+-    ip->i_nlink = vp->va_nlink;
++    set_nlink(ip, vp->va_nlink);
+     ip->i_blocks = vp->va_blocks;
+ #ifdef STRUCT_INODE_HAS_I_BLKBITS
+     ip->i_blkbits = AFS_BLKBITS;
Index: branches/fc17-dev/server/common/patches/openafs-localcsdb.patch
===================================================================
--- branches/fc17-dev/server/common/patches/openafs-localcsdb.patch	(revision 2081)
+++ 	(revision )
@@ -1,11 +1,0 @@
---- openafs-1.4/src/packaging/RedHat/openafs-client.init.orig	2009-04-14 04:28:32.000000000 -0400
-+++ openafs-1.4/src/packaging/RedHat/openafs-client.init	2009-04-14 04:27:08.000000000 -0400
-@@ -14,7 +14,7 @@
- 
- start() {
-         echo -n $"Updating CellServDB: "
--        cat /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist > \
-+        cat /usr/vice/etc/CellServDB.local > \
-                /usr/vice/etc/CellServDB
-         chmod 644 /usr/vice/etc/CellServDB
-         echo
Index: branches/fc17-dev/server/common/patches/openafs-systemd-crond.patch
===================================================================
--- branches/fc17-dev/server/common/patches/openafs-systemd-crond.patch	(revision 2081)
+++ branches/fc17-dev/server/common/patches/openafs-systemd-crond.patch	(revision 2195)
@@ -14,4 +14,4 @@
  
  [Install]
--WantedBy=multi-user.target
-+WantedBy=multi-user.target crond.service
+-WantedBy=multi-user.target remote-fs.target
++WantedBy=multi-user.target remote-fs.target crond.service
Index: branches/fc17-dev/server/common/patches/openafs-systemd-csdb.patch
===================================================================
--- branches/fc17-dev/server/common/patches/openafs-systemd-csdb.patch	(revision 2195)
+++ branches/fc17-dev/server/common/patches/openafs-systemd-csdb.patch	(revision 2195)
@@ -0,0 +1,11 @@
+--- a/src/packaging/RedHat/openafs-client.service	2012-03-26 17:04:18.177919348 -0400
++++ b/src/packaging/RedHat/openafs-client.service	2012-03-26 17:15:17.206630779 -0400
+@@ -6,7 +6,7 @@
+ [Service]
+ Type=forking
+ EnvironmentFile=/etc/sysconfig/openafs
+-ExecStartPre=/bin/sed -n 'w/usr/vice/etc/CellServDB' /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.dist
++ExecStartPre=-/bin/sed -n 'w/usr/vice/etc/CellServDB' /usr/vice/etc/CellServDB.local /usr/vice/etc/CellServDB.mousetrap
+ ExecStartPre=/bin/chmod 0644 /usr/vice/etc/CellServDB
+ ExecStartPre=/sbin/modprobe openafs
+ ExecStart=/usr/vice/etc/afsd $AFSD_ARGS
Index: branches/fc17-dev/server/common/patches/openafs-systemd.patch
===================================================================
--- branches/fc17-dev/server/common/patches/openafs-systemd.patch	(revision 2081)
+++ branches/fc17-dev/server/common/patches/openafs-systemd.patch	(revision 2195)
@@ -32,5 +32,5 @@
 +
 +[Install]
-+WantedBy=multi-user.target
++WantedBy=multi-user.target remote-fs.target
 diff --git a/src/packaging/RedHat/openafs-server.service b/src/packaging/RedHat/openafs-server.service
 new file mode 100644
Index: branches/fc17-dev/server/common/patches/php-cve-2012-1823.patch
===================================================================
--- branches/fc17-dev/server/common/patches/php-cve-2012-1823.patch	(revision 2195)
+++ branches/fc17-dev/server/common/patches/php-cve-2012-1823.patch	(revision 2195)
@@ -0,0 +1,20 @@
+--- sapi/cgi/cgi_main.c.orig	2012-05-03 14:33:04.243763906 -0400
++++ sapi/cgi/cgi_main.c	2012-05-03 14:34:03.294241200 -0400
+@@ -1552,7 +1552,7 @@
+ 		}
+ 	}
+ 
+-	while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
++	if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+ 		switch (c) {
+ 			case 'c':
+ 				if (cgi_sapi_module.php_ini_path_override) {
+@@ -1801,7 +1801,7 @@
+ 	}
+ 
+ 	zend_first_try {
+-		while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
++		if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ 			switch (c) {
+ 				case 'T':
+ 					benchmark = 1;