From stodd...@apache.org
Subject svn commit: r178283 - /httpd/mod_arm4/trunk/mod_arm4.c /httpd/mod_arm4/trunk/mod_arm4.h
Date Tue, 24 May 2005 21:13:34 GMT
Author: stoddard
Date: Tue May 24 14:13:32 2005
New Revision: 178283

URL: http://svn.apache.org/viewcvs?rev=178283&view=rev
Log:
Hook post_config to set POSIX process capabilities in the parent to be inherited by the child
processes. Some ARM clients use process capabilities for authorization

Added:
    httpd/mod_arm4/trunk/mod_arm4.h
Modified:
    httpd/mod_arm4/trunk/mod_arm4.c

Modified: httpd/mod_arm4/trunk/mod_arm4.c
URL: http://svn.apache.org/viewcvs/httpd/mod_arm4/trunk/mod_arm4.c?rev=178283&r1=178282&r2=178283&view=diff
==============================================================================
--- httpd/mod_arm4/trunk/mod_arm4.c (original)
+++ httpd/mod_arm4/trunk/mod_arm4.c Tue May 24 14:13:32 2005
@@ -34,7 +34,7 @@
 #include "apr_strings.h"
 #include "apr_base64.h"
 #include "http_request.h"
-
+#include "mod_arm4.h"
 #include <stdio.h>
 
 #ifdef WIN32
@@ -660,6 +660,86 @@
     return;
 }
 
+#ifdef USE_CAP_ARM_APPLICATION
+/*
+ * Some ARM agents (on AIX) authorize users to ARM 4 interfaces thru 
+ * Posix capabilities. For those systems, identify this application as
+ * an ARM Application and propagate the capabilities to the child 
+ * processes.
+ */
+static void set_process_capability(server_rec *s)
+{
+    cap_t mycap;
+    cap_flag_value_t capflag;
+    int cap_array[2];
+
+    /*
+     * Test if the CAP_ARM_APPLICATION can be set on this version
+     * of the operating system.  First, get the process' current
+     * capabilities.
+     */
+    mycap = (cap_t) cap_get_proc();
+    if (!mycap) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: cap_get_proc failed.");
+        return;
+    }
+
+    if (cap_get_flag(mycap, CAP_ARM_APPLICATION, CAP_EFFECTIVE, &capflag)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: cap_get_flag failed. This OS does not support "
+                     "CAP_ARM_APPLICATION.");
+        goto exit;
+    }
+
+    /*
+     * Add CAP_ARM_APPLICATION capability to current process.
+     * Always set CAP_PROPAGATE capability. Don't let errors
+     * prevent the server from starting.
+     */
+    cap_array[0] = CAP_PROPAGATE;
+    cap_array[1] = CAP_ARM_APPLICATION;
+
+    if (cap_set_flag(mycap, CAP_EFFECTIVE, 2, cap_array, CAP_SET)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: CAP_EFFECTIVE failed.");
+    }
+
+    if (cap_set_flag(mycap, CAP_INHERITABLE, 2, cap_array, CAP_SET)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: CAP_INHERITABLE failed.");
+    }
+
+    if (cap_set_flag(mycap, CAP_PERMITTED, 2, cap_array, CAP_SET)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: CAP_PERMITTED failed.");
+    }   
+
+    /* Set the process's capabilities, you must be root to do this */
+    if (cap_set_proc(mycap)) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, 
+                     "mod_arm: cap_set_proc() call failed.");
+    }
+    
+exit:
+    /* Free the capability allocated by cap_get_proc() */
+    cap_free(mycap);
+    
+    return;
+}
+#endif
+
+static int arm_post_config(apr_pool_t *p,
+                           apr_pool_t *plog,
+                           apr_pool_t *ptemp,
+                           server_rec *s)
+{
+#ifdef USE_CAP_ARM_APPLICATION
+    set_process_capability(s);
+#endif
+    return OK;
+}
+
 /* arm_fixups:
  * Call arm_start_transaction() in this hook rather than in post_read_request
  * because RemoteUser is not known until after access/auth checks have been 
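Review bot: The cast in `mycap = (cap_t) cap_get_proc();` hides a declaration mismatch: the mod_arm4.h added by this same commit declares `int cap_get_proc(void);`, so if cap_t is a pointer type (as it is in the libcap-style API these prototypes mirror) the handle is narrowed to int and widened back, and on a 64-bit build every later cap_get_flag/cap_set_flag/cap_set_proc/cap_free call may operate on a corrupted pointer. Declare it as `cap_t cap_get_proc(void);` in the header and drop the cast here (`mycap = cap_get_proc();`) so the compiler can check it; the same note applies to the mod_arm4.h hunk below. `int cap_array[2]` is likewise passed where cap_set_flag declares `cap_value_t caps[]`; declaring it `cap_value_t cap_array[2];` avoids relying on the two types being identical. arm_post_config returns OK whichever way set_process_capability goes, which matches the comment inside it but is not visible at the hook; a one-line comment such as `/* capability errors are logged, never fatal: the server must still start */` above the call would make that intent explicit to the next reader.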
@@ -861,6 +941,7 @@
 
 static void arm_register_hooks(apr_pool_t *p)
 {
+    ap_hook_post_config(arm_post_config, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_fixups(arm_fixups, NULL, NULL, APR_HOOK_REALLY_FIRST);
     ap_hook_log_transaction(arm_logger, NULL, NULL, APR_HOOK_LAST);
     ap_hook_post_read_request(arm_post_read_request, NULL, NULL, APR_HOOK_MIDDLE);

Added: httpd/mod_arm4/trunk/mod_arm4.h
URL: http://svn.apache.org/viewcvs/httpd/mod_arm4/trunk/mod_arm4.h?rev=178283&view=auto
==============================================================================
--- httpd/mod_arm4/trunk/mod_arm4.h (added)
+++ httpd/mod_arm4/trunk/mod_arm4.h Tue May 24 14:13:32 2005
@@ -0,0 +1,64 @@
+/* Copyright 2001-2005 The Apache Software Foundation or its licensors, as
+ * applicable.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MOD_ARM4_H
+#define MOD_ARM4_H
+
+/*
+ * Some ARM agents authorize users to ARM 4 interfaces
+ * thru Posix capabilities. IBM EWLM on AIX is one such 
+ * agent. 
+ */
+#ifdef _AIX
+#define USE_CAP_ARM_APPLICATION
+#endif
+
+/* Since POSIX capabilities aren't fully standardized across platforms
+ * hide all the cruft here so that we can keep mod_arm4 module as clean
+ * as possible.
+ */
+#ifdef USE_CAP_ARM_APPLICATION
+
+#ifdef _AIX
+#include <sys/capabilities.h>
+/* Define the capability number for the CAP_ARM_APPLICATION 
+ * capability in the case this program is compiled on a version 
+ * of AIX that does not have the capability defined in 
+ * capabilities.h
+ */
+#ifndef CAP_ARM_APPLICATION
+#define CAP_ARM_APPLICATION 5
+#endif
+/* Declare all the agent functions that -should- be declared in
+ * sys/capabilities.h.
+ */
+void cap_clear(cap_t);
+cap_t cap_init();
+cap_t cap_dup(cap_t);
+int cap_free(void *);
+int cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *);
+int cap_get_proc(void);
+int cap_set_proc(cap_t);
+int cap_set_flag(cap_t cap_p, cap_flag_t flag, int ncap,
+                    cap_value_t caps[], cap_flag_value_t value);
+#else
+/* Linux (and others?) use capability.h */
+#include <sys/capability.h>
+#endif /* ifdef _AIX */
+
+#endif /* ifdef USE_CAP_ARM_APPLICATION */
+
+#endif /* ifndef MOD_ARM4_H */
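Review bot: The fallback `#define CAP_ARM_APPLICATION 5` binds the module to a bare capability number whenever sys/capabilities.h does not define it, and set_process_capability then adds that number to the effective, inheritable and permitted sets of the root parent and marks it for propagation to the children; if an AIX release assigns 5 to some other capability, the runtime cap_get_flag probe in mod_arm4.c cannot detect it, because the query succeeds for any valid number. At minimum the comment above it should record which AIX release and header the value 5 was taken from, e.g. `/* value of CAP_ARM_APPLICATION in sys/capabilities.h on AIX <release: fill in>; verify before building on a newer level */`, and an `#error` in place of the fallback is the safer choice if that provenance is not known. `cap_t cap_init();` is a non-prototype declaration; write `cap_t cap_init(void);` like the neighbouring prototypes. The `#else` branch that includes <sys/capability.h> is unreachable as written, since USE_CAP_ARM_APPLICATION is only defined under _AIX a few lines above; a short comment saying it is a placeholder for future ports would stop a reader from assuming the Linux path is exercised.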


