httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n..@apache.org
Subject svn commit: r708935 - in /httpd/httpd/trunk: CHANGES modules/system/ modules/system/mod_unixd.c server/mpm/simple/simple_run.c
Date Wed, 29 Oct 2008 16:41:10 GMT
Author: niq
Date: Wed Oct 29 09:41:10 2008
New Revision: 708935

URL: http://svn.apache.org/viewvc?rev=708935&view=rev
Log:
Introduce modules/system, and mod_unixd.c

mod_unixd.c is only os/unix/unixd.c, turned into a module.
(or more accurately, an ugly hack).  Work in progress, and the
old unixd will have to go once the module build stuff is in place.

This re-introduces some of the unixd stuff (set user, group and chroot)
to mpm_simple, and should work equally well with existing MPMs.
It also paves the way for alternative privilege management schemes,
which can be implemented in alternative modules: this´ll be
necessary to run mpm_simple on non-unix-family platforms, and
of interest for alternative Unix implementations.  By relegating
everything to a child_init hook, we can mix-and-match, though
weĺl need to add a regime that prevents just going right ahead
with nothing and running as root.

Round tuits permitting, we should be able to simplify unixd.h too,
and look towards eliminating it.


Added:
    httpd/httpd/trunk/modules/system/
    httpd/httpd/trunk/modules/system/mod_unixd.c
Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/server/mpm/simple/simple_run.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=708935&r1=708934&r2=708935&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Oct 29 09:41:10 2008
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) unixd: turn existing code into a module, and turn the set user/group
+     and chroot into a child_init function. [Nick Kew]
+
   *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]
 
   *) mod_proxy: Prevent segmentation faults by correctly flushing all buckets

Added: httpd/httpd/trunk/modules/system/mod_unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/system/mod_unixd.c?rev=708935&view=auto
==============================================================================
--- httpd/httpd/trunk/modules/system/mod_unixd.c (added)
+++ httpd/httpd/trunk/modules/system/mod_unixd.c Wed Oct 29 09:41:10 2008
@@ -0,0 +1,791 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_main.h"
+#include "http_log.h"
+#include "unixd.h"
+#include "mpm_common.h"
+#include "os.h"
+#include "ap_mpm.h"
+#include "apr_thread_proc.h"
+#include "apr_strings.h"
+#include "apr_portable.h"
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+/* XXX */
+#include <sys/stat.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+#ifdef HAVE_SYS_SEM_H
+#include <sys/sem.h>
+#endif
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
+
+unixd_config_rec unixd_config;
+int unixd_status = 0;
+
+/* Set group privileges.
+ *
+ * Note that we use the username as set in the config files, rather than
+ * the lookup of to uid --- the same uid may have multiple passwd entries,
+ * with different sets of groups for each.
+ */
+
+static int set_group_privs(void)
+{
+    if (!geteuid()) {
+        const char *name;
+
+        /* Get username if passed as a uid */
+
+        if (unixd_config.user_name[0] == '#') {
+            struct passwd *ent;
+            uid_t uid = atoi(&unixd_config.user_name[1]);
+
+            if ((ent = getpwuid(uid)) == NULL) {
+                ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "getpwuid: couldn't determine user name from uid %u, "
+                         "you probably need to modify the User directive",
+                         (unsigned)uid);
+                return -1;
+            }
+
+            name = ent->pw_name;
+        }
+        else
+            name = unixd_config.user_name;
+
+#if !defined(OS2) && !defined(TPF)
+        /* OS/2 and TPF don't support groups. */
+
+        /*
+         * Set the GID before initgroups(), since on some platforms
+         * setgid() is known to zap the group list.
+         */
+        if (setgid(unixd_config.group_id) == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                        "setgid: unable to set group id to Group %u",
+                        (unsigned)unixd_config.group_id);
+            return -1;
+        }
+
+        /* Reset `groups' attributes. */
+
+        if (initgroups(name, unixd_config.group_id) == -1) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                        "initgroups: unable to set groups for User %s "
+                        "and Group %u", name, (unsigned)unixd_config.group_id);
+            return -1;
+        }
+#endif /* !defined(OS2) && !defined(TPF) */
+    }
+    return 0;
+}
+
+
+static void unixd_setup_child(apr_pool_t *pool, server_rec *s)
+{
+    if (set_group_privs()) {
+        unixd_status = -1;
+        return;
+    }
+
+    if (NULL != unixd_config.chroot_dir) {
+        if (geteuid()) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Cannot chroot when not started as root");
+            unixd_status = -1;
+            return;
+        }
+        if (chdir(unixd_config.chroot_dir) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chdir to %s", unixd_config.chroot_dir);
+            unixd_status = -1;
+            return;
+        }
+        if (chroot(unixd_config.chroot_dir) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chroot to %s", unixd_config.chroot_dir);
+            unixd_status = -1;
+            return;
+        }
+        if (chdir("/") != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chdir to new root");
+            unixd_status = -1;
+            return;
+        }
+    }
+
+#ifdef MPE
+    /* Only try to switch if we're running as MANAGER.SYS */
+    if (geteuid() == 1 && unixd_config.user_id > 1) {
+        GETPRIVMODE();
+        if (setuid(unixd_config.user_id) == -1) {
+            GETUSERMODE();
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                        "setuid: unable to change to uid: %ld",
+                        (long) unixd_config.user_id);
+            exit(1);
+        }
+        GETUSERMODE();
+    }
+#else
+    /* Only try to switch if we're running as root */
+    if (!geteuid() && (
+#ifdef _OSD_POSIX
+        os_init_job_environment(NULL, unixd_config.user_name, ap_exists_config_define("DEBUG"))
!= 0 ||
+#endif
+        setuid(unixd_config.user_id) == -1)) {
+        ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                    "setuid: unable to change to uid: %ld",
+                    (long) unixd_config.user_id);
+        unixd_status = -1;
+        return;
+    }
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+    /* this applies to Linux 2.4+ */
+#ifdef AP_MPM_WANT_SET_COREDUMPDIR
+    if (ap_coredumpdir_configured) {
+        if (prctl(PR_SET_DUMPABLE, 1)) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "set dumpable failed - this child will not coredump"
+                         " after software errors");
+        }
+    }
+#endif
+#endif
+#endif
+    unixd_status = 0;
+}
+
+
+AP_DECLARE(const char *) unixd_set_user(cmd_parms *cmd, void *dummy,
+                                        const char *arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+
+    unixd_config.user_name = arg;
+    unixd_config.user_id = ap_uname2id(arg);
+#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
+    if (unixd_config.user_id == 0) {
+        return "Error:\tApache has not been designed to serve pages while\n"
+                "\trunning as root.  There are known race conditions that\n"
+                "\twill allow any local user to read any file on the system.\n"
+                "\tIf you still desire to serve pages as root then\n"
+                "\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n"
+                "\tand then rebuild the server.\n"
+                "\tIt is strongly suggested that you instead modify the User\n"
+                "\tdirective in your httpd.conf file to list a non-root\n"
+                "\tuser.\n";
+    }
+#endif
+
+    return NULL;
+}
+
+AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy,
+                                         const char *arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+
+    unixd_config.group_id = ap_gname2id(arg);
+
+    return NULL;
+}
+AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
+                                              const char *arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+    if (!ap_is_directory(cmd->pool, arg)) {
+        return "ChrootDir must be a valid directory";
+    }
+
+    unixd_config.chroot_dir = arg;
+    return NULL;
+}
+
+AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
+{
+    apr_finfo_t wrapper;
+
+    unixd_config.user_name = DEFAULT_USER;
+    unixd_config.user_id = ap_uname2id(DEFAULT_USER);
+    unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
+    
+    unixd_config.chroot_dir = NULL; /* none */
+
+    /* Check for suexec */
+    unixd_config.suexec_enabled = 0;
+    if ((apr_stat(&wrapper, SUEXEC_BIN,
+                  APR_FINFO_NORM, ptemp)) != APR_SUCCESS) {
+        return;
+    }
+
+    if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
+        unixd_config.suexec_enabled = 1;
+    }
+}
+
+
+AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
+                           const char *arg, const char * arg2, int type)
+{
+#if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC)
|| defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT
+    char *str;
+    struct rlimit *limit;
+    /* If your platform doesn't define rlim_t then typedef it in ap_config.h */
+    rlim_t cur = 0;
+    rlim_t max = 0;
+
+    *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit));
+    limit = *plimit;
+    if ((getrlimit(type, limit)) != 0)  {
+        *plimit = NULL;
+        ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server,
+                     "%s: getrlimit failed", cmd->cmd->name);
+        return;
+    }
+
+    if ((str = ap_getword_conf(cmd->pool, &arg))) {
+        if (!strcasecmp(str, "max")) {
+            cur = limit->rlim_max;
+        }
+        else {
+            cur = atol(str);
+        }
+    }
+    else {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
+                     "Invalid parameters for %s", cmd->cmd->name);
+        return;
+    }
+
+    if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) {
+        max = atol(str);
+    }
+
+    /* if we aren't running as root, cannot increase max */
+    if (geteuid()) {
+        limit->rlim_cur = cur;
+        if (max) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
+                         "Must be uid 0 to raise maximum %s", cmd->cmd->name);
+        }
+    }
+    else {
+        if (cur) {
+            limit->rlim_cur = cur;
+        }
+        if (max) {
+            limit->rlim_max = max;
+        }
+    }
+#else
+
+    ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
+                 "Platform does not support rlimit for %s", cmd->cmd->name);
+#endif
+}
+
+APR_HOOK_STRUCT(
+               APR_HOOK_LINK(get_suexec_identity)
+)
+
+AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity,
+                         (const request_rec *r), (r), NULL)
+
+static apr_status_t ap_unix_create_privileged_process(
+                              apr_proc_t *newproc, const char *progname,
+                              const char * const *args,
+                              const char * const *env,
+                              apr_procattr_t *attr, ap_unix_identity_t *ugid,
+                              apr_pool_t *p)
+{
+    int i = 0;
+    const char **newargs;
+    char *newprogname;
+    char *execuser, *execgroup;
+    const char *argv0;
+
+    if (!unixd_config.suexec_enabled) {
+        return apr_proc_create(newproc, progname, args, env, attr, p);
+    }
+
+    argv0 = ap_strrchr_c(progname, '/');
+    /* Allow suexec's "/" check to succeed */
+    if (argv0 != NULL) {
+        argv0++;
+    }
+    else {
+        argv0 = progname;
+    }
+
+
+    if (ugid->userdir) {
+        execuser = apr_psprintf(p, "~%ld", (long) ugid->uid);
+    }
+    else {
+        execuser = apr_psprintf(p, "%ld", (long) ugid->uid);
+    }
+    execgroup = apr_psprintf(p, "%ld", (long) ugid->gid);
+
+    if (!execuser || !execgroup) {
+        return APR_ENOMEM;
+    }
+
+    i = 0;
+    if (args) {
+        while (args[i]) {
+            i++;
+            }
+    }
+    /* allocate space for 4 new args, the input args, and a null terminator */
+    newargs = apr_palloc(p, sizeof(char *) * (i + 4));
+    newprogname = SUEXEC_BIN;
+    newargs[0] = SUEXEC_BIN;
+    newargs[1] = execuser;
+    newargs[2] = execgroup;
+    newargs[3] = apr_pstrdup(p, argv0);
+
+    /*
+    ** using a shell to execute suexec makes no sense thus
+    ** we force everything to be APR_PROGRAM, and never
+    ** APR_SHELLCMD
+    */
+    if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
+        return APR_EGENERAL;
+    }
+
+    i = 1;
+    do {
+        newargs[i + 3] = args[i];
+    } while (args[i++]);
+
+    return apr_proc_create(newproc, newprogname, newargs, env, attr, p);
+}
+
+AP_DECLARE(apr_status_t) ap_os_create_privileged_process(
+    const request_rec *r,
+    apr_proc_t *newproc, const char *progname,
+    const char * const *args,
+    const char * const *env,
+    apr_procattr_t *attr, apr_pool_t *p)
+{
+    ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r);
+
+    if (ugid == NULL) {
+        return apr_proc_create(newproc, progname, args, env, attr, p);
+    }
+
+    return ap_unix_create_privileged_process(newproc, progname, args, env,
+                                              attr, ugid, p);
+}
+
+/* XXX move to APR and externalize (but implement differently :) ) */
+static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex)
+{
+    const char *mechname = apr_proc_mutex_name(pmutex);
+
+    if (!strcmp(mechname, "sysvsem")) {
+        return APR_LOCK_SYSVSEM;
+    }
+    else if (!strcmp(mechname, "flock")) {
+        return APR_LOCK_FLOCK;
+    }
+    return APR_LOCK_DEFAULT;
+}
+
+AP_DECLARE(apr_status_t) unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex)
+{
+    if (!geteuid()) {
+        apr_lockmech_e mech = proc_mutex_mech(pmutex);
+
+        switch(mech) {
+#if APR_HAS_SYSVSEM_SERIALIZE
+        case APR_LOCK_SYSVSEM:
+        {
+            apr_os_proc_mutex_t ospmutex;
+#if !APR_HAVE_UNION_SEMUN
+            union semun {
+                long val;
+                struct semid_ds *buf;
+                unsigned short *array;
+            };
+#endif
+            union semun ick;
+            struct semid_ds buf;
+
+            apr_os_proc_mutex_get(&ospmutex, pmutex);
+            buf.sem_perm.uid = unixd_config.user_id;
+            buf.sem_perm.gid = unixd_config.group_id;
+            buf.sem_perm.mode = 0600;
+            ick.buf = &buf;
+            if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) {
+                return errno;
+            }
+        }
+        break;
+#endif
+#if APR_HAS_FLOCK_SERIALIZE
+        case APR_LOCK_FLOCK:
+        {
+            const char *lockfile = apr_proc_mutex_lockfile(pmutex);
+
+            if (lockfile) {
+                if (chown(lockfile, unixd_config.user_id,
+                          -1 /* no gid change */) < 0) {
+                    return errno;
+                }
+            }
+        }
+        break;
+#endif
+        default:
+            /* do nothing */
+            break;
+        }
+    }
+    return APR_SUCCESS;
+}
+
+AP_DECLARE(apr_status_t) unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex)
+{
+#if !APR_PROC_MUTEX_IS_GLOBAL
+    apr_os_global_mutex_t osgmutex;
+    apr_os_global_mutex_get(&osgmutex, gmutex);
+    return unixd_set_proc_mutex_perms(osgmutex.proc_mutex);
+#else  /* APR_PROC_MUTEX_IS_GLOBAL */
+    /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */
+    return unixd_set_proc_mutex_perms(gmutex);
+#endif /* APR_PROC_MUTEX_IS_GLOBAL */
+}
+
+AP_DECLARE(apr_status_t) unixd_accept(void **accepted, ap_listen_rec *lr,
+                                        apr_pool_t *ptrans)
+{
+    apr_socket_t *csd;
+    apr_status_t status;
+#ifdef _OSD_POSIX
+    int sockdes;
+#endif
+
+    *accepted = NULL;
+    status = apr_socket_accept(&csd, lr->sd, ptrans);
+    if (status == APR_SUCCESS) {
+        *accepted = csd;
+#ifdef _OSD_POSIX
+        apr_os_sock_get(&sockdes, csd);
+        if (sockdes >= FD_SETSIZE) {
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+                         "new file descriptor %d is too large; you probably need "
+                         "to rebuild Apache with a larger FD_SETSIZE "
+                         "(currently %d)",
+                         sockdes, FD_SETSIZE);
+            apr_socket_close(csd);
+            return APR_EINTR;
+        }
+#endif
+        return APR_SUCCESS;
+    }
+
+    if (APR_STATUS_IS_EINTR(status)) {
+        return status;
+    }
+    /* Our old behaviour here was to continue after accept()
+     * errors.  But this leads us into lots of troubles
+     * because most of the errors are quite fatal.  For
+     * example, EMFILE can be caused by slow descriptor
+     * leaks (say in a 3rd party module, or libc).  It's
+     * foolish for us to continue after an EMFILE.  We also
+     * seem to tickle kernel bugs on some platforms which
+     * lead to never-ending loops here.  So it seems best
+     * to just exit in most cases.
+     */
+    switch (status) {
+#if defined(HPUX11) && defined(ENOBUFS)
+        /* On HPUX 11.x, the 'ENOBUFS, No buffer space available'
+         * error occurs because the accept() cannot complete.
+         * You will not see ENOBUFS with 10.20 because the kernel
+         * hides any occurrence from being returned to user space.
+         * ENOBUFS with 11.x's TCP/IP stack is possible, and could
+         * occur intermittently. As a work-around, we are going to
+         * ignore ENOBUFS.
+         */
+        case ENOBUFS:
+#endif
+
+#ifdef EPROTO
+        /* EPROTO on certain older kernels really means
+         * ECONNABORTED, so we need to ignore it for them.
+         * See discussion in new-httpd archives nh.9701
+         * search for EPROTO.
+         *
+         * Also see nh.9603, search for EPROTO:
+         * There is potentially a bug in Solaris 2.x x<6,
+         * and other boxes that implement tcp sockets in
+         * userland (i.e. on top of STREAMS).  On these
+         * systems, EPROTO can actually result in a fatal
+         * loop.  See PR#981 for example.  It's hard to
+         * handle both uses of EPROTO.
+         */
+        case EPROTO:
+#endif
+#ifdef ECONNABORTED
+        case ECONNABORTED:
+#endif
+        /* Linux generates the rest of these, other tcp
+         * stacks (i.e. bsd) tend to hide them behind
+         * getsockopt() interfaces.  They occur when
+         * the net goes sour or the client disconnects
+         * after the three-way handshake has been done
+         * in the kernel but before userland has picked
+         * up the socket.
+         */
+#ifdef ECONNRESET
+        case ECONNRESET:
+#endif
+#ifdef ETIMEDOUT
+        case ETIMEDOUT:
+#endif
+#ifdef EHOSTUNREACH
+        case EHOSTUNREACH:
+#endif
+#ifdef ENETUNREACH
+        case ENETUNREACH:
+#endif
+        /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived
+         * TCP stacks when the connection is aborted before
+         * we call connect, but only because our listener
+         * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN)
+         */
+#ifdef EAGAIN
+        case EAGAIN:
+#endif
+#ifdef EWOULDBLOCK
+#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK
+        case EWOULDBLOCK:
+#endif
+#endif
+            break;
+#ifdef ENETDOWN
+        case ENETDOWN:
+            /*
+             * When the network layer has been shut down, there
+             * is not much use in simply exiting: the parent
+             * would simply re-create us (and we'd fail again).
+             * Use the CHILDFATAL code to tear the server down.
+             * @@@ Martin's idea for possible improvement:
+             * A different approach would be to define
+             * a new APEXIT_NETDOWN exit code, the reception
+             * of which would make the parent shutdown all
+             * children, then idle-loop until it detected that
+             * the network is up again, and restart the children.
+             * Ben Hyde noted that temporary ENETDOWN situations
+             * occur in mobile IP.
+             */
+            ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
+                         "apr_socket_accept: giving up.");
+            return APR_EGENERAL;
+#endif /*ENETDOWN*/
+
+#ifdef TPF
+        case EINACT:
+            ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
+                         "offload device inactive");
+            return APR_EGENERAL;
+            break;
+        default:
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
+                         "select/accept error (%d)", status);
+            return APR_EGENERAL;
+#else
+        default:
+#ifdef _OSD_POSIX /* Possibly on other platforms too */
+            /* If the socket has been closed in ap_close_listeners()
+             * by the restart/stop action, we may get EBADF.
+             * Do not print an error in this case.
+             */
+            if (!lr->active && status == EBADF)
+                return status;
+#endif
+            ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf,
+                         "apr_socket_accept: (client socket)");
+            return APR_EGENERAL;
+#endif
+    }
+    return status;
+}
+
+
+#ifdef _OSD_POSIX
+
+#include "apr_lib.h"
+
+#define USER_LEN 8
+
+typedef enum
+{
+    bs2_unknown,     /* not initialized yet. */
+    bs2_noFORK,      /* no fork() because -X flag was specified */
+    bs2_FORK,        /* only fork() because uid != 0 */
+    bs2_UFORK        /* Normally, ufork() is used to switch identities. */
+} bs2_ForkType;
+
+static bs2_ForkType forktype = bs2_unknown;
+
+
+static void ap_str_toupper(char *str)
+{
+    while (*str) {
+        *str = apr_toupper(*str);
+        ++str;
+    }
+}
+
+/* Determine the method for forking off a child in such a way as to
+ * set both the POSIX and BS2000 user id's to the unprivileged user.
+ */
+static bs2_ForkType os_forktype(int one_process)
+{
+    /* have we checked the OS version before? If yes return the previous
+     * result - the OS release isn't going to change suddenly!
+     */
+    if (forktype == bs2_unknown) {
+        /* not initialized yet */
+
+        /* No fork if the one_process option was set */
+        if (one_process) {
+            forktype = bs2_noFORK;
+        }
+        /* If the user is unprivileged, use the normal fork() only. */
+        else if (getuid() != 0) {
+            forktype = bs2_FORK;
+        }
+        else
+            forktype = bs2_UFORK;
+    }
+    return forktype;
+}
+
+
+
+/* This routine complements the setuid() call: it causes the BS2000 job
+ * environment to be switched to the target user's user id.
+ * That is important if CGI scripts try to execute native BS2000 commands.
+ */
+int os_init_job_environment(server_rec *server, const char *user_name, int one_process)
+{
+    bs2_ForkType            type = os_forktype(one_process);
+
+    /* We can be sure that no change to uid==0 is possible because of
+     * the checks in http_core.c:set_user()
+     */
+
+    if (one_process) {
+
+        type = forktype = bs2_noFORK;
+
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, server,
+                     "The debug mode of Apache should only "
+                     "be started by an unprivileged user!");
+        return 0;
+    }
+
+    return 0;
+}
+
+/* BS2000 requires a "special" version of fork() before a setuid() call */
+pid_t os_fork(const char *user)
+{
+    pid_t pid;
+    char  username[USER_LEN+1];
+
+    switch (os_forktype(0)) {
+
+      case bs2_FORK:
+        pid = fork();
+        break;
+
+      case bs2_UFORK:
+        apr_cpystrn(username, user, sizeof username);
+
+        /* Make user name all upper case - for some versions of ufork() */
+        ap_str_toupper(username);
+
+        pid = ufork(username);
+        if (pid == -1 && errno == EPERM) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, errno,
+                         NULL, "ufork: Possible mis-configuration "
+                         "for user %s - Aborting.", user);
+            exit(1);
+        }
+        break;
+
+      default:
+        pid = 0;
+        break;
+    }
+
+    return pid;
+}
+
+#endif /* _OSD_POSIX */
+
+static void unixd_hooks(apr_pool_t *pool)
+{
+    ap_hook_child_init(unixd_setup_child, NULL, NULL, APR_HOOK_FIRST);
+}
+
+static const command_rec unixd_cmds[] = {
+    UNIX_DAEMON_COMMANDS,
+    {NULL}
+};
+
+module AP_MODULE_DECLARE_DATA unixd_module = {
+    STANDARD20_MODULE_STUFF,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    unixd_cmds,
+    unixd_hooks
+};

Modified: httpd/httpd/trunk/server/mpm/simple/simple_run.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/simple/simple_run.c?rev=708935&r1=708934&r2=708935&view=diff
==============================================================================
--- httpd/httpd/trunk/server/mpm/simple/simple_run.c (original)
+++ httpd/httpd/trunk/server/mpm/simple/simple_run.c Wed Oct 29 09:41:10 2008
@@ -28,6 +28,8 @@
 
 #include "ap_listen.h"
 
+#include "mpm.h"
+
 /**
  * Create Timers.
  */
@@ -263,6 +265,11 @@
   /* TODO: These should be a series of hooks, chroot, drop user, SELinux support, etc. */
   /* TODO: chroot support */
   /* TODO: drop to configured user */
+
+  /* TODO: none of the above.  Just a child_init hook, which can be
+   * instantianted in a module
+   */
+  ap_run_child_init(sc->pool, ap_server_conf);
   return 0;
 }
 



Mime
View raw message