httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Kaluža <>
Subject Re: Run external RewriteMap program as non-root
Date Thu, 05 Mar 2015 08:54:55 GMT
On 03/05/2015 09:03 AM, Ruediger Pluem wrote:
> On 03/05/2015 07:55 AM, Jan Kaluža wrote:
>> Hi,
>> currently, the External Rewriting Program (RewriteMap "prg:") is run as root. I would
like to change it but I see three
>> ways how to do it:
>> 1. Execute it right after drop_privileges hook. This looks like best way, but I haven't
found any hook which could be
>> used for that (except drop_privileges with APR_HOOK_REALLY_LAST, which does not seem
as proper place to me).
>> 2. Execute it in child_init. This is done after drop_privileges, so the user/group
is good. The "problem" here is that
>> it would execute one rewrite program per child. Right now I'm not sure if it's really
problem. It could be useful to
>> have more instances of rewriting program to make its bottleneck lower.
>> 3. Execute it where it is now (post_config), but set user/group using apr_procattr_t.
So far I think this would
>> duplicate the code of mod_unixd and would probably have to also handle the windows
equivalent of that module (if there's
>> any).
>> What way do you think is the best, or would you do it differently?
>> I'm attaching patch for number 2.
> I would tend to 2. as well, but as far as I remember using the rewritemap program is
synchronized across all processes.
> This raises two questions:
> 1. Does rewriting still work with the current patch?

It does work for me. I've done some tests with curl and ab with 
prefork/event/worker MPMs.

> 2. If it does can stuff be optimized to move from a server wide lock to a process wide
lock (or even no lock for
> prefork) to remove the contention here?

This could be possible, I will look at it.

> OTOH looking at the topic of backwards compatibility existing rewrite programs
> might rely on not working in parallel. Some may even have an issue if more then one copy
of them is running in parallel,
> albeit not processing stuff in parallel which of course would cause an issue with the
proposed patch. Furthermore
> existing setups might expect to be run as root. But this stuff only needs to be considered
when we think about
> backporting and is moot for trunk.

Right, I'm currently thinking only about trunk. For the 2.4.x, we would 
have to do it differently with backward compatibility in mind. I think 
something like option 1 with configuration directive to enable new 
behaviour would be more acceptable for 2.4.x. We would have single 
rewritemap program in this case running as an apache user only if admin 
wants it.

> Regards
> Rüdiger

Jan Kaluza

View raw message