httpd-dev mailing list archives

From Jan Kaluža <>
Subject Re: Run external RewriteMap program as non-root
Date Thu, 05 Mar 2015 09:39:03 GMT
On 03/05/2015 09:54 AM, Jan Kaluža wrote:
> On 03/05/2015 09:03 AM, Ruediger Pluem wrote:
>> On 03/05/2015 07:55 AM, Jan Kaluža wrote:
>>> Hi,
>>> currently, the External Rewriting Program (RewriteMap "prg:") is run
>>> as root. I would like to change it but I see three
>>> ways how to do it:
>>> 1. Execute it right after the drop_privileges hook. This looks like the best
>>> way, but I haven't found any hook which could be
>>> used for that (except drop_privileges with APR_HOOK_REALLY_LAST,
>>> which does not seem like a proper place to me).
>>> 2. Execute it in child_init. This is done after drop_privileges, so
>>> the user/group is good. The "problem" here is that
>>> it would execute one rewrite program per child. Right now I'm not
>>> sure if it's really a problem. It could be useful to
>>> have more instances of rewriting program to make its bottleneck lower.
>>> 3. Execute it where it is now (post_config), but set user/group using
>>> apr_procattr_t. So far I think this would
>>> duplicate the code of mod_unixd and would probably have to also
>>> handle the Windows equivalent of that module (if there's
>>> any).
>>> What way do you think is the best, or would you do it differently?
>>> I'm attaching patch for number 2.
>> I would tend to 2. as well, but as far as I remember using the
>> rewritemap program is synchronized across all processes.
>> This raises two questions:
>> 1. Does rewriting still work with the current patch?
> It does work for me. I've done some tests with curl and ab with
> prefork/event/worker MPMs.
>> 2. If it does, can stuff be optimized to move from a server wide lock
>> to a process wide lock (or even no lock for
>> prefork) to remove the contention here?
> This could be possible, I will look at it.

The attached patch does it and works for me. RewriteMap with an external
program is also 24% faster with prefork with this patch.

Jan Kaluza

>> OTOH looking at the topic of backwards compatibility existing rewrite
>> programs
>> might rely on not working in parallel. Some may even have an issue if
>> more than one copy of them is running in parallel,
>> albeit not processing stuff in parallel which of course would cause an
>> issue with the proposed patch. Furthermore
>> existing setups might expect to be run as root. But this stuff only
>> needs to be considered when we think about
>> backporting and is moot for trunk.
> Right, I'm currently thinking only about trunk. For the 2.4.x, we would
> have to do it differently with backward compatibility in mind. I think
> something like option 1 with configuration directive to enable new
> behaviour would be more acceptable for 2.4.x. We would have single
> rewritemap program in this case running as an apache user only if admin
> wants it.
>> Regards
>> Rüdiger
> Regards,
> Jan Kaluza
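
An added example, not part of the original thread or of the httpd code base: because the thread states that `prg:` helpers are currently started as root, this script lists the `prg:` maps in a configuration and reports any helper, or directory above it, that a non-root account could modify. The sample configuration and paths are constructed, absolute helper paths are assumed, and the `stat_fn` parameter is a hypothetical injection point for testing.

```python
import os
import shlex
import stat

# Constructed sample configuration; the map names and paths are made up.
SAMPLE_CONF = '''
RewriteEngine On
# RewriteMap old prg:/opt/old/map.pl
RewriteMap lower int:tolower
RewriteMap d2u "prg:/srv/www/bin/dash2under.pl"
'''

def prg_maps(conf_text):
    """Yield (map_name, program_path) for each RewriteMap of type prg:."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quotes in an unrelated directive
            continue
        if (len(tok) >= 3 and tok[0].lower() == "rewritemap"
                and tok[2].lower().startswith("prg:")):
            words = tok[2][4:].split()  # first word is the executable
            if words:
                yield tok[1], words[0]

def audit(conf_text, stat_fn=os.stat):
    """Return (map, path, reason) for anything a non-root user could alter."""
    findings = []
    for name, path in prg_maps(conf_text):
        while True:  # check the helper, then every directory above it
            try:
                st = stat_fn(path)
            except OSError:
                findings.append((name, path, "missing"))
                break
            if st.st_uid != 0:
                findings.append((name, path, "not owned by root"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((name, path, "group/world-writable"))
            parent = os.path.dirname(path)
            if not parent or parent == path:
                break
            path = parent
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Run against a real configuration, `audit(open(path).read())` uses `os.stat` directly; directives pulled in through `Include` are not followed.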
