From: Jan Kaluža
Date: Fri, 6 Mar 2015 09:14:07 +0000 (+0000)
Subject: *) mod_rewrite: Add support for starting External Rewriting Programs
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e7dc8e899a6a942e08784337e827c3772c6bb2b5;p=thirdparty%2Fapache%2Fhttpd.git
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1664565 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 064446d6111..15c469ebfa6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
to a local URL-path with the INCLUDES filter active, introduced
in 2.4.11. PR 57531. [Yann Ylavic]
+ *) mod_rewrite: Add support for starting External Rewriting Programs
+ as non-root user on UNIX systems by specifying username and group name
+ as third argument of RewriteMap directive. [Jan Kaluza]
+
*) core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.
diff --git a/docs/manual/rewrite/rewritemap.xml b/docs/manual/rewrite/rewritemap.xml
index a403f541acd..7e4bebdd20f 100644
--- a/docs/manual/rewrite/rewritemap.xml
+++ b/docs/manual/rewrite/rewritemap.xml
@@ -349,6 +349,11 @@ by many requests.
module="mod_rewrite">RewriteEngine set to
on
.
+ By default, external rewriting programs are started as root.
+ This can be changed on UNIX systems by passing user name and
+ group name as third argument to
+ RewriteMap in the username:groupname
format.
+
This feature utilizes the rewrite-map
mutex,
which is required for reliable communication with the program.
The mutex mechanism and lock file can be configured with the
@@ -360,7 +365,7 @@ by many requests.
Rewrite configuration
-RewriteMap d2u prg:/www/bin/dash2under.pl
+RewriteMap d2u prg:/www/bin/dash2under.pl apache:apache
RewriteRule - ${d2u:%{REQUEST_URI}}
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index cc60b5edd40..e22a280ad50 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -267,6 +267,8 @@ typedef struct {
const char *dbdq; /* SQL SELECT statement for rewritemap */
const char *checkfile2; /* filename to check for map existence
NULL if only one file */
+ const char *user; /* run RewriteMap program as this user */
+ const char *group; /* run RewriteMap program as this group */
} rewritemap_entry;
/* special pattern types for RewriteCond */
@@ -1171,6 +1173,7 @@ static void rewrite_child_errfn(apr_pool_t *p, apr_status_t err,
static apr_status_t rewritemap_program_child(apr_pool_t *p,
const char *progname, char **argv,
+ const char *user, const char *group,
apr_file_t **fpout,
apr_file_t **fpin)
{
@@ -1183,6 +1186,8 @@ static apr_status_t rewritemap_program_child(apr_pool_t *p,
APR_FULL_BLOCK, APR_NO_PIPE))
&& APR_SUCCESS == (rc=apr_procattr_dir_set(procattr,
ap_make_dirstr_parent(p, argv[0])))
+ && (!user || APR_SUCCESS == (rc=apr_procattr_user_set(procattr, user, "")))
+ && (!group || APR_SUCCESS == (rc=apr_procattr_group_set(procattr, group)))
&& APR_SUCCESS == (rc=apr_procattr_cmdtype_set(procattr, APR_PROGRAM))
&& APR_SUCCESS == (rc=apr_procattr_child_errfn_set(procattr,
rewrite_child_errfn))
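Review bot: The two added conditions switch only the child's uid and primary gid, and nothing visible here clears the supplementary groups the child inherits from the root parent. As far as I know, APR's Unix `apr_proc_create` calls only `setgid()`/`setuid()` and has no `initgroups()`/`setgroups()` step. That should be confirmed and, if true, documented beside these lines, e.g. `/* only uid and primary gid change; supplementary groups are inherited from the parent */`. When `user` is NULL the program still starts with the parent's identity (root, per the manual text in this commit), so a comment saying the unprivileged mode is opt-in would also help. The function body starts and ends outside the hunk.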
@@ -1240,6 +1245,7 @@ static apr_status_t run_rewritemap_programs(server_rec *s, apr_pool_t *p)
}
rc = rewritemap_program_child(p, map->argv[0], map->argv,
+ map->user, map->group,
&fpout, &fpin);
if (rc != APR_SUCCESS || fpin == NULL || fpout == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, APLOGNO(00654)
@@ -3018,7 +3024,7 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd,
}
static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
- const char *a2)
+ const char *a2, const char *a3)
{
rewrite_server_conf *sconf;
rewritemap_entry *newmap;
@@ -3124,6 +3130,11 @@ static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
newmap->type = MAPTYPE_PRG;
newmap->checkfile = newmap->argv[0];
+ if (a3) {
+ char *tok_cntx;
+ newmap->user = apr_strtok(apr_pstrdup(cmd->pool, a3), ":", &tok_cntx);
+ newmap->group = apr_strtok(NULL, ":", &tok_cntx);
+ }
}
else if (strncasecmp(a2, "int:", 4) == 0) {
newmap->type = MAPTYPE_INT;
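Review bot: The `a3` parsing in the `prg:` branch accepts malformed values without complaint: `apr_strtok` skips leading separators, so `:apache` is read as the user name `apache`, an empty string leaves `user` NULL (the program then keeps the parent's identity), and anything after a second `:` is dropped. A check such as `if (!*a3 || *a3 == ':' || !newmap->user) return "RewriteMap: bad username:groupname argument";` would make a typo fail at configuration time instead of changing which account runs the program. A third argument given with any other map type (`int:` here, and the branches outside this hunk) is silently ignored and should probably be rejected as well. The allocation of `newmap` is outside the hunk; if it is not zero-filled, `user` and `group` are uninitialised whenever `a3` is absent, so confirm that or set both to NULL explicitly.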
@@ -5205,8 +5216,8 @@ static const command_rec command_table[] = {
"an input string and a to be applied regexp-pattern"),
AP_INIT_RAW_ARGS("RewriteRule", cmd_rewriterule, NULL, OR_FILEINFO,
"an URL-applied regexp-pattern and a substitution URL"),
- AP_INIT_TAKE2( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
- "a mapname and a filename"),
+ AP_INIT_TAKE23( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
+ "a mapname and a filename and options"),
{ NULL }
};
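Review bot: The help string `"a mapname and a filename and options"` does not say what the third argument is or that it is only honoured for `prg:` maps. Wording such as `"a mapname, a map source and, for prg: maps, an optional username:groupname"` would match the manual text added in this commit. The command table starts outside the hunk.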