#include "http_config.h"
#include "http_main.h"
#include "http_log.h"
-#include "unixd.h"
#include "mpm_common.h"
#include "os.h"
#include "ap_mpm.h"
#include <sys/prctl.h>
#endif
-unixd_config_rec unixd_config;
-int unixd_status = 0;
+
+#ifndef DEFAULT_USER
+#define DEFAULT_USER "#-1"
+#endif
+#ifndef DEFAULT_GROUP
+#define DEFAULT_GROUP "#-1"
+#endif
+
+typedef struct {
+ const char *user_name;
+ uid_t user_id;
+ gid_t group_id;
+ const char *chroot_dir;
+} unixd_config_t;
+
+
+unixd_config_t unixd_config;
/* Set group privileges.
*
}
-static void unixd_setup_child(apr_pool_t *pool, server_rec *s)
+static void
+unixd_setup_child(apr_pool_t *pool, server_rec *s)
{
if (set_group_privs()) {
- unixd_status = -1;
return;
}
if (geteuid()) {
ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
"Cannot chroot when not started as root");
- unixd_status = -1;
return;
}
if (chdir(unixd_config.chroot_dir) != 0) {
ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
"Can't chdir to %s", unixd_config.chroot_dir);
- unixd_status = -1;
return;
}
if (chroot(unixd_config.chroot_dir) != 0) {
ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
"Can't chroot to %s", unixd_config.chroot_dir);
- unixd_status = -1;
return;
}
if (chdir("/") != 0) {
ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
"Can't chdir to new root");
- unixd_status = -1;
return;
}
}
ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
"setuid: unable to change to uid: %ld",
(long) unixd_config.user_id);
- unixd_status = -1;
return;
}
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
#endif
#endif
#endif
- unixd_status = 0;
}
return NULL;
}
-AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy,
+static const char*
+unixd_set_group(cmd_parms *cmd, void *dummy,
const char *arg)
{
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
return NULL;
}
-AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
- const char *arg)
+
+static const char*
+unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
+ const char *arg)
{
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err != NULL) {
return NULL;
}
-AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
+static int
+unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ apr_pool_t *ptemp)
{
- apr_finfo_t wrapper;
-
unixd_config.user_name = DEFAULT_USER;
unixd_config.user_id = ap_uname2id(DEFAULT_USER);
unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
-
- unixd_config.chroot_dir = NULL; /* none */
-
- /* Check for suexec */
- unixd_config.suexec_enabled = 0;
- if ((apr_stat(&wrapper, SUEXEC_BIN,
- APR_FINFO_NORM, ptemp)) != APR_SUCCESS) {
- return;
- }
-
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
- unixd_config.suexec_enabled = 1;
- }
-}
-
-
-AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
- const char *arg, const char * arg2, int type)
-{
-#if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT
- char *str;
- struct rlimit *limit;
- /* If your platform doesn't define rlim_t then typedef it in ap_config.h */
- rlim_t cur = 0;
- rlim_t max = 0;
-
- *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit));
- limit = *plimit;
- if ((getrlimit(type, limit)) != 0) {
- *plimit = NULL;
- ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server,
- "%s: getrlimit failed", cmd->cmd->name);
- return;
- }
-
- if ((str = ap_getword_conf(cmd->pool, &arg))) {
- if (!strcasecmp(str, "max")) {
- cur = limit->rlim_max;
- }
- else {
- cur = atol(str);
- }
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
- "Invalid parameters for %s", cmd->cmd->name);
- return;
- }
- if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) {
- max = atol(str);
- }
-
- /* if we aren't running as root, cannot increase max */
- if (geteuid()) {
- limit->rlim_cur = cur;
- if (max) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
- "Must be uid 0 to raise maximum %s", cmd->cmd->name);
- }
- }
- else {
- if (cur) {
- limit->rlim_cur = cur;
- }
- if (max) {
- limit->rlim_max = max;
- }
- }
-#else
-
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
- "Platform does not support rlimit for %s", cmd->cmd->name);
-#endif
-}
-
-APR_HOOK_STRUCT(
- APR_HOOK_LINK(get_suexec_identity)
-)
-
-AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity,
- (const request_rec *r), (r), NULL)
-
-static apr_status_t ap_unix_create_privileged_process(
- apr_proc_t *newproc, const char *progname,
- const char * const *args,
- const char * const *env,
- apr_procattr_t *attr, ap_unix_identity_t *ugid,
- apr_pool_t *p)
-{
- int i = 0;
- const char **newargs;
- char *newprogname;
- char *execuser, *execgroup;
- const char *argv0;
-
- if (!unixd_config.suexec_enabled) {
- return apr_proc_create(newproc, progname, args, env, attr, p);
- }
-
- argv0 = ap_strrchr_c(progname, '/');
- /* Allow suexec's "/" check to succeed */
- if (argv0 != NULL) {
- argv0++;
- }
- else {
- argv0 = progname;
- }
-
-
- if (ugid->userdir) {
- execuser = apr_psprintf(p, "~%ld", (long) ugid->uid);
- }
- else {
- execuser = apr_psprintf(p, "%ld", (long) ugid->uid);
- }
- execgroup = apr_psprintf(p, "%ld", (long) ugid->gid);
-
- if (!execuser || !execgroup) {
- return APR_ENOMEM;
- }
-
- i = 0;
- if (args) {
- while (args[i]) {
- i++;
- }
- }
- /* allocate space for 4 new args, the input args, and a null terminator */
- newargs = apr_palloc(p, sizeof(char *) * (i + 4));
- newprogname = SUEXEC_BIN;
- newargs[0] = SUEXEC_BIN;
- newargs[1] = execuser;
- newargs[2] = execgroup;
- newargs[3] = apr_pstrdup(p, argv0);
-
- /*
- ** using a shell to execute suexec makes no sense thus
- ** we force everything to be APR_PROGRAM, and never
- ** APR_SHELLCMD
- */
- if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
- return APR_EGENERAL;
- }
-
- i = 1;
- do {
- newargs[i + 3] = args[i];
- } while (args[i++]);
-
- return apr_proc_create(newproc, newprogname, newargs, env, attr, p);
-}
-
-AP_DECLARE(apr_status_t) ap_os_create_privileged_process(
- const request_rec *r,
- apr_proc_t *newproc, const char *progname,
- const char * const *args,
- const char * const *env,
- apr_procattr_t *attr, apr_pool_t *p)
-{
- ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r);
-
- if (ugid == NULL) {
- return apr_proc_create(newproc, progname, args, env, attr, p);
- }
-
- return ap_unix_create_privileged_process(newproc, progname, args, env,
- attr, ugid, p);
-}
-
-/* XXX move to APR and externalize (but implement differently :) ) */
-static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex)
-{
- const char *mechname = apr_proc_mutex_name(pmutex);
-
- if (!strcmp(mechname, "sysvsem")) {
- return APR_LOCK_SYSVSEM;
- }
- else if (!strcmp(mechname, "flock")) {
- return APR_LOCK_FLOCK;
- }
- return APR_LOCK_DEFAULT;
-}
-
-AP_DECLARE(apr_status_t) unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex)
-{
- if (!geteuid()) {
- apr_lockmech_e mech = proc_mutex_mech(pmutex);
-
- switch(mech) {
-#if APR_HAS_SYSVSEM_SERIALIZE
- case APR_LOCK_SYSVSEM:
- {
- apr_os_proc_mutex_t ospmutex;
-#if !APR_HAVE_UNION_SEMUN
- union semun {
- long val;
- struct semid_ds *buf;
- unsigned short *array;
- };
-#endif
- union semun ick;
- struct semid_ds buf;
-
- apr_os_proc_mutex_get(&ospmutex, pmutex);
- buf.sem_perm.uid = unixd_config.user_id;
- buf.sem_perm.gid = unixd_config.group_id;
- buf.sem_perm.mode = 0600;
- ick.buf = &buf;
- if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) {
- return errno;
- }
- }
- break;
-#endif
-#if APR_HAS_FLOCK_SERIALIZE
- case APR_LOCK_FLOCK:
- {
- const char *lockfile = apr_proc_mutex_lockfile(pmutex);
-
- if (lockfile) {
- if (chown(lockfile, unixd_config.user_id,
- -1 /* no gid change */) < 0) {
- return errno;
- }
- }
- }
- break;
-#endif
- default:
- /* do nothing */
- break;
- }
- }
- return APR_SUCCESS;
-}
-
-AP_DECLARE(apr_status_t) unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex)
-{
-#if !APR_PROC_MUTEX_IS_GLOBAL
- apr_os_global_mutex_t osgmutex;
- apr_os_global_mutex_get(&osgmutex, gmutex);
- return unixd_set_proc_mutex_perms(osgmutex.proc_mutex);
-#else /* APR_PROC_MUTEX_IS_GLOBAL */
- /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */
- return unixd_set_proc_mutex_perms(gmutex);
-#endif /* APR_PROC_MUTEX_IS_GLOBAL */
-}
-
-AP_DECLARE(apr_status_t) unixd_accept(void **accepted, ap_listen_rec *lr,
- apr_pool_t *ptrans)
-{
- apr_socket_t *csd;
- apr_status_t status;
-#ifdef _OSD_POSIX
- int sockdes;
-#endif
-
- *accepted = NULL;
- status = apr_socket_accept(&csd, lr->sd, ptrans);
- if (status == APR_SUCCESS) {
- *accepted = csd;
-#ifdef _OSD_POSIX
- apr_os_sock_get(&sockdes, csd);
- if (sockdes >= FD_SETSIZE) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
- "new file descriptor %d is too large; you probably need "
- "to rebuild Apache with a larger FD_SETSIZE "
- "(currently %d)",
- sockdes, FD_SETSIZE);
- apr_socket_close(csd);
- return APR_EINTR;
- }
-#endif
- return APR_SUCCESS;
- }
-
- if (APR_STATUS_IS_EINTR(status)) {
- return status;
- }
- /* Our old behaviour here was to continue after accept()
- * errors. But this leads us into lots of troubles
- * because most of the errors are quite fatal. For
- * example, EMFILE can be caused by slow descriptor
- * leaks (say in a 3rd party module, or libc). It's
- * foolish for us to continue after an EMFILE. We also
- * seem to tickle kernel bugs on some platforms which
- * lead to never-ending loops here. So it seems best
- * to just exit in most cases.
- */
- switch (status) {
-#if defined(HPUX11) && defined(ENOBUFS)
- /* On HPUX 11.x, the 'ENOBUFS, No buffer space available'
- * error occurs because the accept() cannot complete.
- * You will not see ENOBUFS with 10.20 because the kernel
- * hides any occurrence from being returned to user space.
- * ENOBUFS with 11.x's TCP/IP stack is possible, and could
- * occur intermittently. As a work-around, we are going to
- * ignore ENOBUFS.
- */
- case ENOBUFS:
-#endif
-
-#ifdef EPROTO
- /* EPROTO on certain older kernels really means
- * ECONNABORTED, so we need to ignore it for them.
- * See discussion in new-httpd archives nh.9701
- * search for EPROTO.
- *
- * Also see nh.9603, search for EPROTO:
- * There is potentially a bug in Solaris 2.x x<6,
- * and other boxes that implement tcp sockets in
- * userland (i.e. on top of STREAMS). On these
- * systems, EPROTO can actually result in a fatal
- * loop. See PR#981 for example. It's hard to
- * handle both uses of EPROTO.
- */
- case EPROTO:
-#endif
-#ifdef ECONNABORTED
- case ECONNABORTED:
-#endif
- /* Linux generates the rest of these, other tcp
- * stacks (i.e. bsd) tend to hide them behind
- * getsockopt() interfaces. They occur when
- * the net goes sour or the client disconnects
- * after the three-way handshake has been done
- * in the kernel but before userland has picked
- * up the socket.
- */
-#ifdef ECONNRESET
- case ECONNRESET:
-#endif
-#ifdef ETIMEDOUT
- case ETIMEDOUT:
-#endif
-#ifdef EHOSTUNREACH
- case EHOSTUNREACH:
-#endif
-#ifdef ENETUNREACH
- case ENETUNREACH:
-#endif
- /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived
- * TCP stacks when the connection is aborted before
- * we call connect, but only because our listener
- * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN)
- */
-#ifdef EAGAIN
- case EAGAIN:
-#endif
-#ifdef EWOULDBLOCK
-#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK
- case EWOULDBLOCK:
-#endif
-#endif
- break;
-#ifdef ENETDOWN
- case ENETDOWN:
- /*
- * When the network layer has been shut down, there
- * is not much use in simply exiting: the parent
- * would simply re-create us (and we'd fail again).
- * Use the CHILDFATAL code to tear the server down.
- * @@@ Martin's idea for possible improvement:
- * A different approach would be to define
- * a new APEXIT_NETDOWN exit code, the reception
- * of which would make the parent shutdown all
- * children, then idle-loop until it detected that
- * the network is up again, and restart the children.
- * Ben Hyde noted that temporary ENETDOWN situations
- * occur in mobile IP.
- */
- ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
- "apr_socket_accept: giving up.");
- return APR_EGENERAL;
-#endif /*ENETDOWN*/
-
-#ifdef TPF
- case EINACT:
- ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
- "offload device inactive");
- return APR_EGENERAL;
- break;
- default:
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf,
- "select/accept error (%d)", status);
- return APR_EGENERAL;
-#else
- default:
-#ifdef _OSD_POSIX /* Possibly on other platforms too */
- /* If the socket has been closed in ap_close_listeners()
- * by the restart/stop action, we may get EBADF.
- * Do not print an error in this case.
- */
- if (!lr->active && status == EBADF)
- return status;
-#endif
- ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf,
- "apr_socket_accept: (client socket)");
- return APR_EGENERAL;
-#endif
- }
- return status;
-}
-
-
-#ifdef _OSD_POSIX
-
-#include "apr_lib.h"
-
-#define USER_LEN 8
-
-typedef enum
-{
- bs2_unknown, /* not initialized yet. */
- bs2_noFORK, /* no fork() because -X flag was specified */
- bs2_FORK, /* only fork() because uid != 0 */
- bs2_UFORK /* Normally, ufork() is used to switch identities. */
-} bs2_ForkType;
-
-static bs2_ForkType forktype = bs2_unknown;
-
-
-static void ap_str_toupper(char *str)
-{
- while (*str) {
- *str = apr_toupper(*str);
- ++str;
- }
-}
-
-/* Determine the method for forking off a child in such a way as to
- * set both the POSIX and BS2000 user id's to the unprivileged user.
- */
-static bs2_ForkType os_forktype(int one_process)
-{
- /* have we checked the OS version before? If yes return the previous
- * result - the OS release isn't going to change suddenly!
- */
- if (forktype == bs2_unknown) {
- /* not initialized yet */
-
- /* No fork if the one_process option was set */
- if (one_process) {
- forktype = bs2_noFORK;
- }
- /* If the user is unprivileged, use the normal fork() only. */
- else if (getuid() != 0) {
- forktype = bs2_FORK;
- }
- else
- forktype = bs2_UFORK;
- }
- return forktype;
-}
-
-
-
-/* This routine complements the setuid() call: it causes the BS2000 job
- * environment to be switched to the target user's user id.
- * That is important if CGI scripts try to execute native BS2000 commands.
- */
-int os_init_job_environment(server_rec *server, const char *user_name, int one_process)
-{
- bs2_ForkType type = os_forktype(one_process);
-
- /* We can be sure that no change to uid==0 is possible because of
- * the checks in http_core.c:set_user()
- */
-
- if (one_process) {
-
- type = forktype = bs2_noFORK;
-
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, server,
- "The debug mode of Apache should only "
- "be started by an unprivileged user!");
- return 0;
- }
-
- return 0;
-}
-
-/* BS2000 requires a "special" version of fork() before a setuid() call */
-pid_t os_fork(const char *user)
-{
- pid_t pid;
- char username[USER_LEN+1];
-
- switch (os_forktype(0)) {
-
- case bs2_FORK:
- pid = fork();
- break;
-
- case bs2_UFORK:
- apr_cpystrn(username, user, sizeof username);
-
- /* Make user name all upper case - for some versions of ufork() */
- ap_str_toupper(username);
-
- pid = ufork(username);
- if (pid == -1 && errno == EPERM) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, errno,
- NULL, "ufork: Possible mis-configuration "
- "for user %s - Aborting.", user);
- exit(1);
- }
- break;
-
- default:
- pid = 0;
- break;
- }
+ unixd_config.chroot_dir = NULL; /* none */
- return pid;
+ return OK;
}
-#endif /* _OSD_POSIX */
-
static void unixd_hooks(apr_pool_t *pool)
{
+ ap_hook_pre_config(unixd_pre_config,
+ NULL, NULL, APR_HOOK_FIRST);
+
ap_hook_child_init(unixd_setup_child, NULL, NULL, APR_HOOK_FIRST);
}
static const command_rec unixd_cmds[] = {
- UNIX_DAEMON_COMMANDS,
+ AP_INIT_TAKE1("User", unixd_set_user, NULL, RSRC_CONF,
+ "Effective user id for this server"),
+ AP_INIT_TAKE1("Group", unixd_set_group, NULL, RSRC_CONF,
+ "Effective group id for this server"),
+ AP_INIT_TAKE1("ChrootDir", unixd_set_chroot_dir, NULL, RSRC_CONF,
+ "The directory to chroot(2) into"),
{NULL}
};
projects / thirdparty / apache / httpd.git / commitdiff
