*) mod_rewrite: Add support for starting External Rewriting Programs
authorJan Kaluža <jkaluza@apache.org>
Fri, 6 Mar 2015 09:14:07 +0000 (09:14 +0000)
committerJan Kaluža <jkaluza@apache.org>
Fri, 6 Mar 2015 09:14:07 +0000 (09:14 +0000)
   as non-root user on UNIX systems by specifying username and group name
   as third argument of RewriteMap directive.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1664565 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
docs/manual/rewrite/rewritemap.xml
modules/mappers/mod_rewrite.c

diff --git a/CHANGES b/CHANGES
index 064446d61118e9c799c51eb7105df54d7040af87..15c469ebfa6b5a969f939489760acbd276341f82 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      to a local URL-path with the INCLUDES filter active, introduced
      in 2.4.11. PR 57531. [Yann Ylavic]
 
+  *) mod_rewrite: Add support for starting External Rewriting Programs
+     as non-root user on UNIX systems by specifying username and group name
+     as third argument of RewriteMap directive. [Jan Kaluza]
+
   *) core: If explicitly configured, use the KeepaliveTimeout value of the
      virtual host which handled the latest request on the connection, or by
      default the one of the first virtual host bound to the same IP:port.
index a403f541acdd4fb792501fc63c1fdd69a646ec7b..7e4bebdd20fa528d210b87454918cb3ee1034ead 100644 (file)
@@ -349,6 +349,11 @@ by many requests.
     module="mod_rewrite">RewriteEngine</directive> set to
     <code>on</code>.</p>
 
+    <p>By default, external rewriting programs are started as root.
+    This can be changed on UNIX systems by passing user name and
+    group name as third argument to <directive module="mod_rewrite">
+    RewriteMap</directive> in the <code>username:groupname</code> format.</p>
+
     <p>This feature utilizes the <code>rewrite-map</code> mutex,
     which is required for reliable communication with the program.
     The mutex mechanism and lock file can be configured with the
@@ -360,7 +365,7 @@ by many requests.
 <p><strong>Rewrite configuration</strong></p>
     <highlight language="config">
 
-RewriteMap d2u prg:/www/bin/dash2under.pl<br />
+RewriteMap d2u prg:/www/bin/dash2under.pl apache:apache<br />
 RewriteRule - ${d2u:%{REQUEST_URI}}
     </highlight>
 
index cc60b5edd40178bf55e1e75214183d86533bfe0b..e22a280ad5002541237a185ff3329942a1e120f1 100644 (file)
@@ -267,6 +267,8 @@ typedef struct {
     const char *dbdq;              /* SQL SELECT statement for rewritemap */
     const char *checkfile2;        /* filename to check for map existence
                                       NULL if only one file               */
+    const char *user;              /* run RewriteMap program as this user */
+    const char *group;             /* run RewriteMap program as this group */
 } rewritemap_entry;
 
 /* special pattern types for RewriteCond */
@@ -1171,6 +1173,7 @@ static void rewrite_child_errfn(apr_pool_t *p, apr_status_t err,
 
 static apr_status_t rewritemap_program_child(apr_pool_t *p,
                                              const char *progname, char **argv,
+                                             const char *user, const char *group,
                                              apr_file_t **fpout,
                                              apr_file_t **fpin)
 {
@@ -1183,6 +1186,8 @@ static apr_status_t rewritemap_program_child(apr_pool_t *p,
                                                   APR_FULL_BLOCK, APR_NO_PIPE))
         && APR_SUCCESS == (rc=apr_procattr_dir_set(procattr,
                                              ap_make_dirstr_parent(p, argv[0])))
+        && (!user || APR_SUCCESS == (rc=apr_procattr_user_set(procattr, user, "")))
+        && (!group || APR_SUCCESS == (rc=apr_procattr_group_set(procattr, group)))
         && APR_SUCCESS == (rc=apr_procattr_cmdtype_set(procattr, APR_PROGRAM))
         && APR_SUCCESS == (rc=apr_procattr_child_errfn_set(procattr,
                                                            rewrite_child_errfn))
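Review bot: Supplementary groups are not addressed by the added `apr_procattr_user_set(procattr, user, "")` and `apr_procattr_group_set(procattr, group)` conditions, which only record a uid and gid on the procattr, so a map program started from a root parent may still carry the parent's supplementary group list after the switch. As far as I know, APR's UNIX process creation also applies the uid/gid only when the parent's effective uid is 0 and otherwise skips the switch without an error; both points should be confirmed against the APR version in use and recorded in a comment above these lines, e.g. `/* user/group only take effect when httpd starts as root; supplementary groups are not reset here */`. The empty password `""` is presumably ignored on UNIX but may matter on platforms where APR needs a real credential, so the limitation deserves a comment or a platform guard. The enclosing `if` chain starts and ends outside this hunk.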
@@ -1240,6 +1245,7 @@ static apr_status_t run_rewritemap_programs(server_rec *s, apr_pool_t *p)
         }
 
         rc = rewritemap_program_child(p, map->argv[0], map->argv,
+                                      map->user, map->group,
                                       &fpout, &fpin);
         if (rc != APR_SUCCESS || fpin == NULL || fpout == NULL) {
             ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, APLOGNO(00654)
@@ -3018,7 +3024,7 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd,
 }
 
 static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
-                                  const char *a2)
+                                  const char *a2, const char *a3)
 {
     rewrite_server_conf *sconf;
     rewritemap_entry *newmap;
@@ -3124,6 +3130,11 @@ static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
 
         newmap->type      = MAPTYPE_PRG;
         newmap->checkfile = newmap->argv[0];
+        if (a3) {
+            char *tok_cntx;
+            newmap->user = apr_strtok(apr_pstrdup(cmd->pool, a3), ":", &tok_cntx);
+            newmap->group = apr_strtok(NULL, ":", &tok_cntx);
+        }
     }
     else if (strncasecmp(a2, "int:", 4) == 0) {
         newmap->type      = MAPTYPE_INT;
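Review bot: The `username:groupname` parsing in the added `if (a3)` block fails open: `apr_strtok` skips leading separators, so an empty third argument leaves `newmap->user` NULL and the program still starts with the parent's identity, `:apache` stores the group name as the user, and `apache` alone leaves `newmap->group` NULL. Because the option exists to drop privileges, a malformed value should be a configuration error, for example `if (!newmap->user || !newmap->group || a3[0] == ':') return "RewriteMap: third argument must be username:groupname";` directly after the two `apr_strtok` calls (drop the group test if a user-only form is meant to be supported). The block sits only in the `prg:` branch, so now that the directive takes two or three arguments, a third argument on other map types appears to be accepted and silently ignored. The rest of `cmd_rewritemap` is outside this hunk, so that should be checked there.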
@@ -5205,8 +5216,8 @@ static const command_rec command_table[] = {
                      "an input string and a to be applied regexp-pattern"),
     AP_INIT_RAW_ARGS("RewriteRule",     cmd_rewriterule,     NULL, OR_FILEINFO,
                      "an URL-applied regexp-pattern and a substitution URL"),
-    AP_INIT_TAKE2(   "RewriteMap",      cmd_rewritemap,      NULL, RSRC_CONF,
-                     "a mapname and a filename"),
+    AP_INIT_TAKE23(   "RewriteMap",      cmd_rewritemap,      NULL, RSRC_CONF,
+                     "a mapname and a filename and options"),
     { NULL }
 };