From: Paul Querna Date: Thu, 30 Oct 2008 00:36:39 +0000 (+0000) Subject: Strip down mod_unixd to only do chroot and changing the UID. X-Git-Tag: 2.3.0~204 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0519c3836ff2a05c79e494857cfc0c30704c7f19;p=thirdparty%2Fapache%2Fhttpd.git Strip down mod_unixd to only do chroot and changing the UID. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709058 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c index 92ec6aaa86b..678f2fe3dd0 100644 --- a/modules/arch/unix/mod_unixd.c +++ b/modules/arch/unix/mod_unixd.c @@ -19,7 +19,6 @@ #include "http_config.h" #include "http_main.h" #include "http_log.h" -#include "unixd.h" #include "mpm_common.h" #include "os.h" #include "ap_mpm.h" @@ -50,8 +49,23 @@ #include #endif -unixd_config_rec unixd_config; -int unixd_status = 0; + +#ifndef DEFAULT_USER +#define DEFAULT_USER "#-1" +#endif +#ifndef DEFAULT_GROUP +#define DEFAULT_GROUP "#-1" +#endif + +typedef struct { + const char *user_name; + uid_t user_id; + gid_t group_id; + const char *chroot_dir; +} unixd_config_t; + + +unixd_config_t unixd_config; /* Set group privileges. * @@ -112,10 +126,10 @@ static int set_group_privs(void) } -static void unixd_setup_child(apr_pool_t *pool, server_rec *s) +static void +unixd_setup_child(apr_pool_t *pool, server_rec *s) { if (set_group_privs()) { - unixd_status = -1; return; } @@ -123,25 +137,21 @@ static void unixd_setup_child(apr_pool_t *pool, server_rec *s) if (geteuid()) { ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, "Cannot chroot when not started as root"); - unixd_status = -1; return; } if (chdir(unixd_config.chroot_dir) != 0) { ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, "Can't chdir to %s", unixd_config.chroot_dir); - unixd_status = -1; return; } if (chroot(unixd_config.chroot_dir) != 0) { ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, "Can't chroot to %s", unixd_config.chroot_dir); - unixd_status = -1; return; } if (chdir("/") != 0) { ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, "Can't chdir to new root"); - unixd_status = -1; return; } } @@ -169,7 +179,6 @@ static void unixd_setup_child(apr_pool_t *pool, server_rec *s) ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, "setuid: unable to change to uid: %ld", (long) unixd_config.user_id); - unixd_status = -1; return; } #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) @@ -185,7 +194,6 @@ static void unixd_setup_child(apr_pool_t *pool, server_rec *s) #endif #endif #endif - unixd_status = 0; } @@ -216,7 +224,8 @@ AP_DECLARE(const char *) unixd_set_user(cmd_parms *cmd, void *dummy, return NULL; } -AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy, +static const char* +unixd_set_group(cmd_parms *cmd, void *dummy, const char *arg) { const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); @@ -228,8 +237,10 @@ AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy, return NULL; } -AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy, - const char *arg) + +static const char* +unixd_set_chroot_dir(cmd_parms *cmd, void *dummy, + const char *arg) { const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); if (err != NULL) { @@ -243,540 +254,34 @@ AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy, return NULL; } -AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp) +static int +unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, + apr_pool_t *ptemp) { - apr_finfo_t wrapper; - unixd_config.user_name = DEFAULT_USER; unixd_config.user_id = ap_uname2id(DEFAULT_USER); unixd_config.group_id = ap_gname2id(DEFAULT_GROUP); - - unixd_config.chroot_dir = NULL; /* none */ - - /* Check for suexec */ - unixd_config.suexec_enabled = 0; - if ((apr_stat(&wrapper, SUEXEC_BIN, - APR_FINFO_NORM, ptemp)) != APR_SUCCESS) { - return; - } - - if ((wrapper.protection & APR_USETID) && wrapper.user == 0) { - unixd_config.suexec_enabled = 1; - } -} - - -AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit, - const char *arg, const char * arg2, int type) -{ -#if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT - char *str; - struct rlimit *limit; - /* If your platform doesn't define rlim_t then typedef it in ap_config.h */ - rlim_t cur = 0; - rlim_t max = 0; - - *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit)); - limit = *plimit; - if ((getrlimit(type, limit)) != 0) { - *plimit = NULL; - ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server, - "%s: getrlimit failed", cmd->cmd->name); - return; - } - - if ((str = ap_getword_conf(cmd->pool, &arg))) { - if (!strcasecmp(str, "max")) { - cur = limit->rlim_max; - } - else { - cur = atol(str); - } - } - else { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, - "Invalid parameters for %s", cmd->cmd->name); - return; - } - if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) { - max = atol(str); - } - - /* if we aren't running as root, cannot increase max */ - if (geteuid()) { - limit->rlim_cur = cur; - if (max) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, - "Must be uid 0 to raise maximum %s", cmd->cmd->name); - } - } - else { - if (cur) { - limit->rlim_cur = cur; - } - if (max) { - limit->rlim_max = max; - } - } -#else - - ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, - "Platform does not support rlimit for %s", cmd->cmd->name); -#endif -} - -APR_HOOK_STRUCT( - APR_HOOK_LINK(get_suexec_identity) -) - -AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity, - (const request_rec *r), (r), NULL) - -static apr_status_t ap_unix_create_privileged_process( - apr_proc_t *newproc, const char *progname, - const char * const *args, - const char * const *env, - apr_procattr_t *attr, ap_unix_identity_t *ugid, - apr_pool_t *p) -{ - int i = 0; - const char **newargs; - char *newprogname; - char *execuser, *execgroup; - const char *argv0; - - if (!unixd_config.suexec_enabled) { - return apr_proc_create(newproc, progname, args, env, attr, p); - } - - argv0 = ap_strrchr_c(progname, '/'); - /* Allow suexec's "/" check to succeed */ - if (argv0 != NULL) { - argv0++; - } - else { - argv0 = progname; - } - - - if (ugid->userdir) { - execuser = apr_psprintf(p, "~%ld", (long) ugid->uid); - } - else { - execuser = apr_psprintf(p, "%ld", (long) ugid->uid); - } - execgroup = apr_psprintf(p, "%ld", (long) ugid->gid); - - if (!execuser || !execgroup) { - return APR_ENOMEM; - } - - i = 0; - if (args) { - while (args[i]) { - i++; - } - } - /* allocate space for 4 new args, the input args, and a null terminator */ - newargs = apr_palloc(p, sizeof(char *) * (i + 4)); - newprogname = SUEXEC_BIN; - newargs[0] = SUEXEC_BIN; - newargs[1] = execuser; - newargs[2] = execgroup; - newargs[3] = apr_pstrdup(p, argv0); - - /* - ** using a shell to execute suexec makes no sense thus - ** we force everything to be APR_PROGRAM, and never - ** APR_SHELLCMD - */ - if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) { - return APR_EGENERAL; - } - - i = 1; - do { - newargs[i + 3] = args[i]; - } while (args[i++]); - - return apr_proc_create(newproc, newprogname, newargs, env, attr, p); -} - -AP_DECLARE(apr_status_t) ap_os_create_privileged_process( - const request_rec *r, - apr_proc_t *newproc, const char *progname, - const char * const *args, - const char * const *env, - apr_procattr_t *attr, apr_pool_t *p) -{ - ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r); - - if (ugid == NULL) { - return apr_proc_create(newproc, progname, args, env, attr, p); - } - - return ap_unix_create_privileged_process(newproc, progname, args, env, - attr, ugid, p); -} - -/* XXX move to APR and externalize (but implement differently :) ) */ -static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex) -{ - const char *mechname = apr_proc_mutex_name(pmutex); - - if (!strcmp(mechname, "sysvsem")) { - return APR_LOCK_SYSVSEM; - } - else if (!strcmp(mechname, "flock")) { - return APR_LOCK_FLOCK; - } - return APR_LOCK_DEFAULT; -} - -AP_DECLARE(apr_status_t) unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex) -{ - if (!geteuid()) { - apr_lockmech_e mech = proc_mutex_mech(pmutex); - - switch(mech) { -#if APR_HAS_SYSVSEM_SERIALIZE - case APR_LOCK_SYSVSEM: - { - apr_os_proc_mutex_t ospmutex; -#if !APR_HAVE_UNION_SEMUN - union semun { - long val; - struct semid_ds *buf; - unsigned short *array; - }; -#endif - union semun ick; - struct semid_ds buf; - - apr_os_proc_mutex_get(&ospmutex, pmutex); - buf.sem_perm.uid = unixd_config.user_id; - buf.sem_perm.gid = unixd_config.group_id; - buf.sem_perm.mode = 0600; - ick.buf = &buf; - if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) { - return errno; - } - } - break; -#endif -#if APR_HAS_FLOCK_SERIALIZE - case APR_LOCK_FLOCK: - { - const char *lockfile = apr_proc_mutex_lockfile(pmutex); - - if (lockfile) { - if (chown(lockfile, unixd_config.user_id, - -1 /* no gid change */) < 0) { - return errno; - } - } - } - break; -#endif - default: - /* do nothing */ - break; - } - } - return APR_SUCCESS; -} - -AP_DECLARE(apr_status_t) unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex) -{ -#if !APR_PROC_MUTEX_IS_GLOBAL - apr_os_global_mutex_t osgmutex; - apr_os_global_mutex_get(&osgmutex, gmutex); - return unixd_set_proc_mutex_perms(osgmutex.proc_mutex); -#else /* APR_PROC_MUTEX_IS_GLOBAL */ - /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */ - return unixd_set_proc_mutex_perms(gmutex); -#endif /* APR_PROC_MUTEX_IS_GLOBAL */ -} - -AP_DECLARE(apr_status_t) unixd_accept(void **accepted, ap_listen_rec *lr, - apr_pool_t *ptrans) -{ - apr_socket_t *csd; - apr_status_t status; -#ifdef _OSD_POSIX - int sockdes; -#endif - - *accepted = NULL; - status = apr_socket_accept(&csd, lr->sd, ptrans); - if (status == APR_SUCCESS) { - *accepted = csd; -#ifdef _OSD_POSIX - apr_os_sock_get(&sockdes, csd); - if (sockdes >= FD_SETSIZE) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, - "new file descriptor %d is too large; you probably need " - "to rebuild Apache with a larger FD_SETSIZE " - "(currently %d)", - sockdes, FD_SETSIZE); - apr_socket_close(csd); - return APR_EINTR; - } -#endif - return APR_SUCCESS; - } - - if (APR_STATUS_IS_EINTR(status)) { - return status; - } - /* Our old behaviour here was to continue after accept() - * errors. But this leads us into lots of troubles - * because most of the errors are quite fatal. For - * example, EMFILE can be caused by slow descriptor - * leaks (say in a 3rd party module, or libc). It's - * foolish for us to continue after an EMFILE. We also - * seem to tickle kernel bugs on some platforms which - * lead to never-ending loops here. So it seems best - * to just exit in most cases. - */ - switch (status) { -#if defined(HPUX11) && defined(ENOBUFS) - /* On HPUX 11.x, the 'ENOBUFS, No buffer space available' - * error occurs because the accept() cannot complete. - * You will not see ENOBUFS with 10.20 because the kernel - * hides any occurrence from being returned to user space. - * ENOBUFS with 11.x's TCP/IP stack is possible, and could - * occur intermittently. As a work-around, we are going to - * ignore ENOBUFS. - */ - case ENOBUFS: -#endif - -#ifdef EPROTO - /* EPROTO on certain older kernels really means - * ECONNABORTED, so we need to ignore it for them. - * See discussion in new-httpd archives nh.9701 - * search for EPROTO. - * - * Also see nh.9603, search for EPROTO: - * There is potentially a bug in Solaris 2.x x<6, - * and other boxes that implement tcp sockets in - * userland (i.e. on top of STREAMS). On these - * systems, EPROTO can actually result in a fatal - * loop. See PR#981 for example. It's hard to - * handle both uses of EPROTO. - */ - case EPROTO: -#endif -#ifdef ECONNABORTED - case ECONNABORTED: -#endif - /* Linux generates the rest of these, other tcp - * stacks (i.e. bsd) tend to hide them behind - * getsockopt() interfaces. They occur when - * the net goes sour or the client disconnects - * after the three-way handshake has been done - * in the kernel but before userland has picked - * up the socket. - */ -#ifdef ECONNRESET - case ECONNRESET: -#endif -#ifdef ETIMEDOUT - case ETIMEDOUT: -#endif -#ifdef EHOSTUNREACH - case EHOSTUNREACH: -#endif -#ifdef ENETUNREACH - case ENETUNREACH: -#endif - /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived - * TCP stacks when the connection is aborted before - * we call connect, but only because our listener - * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN) - */ -#ifdef EAGAIN - case EAGAIN: -#endif -#ifdef EWOULDBLOCK -#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK - case EWOULDBLOCK: -#endif -#endif - break; -#ifdef ENETDOWN - case ENETDOWN: - /* - * When the network layer has been shut down, there - * is not much use in simply exiting: the parent - * would simply re-create us (and we'd fail again). - * Use the CHILDFATAL code to tear the server down. - * @@@ Martin's idea for possible improvement: - * A different approach would be to define - * a new APEXIT_NETDOWN exit code, the reception - * of which would make the parent shutdown all - * children, then idle-loop until it detected that - * the network is up again, and restart the children. - * Ben Hyde noted that temporary ENETDOWN situations - * occur in mobile IP. - */ - ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, - "apr_socket_accept: giving up."); - return APR_EGENERAL; -#endif /*ENETDOWN*/ - -#ifdef TPF - case EINACT: - ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, - "offload device inactive"); - return APR_EGENERAL; - break; - default: - ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, - "select/accept error (%d)", status); - return APR_EGENERAL; -#else - default: -#ifdef _OSD_POSIX /* Possibly on other platforms too */ - /* If the socket has been closed in ap_close_listeners() - * by the restart/stop action, we may get EBADF. - * Do not print an error in this case. - */ - if (!lr->active && status == EBADF) - return status; -#endif - ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, - "apr_socket_accept: (client socket)"); - return APR_EGENERAL; -#endif - } - return status; -} - - -#ifdef _OSD_POSIX - -#include "apr_lib.h" - -#define USER_LEN 8 - -typedef enum -{ - bs2_unknown, /* not initialized yet. */ - bs2_noFORK, /* no fork() because -X flag was specified */ - bs2_FORK, /* only fork() because uid != 0 */ - bs2_UFORK /* Normally, ufork() is used to switch identities. */ -} bs2_ForkType; - -static bs2_ForkType forktype = bs2_unknown; - - -static void ap_str_toupper(char *str) -{ - while (*str) { - *str = apr_toupper(*str); - ++str; - } -} - -/* Determine the method for forking off a child in such a way as to - * set both the POSIX and BS2000 user id's to the unprivileged user. - */ -static bs2_ForkType os_forktype(int one_process) -{ - /* have we checked the OS version before? If yes return the previous - * result - the OS release isn't going to change suddenly! - */ - if (forktype == bs2_unknown) { - /* not initialized yet */ - - /* No fork if the one_process option was set */ - if (one_process) { - forktype = bs2_noFORK; - } - /* If the user is unprivileged, use the normal fork() only. */ - else if (getuid() != 0) { - forktype = bs2_FORK; - } - else - forktype = bs2_UFORK; - } - return forktype; -} - - - -/* This routine complements the setuid() call: it causes the BS2000 job - * environment to be switched to the target user's user id. - * That is important if CGI scripts try to execute native BS2000 commands. - */ -int os_init_job_environment(server_rec *server, const char *user_name, int one_process) -{ - bs2_ForkType type = os_forktype(one_process); - - /* We can be sure that no change to uid==0 is possible because of - * the checks in http_core.c:set_user() - */ - - if (one_process) { - - type = forktype = bs2_noFORK; - - ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, - "The debug mode of Apache should only " - "be started by an unprivileged user!"); - return 0; - } - - return 0; -} - -/* BS2000 requires a "special" version of fork() before a setuid() call */ -pid_t os_fork(const char *user) -{ - pid_t pid; - char username[USER_LEN+1]; - - switch (os_forktype(0)) { - - case bs2_FORK: - pid = fork(); - break; - - case bs2_UFORK: - apr_cpystrn(username, user, sizeof username); - - /* Make user name all upper case - for some versions of ufork() */ - ap_str_toupper(username); - - pid = ufork(username); - if (pid == -1 && errno == EPERM) { - ap_log_error(APLOG_MARK, APLOG_EMERG, errno, - NULL, "ufork: Possible mis-configuration " - "for user %s - Aborting.", user); - exit(1); - } - break; - - default: - pid = 0; - break; - } + unixd_config.chroot_dir = NULL; /* none */ - return pid; + return OK; } -#endif /* _OSD_POSIX */ - static void unixd_hooks(apr_pool_t *pool) { + ap_hook_pre_config(unixd_pre_config, + NULL, NULL, APR_HOOK_FIRST); + ap_hook_child_init(unixd_setup_child, NULL, NULL, APR_HOOK_FIRST); } static const command_rec unixd_cmds[] = { - UNIX_DAEMON_COMMANDS, + AP_INIT_TAKE1("User", unixd_set_user, NULL, RSRC_CONF, + "Effective user id for this server"), + AP_INIT_TAKE1("Group", unixd_set_group, NULL, RSRC_CONF, + "Effective group id for this server"), + AP_INIT_TAKE1("ChrootDir", unixd_set_chroot_dir, NULL, RSRC_CONF, + "The directory to chroot(2) into"), {NULL} };