From: Nick Kew Date: Mon, 3 Nov 2008 00:46:54 +0000 (+0000) Subject: Switch all unix MPMs to use drop_privileges hook (mod_unixd) for startup X-Git-Tag: 2.3.0~162 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72119d92f52e65b666337762daef3023ad4ebee0;p=thirdparty%2Fapache%2Fhttpd.git Switch all unix MPMs to use drop_privileges hook (mod_unixd) for startup and add a flag to prevent running without any module taking responsibility for managing system privileges! git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709993 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/include/mpm_common.h b/include/mpm_common.h
index 27bca5da7b0..91bb1902e76 100644
--- a/include/mpm_common.h
+++ b/include/mpm_common.h
@@ -364,6 +364,10 @@ extern const char *ap_mpm_set_exception_hook(cmd_parms *cmd, void *dummy,
 AP_DECLARE_HOOK(int,monitor,(apr_pool_t *p))
+/* register modules that undertake to manage system security */
+extern int sys_privileges;
+AP_DECLARE_HOOK(int, drop_privileges, (apr_pool_t * pchild, server_rec * s))
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/modules/arch/unix/mod_unixd.c b/modules/arch/unix/mod_unixd.c
index 5d9ee5e0546..1a443f023f1 100644
--- a/modules/arch/unix/mod_unixd.c
+++ b/modules/arch/unix/mod_unixd.c
@@ -49,8 +49,6 @@
 #include
 #endif
-#include "simple_api.h"
-
 #ifndef DEFAULT_USER
 #define DEFAULT_USER "#-1"
 #endif
@@ -281,6 +279,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
 unixd_config.chroot_dir = NULL; /* none */
+ ++sys_privileges;
 return OK;
 }
@@ -289,8 +288,8 @@ static void unixd_hooks(apr_pool_t *pool)
 ap_hook_pre_config(unixd_pre_config, NULL, NULL, APR_HOOK_FIRST);
- ap_hook_simple_drop_privileges(unixd_drop_privileges,
- NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_drop_privileges(unixd_drop_privileges,
+ NULL, NULL, APR_HOOK_FIRST);
 }
 static const command_rec unixd_cmds[] = {
diff --git a/server/core.c b/server/core.c
index 79067fedbd7..c47fa5b5345 100644
--- a/server/core.c
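Review bot: The new `extern int sys_privileges;` in include/mpm_common.h does not match its definition in server/core.c, which this commit writes as `AP_DECLARE(int) sys_privileges = 0;`. `AP_DECLARE` is the function-export macro and carries a calling convention on Windows builds, so an exported variable would normally use the data form on both sides: `AP_DECLARE_DATA extern int sys_privileges;` here and `AP_DECLARE_DATA int sys_privileges = 0;` in core.c. The symbol gates server startup and sits in a public header without the `ap_` prefix, so a name such as `ap_sys_privileges` would lower the chance of colliding with a third-party module's global. The comment that said when the hook runs lived in the deleted simple_api.h and should move here with the `drop_privileges` declaration.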
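Review bot: `++sys_privileges;` in unixd_pre_config (modules/arch/unix/mod_unixd.c) carries no comment, and nothing on the line says that core_pre_config refuses to start the server when this counter is zero. A one-line comment such as `/* tell core this module will drop startup privileges; checked in core_pre_config */` would keep a later cleanup from removing it. The increment is unconditional, so it records that mod_unixd is loaded rather than that unixd_drop_privileges will succeed. The body of unixd_pre_config starts outside the hunk.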
+++ b/server/core.c
@@ -3884,6 +3884,22 @@ static int core_pre_connection(conn_rec *c, void *csd)
 return DONE;
 }
+/* Insist that at least one module will undertake to provide system
+ * security by dropping startup privileges.
+ */
+AP_DECLARE(int) sys_privileges = 0;
+static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp)
+{
+ if (!sys_privileges) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL,
+ "Server MUST relinquish startup privileges before "
+ "accepting connections. Please ensure mod_unixd "
+ "or other system security module is loaded.");
+ return !OK;
+ }
+ return OK;
+}
+
 static void register_hooks(apr_pool_t *p)
 {
 /* create_connection and install_transport_filters are
@@ -3896,6 +3912,7 @@ static void register_hooks(apr_pool_t *p)
 ap_hook_pre_connection(core_pre_connection, NULL, NULL, APR_HOOK_REALLY_LAST);
+ ap_hook_pre_config(core_pre_config,NULL,NULL,APR_HOOK_LAST);
 ap_hook_post_config(core_post_config,NULL,NULL,APR_HOOK_REALLY_FIRST);
 ap_hook_translate_name(ap_core_translate,NULL,NULL,APR_HOOK_REALLY_LAST);
 ap_hook_map_to_storage(core_map_to_storage,NULL,NULL,APR_HOOK_REALLY_LAST);
diff --git a/server/mpm/experimental/event/event.c b/server/mpm/experimental/event/event.c
index 3aa10e686ae..bef7b85e399 100644
--- a/server/mpm/experimental/event/event.c
+++ b/server/mpm/experimental/event/event.c
@@ -1575,7 +1575,7 @@ static void child_main(int child_num_arg)
 /*stuff to do before we switch id's, so we have permissions. */
 ap_reopen_scoreboard(pchild, NULL, 0);
- if (unixd_setup_child()) {
+ if (ap_run_drop_privileges(pchild, ap_server_conf)) {
 clean_child_exit(APEXIT_CHILDFATAL);
 }
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c
index df2c689ffe6..28cfcfdca98 100644
--- a/server/mpm/prefork/prefork.c
+++ b/server/mpm/prefork/prefork.c
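Review bot: `sys_privileges` is only ever incremented in the visible lines and `core_pre_config` in server/core.c never clears it, so the check can pass on a stale value. If pre_config runs again on a restart (as I understand httpd does on every configuration pass) after the privilege module has been removed from the configuration, the counter is still non-zero, no drop_privileges hook is registered, and the children would keep their startup privileges. Resetting after the test makes every pass prove itself: add `sys_privileges = 0;` just before the final `return OK;`, assuming nothing reads the counter later. The check is also not wrapped in any platform conditional in this hunk, so builds that never load mod_unixd need some other module to increment the counter or they will refuse to start.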
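Review bot: `ap_hook_pre_config(core_pre_config,NULL,NULL,APR_HOOK_LAST);` in register_hooks makes the startup check depend on hook ordering: a security module whose own pre_config is registered at APR_HOOK_LAST or APR_HOOK_REALLY_LAST may run after the check and be reported as missing. Registering the check with `APR_HOOK_REALLY_LAST`, and stating next to the declaration in mpm_common.h that the counter must be incremented before that point, would remove the ambiguity. The failure is a refused start, not a server that keeps its startup privileges, so this is a robustness point. register_hooks continues outside the hunk.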
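Review bot: The call `ap_run_drop_privileges(pchild, ap_server_conf)` in child_main of event.c treats a zero return as "privileges dropped", but the hook is implemented in server/mpm_common.c as RUN_ALL with `OK, DECLINED`, which as far as I know also yields OK when no hook is registered or every hook declines. The removed direct call to `unixd_setup_child()` could not be skipped that way, so this call site and the identical ones in prefork.c and worker.c fail closed only through the `sys_privileges` check in core_pre_config. A comment at each call, for example `/* OK is also returned when no module hooked; core_pre_config must have verified sys_privileges */`, would make that dependency visible. Unlike simple_setup_privs in simple_run.c, these three MPMs exit with APEXIT_CHILDFATAL without logging the failure, so an `ap_log_error` at APLOG_CRIT before `clean_child_exit` would help operators. child_main starts and ends outside the hunk.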
@@ -473,7 +473,7 @@ static void child_main(int child_num_arg)
 clean_child_exit(APEXIT_CHILDFATAL);
 }
- if (unixd_setup_child()) {
+ if (ap_run_drop_privileges(pchild, ap_server_conf)) {
 clean_child_exit(APEXIT_CHILDFATAL);
 }
diff --git a/server/mpm/simple/simple_api.c b/server/mpm/simple/simple_api.c
index 05a0d475d40..07cd9f0d0fc 100644
--- a/server/mpm/simple/simple_api.c
+++ b/server/mpm/simple/simple_api.c
@@ -25,7 +25,6 @@
 #include "simple_types.h"
 #include "simple_run.h"
 #include "http_core.h"
-#include "simple_api.h"
 /* Thie file contains the absolute minimal MPM API, to interface with httpd. */
@@ -33,13 +32,6 @@ ap_generation_t volatile ap_my_generation = 0;
 server_rec *ap_server_conf = NULL;
-APR_HOOK_STRUCT(APR_HOOK_LINK(simple_drop_privileges)
- )
-
-AP_IMPLEMENT_HOOK_RUN_ALL(int, simple_drop_privileges,
- (apr_pool_t * pchild, server_rec * s),
- (pchild, s), OK, DECLINED)
-
 int ap_mpm_run(apr_pool_t * pconf, apr_pool_t * plog, server_rec * s)
 {
 simple_core_t *sc = simple_core_get();
diff --git a/server/mpm/simple/simple_api.h b/server/mpm/simple/simple_api.h
deleted file mode 100644
index 4ef4d80a21c..00000000000
--- a/server/mpm/simple/simple_api.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "apr.h"
-#include "apr_pools.h"
-#include "apr_poll.h"
-#include "apr_hash.h"
-#include "apr_ring.h"
-#include "apr_thread_pool.h"
-#include "apr_buckets.h"
-#include "httpd.h"
-
-#ifndef APACHE_MPM_SIMPLE_API_H
-#define APACHE_MPM_SIMPLE_API_H
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-/* Called after child as forked, before child_init, to be used by modules that
- * wish to chroot or change the processes running UserID before we begin serving requests.
- */
- AP_DECLARE_HOOK(int, simple_drop_privileges,
- (apr_pool_t * pchild, server_rec * s))
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* APACHE_MPM_SIMPLE_API_H */
diff --git a/server/mpm/simple/simple_run.c b/server/mpm/simple/simple_run.c
index b6982af5231..b9febc70c0c 100644
--- a/server/mpm/simple/simple_run.c
+++ b/server/mpm/simple/simple_run.c
@@ -27,7 +27,6 @@
 #include "scoreboard.h"
 #include "ap_listen.h"
-#include "simple_api.h"
 #include "mpm.h"
 /**
@@ -240,11 +239,11 @@ void simple_single_process_hack(simple_core_t * sc)
 static int simple_setup_privs(simple_core_t * sc)
 {
- int rv = ap_run_simple_drop_privileges(sc->pool, ap_server_conf);
+ int rv = ap_run_drop_privileges(sc->pool, ap_server_conf);
 if (rv) {
 ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL,
- "simple_setup_privs: ap_run_simple_drop_privileges failed");
+ "simple_setup_privs: ap_run_drop_privileges failed");
 return rv;
 }
@@ -296,8 +295,7 @@ int simple_child_loop(simple_core_t * sc)
 rv = simple_setup_privs(sc);
 if (rv) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL,
- "simple_child_loop: simple_drop_privs failed");
+ /* simple_setup_privs already logged error */
 return !OK;
 }
diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c
index ed032df7631..16ade8fcac9 100644
--- a/server/mpm/worker/worker.c
+++ b/server/mpm/worker/worker.c
@@ -1143,7 +1143,7 @@ static void child_main(int child_num_arg)
 clean_child_exit(APEXIT_CHILDFATAL);
 }
- if (unixd_setup_child()) {
+ if (ap_run_drop_privileges(pchild, ap_server_conf)) {
 clean_child_exit(APEXIT_CHILDFATAL);
 }
diff --git a/server/mpm_common.c b/server/mpm_common.c
index 3c04350496b..1b292814f40 100644
--- a/server/mpm_common.c
+++ b/server/mpm_common.c
@@ -64,16 +64,21 @@ APR_HOOK_STRUCT( APR_HOOK_LINK(fatal_exception)
 APR_HOOK_LINK(monitor)
+ APR_HOOK_LINK(drop_privileges)
 )
 AP_IMPLEMENT_HOOK_RUN_ALL(int, fatal_exception, (ap_exception_info_t *ei), (ei), OK, DECLINED)
 #else
 APR_HOOK_STRUCT( APR_HOOK_LINK(monitor)
+ APR_HOOK_LINK(drop_privileges)
 )
 #endif
 AP_IMPLEMENT_HOOK_RUN_ALL(int, monitor, (apr_pool_t *p), (p), OK, DECLINED)
+AP_IMPLEMENT_HOOK_RUN_ALL(int, drop_privileges,
+ (apr_pool_t * pchild, server_rec * s),
+ (pchild, s), OK, DECLINED)
 #ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
@@ -1299,4 +1304,3 @@ AP_DECLARE(void) ap_mpm_register_timed_callback(apr_time_t t,
 }
 #endif /* AP_MPM_HAS_USER_CALLBACKS */
-