diff options
Diffstat (limited to '')
-rw-r--r-- | os/unix/unixd.c | 733 |
1 files changed, 733 insertions, 0 deletions
diff --git a/os/unix/unixd.c b/os/unix/unixd.c new file mode 100644 index 0000000..0245720 --- /dev/null +++ b/os/unix/unixd.c @@ -0,0 +1,733 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "ap_config.h" +#include "httpd.h" +#include "http_config.h" +#include "http_main.h" +#include "http_core.h" +#include "http_log.h" +#include "unixd.h" +#include "mpm_common.h" +#include "os.h" +#include "ap_mpm.h" +#include "apr_thread_proc.h" +#include "apr_signal.h" +#include "apr_strings.h" +#include "apr_portable.h" +#ifdef HAVE_PWD_H +#include <pwd.h> +#endif +#ifdef HAVE_SYS_RESOURCE_H +#include <sys/resource.h> +#endif +/* XXX */ +#include <sys/stat.h> +#ifdef HAVE_UNISTD_H +#include <unistd.h> +#endif +#ifdef HAVE_GRP_H +#include <grp.h> +#endif +#ifdef HAVE_STRINGS_H +#include <strings.h> +#endif +#ifdef HAVE_SYS_SEM_H +#include <sys/sem.h> +#endif +#ifdef HAVE_SYS_PRCTL_H +#include <sys/prctl.h> +#endif + +unixd_config_rec ap_unixd_config; + +APLOG_USE_MODULE(core); + +AP_DECLARE(void) ap_unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit, + const char *arg, + const char * arg2, int type) +{ +#if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT + char *str; + struct rlimit *limit; + /* If your platform doesn't define rlim_t then typedef it in ap_config.h */ + rlim_t cur = 0; + rlim_t max = 0; + + *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit)); + limit = *plimit; + if ((getrlimit(type, limit)) != 0) { + *plimit = NULL; + ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server, APLOGNO(02172) + "%s: getrlimit failed", cmd->cmd->name); + return; + } + + if (*(str = ap_getword_conf(cmd->temp_pool, &arg)) != '\0') { + if (!strcasecmp(str, "max")) { + cur = limit->rlim_max; + } + else { + cur = atol(str); + } + } + else { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02173) + "Invalid parameters for %s", cmd->cmd->name); + return; + } + + if (arg2 && (*(str = ap_getword_conf(cmd->temp_pool, &arg2)) != '\0')) { + max = atol(str); + } + + /* if we aren't running as root, cannot increase max */ + if (geteuid()) { + limit->rlim_cur = cur; + if (max && (max > limit->rlim_max)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02174) + "Must be uid 0 to raise maximum %s", cmd->cmd->name); + } + else if (max) { + limit->rlim_max = max; + } + } + else { + if (cur) { + limit->rlim_cur = cur; + } + if (max) { + limit->rlim_max = max; + } + } +#else + + ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02175) + "Platform does not support rlimit for %s", cmd->cmd->name); +#endif +} + +APR_HOOK_STRUCT( + APR_HOOK_LINK(get_suexec_identity) +) + +AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity, + (const request_rec *r), (r), NULL) + +static apr_status_t ap_unix_create_privileged_process( + apr_proc_t *newproc, const char *progname, + const char * const *args, + const char * const *env, + apr_procattr_t *attr, ap_unix_identity_t *ugid, + apr_pool_t *p) +{ + int i = 0; + const char **newargs; + char *newprogname; + char *execuser, *execgroup; + const char *argv0; + + if (!ap_unixd_config.suexec_enabled) { + return apr_proc_create(newproc, progname, args, env, attr, p); + } + + argv0 = ap_strrchr_c(progname, '/'); + /* Allow suexec's "/" check to succeed */ + if (argv0 != NULL) { + argv0++; + } + else { + argv0 = progname; + } + + + if (ugid->userdir) { + execuser = apr_psprintf(p, "~%ld", (long) ugid->uid); + } + else { + execuser = apr_psprintf(p, "%ld", (long) ugid->uid); + } + execgroup = apr_psprintf(p, "%ld", (long) ugid->gid); + + if (!execuser || !execgroup) { + return APR_ENOMEM; + } + + i = 0; + while (args[i]) + i++; + /* allocate space for 4 new args, the input args, and a null terminator */ + newargs = apr_palloc(p, sizeof(char *) * (i + 4)); + newprogname = SUEXEC_BIN; + newargs[0] = SUEXEC_BIN; + newargs[1] = execuser; + newargs[2] = execgroup; + newargs[3] = apr_pstrdup(p, argv0); + + /* + ** using a shell to execute suexec makes no sense thus + ** we force everything to be APR_PROGRAM, and never + ** APR_SHELLCMD + */ + if (apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) { + return APR_EGENERAL; + } + + i = 1; + do { + newargs[i + 3] = args[i]; + } while (args[i++]); + + return apr_proc_create(newproc, newprogname, newargs, env, attr, p); +} + +AP_DECLARE(apr_status_t) ap_os_create_privileged_process( + const request_rec *r, + apr_proc_t *newproc, const char *progname, + const char * const *args, + const char * const *env, + apr_procattr_t *attr, apr_pool_t *p) +{ + ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r); + + if (ugid == NULL) { + return apr_proc_create(newproc, progname, args, env, attr, p); + } + + return ap_unix_create_privileged_process(newproc, progname, args, env, + attr, ugid, p); +} + +/* XXX move to APR and externalize (but implement differently :) ) */ +static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex) +{ + const char *mechname = apr_proc_mutex_name(pmutex); + + if (!strcmp(mechname, "sysvsem")) { + return APR_LOCK_SYSVSEM; + } + else if (!strcmp(mechname, "flock")) { + return APR_LOCK_FLOCK; + } + return APR_LOCK_DEFAULT; +} + +AP_DECLARE(apr_status_t) ap_unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex) +{ + if (!geteuid()) { + apr_lockmech_e mech = proc_mutex_mech(pmutex); + + switch(mech) { +#if APR_HAS_SYSVSEM_SERIALIZE + case APR_LOCK_SYSVSEM: + { + apr_os_proc_mutex_t ospmutex; +#if !APR_HAVE_UNION_SEMUN + union semun { + long val; + struct semid_ds *buf; + unsigned short *array; + }; +#endif + union semun ick; + struct semid_ds buf = { { 0 } }; + + apr_os_proc_mutex_get(&ospmutex, pmutex); + buf.sem_perm.uid = ap_unixd_config.user_id; + buf.sem_perm.gid = ap_unixd_config.group_id; + buf.sem_perm.mode = 0600; + ick.buf = &buf; + if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) { + return errno; + } + } + break; +#endif +#if APR_HAS_FLOCK_SERIALIZE + case APR_LOCK_FLOCK: + { + const char *lockfile = apr_proc_mutex_lockfile(pmutex); + + if (lockfile) { + if (chown(lockfile, ap_unixd_config.user_id, + -1 /* no gid change */) < 0) { + return errno; + } + } + } + break; +#endif + default: + /* do nothing */ + break; + } + } + return APR_SUCCESS; +} + +AP_DECLARE(apr_status_t) ap_unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex) +{ +#if !APR_PROC_MUTEX_IS_GLOBAL + apr_os_global_mutex_t osgmutex; + apr_os_global_mutex_get(&osgmutex, gmutex); + return ap_unixd_set_proc_mutex_perms(osgmutex.proc_mutex); +#else /* APR_PROC_MUTEX_IS_GLOBAL */ + /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */ + return ap_unixd_set_proc_mutex_perms(gmutex); +#endif /* APR_PROC_MUTEX_IS_GLOBAL */ +} + +AP_DECLARE(apr_status_t) ap_unixd_accept(void **accepted, ap_listen_rec *lr, + apr_pool_t *ptrans) +{ + apr_socket_t *csd; + apr_status_t status; +#ifdef _OSD_POSIX + int sockdes; +#endif + + *accepted = NULL; + status = apr_socket_accept(&csd, lr->sd, ptrans); + if (status == APR_SUCCESS) { + *accepted = csd; +#ifdef _OSD_POSIX + apr_os_sock_get(&sockdes, csd); + if (sockdes >= FD_SETSIZE) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ap_server_conf, APLOGNO(02176) + "new file descriptor %d is too large; you probably need " + "to rebuild Apache with a larger FD_SETSIZE " + "(currently %d)", + sockdes, FD_SETSIZE); + apr_socket_close(csd); + return APR_EINTR; + } +#endif + return APR_SUCCESS; + } + + if (APR_STATUS_IS_EINTR(status)) { + return status; + } + /* Our old behaviour here was to continue after accept() + * errors. But this leads us into lots of troubles + * because most of the errors are quite fatal. For + * example, EMFILE can be caused by slow descriptor + * leaks (say in a 3rd party module, or libc). It's + * foolish for us to continue after an EMFILE. We also + * seem to tickle kernel bugs on some platforms which + * lead to never-ending loops here. So it seems best + * to just exit in most cases. + */ + switch (status) { +#if defined(HPUX11) && defined(ENOBUFS) + /* On HPUX 11.x, the 'ENOBUFS, No buffer space available' + * error occurs because the accept() cannot complete. + * You will not see ENOBUFS with 10.20 because the kernel + * hides any occurrence from being returned to user space. + * ENOBUFS with 11.x's TCP/IP stack is possible, and could + * occur intermittently. As a work-around, we are going to + * ignore ENOBUFS. + */ + case ENOBUFS: +#endif + +#ifdef EPROTO + /* EPROTO on certain older kernels really means + * ECONNABORTED, so we need to ignore it for them. + * See discussion in new-httpd archives nh.9701 + * search for EPROTO. + * + * Also see nh.9603, search for EPROTO: + * There is potentially a bug in Solaris 2.x x<6, + * and other boxes that implement tcp sockets in + * userland (i.e. on top of STREAMS). On these + * systems, EPROTO can actually result in a fatal + * loop. See PR#981 for example. It's hard to + * handle both uses of EPROTO. + */ + case EPROTO: +#endif +#ifdef ECONNABORTED + case ECONNABORTED: +#endif + /* Linux generates the rest of these, other tcp + * stacks (i.e. bsd) tend to hide them behind + * getsockopt() interfaces. They occur when + * the net goes sour or the client disconnects + * after the three-way handshake has been done + * in the kernel but before userland has picked + * up the socket. + */ +#ifdef ECONNRESET + case ECONNRESET: +#endif +#ifdef ETIMEDOUT + case ETIMEDOUT: +#endif +#ifdef EHOSTUNREACH + case EHOSTUNREACH: +#endif +#ifdef ENETUNREACH + case ENETUNREACH: +#endif + /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived + * TCP stacks when the connection is aborted before + * we call connect, but only because our listener + * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN) + */ +#ifdef EAGAIN + case EAGAIN: +#endif +#ifdef EWOULDBLOCK +#if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK + case EWOULDBLOCK: +#endif +#endif + break; +#ifdef ENETDOWN + case ENETDOWN: + /* + * When the network layer has been shut down, there + * is not much use in simply exiting: the parent + * would simply re-create us (and we'd fail again). + * Use the CHILDFATAL code to tear the server down. + * @@@ Martin's idea for possible improvement: + * A different approach would be to define + * a new APEXIT_NETDOWN exit code, the reception + * of which would make the parent shutdown all + * children, then idle-loop until it detected that + * the network is up again, and restart the children. + * Ben Hyde noted that temporary ENETDOWN situations + * occur in mobile IP. + */ + ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, APLOGNO(02177) + "apr_socket_accept: giving up."); + return APR_EGENERAL; +#endif /*ENETDOWN*/ + + default: + /* If the socket has been closed in ap_close_listeners() + * by the restart/stop action, we may get EBADF. + * Do not print an error in this case. + */ + if (!lr->active) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, status, ap_server_conf, APLOGNO(02178) + "apr_socket_accept failed for inactive listener"); + return status; + } + ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(02179) + "apr_socket_accept: (client socket)"); + return APR_EGENERAL; + } + return status; +} + + +/* Unixes MPMs' */ + +static ap_unixd_mpm_retained_data *retained_data = NULL; +static apr_status_t retained_data_cleanup(void *unused) +{ + (void)unused; + retained_data = NULL; + return APR_SUCCESS; +} + +AP_DECLARE(ap_unixd_mpm_retained_data *) ap_unixd_mpm_get_retained_data() +{ + if (!retained_data) { + retained_data = ap_retained_data_create("ap_unixd_mpm_retained_data", + sizeof(*retained_data)); + apr_pool_pre_cleanup_register(ap_pglobal, NULL, retained_data_cleanup); + retained_data->mpm_state = AP_MPMQ_STARTING; + } + return retained_data; +} + +static void sig_term(int sig) +{ + if (!retained_data) { + /* Main process (ap_pglobal) is dying */ + return; + } + retained_data->mpm_state = AP_MPMQ_STOPPING; + if (retained_data->shutdown_pending + && (retained_data->is_ungraceful + || sig == AP_SIG_GRACEFUL_STOP)) { + /* Already handled */ + return; + } + + retained_data->shutdown_pending = 1; + if (sig != AP_SIG_GRACEFUL_STOP) { + retained_data->is_ungraceful = 1; + } +} + +static void sig_restart(int sig) +{ + if (!retained_data) { + /* Main process (ap_pglobal) is dying */ + return; + } + retained_data->mpm_state = AP_MPMQ_STOPPING; + if (retained_data->restart_pending + && (retained_data->is_ungraceful + || sig == AP_SIG_GRACEFUL)) { + /* Already handled */ + return; + } + + retained_data->restart_pending = 1; + if (sig != AP_SIG_GRACEFUL) { + retained_data->is_ungraceful = 1; + } +} + +static apr_status_t unset_signals(void *unused) +{ + if (!retained_data) { + /* Main process (ap_pglobal) is dying */ + return APR_SUCCESS; + } + retained_data->shutdown_pending = retained_data->restart_pending = 0; + retained_data->was_graceful = !retained_data->is_ungraceful; + retained_data->is_ungraceful = 0; + + return APR_SUCCESS; +} + +static void ap_terminate(void) +{ + ap_main_state = AP_SQ_MS_EXITING; + apr_pool_destroy(ap_pglobal); + apr_terminate(); +} + +AP_DECLARE(void) ap_unixd_mpm_set_signals(apr_pool_t *pconf, int one_process) +{ +#ifndef NO_USE_SIGACTION + struct sigaction sa; +#endif + + if (!one_process) { + ap_fatal_signal_setup(ap_server_conf, pconf); + } + else if (!ap_retained_data_get("ap_unixd_mpm_one_process_cleanup")) { + /* In one process mode (debug), httpd will exit immediately when asked + * to (SIGTERM/SIGINT) and never restart. We still want the cleanups to + * run though (such that e.g. temporary files/IPCs don't leak on the + * system), so the first time around we use atexit() to cleanup after + * ourselves. + */ + ap_retained_data_create("ap_unixd_mpm_one_process_cleanup", 1); + atexit(ap_terminate); + } + + /* Signals' handlers depend on retained data */ + (void)ap_unixd_mpm_get_retained_data(); + +#ifndef NO_USE_SIGACTION + memset(&sa, 0, sizeof sa); + sigemptyset(&sa.sa_mask); + +#ifdef SIGPIPE + sa.sa_handler = SIG_IGN; + if (sigaction(SIGPIPE, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00269) + "sigaction(SIGPIPE)"); +#endif +#ifdef SIGXCPU + sa.sa_handler = SIG_DFL; + if (sigaction(SIGXCPU, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00267) + "sigaction(SIGXCPU)"); +#endif +#ifdef SIGXFSZ + /* For systems following the LFS standard, ignoring SIGXFSZ allows + * a write() beyond the 2GB limit to fail gracefully with E2BIG + * rather than terminate the process. */ + sa.sa_handler = SIG_IGN; + if (sigaction(SIGXFSZ, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00268) + "sigaction(SIGXFSZ)"); +#endif + + sa.sa_handler = sig_term; + if (sigaction(SIGTERM, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00264) + "sigaction(SIGTERM)"); +#ifdef SIGINT + if (sigaction(SIGINT, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00266) + "sigaction(SIGINT)"); +#endif +#ifdef AP_SIG_GRACEFUL_STOP + if (sigaction(AP_SIG_GRACEFUL_STOP, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00265) + "sigaction(" AP_SIG_GRACEFUL_STOP_STRING ")"); +#endif + + /* Don't catch restart signals in ONE_PROCESS mode :) */ + if (!one_process) { + sa.sa_handler = sig_restart; + if (sigaction(SIGHUP, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00270) + "sigaction(SIGHUP)"); + if (sigaction(AP_SIG_GRACEFUL, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00271) + "sigaction(" AP_SIG_GRACEFUL_STRING ")"); + } + +#else /* NO_USE_SIGACTION */ + +#ifdef SIGPIPE + apr_signal(SIGPIPE, SIG_IGN); +#endif /* SIGPIPE */ +#ifdef SIGXCPU + apr_signal(SIGXCPU, SIG_DFL); +#endif /* SIGXCPU */ +#ifdef SIGXFSZ + apr_signal(SIGXFSZ, SIG_IGN); +#endif /* SIGXFSZ */ + + apr_signal(SIGTERM, sig_term); +#ifdef AP_SIG_GRACEFUL_STOP + apr_signal(AP_SIG_GRACEFUL_STOP, sig_term); +#endif /* AP_SIG_GRACEFUL_STOP */ + + if (!one_process) { + /* Don't restart in ONE_PROCESS mode :) */ +#ifdef SIGHUP + apr_signal(SIGHUP, sig_restart); +#endif /* SIGHUP */ +#ifdef AP_SIG_GRACEFUL + apr_signal(AP_SIG_GRACEFUL, sig_restart); +#endif /* AP_SIG_GRACEFUL */ + } + +#endif /* NO_USE_SIGACTION */ + + apr_pool_cleanup_register(pconf, NULL, unset_signals, + apr_pool_cleanup_null); +} + + +#ifdef _OSD_POSIX + +#include "apr_lib.h" + +#define USER_LEN 8 + +typedef enum +{ + bs2_unknown, /* not initialized yet. */ + bs2_noFORK, /* no fork() because -X flag was specified */ + bs2_FORK, /* only fork() because uid != 0 */ + bs2_UFORK /* Normally, ufork() is used to switch identities. */ +} bs2_ForkType; + +static bs2_ForkType forktype = bs2_unknown; + +/* Determine the method for forking off a child in such a way as to + * set both the POSIX and BS2000 user id's to the unprivileged user. + */ +static bs2_ForkType os_forktype(int one_process) +{ + /* have we checked the OS version before? If yes return the previous + * result - the OS release isn't going to change suddenly! + */ + if (forktype == bs2_unknown) { + /* not initialized yet */ + + /* No fork if the one_process option was set */ + if (one_process) { + forktype = bs2_noFORK; + } + /* If the user is unprivileged, use the normal fork() only. */ + else if (getuid() != 0) { + forktype = bs2_FORK; + } + else + forktype = bs2_UFORK; + } + return forktype; +} + + + +/* This routine complements the setuid() call: it causes the BS2000 job + * environment to be switched to the target user's user id. + * That is important if CGI scripts try to execute native BS2000 commands. + */ +int os_init_job_environment(server_rec *server, const char *user_name, int one_process) +{ + bs2_ForkType type = os_forktype(one_process); + + /* We can be sure that no change to uid==0 is possible because of + * the checks in http_core.c:set_user() + */ + + if (one_process) { + + type = forktype = bs2_noFORK; + + ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, APLOGNO(02180) + "The debug mode of Apache should only " + "be started by an unprivileged user!"); + return 0; + } + + return 0; +} + +/* BS2000 requires a "special" version of fork() before a setuid() call */ +pid_t os_fork(const char *user) +{ + pid_t pid; + char username[USER_LEN+1]; + + switch (os_forktype(0)) { + + case bs2_FORK: + pid = fork(); + break; + + case bs2_UFORK: + apr_cpystrn(username, user, sizeof username); + + /* Make user name all upper case - for some versions of ufork() */ + ap_str_toupper(username); + + pid = ufork(username); + if (pid == -1 && errno == EPERM) { + ap_log_error(APLOG_MARK, APLOG_EMERG, errno, ap_server_conf, + APLOGNO(02181) "ufork: Possible mis-configuration " + "for user %s - Aborting.", user); + exit(1); + } + break; + + default: + pid = 0; + break; + } + + return pid; +} + +#endif /* _OSD_POSIX */ + |