| /* Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "ap_config.h" |
| #include "httpd.h" |
| #include "http_config.h" |
| #include "http_main.h" |
| #include "http_core.h" |
| #include "http_log.h" |
| #include "unixd.h" |
| #include "mpm_common.h" |
| #include "os.h" |
| #include "ap_mpm.h" |
| #include "apr_thread_proc.h" |
| #include "apr_signal.h" |
| #include "apr_strings.h" |
| #include "apr_portable.h" |
| #ifdef HAVE_PWD_H |
| #include <pwd.h> |
| #endif |
| #ifdef HAVE_SYS_RESOURCE_H |
| #include <sys/resource.h> |
| #endif |
| /* XXX */ |
| #include <sys/stat.h> |
| #ifdef HAVE_UNISTD_H |
| #include <unistd.h> |
| #endif |
| #ifdef HAVE_GRP_H |
| #include <grp.h> |
| #endif |
| #ifdef HAVE_STRINGS_H |
| #include <strings.h> |
| #endif |
| #ifdef HAVE_SYS_SEM_H |
| #include <sys/sem.h> |
| #endif |
| #ifdef HAVE_SYS_PRCTL_H |
| #include <sys/prctl.h> |
| #endif |
| |
| unixd_config_rec ap_unixd_config; |
| |
| APLOG_USE_MODULE(core); |
| |
| AP_DECLARE(void) ap_unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit, |
| const char *arg, |
| const char * arg2, int type) |
| { |
| #if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT |
| char *str; |
| struct rlimit *limit; |
| /* If your platform doesn't define rlim_t then typedef it in ap_config.h */ |
| rlim_t cur = 0; |
| rlim_t max = 0; |
| |
| *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit)); |
| limit = *plimit; |
| if ((getrlimit(type, limit)) != 0) { |
| *plimit = NULL; |
| ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server, APLOGNO(02172) |
| "%s: getrlimit failed", cmd->cmd->name); |
| return; |
| } |
| |
| if (*(str = ap_getword_conf(cmd->temp_pool, &arg)) != '\0') { |
| if (!strcasecmp(str, "max")) { |
| cur = limit->rlim_max; |
| } |
| else { |
| cur = atol(str); |
| } |
| } |
| else { |
| ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02173) |
| "Invalid parameters for %s", cmd->cmd->name); |
| return; |
| } |
| |
| if (arg2 && (*(str = ap_getword_conf(cmd->temp_pool, &arg2)) != '\0')) { |
| max = atol(str); |
| } |
| |
| /* if we aren't running as root, cannot increase max */ |
| if (geteuid()) { |
| limit->rlim_cur = cur; |
| if (max && (max > limit->rlim_max)) { |
| ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02174) |
| "Must be uid 0 to raise maximum %s", cmd->cmd->name); |
| } |
| else if (max) { |
| limit->rlim_max = max; |
| } |
| } |
| else { |
| if (cur) { |
| limit->rlim_cur = cur; |
| } |
| if (max) { |
| limit->rlim_max = max; |
| } |
| } |
| #else |
| |
| ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02175) |
| "Platform does not support rlimit for %s", cmd->cmd->name); |
| #endif |
| } |
| |
| APR_HOOK_STRUCT( |
| APR_HOOK_LINK(get_suexec_identity) |
| ) |
| |
| AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity, |
| (const request_rec *r), (r), NULL) |
| |
| static apr_status_t ap_unix_create_privileged_process( |
| apr_proc_t *newproc, const char *progname, |
| const char * const *args, |
| const char * const *env, |
| apr_procattr_t *attr, ap_unix_identity_t *ugid, |
| apr_pool_t *p) |
| { |
| int i = 0; |
| const char **newargs; |
| char *newprogname; |
| char *execuser, *execgroup; |
| const char *argv0; |
| |
| if (!ap_unixd_config.suexec_enabled) { |
| return apr_proc_create(newproc, progname, args, env, attr, p); |
| } |
| |
| argv0 = ap_strrchr_c(progname, '/'); |
| /* Allow suexec's "/" check to succeed */ |
| if (argv0 != NULL) { |
| argv0++; |
| } |
| else { |
| argv0 = progname; |
| } |
| |
| |
| if (ugid->userdir) { |
| execuser = apr_psprintf(p, "~%ld", (long) ugid->uid); |
| } |
| else { |
| execuser = apr_psprintf(p, "%ld", (long) ugid->uid); |
| } |
| execgroup = apr_psprintf(p, "%ld", (long) ugid->gid); |
| |
| if (!execuser || !execgroup) { |
| return APR_ENOMEM; |
| } |
| |
| i = 0; |
| while (args[i]) |
| i++; |
| /* allocate space for 4 new args, the input args, and a null terminator */ |
| newargs = apr_palloc(p, sizeof(char *) * (i + 4)); |
| newprogname = SUEXEC_BIN; |
| newargs[0] = SUEXEC_BIN; |
| newargs[1] = execuser; |
| newargs[2] = execgroup; |
| newargs[3] = apr_pstrdup(p, argv0); |
| |
| /* |
| ** using a shell to execute suexec makes no sense thus |
| ** we force everything to be APR_PROGRAM, and never |
| ** APR_SHELLCMD |
| */ |
| if (apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) { |
| return APR_EGENERAL; |
| } |
| |
| i = 1; |
| do { |
| newargs[i + 3] = args[i]; |
| } while (args[i++]); |
| |
| return apr_proc_create(newproc, newprogname, newargs, env, attr, p); |
| } |
| |
| AP_DECLARE(apr_status_t) ap_os_create_privileged_process( |
| const request_rec *r, |
| apr_proc_t *newproc, const char *progname, |
| const char * const *args, |
| const char * const *env, |
| apr_procattr_t *attr, apr_pool_t *p) |
| { |
| ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r); |
| |
| if (ugid == NULL) { |
| return apr_proc_create(newproc, progname, args, env, attr, p); |
| } |
| |
| return ap_unix_create_privileged_process(newproc, progname, args, env, |
| attr, ugid, p); |
| } |
| |
| /* XXX move to APR and externalize (but implement differently :) ) */ |
| static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex) |
| { |
| const char *mechname = apr_proc_mutex_name(pmutex); |
| |
| if (!strcmp(mechname, "sysvsem")) { |
| return APR_LOCK_SYSVSEM; |
| } |
| else if (!strcmp(mechname, "flock")) { |
| return APR_LOCK_FLOCK; |
| } |
| return APR_LOCK_DEFAULT; |
| } |
| |
| AP_DECLARE(apr_status_t) ap_unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex) |
| { |
| if (!geteuid()) { |
| apr_lockmech_e mech = proc_mutex_mech(pmutex); |
| |
| switch(mech) { |
| #if APR_HAS_SYSVSEM_SERIALIZE |
| case APR_LOCK_SYSVSEM: |
| { |
| apr_os_proc_mutex_t ospmutex; |
| #if !APR_HAVE_UNION_SEMUN |
| union semun { |
| long val; |
| struct semid_ds *buf; |
| unsigned short *array; |
| }; |
| #endif |
| union semun ick; |
| struct semid_ds buf = { { 0 } }; |
| |
| apr_os_proc_mutex_get(&ospmutex, pmutex); |
| buf.sem_perm.uid = ap_unixd_config.user_id; |
| buf.sem_perm.gid = ap_unixd_config.group_id; |
| buf.sem_perm.mode = 0600; |
| ick.buf = &buf; |
| if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) { |
| return errno; |
| } |
| } |
| break; |
| #endif |
| #if APR_HAS_FLOCK_SERIALIZE |
| case APR_LOCK_FLOCK: |
| { |
| const char *lockfile = apr_proc_mutex_lockfile(pmutex); |
| |
| if (lockfile) { |
| if (chown(lockfile, ap_unixd_config.user_id, |
| -1 /* no gid change */) < 0) { |
| return errno; |
| } |
| } |
| } |
| break; |
| #endif |
| default: |
| /* do nothing */ |
| break; |
| } |
| } |
| return APR_SUCCESS; |
| } |
| |
| AP_DECLARE(apr_status_t) ap_unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex) |
| { |
| #if !APR_PROC_MUTEX_IS_GLOBAL |
| apr_os_global_mutex_t osgmutex; |
| apr_os_global_mutex_get(&osgmutex, gmutex); |
| return ap_unixd_set_proc_mutex_perms(osgmutex.proc_mutex); |
| #else /* APR_PROC_MUTEX_IS_GLOBAL */ |
| /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */ |
| return ap_unixd_set_proc_mutex_perms(gmutex); |
| #endif /* APR_PROC_MUTEX_IS_GLOBAL */ |
| } |
| |
| AP_DECLARE(apr_status_t) ap_unixd_accept(void **accepted, ap_listen_rec *lr, |
| apr_pool_t *ptrans) |
| { |
| apr_socket_t *csd; |
| apr_status_t status; |
| #ifdef _OSD_POSIX |
| int sockdes; |
| #endif |
| |
| *accepted = NULL; |
| status = apr_socket_accept(&csd, lr->sd, ptrans); |
| if (status == APR_SUCCESS) { |
| *accepted = csd; |
| #ifdef _OSD_POSIX |
| apr_os_sock_get(&sockdes, csd); |
| if (sockdes >= FD_SETSIZE) { |
| ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ap_server_conf, APLOGNO(02176) |
| "new file descriptor %d is too large; you probably need " |
| "to rebuild Apache with a larger FD_SETSIZE " |
| "(currently %d)", |
| sockdes, FD_SETSIZE); |
| apr_socket_close(csd); |
| return APR_EINTR; |
| } |
| #endif |
| return APR_SUCCESS; |
| } |
| |
| if (APR_STATUS_IS_EINTR(status)) { |
| return status; |
| } |
| |
| /* Let the caller handle slightly more varied return values */ |
| if ((lr->flags & AP_LISTEN_SPECIFIC_ERRORS) && ap_accept_error_is_nonfatal(status)) { |
| return status; |
| } |
| |
| /* Our old behaviour here was to continue after accept() |
| * errors. But this leads us into lots of troubles |
| * because most of the errors are quite fatal. For |
| * example, EMFILE can be caused by slow descriptor |
| * leaks (say in a 3rd party module, or libc). It's |
| * foolish for us to continue after an EMFILE. We also |
| * seem to tickle kernel bugs on some platforms which |
| * lead to never-ending loops here. So it seems best |
| * to just exit in most cases. |
| */ |
| switch (status) { |
| #if defined(HPUX11) && defined(ENOBUFS) |
| /* On HPUX 11.x, the 'ENOBUFS, No buffer space available' |
| * error occurs because the accept() cannot complete. |
| * You will not see ENOBUFS with 10.20 because the kernel |
| * hides any occurrence from being returned to user space. |
| * ENOBUFS with 11.x's TCP/IP stack is possible, and could |
| * occur intermittently. As a work-around, we are going to |
| * ignore ENOBUFS. |
| */ |
| case ENOBUFS: |
| #endif |
| |
| #ifdef EPROTO |
| /* EPROTO on certain older kernels really means |
| * ECONNABORTED, so we need to ignore it for them. |
| * See discussion in new-httpd archives nh.9701 |
| * search for EPROTO. |
| * |
| * Also see nh.9603, search for EPROTO: |
| * There is potentially a bug in Solaris 2.x x<6, |
| * and other boxes that implement tcp sockets in |
| * userland (i.e. on top of STREAMS). On these |
| * systems, EPROTO can actually result in a fatal |
| * loop. See PR#981 for example. It's hard to |
| * handle both uses of EPROTO. |
| */ |
| case EPROTO: |
| #endif |
| #ifdef ECONNABORTED |
| case ECONNABORTED: |
| #endif |
| /* Linux generates the rest of these, other tcp |
| * stacks (i.e. bsd) tend to hide them behind |
| * getsockopt() interfaces. They occur when |
| * the net goes sour or the client disconnects |
| * after the three-way handshake has been done |
| * in the kernel but before userland has picked |
| * up the socket. |
| */ |
| #ifdef ECONNRESET |
| case ECONNRESET: |
| #endif |
| #ifdef ETIMEDOUT |
| case ETIMEDOUT: |
| #endif |
| #ifdef EHOSTUNREACH |
| case EHOSTUNREACH: |
| #endif |
| #ifdef ENETUNREACH |
| case ENETUNREACH: |
| #endif |
| /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived |
| * TCP stacks when the connection is aborted before |
| * we call connect, but only because our listener |
| * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN) |
| */ |
| #ifdef EAGAIN |
| case EAGAIN: |
| #endif |
| #ifdef EWOULDBLOCK |
| #if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK |
| case EWOULDBLOCK: |
| #endif |
| #endif |
| break; |
| #ifdef ENETDOWN |
| case ENETDOWN: |
| /* |
| * When the network layer has been shut down, there |
| * is not much use in simply exiting: the parent |
| * would simply re-create us (and we'd fail again). |
| * Use the CHILDFATAL code to tear the server down. |
| * @@@ Martin's idea for possible improvement: |
| * A different approach would be to define |
| * a new APEXIT_NETDOWN exit code, the reception |
| * of which would make the parent shutdown all |
| * children, then idle-loop until it detected that |
| * the network is up again, and restart the children. |
| * Ben Hyde noted that temporary ENETDOWN situations |
| * occur in mobile IP. |
| */ |
| ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, APLOGNO(02177) |
| "apr_socket_accept: giving up."); |
| return APR_EGENERAL; |
| #endif /*ENETDOWN*/ |
| |
| default: |
| /* If the socket has been closed in ap_close_listeners() |
| * by the restart/stop action, we may get EBADF. |
| * Do not print an error in this case. |
| */ |
| if (!lr->active) { |
| ap_log_error(APLOG_MARK, APLOG_DEBUG, status, ap_server_conf, APLOGNO(02178) |
| "apr_socket_accept failed for inactive listener"); |
| return status; |
| } |
| ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(02179) |
| "apr_socket_accept: (client socket)"); |
| return APR_EGENERAL; |
| } |
| return status; |
| } |
| |
| |
| /* Unixes MPMs' */ |
| |
| static ap_unixd_mpm_retained_data *retained_data = NULL; |
| static apr_status_t retained_data_cleanup(void *unused) |
| { |
| (void)unused; |
| retained_data = NULL; |
| return APR_SUCCESS; |
| } |
| |
| AP_DECLARE(ap_unixd_mpm_retained_data *) ap_unixd_mpm_get_retained_data() |
| { |
| if (!retained_data) { |
| retained_data = ap_retained_data_create("ap_unixd_mpm_retained_data", |
| sizeof(*retained_data)); |
| apr_pool_pre_cleanup_register(ap_pglobal, NULL, retained_data_cleanup); |
| retained_data->mpm_state = AP_MPMQ_STARTING; |
| } |
| return retained_data; |
| } |
| |
| static void sig_term(int sig) |
| { |
| if (!retained_data) { |
| /* Main process (ap_pglobal) is dying */ |
| return; |
| } |
| retained_data->mpm_state = AP_MPMQ_STOPPING; |
| if (retained_data->shutdown_pending |
| && (retained_data->is_ungraceful |
| || sig == AP_SIG_GRACEFUL_STOP)) { |
| /* Already handled */ |
| return; |
| } |
| |
| retained_data->shutdown_pending = 1; |
| if (sig != AP_SIG_GRACEFUL_STOP) { |
| retained_data->is_ungraceful = 1; |
| } |
| } |
| |
| static void sig_restart(int sig) |
| { |
| if (!retained_data) { |
| /* Main process (ap_pglobal) is dying */ |
| return; |
| } |
| retained_data->mpm_state = AP_MPMQ_STOPPING; |
| if (retained_data->restart_pending |
| && (retained_data->is_ungraceful |
| || sig == AP_SIG_GRACEFUL)) { |
| /* Already handled */ |
| return; |
| } |
| |
| retained_data->restart_pending = 1; |
| if (sig != AP_SIG_GRACEFUL) { |
| retained_data->is_ungraceful = 1; |
| } |
| } |
| |
| static apr_status_t unset_signals(void *unused) |
| { |
| if (!retained_data) { |
| /* Main process (ap_pglobal) is dying */ |
| return APR_SUCCESS; |
| } |
| retained_data->shutdown_pending = retained_data->restart_pending = 0; |
| retained_data->was_graceful = !retained_data->is_ungraceful; |
| retained_data->is_ungraceful = 0; |
| |
| return APR_SUCCESS; |
| } |
| |
| static void ap_terminate(void) |
| { |
| ap_main_state = AP_SQ_MS_EXITING; |
| apr_pool_destroy(ap_pglobal); |
| apr_terminate(); |
| } |
| |
| AP_DECLARE(void) ap_unixd_mpm_set_signals(apr_pool_t *pconf, int one_process) |
| { |
| #ifndef NO_USE_SIGACTION |
| struct sigaction sa; |
| #endif |
| |
| if (!one_process) { |
| ap_fatal_signal_setup(ap_server_conf, pconf); |
| } |
| else if (!ap_retained_data_get("ap_unixd_mpm_one_process_cleanup")) { |
| /* In one process mode (debug), httpd will exit immediately when asked |
| * to (SIGTERM/SIGINT) and never restart. We still want the cleanups to |
| * run though (such that e.g. temporary files/IPCs don't leak on the |
| * system), so the first time around we use atexit() to cleanup after |
| * ourselves. |
| */ |
| ap_retained_data_create("ap_unixd_mpm_one_process_cleanup", 1); |
| atexit(ap_terminate); |
| } |
| |
| /* Signals' handlers depend on retained data */ |
| (void)ap_unixd_mpm_get_retained_data(); |
| |
| #ifndef NO_USE_SIGACTION |
| memset(&sa, 0, sizeof sa); |
| sigemptyset(&sa.sa_mask); |
| |
| #ifdef SIGPIPE |
| sa.sa_handler = SIG_IGN; |
| if (sigaction(SIGPIPE, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00269) |
| "sigaction(SIGPIPE)"); |
| #endif |
| #ifdef SIGXCPU |
| sa.sa_handler = SIG_DFL; |
| if (sigaction(SIGXCPU, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00267) |
| "sigaction(SIGXCPU)"); |
| #endif |
| #ifdef SIGXFSZ |
| /* For systems following the LFS standard, ignoring SIGXFSZ allows |
| * a write() beyond the 2GB limit to fail gracefully with E2BIG |
| * rather than terminate the process. */ |
| sa.sa_handler = SIG_IGN; |
| if (sigaction(SIGXFSZ, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00268) |
| "sigaction(SIGXFSZ)"); |
| #endif |
| |
| sa.sa_handler = sig_term; |
| if (sigaction(SIGTERM, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00264) |
| "sigaction(SIGTERM)"); |
| #ifdef SIGINT |
| if (sigaction(SIGINT, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00266) |
| "sigaction(SIGINT)"); |
| #endif |
| #ifdef AP_SIG_GRACEFUL_STOP |
| if (sigaction(AP_SIG_GRACEFUL_STOP, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00265) |
| "sigaction(" AP_SIG_GRACEFUL_STOP_STRING ")"); |
| #endif |
| |
| /* Don't catch restart signals in ONE_PROCESS mode :) */ |
| if (!one_process) { |
| sa.sa_handler = sig_restart; |
| if (sigaction(SIGHUP, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00270) |
| "sigaction(SIGHUP)"); |
| if (sigaction(AP_SIG_GRACEFUL, &sa, NULL) < 0) |
| ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, APLOGNO(00271) |
| "sigaction(" AP_SIG_GRACEFUL_STRING ")"); |
| } |
| |
| #else /* NO_USE_SIGACTION */ |
| |
| #ifdef SIGPIPE |
| apr_signal(SIGPIPE, SIG_IGN); |
| #endif /* SIGPIPE */ |
| #ifdef SIGXCPU |
| apr_signal(SIGXCPU, SIG_DFL); |
| #endif /* SIGXCPU */ |
| #ifdef SIGXFSZ |
| apr_signal(SIGXFSZ, SIG_IGN); |
| #endif /* SIGXFSZ */ |
| |
| apr_signal(SIGTERM, sig_term); |
| #ifdef AP_SIG_GRACEFUL_STOP |
| apr_signal(AP_SIG_GRACEFUL_STOP, sig_term); |
| #endif /* AP_SIG_GRACEFUL_STOP */ |
| |
| if (!one_process) { |
| /* Don't restart in ONE_PROCESS mode :) */ |
| #ifdef SIGHUP |
| apr_signal(SIGHUP, sig_restart); |
| #endif /* SIGHUP */ |
| #ifdef AP_SIG_GRACEFUL |
| apr_signal(AP_SIG_GRACEFUL, sig_restart); |
| #endif /* AP_SIG_GRACEFUL */ |
| } |
| |
| #endif /* NO_USE_SIGACTION */ |
| |
| apr_pool_cleanup_register(pconf, NULL, unset_signals, |
| apr_pool_cleanup_null); |
| } |
| |
| |
| #ifdef _OSD_POSIX |
| |
| #include "apr_lib.h" |
| |
| #define USER_LEN 8 |
| |
| typedef enum |
| { |
| bs2_unknown, /* not initialized yet. */ |
| bs2_noFORK, /* no fork() because -X flag was specified */ |
| bs2_FORK, /* only fork() because uid != 0 */ |
| bs2_UFORK /* Normally, ufork() is used to switch identities. */ |
| } bs2_ForkType; |
| |
| static bs2_ForkType forktype = bs2_unknown; |
| |
| /* Determine the method for forking off a child in such a way as to |
| * set both the POSIX and BS2000 user id's to the unprivileged user. |
| */ |
| static bs2_ForkType os_forktype(int one_process) |
| { |
| /* have we checked the OS version before? If yes return the previous |
| * result - the OS release isn't going to change suddenly! |
| */ |
| if (forktype == bs2_unknown) { |
| /* not initialized yet */ |
| |
| /* No fork if the one_process option was set */ |
| if (one_process) { |
| forktype = bs2_noFORK; |
| } |
| /* If the user is unprivileged, use the normal fork() only. */ |
| else if (getuid() != 0) { |
| forktype = bs2_FORK; |
| } |
| else |
| forktype = bs2_UFORK; |
| } |
| return forktype; |
| } |
| |
| |
| |
| /* This routine complements the setuid() call: it causes the BS2000 job |
| * environment to be switched to the target user's user id. |
| * That is important if CGI scripts try to execute native BS2000 commands. |
| */ |
| int os_init_job_environment(server_rec *server, const char *user_name, int one_process) |
| { |
| bs2_ForkType type = os_forktype(one_process); |
| |
| /* We can be sure that no change to uid==0 is possible because of |
| * the checks in http_core.c:set_user() |
| */ |
| |
| if (one_process) { |
| |
| type = forktype = bs2_noFORK; |
| |
| ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, APLOGNO(02180) |
| "The debug mode of Apache should only " |
| "be started by an unprivileged user!"); |
| return 0; |
| } |
| |
| return 0; |
| } |
| |
| /* BS2000 requires a "special" version of fork() before a setuid() call */ |
| pid_t os_fork(const char *user) |
| { |
| pid_t pid; |
| char username[USER_LEN+1]; |
| |
| switch (os_forktype(0)) { |
| |
| case bs2_FORK: |
| pid = fork(); |
| break; |
| |
| case bs2_UFORK: |
| apr_cpystrn(username, user, sizeof username); |
| |
| /* Make user name all upper case - for some versions of ufork() */ |
| ap_str_toupper(username); |
| |
| pid = ufork(username); |
| if (pid == -1 && errno == EPERM) { |
| ap_log_error(APLOG_MARK, APLOG_EMERG, errno, ap_server_conf, |
| APLOGNO(02181) "ufork: Possible mis-configuration " |
| "for user %s - Aborting.", user); |
| exit(1); |
| } |
| break; |
| |
| default: |
| pid = 0; |
| break; |
| } |
| |
| return pid; |
| } |
| |
| #endif /* _OSD_POSIX */ |
| |