1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "ap_config.h"
19 #include "http_config.h"
20 #include "http_main.h"
23 #include "mpm_common.h"
26 #include "apr_thread_proc.h"
27 #include "apr_strings.h"
28 #include "apr_portable.h"
29 #include "apr_perms_set.h"
33 #ifdef HAVE_SYS_RESOURCE_H
34 #include <sys/resource.h>
50 #ifdef HAVE_SYS_PRCTL_H
51 #include <sys/prctl.h>
54 unixd_config_rec ap_unixd_config;
57 AP_DECLARE(void) ap_unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
59 const char * arg2, int type)
61 #if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT
64 /* If your platform doesn't define rlim_t then typedef it in ap_config.h */
/* Directive helper for resource limits: a zero-filled struct rlimit is
 * allocated from cmd->pool and stored in *plimit, the current limits for
 * `type` are read with getrlimit(), and rlim_cur / rlim_max are then set
 * from the directive arguments. Problems are reported through
 * ap_log_error() only; the function returns void.
 * NOTE(review): `limit` presumably aliases *plimit - the assignment is not
 * visible in this listing.
 */
68 *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit));
70 if ((getrlimit(type, limit)) != 0) {
72 ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server,
73 "%s: getrlimit failed", cmd->cmd->name);
/* First argument: the keyword "max" (compared case-insensitively) takes
 * the current hard limit, rlim_max, as the new soft value.
 */
77 if ((str = ap_getword_conf(cmd->pool, &arg))) {
78 if (!strcasecmp(str, "max")) {
79 cur = limit->rlim_max;
86 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
87 "Invalid parameters for %s", cmd->cmd->name);
/* The second argument is optional and is parsed only when arg2 is non-NULL. */
91 if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) {
95 /* if we aren't running as root, cannot increase max */
/* On this path the visible lines still apply the soft limit (rlim_cur)
 * and log the uid 0 requirement; rlim_max is not assigned here.
 */
97 limit->rlim_cur = cur;
99 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
100 "Must be uid 0 to raise maximum %s", cmd->cmd->name);
105 limit->rlim_cur = cur;
108 limit->rlim_max = max;
/* Presumably the #else side of the feature test above: no usable rlimit
 * support was detected at build time, so the directive is only logged.
 */
113 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server,
114 "Platform does not support rlimit for %s", cmd->cmd->name);
119 APR_HOOK_LINK(get_suexec_identity)
/* get_suexec_identity hook: providers are asked which ap_unix_identity_t
 * (uid/gid) the child process for request r should run under. It is a
 * RUN_FIRST hook whose decline value is NULL, so a NULL result from
 * ap_run_get_suexec_identity() means no provider supplied an identity and
 * callers have to handle that case explicitly.
 */
122 AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity,
123 (const request_rec *r), (r), NULL)
/* Create a child process, routing it through the suexec wrapper when
 * suexec is enabled.
 *
 * With ap_unixd_config.suexec_enabled unset, the call is passed straight
 * to apr_proc_create(). Otherwise the argument vector is rebuilt as
 *     SUEXEC_BIN, <uid string>, <gid string>, <argv0>, <caller's args...>
 * and SUEXEC_BIN is executed instead of progname. The command type is
 * forced to APR_PROGRAM, so the wrapper is exec'ed directly and its
 * arguments are never interpreted by a shell.
 *
 * ugid supplies the numeric uid/gid handed to suexec; newproc, env and
 * the pool p are forwarded to apr_proc_create().
 */
125 static apr_status_t ap_unix_create_privileged_process(
126 apr_proc_t *newproc, const char *progname,
127 const char * const *args,
128 const char * const *env,
129 apr_procattr_t *attr, ap_unix_identity_t *ugid,
133 const char **newargs;
135 char *execuser, *execgroup;
/* No suexec configured: behave exactly like apr_proc_create(). */
138 if (!ap_unixd_config.suexec_enabled) {
139 return apr_proc_create(newproc, progname, args, env, attr, p);
142 argv0 = ap_strrchr_c(progname, '/');
143 /* Allow suexec's "/" check to succeed */
/* The target identity is passed to suexec as decimal uid/gid strings.
 * The "~"-prefixed user form is selected by a condition that is not
 * visible in this listing - NOTE(review): confirm which ugid field
 * chooses it.
 */
153 execuser = apr_psprintf(p, "~%ld", (long) ugid->uid);
156 execuser = apr_psprintf(p, "%ld", (long) ugid->uid);
158 execgroup = apr_psprintf(p, "%ld", (long) ugid->gid);
160 if (!execuser || !execgroup) {
170 /* allocate space for 4 new args, the input args, and a null terminator */
171 newargs = apr_palloc(p, sizeof(char *) * (i + 4));
172 newprogname = SUEXEC_BIN;
173 newargs[0] = SUEXEC_BIN;
174 newargs[1] = execuser;
175 newargs[2] = execgroup;
176 newargs[3] = apr_pstrdup(p, argv0);
179 ** using a shell to execute suexec makes no sense thus
180 ** we force everything to be APR_PROGRAM, and never
183 if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
/* NOTE(review): the loops that count and copy the caller's args are not
 * fully visible here. The (i + 4)-pointer allocation above has to cover
 * the highest newargs[i + 3] slot written, including the terminating
 * NULL - confirm against the complete file.
 */
189 newargs[i + 3] = args[i];
192 return apr_proc_create(newproc, newprogname, newargs, env, attr, p);
/* Public entry point for spawning a child process on behalf of request r.
 * The identity is obtained from the get_suexec_identity hook and the work
 * is delegated to ap_unix_create_privileged_process(); the remaining
 * parameters are forwarded as given.
 */
195 AP_DECLARE(apr_status_t) ap_os_create_privileged_process(
196 const request_rec *r,
197 apr_proc_t *newproc, const char *progname,
198 const char * const *args,
199 const char * const *env,
200 apr_procattr_t *attr, apr_pool_t *p)
202 ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r);
/* Path without a suexec identity: the program is started through
 * apr_proc_create() with no wrapper, so this function does not switch the
 * child to another uid/gid. The guarding test is not visible in this
 * listing - presumably ugid == NULL; confirm.
 */
205 return apr_proc_create(newproc, progname, args, env, attr, p);
208 return ap_unix_create_privileged_process(newproc, progname, args, env,
/* Set owner and permissions on a process mutex so that the configured
 * server identity can use it: user-write and group-write, with
 * ap_unixd_config.user_id and ap_unixd_config.group_id as uid/gid.
 * Returns an apr_status_t.
 */
212 AP_DECLARE(apr_status_t) ap_unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex)
214 apr_status_t rv = APR_SUCCESS;
/* Only write bits are granted; no access is given to "other". */
216 rv = APR_PERMS_SET_FN(proc_mutex)(pmutex,
217 APR_FPROT_GWRITE | APR_FPROT_UWRITE,
218 ap_unixd_config.user_id,
219 ap_unixd_config.group_id);
/* APR_ENOTIMPL is singled out from other failures; how it is handled is
 * not visible in this listing.
 */
220 if (rv == APR_ENOTIMPL) {
/* Global-mutex counterpart of ap_unixd_set_proc_mutex_perms(): the same
 * permission change is applied to the process mutex behind gmutex.
 * Returns whatever ap_unixd_set_proc_mutex_perms() returns.
 */
227 AP_DECLARE(apr_status_t) ap_unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex)
229 #if !APR_PROC_MUTEX_IS_GLOBAL
/* Fetch the native representation to reach its proc_mutex member. */
230 apr_os_global_mutex_t osgmutex;
231 apr_os_global_mutex_get(&osgmutex, gmutex);
232 return ap_unixd_set_proc_mutex_perms(osgmutex.proc_mutex);
233 #else /* APR_PROC_MUTEX_IS_GLOBAL */
234 /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */
235 return ap_unixd_set_proc_mutex_perms(gmutex);
236 #endif /* APR_PROC_MUTEX_IS_GLOBAL */
/* Accept one connection on listener lr.
 *
 * Calls apr_socket_accept() on lr->sd with pool ptrans. The error paths
 * below classify accept() failures: EINTR is tested separately, and the
 * long comments explain why most other errors are treated as fatal for
 * the child instead of being retried.
 */
239 AP_DECLARE(apr_status_t) ap_unixd_accept(void **accepted, ap_listen_rec *lr,
249 status = apr_socket_accept(&csd, lr->sd, ptrans);
250 if (status == APR_SUCCESS) {
253 apr_os_sock_get(&sockdes, csd);
/* Descriptor-range guard: a descriptor >= FD_SETSIZE is logged and the
 * new socket is closed. Passing such a descriptor to the select() fd_set
 * macros is undefined behaviour, so rejecting it here keeps a
 * descriptor-exhaustion condition from turning into memory corruption.
 * NOTE(review): whether this build uses select() downstream is not
 * visible in this listing.
 */
254 if (sockdes >= FD_SETSIZE) {
255 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
256 "new file descriptor %d is too large; you probably need "
257 "to rebuild Apache with a larger FD_SETSIZE "
259 sockdes, FD_SETSIZE);
260 apr_socket_close(csd);
267 if (APR_STATUS_IS_EINTR(status)) {
270 /* Our old behaviour here was to continue after accept()
271 * errors. But this leads us into lots of troubles
272 * because most of the errors are quite fatal. For
273 * example, EMFILE can be caused by slow descriptor
274 * leaks (say in a 3rd party module, or libc). It's
275 * foolish for us to continue after an EMFILE. We also
276 * seem to tickle kernel bugs on some platforms which
277 * lead to never-ending loops here. So it seems best
278 * to just exit in most cases.
281 #if defined(HPUX11) && defined(ENOBUFS)
282 /* On HPUX 11.x, the 'ENOBUFS, No buffer space available'
283 * error occurs because the accept() cannot complete.
284 * You will not see ENOBUFS with 10.20 because the kernel
285 * hides any occurrence from being returned to user space.
286 * ENOBUFS with 11.x's TCP/IP stack is possible, and could
287 * occur intermittently. As a work-around, we are going to
294 /* EPROTO on certain older kernels really means
295 * ECONNABORTED, so we need to ignore it for them.
296 * See discussion in new-httpd archives nh.9701
299 * Also see nh.9603, search for EPROTO:
300 * There is potentially a bug in Solaris 2.x x<6,
301 * and other boxes that implement tcp sockets in
302 * userland (i.e. on top of STREAMS). On these
303 * systems, EPROTO can actually result in a fatal
304 * loop. See PR#981 for example. It's hard to
305 * handle both uses of EPROTO.
312 /* Linux generates the rest of these, other tcp
313 * stacks (i.e. bsd) tend to hide them behind
314 * getsockopt() interfaces. They occur when
315 * the net goes sour or the client disconnects
316 * after the three-way handshake has been done
317 * in the kernel but before userland has picked
332 /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived
333 * TCP stacks when the connection is aborted before
334 * we call connect, but only because our listener
335 * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN)
341 #if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK
349 * When the network layer has been shut down, there
350 * is not much use in simply exiting: the parent
351 * would simply re-create us (and we'd fail again).
352 * Use the CHILDFATAL code to tear the server down.
353 * @@@ Martin's idea for possible improvement:
354 * A different approach would be to define
355 * a new APEXIT_NETDOWN exit code, the reception
356 * of which would make the parent shutdown all
357 * children, then idle-loop until it detected that
358 * the network is up again, and restart the children.
359 * Ben Hyde noted that temporary ENETDOWN situations
360 * occur in mobile IP.
362 ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
363 "apr_socket_accept: giving up.");
368 #ifdef _OSD_POSIX /* Possibly on other platforms too */
369 /* If the socket has been closed in ap_close_listeners()
370 * by the restart/stop action, we may get EBADF.
371 * Do not print an error in this case.
373 if (!lr->active && status == EBADF)
376 ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf,
377 "apr_socket_accept: (client socket)");
392 bs2_unknown, /* not initialized yet. */
393 bs2_noFORK, /* no fork() because -X flag was specified */
394 bs2_FORK, /* only fork() because uid != 0 */
395 bs2_UFORK /* Normally, ufork() is used to switch identities. */
/* File-scope cache of the selected fork method. os_forktype() fills it in
 * while it is still bs2_unknown, and os_init_job_environment() can
 * overwrite it with bs2_noFORK.
 */
398 static bs2_ForkType forktype = bs2_unknown;
/* Upper-case str in place using apr_toupper(). The loop around the
 * assignment is not visible in this listing; str must be writable.
 */
401 static void ap_str_toupper(char *str)
404 *str = apr_toupper(*str);
409 /* Determine the method for forking off a child in such a way as to
410 * set both the POSIX and BS2000 user id's to the unprivileged user.
412 static bs2_ForkType os_forktype(int one_process)
414 /* have we checked the OS version before? If yes return the previous
415 * result - the OS release isn't going to change suddenly!
417 if (forktype == bs2_unknown) {
418 /* not initialized yet */
420 /* No fork if the one_process option was set */
422 forktype = bs2_noFORK;
424 /* If the user is unprivileged, use the normal fork() only. */
425 else if (getuid() != 0) {
/* Remaining case: per the bs2_UFORK enumerator comment, ufork() is the
 * normal method for switching identities. The branch structure leading
 * here is only partly visible in this listing.
 */
429 forktype = bs2_UFORK;
/* Summary of the visible logic: the fork method is looked up with
 * os_forktype(one_process); one path forces both the local value and the
 * cached forktype to bs2_noFORK, and an error is logged stating that
 * debug mode should only be started by an unprivileged user.
 * NOTE(review): the conditions selecting those paths and the int return
 * values are not visible in this listing.
 */
436 /* This routine complements the setuid() call: it causes the BS2000 job
437 * environment to be switched to the target user's user id.
438 * That is important if CGI scripts try to execute native BS2000 commands.
440 int os_init_job_environment(server_rec *server, const char *user_name, int one_process)
442 bs2_ForkType type = os_forktype(one_process);
444 /* We can be sure that no change to uid==0 is possible because of
445 * the checks in http_core.c:set_user()
450 type = forktype = bs2_noFORK;
452 ap_log_error(APLOG_MARK, APLOG_ERR, 0, server,
453 "The debug mode of Apache should only "
454 "be started by an unprivileged user!");
461 /* BS2000 requires a "special" version of fork() before a setuid() call */
/* Fork a child using the method reported by os_forktype(0). On the
 * ufork() path the account name is copied into a local buffer,
 * upper-cased and handed to ufork(); the caller's user string itself is
 * not modified.
 */
462 pid_t os_fork(const char *user)
465 char username[USER_LEN+1];
467 switch (os_forktype(0)) {
/* Bounded copy: apr_cpystrn() writes at most sizeof username bytes and
 * always NUL-terminates, so an over-long name cannot overflow the stack
 * buffer. It is truncated silently instead - NOTE(review): confirm that
 * callers reject names longer than USER_LEN, otherwise ufork() would be
 * asked for a different, shorter account name.
 */
474 apr_cpystrn(username, user, sizeof username);
476 /* Make user name all upper case - for some versions of ufork() */
477 ap_str_toupper(username);
479 pid = ufork(username);
/* EPERM from ufork() is reported at APLOG_EMERG. The message prints the
 * original user string, not the truncated and upper-cased copy that was
 * actually passed to ufork().
 */
480 if (pid == -1 && errno == EPERM) {
481 ap_log_error(APLOG_MARK, APLOG_EMERG, errno,
482 NULL, "ufork: Possible mis-configuration "
483 "for user %s - Aborting.", user);
496 #endif /* _OSD_POSIX */