#define DEFAULT_GROUP "#-1"
#endif
+#if 0
typedef struct {
const char *user_name;
uid_t user_id;
gid_t group_id;
const char *chroot_dir;
} unixd_config_t;
+#else
+#include "unixd.h"
+#endif
-unixd_config_t unixd_config;
+//unixd_config_t unixd_config;
/* Set group privileges.
*
unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp)
{
+ apr_finfo_t wrapper;
unixd_config.user_name = DEFAULT_USER;
unixd_config.user_id = ap_uname2id(DEFAULT_USER);
unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
unixd_config.chroot_dir = NULL; /* none */
+ /* Check for suexec */
+ unixd_config.suexec_enabled = 0;
+ if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp))
+ == APR_SUCCESS) {
+ if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
+ unixd_config.suexec_enabled = 1;
+ }
+ }
+
sys_privileges_handlers(1);
return OK;
}
unixd_cmds,
unixd_hooks
};
+
+AP_DECLARE(int) unixd_setup_child(void)
+{
+ if (set_group_privs()) {
+ return -1;
+ }
+
+ if (NULL != unixd_config.chroot_dir) {
+ if (geteuid()) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Cannot chroot when not started as root");
+ return -1;
+ }
+ if (chdir(unixd_config.chroot_dir) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chdir to %s", unixd_config.chroot_dir);
+ return -1;
+ }
+ if (chroot(unixd_config.chroot_dir) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chroot to %s", unixd_config.chroot_dir);
+ return -1;
+ }
+ if (chdir("/") != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chdir to new root");
+ return -1;
+ }
+ }
+
+#ifdef MPE
+ /* Only try to switch if we're running as MANAGER.SYS */
+ if (geteuid() == 1 && unixd_config.user_id > 1) {
+ GETPRIVMODE();
+ if (setuid(unixd_config.user_id) == -1) {
+ GETUSERMODE();
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "setuid: unable to change to uid: %ld",
+ (long) unixd_config.user_id);
+ exit(1);
+ }
+ GETUSERMODE();
+ }
+#else
+ /* Only try to switch if we're running as root */
+ if (!geteuid() && (
+#ifdef _OSD_POSIX
+ os_init_job_environment(NULL, unixd_config.user_name, ap_exists_config_define("DEBUG")) != 0 ||
+#endif
+ setuid(unixd_config.user_id) == -1)) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "setuid: unable to change to uid: %ld",
+ (long) unixd_config.user_id);
+ return -1;
+ }
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* this applies to Linux 2.4+ */
+#ifdef AP_MPM_WANT_SET_COREDUMPDIR
+ if (ap_coredumpdir_configured) {
+ if (prctl(PR_SET_DUMPABLE, 1)) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "set dumpable failed - this child will not coredump"
+ " after software errors");
+ }
+ }
+#endif
+#endif
+#endif
+ return 0;
+}
+
unixd_config_rec unixd_config;
-/* Set group privileges.
- *
- * Note that we use the username as set in the config files, rather than
- * the lookup of to uid --- the same uid may have multiple passwd entries,
- * with different sets of groups for each.
- */
-
-static int set_group_privs(void)
-{
- if (!geteuid()) {
- const char *name;
-
- /* Get username if passed as a uid */
-
- if (unixd_config.user_name[0] == '#') {
- struct passwd *ent;
- uid_t uid = atol(&unixd_config.user_name[1]);
-
- if ((ent = getpwuid(uid)) == NULL) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "getpwuid: couldn't determine user name from uid %ld, "
- "you probably need to modify the User directive",
- (long)uid);
- return -1;
- }
-
- name = ent->pw_name;
- }
- else
- name = unixd_config.user_name;
-
-#if !defined(OS2) && !defined(TPF)
- /* OS/2 and TPF don't support groups. */
-
- /*
- * Set the GID before initgroups(), since on some platforms
- * setgid() is known to zap the group list.
- */
- if (setgid(unixd_config.group_id) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "setgid: unable to set group id to Group %u",
- (unsigned)unixd_config.group_id);
- return -1;
- }
-
- /* Reset `groups' attributes. */
-
- if (initgroups(name, unixd_config.group_id) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "initgroups: unable to set groups for User %s "
- "and Group %u", name, (unsigned)unixd_config.group_id);
- return -1;
- }
-#endif /* !defined(OS2) && !defined(TPF) */
- }
- return 0;
-}
-
-
-AP_DECLARE(int) unixd_setup_child(void)
-{
- if (set_group_privs()) {
- return -1;
- }
-
- if (NULL != unixd_config.chroot_dir) {
- if (geteuid()) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "Cannot chroot when not started as root");
- return -1;
- }
- if (chdir(unixd_config.chroot_dir) != 0) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "Can't chdir to %s", unixd_config.chroot_dir);
- return -1;
- }
- if (chroot(unixd_config.chroot_dir) != 0) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "Can't chroot to %s", unixd_config.chroot_dir);
- return -1;
- }
- if (chdir("/") != 0) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "Can't chdir to new root");
- return -1;
- }
- }
-
-#ifdef MPE
- /* Only try to switch if we're running as MANAGER.SYS */
- if (geteuid() == 1 && unixd_config.user_id > 1) {
- GETPRIVMODE();
- if (setuid(unixd_config.user_id) == -1) {
- GETUSERMODE();
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "setuid: unable to change to uid: %ld",
- (long) unixd_config.user_id);
- exit(1);
- }
- GETUSERMODE();
- }
-#else
- /* Only try to switch if we're running as root */
- if (!geteuid() && (
-#ifdef _OSD_POSIX
- os_init_job_environment(NULL, unixd_config.user_name, ap_exists_config_define("DEBUG")) != 0 ||
-#endif
- setuid(unixd_config.user_id) == -1)) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "setuid: unable to change to uid: %ld",
- (long) unixd_config.user_id);
- return -1;
- }
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /* this applies to Linux 2.4+ */
-#ifdef AP_MPM_WANT_SET_COREDUMPDIR
- if (ap_coredumpdir_configured) {
- if (prctl(PR_SET_DUMPABLE, 1)) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
- "set dumpable failed - this child will not coredump"
- " after software errors");
- }
- }
-#endif
-#endif
-#endif
- return 0;
-}
-
-
-AP_DECLARE(const char *) unixd_set_user(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- unixd_config.user_name = arg;
- unixd_config.user_id = ap_uname2id(arg);
-#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
- if (unixd_config.user_id == 0) {
- return "Error:\tApache has not been designed to serve pages while\n"
- "\trunning as root. There are known race conditions that\n"
- "\twill allow any local user to read any file on the system.\n"
- "\tIf you still desire to serve pages as root then\n"
- "\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n"
- "\tand then rebuild the server.\n"
- "\tIt is strongly suggested that you instead modify the User\n"
- "\tdirective in your httpd.conf file to list a non-root\n"
- "\tuser.\n";
- }
-#endif
-
- return NULL;
-}
-
-AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
-
- unixd_config.group_id = ap_gname2id(arg);
-
- return NULL;
-}
-AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
- const char *arg)
-{
- const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
- if (err != NULL) {
- return err;
- }
- if (!ap_is_directory(cmd->pool, arg)) {
- return "ChrootDir must be a valid directory";
- }
-
- unixd_config.chroot_dir = arg;
- return NULL;
-}
-
-AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
-{
- apr_finfo_t wrapper;
-
- unixd_config.user_name = DEFAULT_USER;
- unixd_config.user_id = ap_uname2id(DEFAULT_USER);
- unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
-
- unixd_config.chroot_dir = NULL; /* none */
-
- /* Check for suexec */
- unixd_config.suexec_enabled = 0;
- if ((apr_stat(&wrapper, SUEXEC_BIN,
- APR_FINFO_NORM, ptemp)) != APR_SUCCESS) {
- return;
- }
-
- if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
- unixd_config.suexec_enabled = 1;
- }
-}
-
AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
const char *arg, const char * arg2, int type)
projects / apache / commitdiff