1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "ap_config.h"
18 #include "httpd.h"
19 #include "http_config.h"
20 #include "http_main.h"
21 #include "http_log.h"
22 #include "unixd.h"
23 #include "mpm_common.h"
24 #include "os.h"
25 #include "ap_mpm.h"
26 #include "apr_thread_proc.h"
27 #include "apr_strings.h"
28 #include "apr_portable.h"
29 #ifdef HAVE_PWD_H
30 #include <pwd.h>
31 #endif
32 #ifdef HAVE_SYS_RESOURCE_H
33 #include <sys/resource.h>
34 #endif
35 /* XXX */
36 #include <sys/stat.h>
37 #ifdef HAVE_UNISTD_H
38 #include <unistd.h>
39 #endif
40 #ifdef HAVE_GRP_H
41 #include <grp.h>
42 #endif
43 #ifdef HAVE_STRINGS_H
44 #include <strings.h>
45 #endif
46 #ifdef HAVE_SYS_SEM_H
47 #include <sys/sem.h>
48 #endif
49 #ifdef HAVE_SYS_PRCTL_H
50 #include <sys/prctl.h>
51 #endif
52
53 unixd_config_rec ap_unixd_config;
54
55 APLOG_USE_MODULE(core);
56
ap_unixd_set_rlimit(cmd_parms * cmd,struct rlimit ** plimit,const char * arg,const char * arg2,int type)57 AP_DECLARE(void) ap_unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
58 const char *arg,
59 const char * arg2, int type)
60 {
61 #if (defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)) && APR_HAVE_STRUCT_RLIMIT && APR_HAVE_GETRLIMIT
62 char *str;
63 struct rlimit *limit;
64 /* If your platform doesn't define rlim_t then typedef it in ap_config.h */
65 rlim_t cur = 0;
66 rlim_t max = 0;
67
68 *plimit = (struct rlimit *)apr_pcalloc(cmd->pool, sizeof(**plimit));
69 limit = *plimit;
70 if ((getrlimit(type, limit)) != 0) {
71 *plimit = NULL;
72 ap_log_error(APLOG_MARK, APLOG_ERR, errno, cmd->server, APLOGNO(02172)
73 "%s: getrlimit failed", cmd->cmd->name);
74 return;
75 }
76
77 if ((str = ap_getword_conf(cmd->pool, &arg))) {
78 if (!strcasecmp(str, "max")) {
79 cur = limit->rlim_max;
80 }
81 else {
82 cur = atol(str);
83 }
84 }
85 else {
86 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02173)
87 "Invalid parameters for %s", cmd->cmd->name);
88 return;
89 }
90
91 if (arg2 && (str = ap_getword_conf(cmd->pool, &arg2))) {
92 max = atol(str);
93 }
94
95 /* if we aren't running as root, cannot increase max */
96 if (geteuid()) {
97 limit->rlim_cur = cur;
98 if (max && (max > limit->rlim_max)) {
99 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02174)
100 "Must be uid 0 to raise maximum %s", cmd->cmd->name);
101 }
102 else if (max) {
103 limit->rlim_max = max;
104 }
105 }
106 else {
107 if (cur) {
108 limit->rlim_cur = cur;
109 }
110 if (max) {
111 limit->rlim_max = max;
112 }
113 }
114 #else
115
116 ap_log_error(APLOG_MARK, APLOG_ERR, 0, cmd->server, APLOGNO(02175)
117 "Platform does not support rlimit for %s", cmd->cmd->name);
118 #endif
119 }
120
121 APR_HOOK_STRUCT(
122 APR_HOOK_LINK(get_suexec_identity)
123 )
124
125 AP_IMPLEMENT_HOOK_RUN_FIRST(ap_unix_identity_t *, get_suexec_identity,
126 (const request_rec *r), (r), NULL)
127
ap_unix_create_privileged_process(apr_proc_t * newproc,const char * progname,const char * const * args,const char * const * env,apr_procattr_t * attr,ap_unix_identity_t * ugid,apr_pool_t * p)128 static apr_status_t ap_unix_create_privileged_process(
129 apr_proc_t *newproc, const char *progname,
130 const char * const *args,
131 const char * const *env,
132 apr_procattr_t *attr, ap_unix_identity_t *ugid,
133 apr_pool_t *p)
134 {
135 int i = 0;
136 const char **newargs;
137 char *newprogname;
138 char *execuser, *execgroup;
139 const char *argv0;
140
141 if (!ap_unixd_config.suexec_enabled) {
142 return apr_proc_create(newproc, progname, args, env, attr, p);
143 }
144
145 argv0 = ap_strrchr_c(progname, '/');
146 /* Allow suexec's "/" check to succeed */
147 if (argv0 != NULL) {
148 argv0++;
149 }
150 else {
151 argv0 = progname;
152 }
153
154
155 if (ugid->userdir) {
156 execuser = apr_psprintf(p, "~%ld", (long) ugid->uid);
157 }
158 else {
159 execuser = apr_psprintf(p, "%ld", (long) ugid->uid);
160 }
161 execgroup = apr_psprintf(p, "%ld", (long) ugid->gid);
162
163 if (!execuser || !execgroup) {
164 return APR_ENOMEM;
165 }
166
167 i = 0;
168 while (args[i])
169 i++;
170 /* allocate space for 4 new args, the input args, and a null terminator */
171 newargs = apr_palloc(p, sizeof(char *) * (i + 4));
172 newprogname = SUEXEC_BIN;
173 newargs[0] = SUEXEC_BIN;
174 newargs[1] = execuser;
175 newargs[2] = execgroup;
176 newargs[3] = apr_pstrdup(p, argv0);
177
178 /*
179 ** using a shell to execute suexec makes no sense thus
180 ** we force everything to be APR_PROGRAM, and never
181 ** APR_SHELLCMD
182 */
183 if(apr_procattr_cmdtype_set(attr, APR_PROGRAM) != APR_SUCCESS) {
184 return APR_EGENERAL;
185 }
186
187 i = 1;
188 do {
189 newargs[i + 3] = args[i];
190 } while (args[i++]);
191
192 return apr_proc_create(newproc, newprogname, newargs, env, attr, p);
193 }
194
ap_os_create_privileged_process(const request_rec * r,apr_proc_t * newproc,const char * progname,const char * const * args,const char * const * env,apr_procattr_t * attr,apr_pool_t * p)195 AP_DECLARE(apr_status_t) ap_os_create_privileged_process(
196 const request_rec *r,
197 apr_proc_t *newproc, const char *progname,
198 const char * const *args,
199 const char * const *env,
200 apr_procattr_t *attr, apr_pool_t *p)
201 {
202 ap_unix_identity_t *ugid = ap_run_get_suexec_identity(r);
203
204 if (ugid == NULL) {
205 return apr_proc_create(newproc, progname, args, env, attr, p);
206 }
207
208 return ap_unix_create_privileged_process(newproc, progname, args, env,
209 attr, ugid, p);
210 }
211
212 /* XXX move to APR and externalize (but implement differently :) ) */
proc_mutex_mech(apr_proc_mutex_t * pmutex)213 static apr_lockmech_e proc_mutex_mech(apr_proc_mutex_t *pmutex)
214 {
215 const char *mechname = apr_proc_mutex_name(pmutex);
216
217 if (!strcmp(mechname, "sysvsem")) {
218 return APR_LOCK_SYSVSEM;
219 }
220 else if (!strcmp(mechname, "flock")) {
221 return APR_LOCK_FLOCK;
222 }
223 return APR_LOCK_DEFAULT;
224 }
225
ap_unixd_set_proc_mutex_perms(apr_proc_mutex_t * pmutex)226 AP_DECLARE(apr_status_t) ap_unixd_set_proc_mutex_perms(apr_proc_mutex_t *pmutex)
227 {
228 if (!geteuid()) {
229 apr_lockmech_e mech = proc_mutex_mech(pmutex);
230
231 switch(mech) {
232 #if APR_HAS_SYSVSEM_SERIALIZE
233 case APR_LOCK_SYSVSEM:
234 {
235 apr_os_proc_mutex_t ospmutex;
236 #if !APR_HAVE_UNION_SEMUN
237 union semun {
238 long val;
239 struct semid_ds *buf;
240 unsigned short *array;
241 };
242 #endif
243 union semun ick;
244 struct semid_ds buf = { { 0 } };
245
246 apr_os_proc_mutex_get(&ospmutex, pmutex);
247 buf.sem_perm.uid = ap_unixd_config.user_id;
248 buf.sem_perm.gid = ap_unixd_config.group_id;
249 buf.sem_perm.mode = 0600;
250 ick.buf = &buf;
251 if (semctl(ospmutex.crossproc, 0, IPC_SET, ick) < 0) {
252 return errno;
253 }
254 }
255 break;
256 #endif
257 #if APR_HAS_FLOCK_SERIALIZE
258 case APR_LOCK_FLOCK:
259 {
260 const char *lockfile = apr_proc_mutex_lockfile(pmutex);
261
262 if (lockfile) {
263 if (chown(lockfile, ap_unixd_config.user_id,
264 -1 /* no gid change */) < 0) {
265 return errno;
266 }
267 }
268 }
269 break;
270 #endif
271 default:
272 /* do nothing */
273 break;
274 }
275 }
276 return APR_SUCCESS;
277 }
278
ap_unixd_set_global_mutex_perms(apr_global_mutex_t * gmutex)279 AP_DECLARE(apr_status_t) ap_unixd_set_global_mutex_perms(apr_global_mutex_t *gmutex)
280 {
281 #if !APR_PROC_MUTEX_IS_GLOBAL
282 apr_os_global_mutex_t osgmutex;
283 apr_os_global_mutex_get(&osgmutex, gmutex);
284 return ap_unixd_set_proc_mutex_perms(osgmutex.proc_mutex);
285 #else /* APR_PROC_MUTEX_IS_GLOBAL */
286 /* In this case, apr_proc_mutex_t and apr_global_mutex_t are the same. */
287 return ap_unixd_set_proc_mutex_perms(gmutex);
288 #endif /* APR_PROC_MUTEX_IS_GLOBAL */
289 }
290
ap_unixd_accept(void ** accepted,ap_listen_rec * lr,apr_pool_t * ptrans)291 AP_DECLARE(apr_status_t) ap_unixd_accept(void **accepted, ap_listen_rec *lr,
292 apr_pool_t *ptrans)
293 {
294 apr_socket_t *csd;
295 apr_status_t status;
296 #ifdef _OSD_POSIX
297 int sockdes;
298 #endif
299
300 *accepted = NULL;
301 status = apr_socket_accept(&csd, lr->sd, ptrans);
302 if (status == APR_SUCCESS) {
303 *accepted = csd;
304 #ifdef _OSD_POSIX
305 apr_os_sock_get(&sockdes, csd);
306 if (sockdes >= FD_SETSIZE) {
307 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ap_server_conf, APLOGNO(02176)
308 "new file descriptor %d is too large; you probably need "
309 "to rebuild Apache with a larger FD_SETSIZE "
310 "(currently %d)",
311 sockdes, FD_SETSIZE);
312 apr_socket_close(csd);
313 return APR_EINTR;
314 }
315 #endif
316 return APR_SUCCESS;
317 }
318
319 if (APR_STATUS_IS_EINTR(status)) {
320 return status;
321 }
322 /* Our old behaviour here was to continue after accept()
323 * errors. But this leads us into lots of troubles
324 * because most of the errors are quite fatal. For
325 * example, EMFILE can be caused by slow descriptor
326 * leaks (say in a 3rd party module, or libc). It's
327 * foolish for us to continue after an EMFILE. We also
328 * seem to tickle kernel bugs on some platforms which
329 * lead to never-ending loops here. So it seems best
330 * to just exit in most cases.
331 */
332 switch (status) {
333 #if defined(HPUX11) && defined(ENOBUFS)
334 /* On HPUX 11.x, the 'ENOBUFS, No buffer space available'
335 * error occurs because the accept() cannot complete.
336 * You will not see ENOBUFS with 10.20 because the kernel
337 * hides any occurrence from being returned to user space.
338 * ENOBUFS with 11.x's TCP/IP stack is possible, and could
339 * occur intermittently. As a work-around, we are going to
340 * ignore ENOBUFS.
341 */
342 case ENOBUFS:
343 #endif
344
345 #ifdef EPROTO
346 /* EPROTO on certain older kernels really means
347 * ECONNABORTED, so we need to ignore it for them.
348 * See discussion in new-httpd archives nh.9701
349 * search for EPROTO.
350 *
351 * Also see nh.9603, search for EPROTO:
352 * There is potentially a bug in Solaris 2.x x<6,
353 * and other boxes that implement tcp sockets in
354 * userland (i.e. on top of STREAMS). On these
355 * systems, EPROTO can actually result in a fatal
356 * loop. See PR#981 for example. It's hard to
357 * handle both uses of EPROTO.
358 */
359 case EPROTO:
360 #endif
361 #ifdef ECONNABORTED
362 case ECONNABORTED:
363 #endif
364 /* Linux generates the rest of these, other tcp
365 * stacks (i.e. bsd) tend to hide them behind
366 * getsockopt() interfaces. They occur when
367 * the net goes sour or the client disconnects
368 * after the three-way handshake has been done
369 * in the kernel but before userland has picked
370 * up the socket.
371 */
372 #ifdef ECONNRESET
373 case ECONNRESET:
374 #endif
375 #ifdef ETIMEDOUT
376 case ETIMEDOUT:
377 #endif
378 #ifdef EHOSTUNREACH
379 case EHOSTUNREACH:
380 #endif
381 #ifdef ENETUNREACH
382 case ENETUNREACH:
383 #endif
384 /* EAGAIN/EWOULDBLOCK can be returned on BSD-derived
385 * TCP stacks when the connection is aborted before
386 * we call connect, but only because our listener
387 * sockets are non-blocking (AP_NONBLOCK_WHEN_MULTI_LISTEN)
388 */
389 #ifdef EAGAIN
390 case EAGAIN:
391 #endif
392 #ifdef EWOULDBLOCK
393 #if !defined(EAGAIN) || EAGAIN != EWOULDBLOCK
394 case EWOULDBLOCK:
395 #endif
396 #endif
397 break;
398 #ifdef ENETDOWN
399 case ENETDOWN:
400 /*
401 * When the network layer has been shut down, there
402 * is not much use in simply exiting: the parent
403 * would simply re-create us (and we'd fail again).
404 * Use the CHILDFATAL code to tear the server down.
405 * @@@ Martin's idea for possible improvement:
406 * A different approach would be to define
407 * a new APEXIT_NETDOWN exit code, the reception
408 * of which would make the parent shutdown all
409 * children, then idle-loop until it detected that
410 * the network is up again, and restart the children.
411 * Ben Hyde noted that temporary ENETDOWN situations
412 * occur in mobile IP.
413 */
414 ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, APLOGNO(02177)
415 "apr_socket_accept: giving up.");
416 return APR_EGENERAL;
417 #endif /*ENETDOWN*/
418
419 default:
420 /* If the socket has been closed in ap_close_listeners()
421 * by the restart/stop action, we may get EBADF.
422 * Do not print an error in this case.
423 */
424 if (!lr->active) {
425 ap_log_error(APLOG_MARK, APLOG_DEBUG, status, ap_server_conf, APLOGNO(02178)
426 "apr_socket_accept failed for inactive listener");
427 return status;
428 }
429 ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(02179)
430 "apr_socket_accept: (client socket)");
431 return APR_EGENERAL;
432 }
433 return status;
434 }
435
436
437 #ifdef _OSD_POSIX
438
439 #include "apr_lib.h"
440
441 #define USER_LEN 8
442
443 typedef enum
444 {
445 bs2_unknown, /* not initialized yet. */
446 bs2_noFORK, /* no fork() because -X flag was specified */
447 bs2_FORK, /* only fork() because uid != 0 */
448 bs2_UFORK /* Normally, ufork() is used to switch identities. */
449 } bs2_ForkType;
450
451 static bs2_ForkType forktype = bs2_unknown;
452
453 /* Determine the method for forking off a child in such a way as to
454 * set both the POSIX and BS2000 user id's to the unprivileged user.
455 */
os_forktype(int one_process)456 static bs2_ForkType os_forktype(int one_process)
457 {
458 /* have we checked the OS version before? If yes return the previous
459 * result - the OS release isn't going to change suddenly!
460 */
461 if (forktype == bs2_unknown) {
462 /* not initialized yet */
463
464 /* No fork if the one_process option was set */
465 if (one_process) {
466 forktype = bs2_noFORK;
467 }
468 /* If the user is unprivileged, use the normal fork() only. */
469 else if (getuid() != 0) {
470 forktype = bs2_FORK;
471 }
472 else
473 forktype = bs2_UFORK;
474 }
475 return forktype;
476 }
477
478
479
480 /* This routine complements the setuid() call: it causes the BS2000 job
481 * environment to be switched to the target user's user id.
482 * That is important if CGI scripts try to execute native BS2000 commands.
483 */
os_init_job_environment(server_rec * server,const char * user_name,int one_process)484 int os_init_job_environment(server_rec *server, const char *user_name, int one_process)
485 {
486 bs2_ForkType type = os_forktype(one_process);
487
488 /* We can be sure that no change to uid==0 is possible because of
489 * the checks in http_core.c:set_user()
490 */
491
492 if (one_process) {
493
494 type = forktype = bs2_noFORK;
495
496 ap_log_error(APLOG_MARK, APLOG_ERR, 0, server, APLOGNO(02180)
497 "The debug mode of Apache should only "
498 "be started by an unprivileged user!");
499 return 0;
500 }
501
502 return 0;
503 }
504
505 /* BS2000 requires a "special" version of fork() before a setuid() call */
os_fork(const char * user)506 pid_t os_fork(const char *user)
507 {
508 pid_t pid;
509 char username[USER_LEN+1];
510
511 switch (os_forktype(0)) {
512
513 case bs2_FORK:
514 pid = fork();
515 break;
516
517 case bs2_UFORK:
518 apr_cpystrn(username, user, sizeof username);
519
520 /* Make user name all upper case - for some versions of ufork() */
521 ap_str_toupper(username);
522
523 pid = ufork(username);
524 if (pid == -1 && errno == EPERM) {
525 ap_log_error(APLOG_MARK, APLOG_EMERG, errno,
526 ap_server_conf, APLOGNO(02181) "ufork: Possible mis-configuration "
527 "for user %s - Aborting.", user);
528 exit(1);
529 }
530 break;
531
532 default:
533 pid = 0;
534 break;
535 }
536
537 return pid;
538 }
539
540 #endif /* _OSD_POSIX */
541
542