[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[myserver-commit] [SCM] GNU MyServer branch, master, updated. a175b9733e
|
From: |
Giuseppe Scrivano |
|
Subject: |
[myserver-commit] [SCM] GNU MyServer branch, master, updated. a175b9733e1c41bae691347f11773f35ffcc4865 |
|
Date: |
Sun, 27 Sep 2009 13:45:37 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU MyServer".
The branch, master has been updated
via a175b9733e1c41bae691347f11773f35ffcc4865 (commit)
via f95977c5721f0abc385d811632079c163c7ec752 (commit)
from b78c1582c451a266d9cdb97c4d01634a1a6c766d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a175b9733e1c41bae691347f11773f35ffcc4865
Author: Giuseppe Scrivano <address@hidden>
Date: Sun Sep 27 15:45:26 2009 +0200
Processes spawned by the ProcessServerManager and CGI ones can specify a
different chroot
diff --git a/myserver/documentation/process_security.texi
b/myserver/documentation/process_security.texi
index 4b7ece9..fb89869 100644
--- a/myserver/documentation/process_security.texi
+++ b/myserver/documentation/process_security.texi
@@ -33,6 +33,13 @@ of the new process with both uid and gid to 1000.
<DEFINE name="cgi.gid" value="1000" />
@end example
+It is also possible to specify a new root directory location using the
+cgi.chroot attribute:
+
address@hidden
+<DEFINE name="cgi.chroot" value="/some/where" />
address@hidden example
+
@section Fork Server
In a POSIX environment the @code{fork} syscall is used to execute new
processes. It clones the caller process keeping any open file or
@@ -71,7 +78,7 @@ FastCGI/SCGI configuration inside MIME types by its name.
<DEFINE name="server.process_servers">
<DEFINE server="/opt/bin/fastcgi_server" domain="fastcgi"
host="localhost" port="2010" local="yes" uid="1000"
- gid="1000"/>
+ chroot="/chroot" gid="1000"/>
</DEFINE>
@end example
@@ -88,6 +95,11 @@ It is possible to specify a different uid/gid for the local
server
process and don't maintain the original myserver process privileges.
It can be done using the @code{uid} and @code{gid} elements.
+Also, it is possible to use a different root directory, mapping the
address@hidden/} path to what is specied in the @code{chroot} attribute.
+Any file lookup can't go upper what is specied in the chroot. Pay
+attention that any path specified in @code{server} must be relative to
+the new chroot.
The following code, declare an already running FastCGI server and
registers it on the @code{fcgi} extension:
diff --git a/myserver/include/base/process/process_server_manager.h
b/myserver/include/base/process/process_server_manager.h
index 2725b6a..1d5754d 100644
--- a/myserver/include/base/process/process_server_manager.h
+++ b/myserver/include/base/process/process_server_manager.h
@@ -51,7 +51,7 @@ public:
string host;
Process process;
u_short port;
- struct ServerDomain* sd;
+ struct ServerDomain *sd;
bool isLocal;
void terminate()
@@ -67,7 +67,7 @@ public:
struct ServerDomain
{
string domainName;
- HashMap<string, vector<Server*>* > servers;
+ HashMap<string, vector<Server*> *> servers;
void (*clear)(Server*);
ServerDomain()
{
@@ -75,30 +75,31 @@ public:
}
};
- ServerDomain* createDomain(const char* name);
- ServerDomain* getDomain(const char* name);
+ ServerDomain *createDomain(const char *name);
+ ServerDomain *getDomain(const char *name);
void clear();
- Server* getServer(const char* domain, const char* name, int seed = 0);
+ Server *getServer(const char *domain, const char *name, int seed = 0);
ProcessServerManager();
~ProcessServerManager();
- int connect(Socket* sock, Server* server);
+ int connect(Socket *sock, Server *server);
void setMaxServers(int max){maxServers = max;}
int getMaxServers(){return maxServers;}
- void removeDomain(const char* domain);
- int domainServers(const char* domain);
+ void removeDomain(const char *domain);
+ int domainServers(const char *domain);
void load();
- Server* runAndAddServer(const char* domain, const char* name,
- int uid = 0, int gid = 0, u_short port = 0);
- Server* addRemoteServer(const char* domain, const char* name,
-
const char* host, u_short port);
+ Server *runAndAddServer(const char *domain, const char *name,
+ const char *chroot = NULL, int uid = 0,
+ int gid = 0, u_short port = 0);
+ Server *addRemoteServer(const char *domain, const char *name,
+
const char *host, u_short port);
private:
int maxServers;
int nServers;
Mutex mutex;
HashMap<string, ServerDomain*> domains;
- int runServer(Server* server, const char* path, int uid = 0,
- int gid = 0, u_short port = 0);
- void addServer(Server* server, const char* domain, const char* name);
+ int runServer (Server *server, const char *path, u_short port = 0,
+ const char *chroot = NULL, int uid = 0, int gid = 0);
+ void addServer (Server *server, const char *domain, const char *name);
};
#endif
diff --git a/myserver/src/base/process/process_server_manager.cpp
b/myserver/src/base/process/process_server_manager.cpp
index 701106b..4ce9f32 100644
--- a/myserver/src/base/process/process_server_manager.cpp
+++ b/myserver/src/base/process/process_server_manager.cpp
@@ -58,6 +58,7 @@ void ProcessServerManager::load ()
string localKey ("local");
string uidKey ("uid");
string gidKey ("gid");
+ string chrootKey ("chroot");
list<NodeTree<string>*> *children = node->getChildren ();
@@ -69,6 +70,7 @@ void ProcessServerManager::load ()
string host;
string name;
string port;
+ const char *chroot = NULL;
string local;
bool localBool = true;
int uid = 0;
@@ -97,6 +99,9 @@ void ProcessServerManager::load ()
if (n->getAttr (gidKey))
gid = atoi (n->getAttr (gidKey)->c_str ());
+ if (n->getAttr (chrootKey))
+ chroot = n->getAttr (chrootKey)->c_str ();
+
if (!local.compare("YES") || !local.compare("yes"))
localBool = true;
else
@@ -110,7 +115,7 @@ void ProcessServerManager::load ()
portN = atoi (port.c_str());
if (localBool)
- runAndAddServer (domain.c_str(), name.c_str(), uid, gid, portN);
+ runAndAddServer (domain.c_str(), name.c_str(), chroot, uid, gid,
portN);
else
{
if (portN)
@@ -236,22 +241,22 @@ ProcessServerManager::getServer(const char* domain, const
char* name, int seed)
if(s && s->isLocal && !s->process.isProcessAlive())
{
- s->socket.close();
- s->process.terminateProcess();
- if(!s->path.length())
- s->path.assign(name);
+ s->socket.close ();
+ s->process.terminateProcess ();
+ if (!s->path.length ())
+ s->path.assign (name);
s->port = 0;
- if(runServer(s, s->path.c_str(), s->port))
- {
- sd->servers.remove(name);
- delete s;
- s = 0;
- }
+ if (runServer (s, s->path.c_str(), s->port))
+ {
+ sd->servers.remove (name);
+ delete s;
+ s = 0;
+ }
}
- mutex.unlock();
+ mutex.unlock ();
return s;
}
@@ -359,16 +364,19 @@ int ProcessServerManager::domainServers(const char*
domain)
*Run and add a server to the collection.
*\param domain The server's domain.
*\param path The path to the executable.
+ *\param chroot The new process chroot.
*\param uid User id to use for the new process.
*\param gid Group id to use for the new process.
*\param port Port to use for the server.
*/
ProcessServerManager::Server*
-ProcessServerManager::runAndAddServer(const char* domain, const char* path,
- int uid, int gid, u_short port)
+ProcessServerManager::runAndAddServer(const char *domain, const char *path,
+ const char *chroot, int uid, int gid,
+ u_short port)
{
Server* server = new Server;
- if(runServer(server, path, uid, gid, port))
+
+ if (runServer (server, path, port, chroot, uid, gid))
{
delete server;
return 0;
@@ -381,13 +389,14 @@ ProcessServerManager::runAndAddServer(const char* domain,
const char* path,
*Run a new server.
*\param server The server object.
*\param path The path to the executable.
+ *\param port The listening port.
+ *\param chroot The new process chroot.
*\param uid User id to use for the new process.
*\param gid Group id to use for the new process.
- *\param port The listening port.
*/
-int ProcessServerManager::runServer(ProcessServerManager::Server* server,
- const char* path, int uid, int gid,
- u_short port)
+int ProcessServerManager::runServer (ProcessServerManager::Server* server,
+ const char* path, u_short port,
+ const char *chroot, int uid, int gid)
{
StartProcInfo spi;
MYSERVER_SOCKADDRIN serverSockAddrIn;
@@ -398,10 +407,9 @@ int
ProcessServerManager::runServer(ProcessServerManager::Server* server,
if(nServers >= maxServers)
{
- ostringstream stream;
- stream << "Cannot run process " << path
- << ": Reached max number of servers";
- ::Server::getInstance()->log(stream.str().c_str(), MYSERVER_LOG_MSG_ERROR);
+ ::Server::getInstance()->log(MYSERVER_LOG_MSG_ERROR,
+ _("Cannot run process %s: Reached max number of
servers"),
+ path);
return 1;
}
@@ -448,6 +456,8 @@ int
ProcessServerManager::runServer(ProcessServerManager::Server* server,
spi.arg.assign(moreArg);
spi.cmdLine.assign(path);
server->path.assign(path);
+ if (chroot)
+ spi.chroot.assign (chroot);
spi.uid = uid;
spi.gid = gid;
diff --git a/myserver/src/http_handler/cgi/cgi.cpp
b/myserver/src/http_handler/cgi/cgi.cpp
index 7851192..16fbe10 100644
--- a/myserver/src/http_handler/cgi/cgi.cpp
+++ b/myserver/src/http_handler/cgi/cgi.cpp
@@ -239,14 +239,18 @@ int Cgi::send (HttpThreadContext* td, const char*
scriptpath,
spi.cmdLine = cmdLine.str ();
spi.cwd.assign (td->scriptDir);
- spi.gid = atoi (td->securityToken.getData ("cgi.gid", MYSERVER_VHOST_CONF |
- MYSERVER_MIME_CONF |
- MYSERVER_SECURITY_CONF |
- MYSERVER_SERVER_CONF,
"0"));
- spi.uid = atoi (td->securityToken.getData ("cgi.uid", MYSERVER_VHOST_CONF |
- MYSERVER_MIME_CONF |
- MYSERVER_SECURITY_CONF |
- MYSERVER_SERVER_CONF,
"0"));
+ spi.gid = atoi (td->securityToken.getData ("cgi.gid", MYSERVER_VHOST_CONF |
+ MYSERVER_MIME_CONF |
+ MYSERVER_SECURITY_CONF |
+ MYSERVER_SERVER_CONF, "0"));
+ spi.uid = atoi (td->securityToken.getData ("cgi.uid", MYSERVER_VHOST_CONF |
+ MYSERVER_MIME_CONF |
+ MYSERVER_SECURITY_CONF |
+ MYSERVER_SERVER_CONF, "0"));
+ spi.chroot.assign (td->securityToken.getData ("cgi.chroot",
MYSERVER_VHOST_CONF |
+ MYSERVER_MIME_CONF |
+ MYSERVER_SECURITY_CONF |
+ MYSERVER_SERVER_CONF, ""));
spi.stdError = (FileHandle) stdOutFile.getWriteHandle ();
spi.stdIn = (FileHandle) stdInFile.getHandle ();
commit f95977c5721f0abc385d811632079c163c7ec752
Author: Giuseppe Scrivano <address@hidden>
Date: Sun Sep 27 14:58:59 2009 +0200
A new process creation supports a chroot now.
diff --git a/myserver/include/base/process/process.h
b/myserver/include/base/process/process.h
index cd9a405..421c8a9 100644
--- a/myserver/include/base/process/process.h
+++ b/myserver/include/base/process/process.h
@@ -66,6 +66,11 @@ struct StartProcInfo
/*! Pointer to a NULL terminated array of
* file pointers to close. */
FileHandle *handlesToClose;
+
+ /* If the length > 0 then change the current root
+ directory to the specified value before execute
+ the process. */
+ string chroot;
};
class Process
@@ -81,6 +86,7 @@ public:
int exec (StartProcInfo *spi, bool waitEnd = false);
int terminateProcess();
int isProcessAlive();
+ static int chroot (const char *root);
static int setuid(const char*);
static int setgid(const char*);
static int setAdditionalGroups(u_long len, u_long *groups);
diff --git a/myserver/src/base/process/fork_server.cpp
b/myserver/src/base/process/fork_server.cpp
index a57d49e..9c88288 100644
--- a/myserver/src/base/process/fork_server.cpp
+++ b/myserver/src/base/process/fork_server.cpp
@@ -127,6 +127,7 @@ int ForkServer::handleRequest (Socket *sock)
char *exec;
char *cwd;
char *arg;
+ char *chroot;
char *env;
readInt (sock, &flags);
@@ -147,6 +148,7 @@ int ForkServer::handleRequest (Socket *sock)
readString (sock, &cwd);
readString (sock, &arg);
+ readString (sock, &chroot);
string argS (arg);
@@ -180,10 +182,9 @@ int ForkServer::handleRequest (Socket *sock)
spi.stdIn = stdIn;
spi.stdOut = stdOut;
spi.stdError = stdErr;
-
spi.uid.assign (uid);
spi.gid.assign (gid);
-
+ spi.chroot.assign (chroot);
spi.cmd.assign (exec);
spi.arg.assign (arg);
spi.cwd.assign (cwd);
@@ -201,6 +202,7 @@ int ForkServer::handleRequest (Socket *sock)
delete [] cwd;
delete [] arg;
delete [] env;
+ delete [] chroot;
if (flags & FLAG_USE_IN)
close (stdIn);
@@ -210,9 +212,8 @@ int ForkServer::handleRequest (Socket *sock)
if (flags & FLAG_USE_ERR)
close (stdErr);
-
- return 0;
#endif
+
return 0;
}
@@ -316,6 +317,7 @@ int ForkServer::executeProcess (StartProcInfo *spi,
writeString (&sock, spi->cmd.c_str (), spi->cmd.length ());
writeString (&sock, spi->cwd.c_str (), spi->cwd.length ());
writeString (&sock, spi->arg.c_str (), spi->arg.length ());
+ writeString (&sock, spi->chroot.c_str (), spi->chroot.length ());
if (env)
for (len = 0; env[len] != '\0' || env[len + 1] != '\0' ; len++);
diff --git a/myserver/src/base/process/process.cpp
b/myserver/src/base/process/process.cpp
index 180ffff..4291c88 100644
--- a/myserver/src/base/process/process.cpp
+++ b/myserver/src/base/process/process.cpp
@@ -135,6 +135,20 @@ int Process::generateArgList (const char **args, size_t
size, const char *proc,
return 0;
}
+/*!
+ * Change the process root directory to the specified one.
+ * \param root The new root directory.
+ * On success 0 is returned.
+ */
+int Process::chroot (const char *root)
+{
+#ifdef WIN32
+ return -1;
+#else
+ return chroot (root);
+#endif
+}
+
/*!
* Generate the env array for execve.
@@ -232,11 +246,14 @@ int Process::exec (StartProcInfo* spi, bool waitEnd)
const char *envp[size];
const char *args[size];
- if (spi->gid.length ())
- Process::setgid (spi->gid.c_str ());
+ if (spi->chroot.length () && Process::chroot (spi->chroot.c_str ()))
+ exit (1);
+
+ if (spi->gid.length () && Process::setgid (spi->gid.c_str ()))
+ exit (1);
- if (spi->uid.length ())
- Process::setuid (spi->uid.c_str ());
+ if (spi->uid.length () && Process::setuid (spi->uid.c_str ()))
+ exit (1);
if (generateArgList (args, size, spi->cmd.c_str (), spi->arg))
exit (1);
@@ -245,7 +262,7 @@ int Process::exec (StartProcInfo* spi, bool waitEnd)
exit (1);
if (spi->cwd.length ()
- && chdir ((const char*)(spi->cwd.c_str())) == -1)
+ && chdir (spi->cwd.c_str()) == -1)
exit (1);
if ((long)spi->stdOut == -1)
-----------------------------------------------------------------------
Summary of changes:
myserver/documentation/process_security.texi | 14 +++++-
myserver/include/base/process/process.h | 6 ++
.../include/base/process/process_server_manager.h | 31 ++++++-----
myserver/src/base/process/fork_server.cpp | 10 ++--
myserver/src/base/process/process.cpp | 27 ++++++++--
.../src/base/process/process_server_manager.cpp | 56 ++++++++++++--------
myserver/src/http_handler/cgi/cgi.cpp | 20 ++++---
7 files changed, 108 insertions(+), 56 deletions(-)
hooks/post-receive
--
GNU MyServer
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [myserver-commit] [SCM] GNU MyServer branch, master, updated. a175b9733e1c41bae691347f11773f35ffcc4865,
Giuseppe Scrivano <=