Exemple #1
/*
 * Directive handler that selects the account the server runs as.
 *
 * The directive is accepted only where ap_check_cmd_context() allows
 * GLOBAL_ONLY; a context error is handed back unchanged.  The name is
 * stored as given and resolved to a numeric id with ap_uname2id().
 *
 * Unless the build defines BIG_SECURITY_HOLE or OS2, a resolved id of 0 is
 * refused with the explanatory text below, so running as root has to be a
 * deliberate compile-time choice rather than a configuration slip.
 *
 * Returns NULL on success, otherwise a static error string.
 */
AP_DECLARE(const char *) unixd_set_user(cmd_parms *cmd, void *dummy,
                                        const char *arg)
{
    const char *ctx_err = ap_check_cmd_context(cmd, GLOBAL_ONLY);

    if (ctx_err) {
        return ctx_err;
    }

    unixd_config.user_name = arg;
    unixd_config.user_id = ap_uname2id(arg);

#if defined(BIG_SECURITY_HOLE) || defined(OS2)
    /* Root check compiled out: any resolved id is accepted. */
    return NULL;
#else
    if (unixd_config.user_id != 0) {
        return NULL;
    }

    /* Note: user_name/user_id were already written above; the error return
     * is what reports the rejection to the caller. */
    return "Error:\tApache has not been designed to serve pages while\n"
           "\trunning as root.  There are known race conditions that\n"
           "\twill allow any local user to read any file on the system.\n"
           "\tIf you still desire to serve pages as root then\n"
           "\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n"
           "\tand then rebuild the server.\n"
           "\tIt is strongly suggested that you instead modify the User\n"
           "\tdirective in your httpd.conf file to list a non-root\n"
           "\tuser.\n";
#endif
}
/*
 * Handler for the VHostUser directive (the name appears in the error text).
 *
 * Resolves arg with ap_uname2id() and stores the result in this server's
 * privileges_module configuration.  A resolved id of 0 is rejected, so this
 * directive cannot select uid 0 for a virtual host.
 *
 * Returns NULL on success, or an error string allocated from cmd->pool.
 */
static const char *vhost_user(cmd_parms *cmd, void *dir, const char *arg)
{
    priv_cfg *vhost_cfg;

    vhost_cfg = ap_get_module_config(cmd->server->module_config,
                                     &privileges_module);
    vhost_cfg->uid = ap_uname2id(arg);

    if (vhost_cfg->uid != 0) {
        return NULL;
    }

    /* The 0 has already been stored in the config at this point; the error
     * string is the only signal that the value was refused. */
    return apr_pstrcat(cmd->pool, "Invalid userid for VHostUser: ",
                       arg, NULL);
}
/*
 * Directive handler: record the default uid/gid pair in this server's
 * process_security_module configuration.
 *
 * The directive is refused wherever ap_check_cmd_context() rejects
 * NOT_IN_DIR_LOC_FILE | NOT_IN_LIMIT.  Both names are resolved with
 * ap_uname2id() / ap_gname2id() and stored as numeric ids.
 *
 * NOTE(review): nothing in this function rejects an id of 0; whether a
 * root default is refused elsewhere cannot be seen from here - confirm.
 *
 * Returns NULL on success or the context error string.
 */
static const char *set_defuidgid(cmd_parms *cmd, void *mconfig, const char *uid, const char *gid)
{
    process_security_config_t *sec_conf;
    const char *ctx_err;

    sec_conf = ap_get_module_config(cmd->server->module_config, &process_security_module);
    ctx_err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE | NOT_IN_LIMIT);
    if (ctx_err) {
        return ctx_err;
    }

    sec_conf->default_uid = ap_uname2id(uid);
    sec_conf->default_gid = ap_gname2id(gid);
    return NULL;
}
Exemple #4
/*
 * Directive handler: store the uid/gid pair for one directory-level
 * configuration record (mconfig is the ruid_dir_config_t to fill in).
 *
 * The directive is refused wherever ap_check_cmd_context() rejects
 * NOT_IN_FILES | NOT_IN_LIMIT.  Names are resolved with ap_uname2id() and
 * ap_gname2id().
 *
 * NOTE(review): no lower bound or root check is applied to the resolved
 * ids in this function; any such limit would have to be enforced where
 * the ids are used - confirm.
 *
 * Returns NULL on success or the context error string.
 */
static const char *set_uidgid (cmd_parms *cmd, void *mconfig, const char *uid, const char *gid)
{
	const char *ctx_err = ap_check_cmd_context (cmd, NOT_IN_FILES | NOT_IN_LIMIT);
	ruid_dir_config_t *dir_conf = mconfig;

	if (ctx_err)
		return ctx_err;

	dir_conf->ruid_uid = ap_uname2id(uid);
	dir_conf->ruid_gid = ap_gname2id(gid);
	return NULL;
}
Exemple #5
/*
 * Directive handler: store min_uid / min_gid in the server-wide ruid2_module
 * configuration.
 *
 * The directive is refused wherever ap_check_cmd_context() rejects
 * NOT_IN_DIR_LOC_FILE | NOT_IN_LIMIT.  Names are resolved with
 * ap_uname2id() and ap_gname2id().
 *
 * NOTE(review): the field names suggest these are the lowest ids the module
 * will switch to; the comparison itself is not in this function - confirm
 * where it is enforced.
 *
 * Returns NULL on success or the context error string.
 */
static const char *set_minuidgid (cmd_parms *cmd, void *mconfig, const char *uid, const char *gid)
{
	UNUSED(mconfig);

	ruid_config_t *srv_conf = ap_get_module_config (cmd->server->module_config, &ruid2_module);
	const char *ctx_err = ap_check_cmd_context (cmd, NOT_IN_DIR_LOC_FILE | NOT_IN_LIMIT);

	if (ctx_err)
		return ctx_err;

	srv_conf->min_uid = ap_uname2id(uid);
	srv_conf->min_gid = ap_gname2id(gid);
	return NULL;
}
Exemple #6
/*
 * Reset unixd_config to its compiled-in defaults before the configuration
 * is read, and detect whether the suexec wrapper can be used.
 *
 * user_name/user_id/group_id are taken from DEFAULT_USER and DEFAULT_GROUP.
 * suexec_enabled starts at 0 and is switched on only when SUEXEC_BIN can be
 * stat'ed, has the APR_USETID protection bit and is owned by uid 0; a
 * wrapper that is missing, not set-id or owned by another account leaves
 * suexec disabled.
 *
 * ptemp is the pool handed to apr_stat().
 */
AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
{
    apr_finfo_t suexec_info;

    unixd_config.user_name = DEFAULT_USER;
    unixd_config.user_id = ap_uname2id(DEFAULT_USER);
    unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);

    /* Disabled unless every condition on the wrapper binary holds. */
    unixd_config.suexec_enabled = 0;

    if (apr_stat(&suexec_info, SUEXEC_BIN, APR_FINFO_NORM, ptemp) == APR_SUCCESS
        && (suexec_info.protection & APR_USETID)
        && suexec_info.user == 0) {
        unixd_config.suexec_enabled = 1;
    }
}
Exemple #7
/*
 * Handler for the SuexecUserGroup directive (named in the warning text).
 *
 * mconfig is the suexec_config_t to fill in.  The directive is refused
 * wherever ap_check_cmd_context() rejects NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT.
 *
 * When unixd_config.suexec_enabled is set, uid and gid are resolved with
 * ap_uname2id() / ap_gname2id(), userdir is cleared and the record is
 * marked active.  When it is not set, only a warning is written to stderr
 * and NULL is still returned: the directive is dropped and the caller sees
 * success, so the requested identity is not applied.
 *
 * Returns NULL, or the context error string.
 */
static const char *set_suexec_ugid(cmd_parms *cmd, void *mconfig,
                                   const char *uid, const char *gid)
{
    suexec_config_t *suexec_cfg = mconfig;
    const char *ctx_err;

    ctx_err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
    if (ctx_err) {
        return ctx_err;
    }

    if (!unixd_config.suexec_enabled) {
        /* Not an error for the parser: warn and leave the record untouched. */
        fprintf(stderr,
                "Warning: SuexecUserGroup directive requires SUEXEC wrapper.\n");
        return NULL;
    }

    suexec_cfg->ugid.uid = ap_uname2id(uid);
    suexec_cfg->ugid.gid = ap_gname2id(gid);
    suexec_cfg->ugid.userdir = 0;
    suexec_cfg->active = 1;
    return NULL;
}
Exemple #8
/*
 * Handler for the SuexecUserGroup directive (named in the error text).
 *
 * mconfig is the suexec_config_t to fill in.  The directive is refused
 * wherever ap_check_cmd_context() rejects NOT_IN_DIR_CONTEXT.
 *
 * If ap_unixd_config.suexec_enabled is not set, the directive fails with an
 * error that includes ap_unixd_config.suexec_disabled_reason, so a
 * configuration that asks for a user/group switch is not accepted when the
 * switch cannot happen.  Otherwise uid and gid are resolved with
 * ap_uname2id() / ap_gname2id(), userdir is cleared and the record is
 * marked active.
 *
 * Returns NULL on success, the context error, or an error string allocated
 * from cmd->pool.
 */
static const char *set_suexec_ugid(cmd_parms *cmd, void *mconfig,
                                   const char *uid, const char *gid)
{
    suexec_config_t *suexec_cfg = mconfig;
    const char *ctx_err;

    ctx_err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
    if (ctx_err) {
        return ctx_err;
    }

    if (ap_unixd_config.suexec_enabled) {
        suexec_cfg->ugid.uid = ap_uname2id(uid);
        suexec_cfg->ugid.gid = ap_gname2id(gid);
        suexec_cfg->ugid.userdir = 0;
        suexec_cfg->active = 1;
        return NULL;
    }

    return apr_pstrcat(cmd->pool, "SuexecUserGroup configured, but "
                       "suEXEC is disabled: ",
                       ap_unixd_config.suexec_disabled_reason, NULL);
}
Exemple #9
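/*******************************************************************************
 * Configure a static FastCGI server that is started/managed elsewhere.
 *
 * arg holds the server path followed by its options.  Exactly one of -host
 * or -socket must be given.  Accepted options: -host, -socket,
 * -appConnTimeout, -idle-timeout, -nph, -pass-header, -flush, -user, -group
 * and -fixPaths (-user and -group are refused on WIN32).
 *
 * cmd   - directive context; cmd->pool (p) holds the server record,
 *         cmd->temp_pool (tp) holds error strings and scratch words.
 * dummy - not used.
 * arg   - remainder of the directive line.
 *
 * Returns NULL on success, otherwise an error string for the config parser.
 *
 * The -user/-group words and both "#<id>" defaults are allocated from p,
 * the pool the fcgi_server record itself comes from, so the record's
 * identity strings have the same lifetime as the record.
 */
const char *fcgi_config_new_external_server(cmd_parms *cmd, void *dummy, const char *arg)
{
    fcgi_server *s;
    pool * const p = cmd->pool, *tp = cmd->temp_pool;
    const char * const name = cmd->cmd->name;
    char *fs_path = ap_getword_conf(p, &arg);
    const char *option, *err;

    err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE);
    if (err) {
        return err;
    }

    if (!*fs_path) {
        return ap_pstrcat(tp, name, " requires a path and either a -socket or -host option", NULL);
    }

    /* Normalise the path before it is used as the lookup key below, so two
     * spellings of the same path are not treated as different servers. */
#ifdef APACHE2
    if (apr_filepath_merge(&fs_path, "", fs_path, 0, p))
        return ap_psprintf(tp, "%s %s: invalid filepath", name, fs_path);
#else
    fs_path = ap_os_canonical_filename(p, fs_path);
#endif

    fs_path = ap_server_root_relative(p, fs_path);

    ap_getparents(fs_path);
    ap_no2slash(fs_path);

    /* See if we've already got one of these bettys configured */
    s = fcgi_util_fs_get_by_id(fs_path, fcgi_util_get_server_uid(cmd->server),
                               fcgi_util_get_server_gid(cmd->server));
    if (s != NULL) {
        if (fcgi_wrapper) {
            return ap_psprintf(tp,
                "%s: redefinition of a previously defined class \"%s\" "
                "with uid=%ld and gid=%ld",
                name, fs_path, (long) fcgi_util_get_server_uid(cmd->server),
                (long) fcgi_util_get_server_gid(cmd->server));
        }
        else
        {
            return ap_psprintf(tp,
                "%s: redefinition of previously defined class \"%s\"", name, fs_path);
        }
    }

    s = fcgi_util_fs_new(p);
    s->fs_path = fs_path;
    s->directive = APP_CLASS_EXTERNAL;

    /*  Parse directive arguments */
    while (*arg != '\0') {
        option = ap_getword_conf(tp, &arg);

        if (strcasecmp(option, "-host") == 0) {
            if ((err = get_host_n_port(p, &arg, &s->host, &s->port)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-socket") == 0) {
            /* Scratch copy only: replaced by a p-allocated absolute path
             * further down when the socket branch is taken. */
            s->socket_path = ap_getword_conf(tp, &arg);
            if (*s->socket_path == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
        }
        else if (strcasecmp(option, "-appConnTimeout") == 0) {
            if ((err = get_u_int(tp, &arg, &s->appConnectTimeout, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-idle-timeout") == 0) {
            if ((err = get_u_int(tp, &arg, &s->idle_timeout, 1)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-nph") == 0) {
            s->nph = 1;
        }
        else if (strcasecmp(option, "-pass-header") == 0) {
            if ((err = get_pass_header(p, &arg, &s->pass_headers)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-flush") == 0) {
            s->flush = 1;
        }
        else if (strcasecmp(option, "-user") == 0) {
#ifdef WIN32
            return ap_psprintf(tp,
                "%s %s: the -user option isn't supported on WIN", name, fs_path);
#else
            /* Kept in the record, so allocate from p rather than tp. */
            s->user = ap_getword_conf(p, &arg);
            if (*s->user == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
#endif
        }
        else if (strcasecmp(option, "-group") == 0) {
#ifdef WIN32
            return ap_psprintf(tp,
                "%s %s: the -group option isn't supported on WIN", name, fs_path);
#else
            /* Kept in the record, so allocate from p rather than tp. */
            s->group = ap_getword_conf(p, &arg);
            if (*s->group == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
#endif
        }
        else if (strcasecmp(option, "-fixPaths") == 0) {
            s->fixPaths = 1;
        }
        else {
            return ap_psprintf(tp, "%s %s: invalid option: %s", name, fs_path, option);
        }
    } /* while */


#ifndef WIN32
    if (fcgi_wrapper)
    {
        /* With a wrapper configured, an omitted -user/-group falls back to
         * this server's own uid/gid, written in "#<number>" form. */
        if (s->group == NULL)
        {
            s->group = ap_psprintf(p, "#%ld", (long)fcgi_util_get_server_gid(cmd->server));
        }

        if (s->user == NULL)
        {
            s->user = ap_psprintf(p, "#%ld", (long)fcgi_util_get_server_uid(cmd->server));
        }

        /* NOTE(review): no check here rejects a resolved id of 0; whether
         * fcgi_util_fs_set_uid_n_gid() refuses it is not visible - confirm. */
        s->uid = ap_uname2id(s->user);
        s->gid = ap_gname2id(s->group);
    }
    else if (s->user || s->group)
    {
        /* Without a wrapper the requested identity is not applied; the
         * operator only gets this warning. */
        ap_log_error(FCGI_LOG_WARN, cmd->server, "FastCGI: there is no "
                     "fastcgi wrapper set, user/group options are ignored");
    }

    /* NOTE(review): when no wrapper is set, s->uid and s->gid still hold
     * whatever fcgi_util_fs_new() left in them - confirm the callee
     * tolerates that. */
    if ((err = fcgi_util_fs_set_uid_n_gid(p, s, s->uid, s->gid)))
    {
        return ap_psprintf(tp,
            "%s %s: invalid user or group: %s", name, fs_path, err);
    }
#endif /* !WIN32 */

    /* Require one of -socket or -host, but not both */
    if (s->socket_path != NULL && s->port != 0) {
        return ap_psprintf(tp,
            "%s %s: -host and -socket are mutually exclusive options",
            name, fs_path);
    }
    if (s->socket_path == NULL && s->port == 0) {
        return ap_psprintf(tp,
            "%s %s: -socket or -host option missing", name, fs_path);
    }

    /* Build the appropriate sockaddr structure */
    if (s->port != 0) {
        err = fcgi_util_socket_make_inet_addr(p, (struct sockaddr_in **)&s->socket_addr,
            &s->socket_addr_len, s->host, s->port);
        if (err != NULL)
            return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);
    } else {

        /* First use of the socket directory: fall back to the default. */
        if (fcgi_socket_dir == NULL)
        {
#ifdef WIN32
            fcgi_socket_dir = DEFAULT_SOCK_DIR;
#else
            fcgi_socket_dir = ap_server_root_relative(p, DEFAULT_SOCK_DIR);
#endif
        }

        s->socket_path = fcgi_util_socket_make_path_absolute(p, s->socket_path, 0);
#ifndef WIN32
        err = fcgi_util_socket_make_domain_addr(p, (struct sockaddr_un **)&s->socket_addr,
                                  &s->socket_addr_len, s->socket_path);
        if (err != NULL)
            return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);
#endif
    }

    /* Add it to the list of FastCGI servers */
    fcgi_util_fs_add(s);

    return NULL;
}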
Exemple #10
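/*******************************************************************************
 * Configure a static FastCGI server.
 *
 * arg holds the application path followed by its options.  Accepted
 * options: -processes, -restart-delay, -init-start-delay, -min-server-life,
 * -priority, -listen-queue-depth, -appConnTimeout, -idle-timeout, -port,
 * -socket, -initial-env, -pass-header, -flush, -nph, -user and -group
 * (-user and -group are refused on WIN32).  -port and -socket are mutually
 * exclusive; with neither, a socket name is generated.
 *
 * cmd   - directive context; cmd->pool (p) holds the server record,
 *         cmd->temp_pool (tp) holds error strings and scratch data.
 * dummy - not used.
 * arg   - remainder of the directive line.
 *
 * Returns NULL on success, otherwise an error string for the config parser.
 *
 * The -user/-group words and both "#<id>" defaults are allocated from p,
 * the pool the fcgi_server record itself comes from, so the record's
 * identity strings have the same lifetime as the record.  The
 * -min-server-life error now names the server path like every other option.
 */
const char *fcgi_config_new_static_server(cmd_parms *cmd, void *dummy, const char *arg)
{
    fcgi_server *s;
    pool *p = cmd->pool, *tp = cmd->temp_pool;
    const char *name = cmd->cmd->name;
    char *fs_path = ap_getword_conf(p, &arg);
    const char *option, *err;

    /* Allocate temp storage for the array of initial environment variables */
    /* NOTE(review): the array has MAX_INIT_ENV_VARS + 3 slots; the bound on
     * envc is presumably enforced inside get_env_var() - confirm. */
    char **envp = ap_pcalloc(tp, sizeof(char *) * (MAX_INIT_ENV_VARS + 3));
    unsigned int envc = 0;

#ifdef WIN32
    HANDLE mutex;
#endif

    err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE);
    if (err)
    {
        return err;
    }

    if (*fs_path == '\0')
        return "AppClass requires a pathname!?";

    if ((err = fcgi_config_set_fcgi_uid_n_gid(1)) != NULL)
        return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);

    /* Normalise the path before it is used as the lookup key below, so two
     * spellings of the same path are not treated as different servers. */
#ifdef APACHE2
    if (apr_filepath_merge(&fs_path, "", fs_path, 0, p))
        return ap_psprintf(tp, "%s %s: invalid filepath", name, fs_path);
#else
    fs_path = ap_os_canonical_filename(p, fs_path);
#endif
    fs_path = ap_server_root_relative(p, fs_path);

    ap_getparents(fs_path);
    ap_no2slash(fs_path);

    /* See if we've already got one of these configured */
    s = fcgi_util_fs_get_by_id(fs_path, fcgi_util_get_server_uid(cmd->server),
                               fcgi_util_get_server_gid(cmd->server));
    if (s != NULL) {
        if (fcgi_wrapper) {
            return ap_psprintf(tp,
                "%s: redefinition of a previously defined FastCGI "
                "server \"%s\" with uid=%ld and gid=%ld",
                name, fs_path, (long) fcgi_util_get_server_uid(cmd->server),
                (long) fcgi_util_get_server_gid(cmd->server));
        }
        else {
            return ap_psprintf(tp,
                "%s: redefinition of a previously defined FastCGI server \"%s\"",
                name, fs_path);
        }
    }

    /* Reject the application path up front if the helper finds it unusable. */
    err = fcgi_util_fs_is_path_ok(tp, fs_path, NULL);
    if (err != NULL) {
        return ap_psprintf(tp, "%s: \"%s\" %s", name, fs_path, err);
    }

    s = fcgi_util_fs_new(p);
    s->fs_path = fs_path;
    s->directive = APP_CLASS_STANDARD;
    s->restartOnExit = TRUE;
    s->numProcesses = 1;

#ifdef WIN32

    /* TCP FastCGI applications require SystemRoot be present in the environment
     * Put it in both for consistency to the application */
    fcgi_config_set_env_var(p, envp, &envc, "SystemRoot");

    mutex = CreateMutex(NULL, FALSE, fs_path);

    if (mutex == NULL)
    {
        ap_log_error(FCGI_LOG_ALERT, fcgi_apache_main_server,
            "FastCGI: CreateMutex() failed");
        return "failed to create FastCGI application accept mutex";
    }

    /* The handle is made inheritable and its value is published to the
     * application through the environment string below. */
    SetHandleInformation(mutex, HANDLE_FLAG_INHERIT, TRUE);

    /* NOTE(review): a HANDLE is passed for a %ld conversion; the argument
     * type does not match the specifier - confirm on 64-bit builds. */
    s->mutex_env_string = ap_psprintf(p, "_FCGI_MUTEX_=%ld", mutex);

#endif

    /*  Parse directive arguments */
    while (*arg) {
        option = ap_getword_conf(tp, &arg);

        if (strcasecmp(option, "-processes") == 0) {
            if ((err = get_u_int(tp, &arg, &s->numProcesses, 1)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-restart-delay") == 0) {
            if ((err = get_u_int(tp, &arg, &s->restartDelay, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-init-start-delay") == 0) {
            if ((err = get_int(tp, &arg, &s->initStartDelay, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-min-server-life") == 0) {
            /* Pass fs_path like the other options so the message says
             * which server the bad value belongs to. */
            if ((err = get_u_int(tp, &arg, &s->minServerLife, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-priority") == 0) {
            if ((err = get_u_int(tp, &arg, &s->processPriority, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-listen-queue-depth") == 0) {
            if ((err = get_u_int(tp, &arg, &s->listenQueueDepth, 1)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-appConnTimeout") == 0) {
            if ((err = get_u_int(tp, &arg, &s->appConnectTimeout, 0)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-idle-timeout") == 0) {
            if ((err = get_u_int(tp, &arg, &s->idle_timeout, 1)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-port") == 0) {
            if ((err = get_u_short(tp, &arg, &s->port, 1)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-socket") == 0) {
            /* Scratch copy only: replaced by a p-allocated absolute path
             * further down when the socket branch is taken. */
            s->socket_path = ap_getword_conf(tp, &arg);
            if (*s->socket_path == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
        }
        else if (strcasecmp(option, "-initial-env") == 0) {
            if ((err = get_env_var(p, &arg, envp, &envc)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-pass-header") == 0) {
            if ((err = get_pass_header(p, &arg, &s->pass_headers)))
                return invalid_value(tp, name, fs_path, option, err);
        }
        else if (strcasecmp(option, "-flush") == 0) {
            s->flush = 1;
        }
        else if (strcasecmp(option, "-nph") == 0) {
            s->nph = 1;
        }
        else if (strcasecmp(option, "-user") == 0) {
#ifdef WIN32
            return ap_psprintf(tp,
                "%s %s: the -user option isn't supported on WIN", name, fs_path);
#else
            /* Kept in the record, so allocate from p rather than tp. */
            s->user = ap_getword_conf(p, &arg);
            if (*s->user == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
#endif
        }
        else if (strcasecmp(option, "-group") == 0) {
#ifdef WIN32
            return ap_psprintf(tp,
                "%s %s: the -group option isn't supported on WIN", name, fs_path);
#else
            /* Kept in the record, so allocate from p rather than tp. */
            s->group = ap_getword_conf(p, &arg);
            if (*s->group == '\0')
                return invalid_value(tp, name, fs_path, option, "\"\"");
#endif
        }
        else {
            return ap_psprintf(tp, "%s %s: invalid option: %s", name, fs_path, option);
        }
    } /* while */

#ifndef WIN32
    if (fcgi_wrapper)
    {
        /* With a wrapper configured, an omitted -user/-group falls back to
         * this server's own uid/gid, written in "#<number>" form. */
        if (s->group == NULL)
        {
            s->group = ap_psprintf(p, "#%ld", (long)fcgi_util_get_server_gid(cmd->server));
        }

        if (s->user == NULL)
        {
            s->user = ap_psprintf(p, "#%ld", (long)fcgi_util_get_server_uid(cmd->server));
        }

        /* NOTE(review): no check here rejects a resolved id of 0; whether
         * fcgi_util_fs_set_uid_n_gid() refuses it is not visible - confirm. */
        s->uid = ap_uname2id(s->user);
        s->gid = ap_gname2id(s->group);
    }
    else if (s->user || s->group)
    {
        /* Without a wrapper the requested identity is not applied; the
         * operator only gets this warning. */
        ap_log_error(FCGI_LOG_WARN, cmd->server, "FastCGI: there is no "
                     "fastcgi wrapper set, user/group options are ignored");
    }

    /* NOTE(review): when no wrapper is set, s->uid and s->gid still hold
     * whatever fcgi_util_fs_new() left in them - confirm the callee
     * tolerates that. */
    if ((err = fcgi_util_fs_set_uid_n_gid(p, s, s->uid, s->gid)))
    {
        return ap_psprintf(tp,
            "%s %s: invalid user or group: %s", name, fs_path, err);
    }
#endif /* !WIN32 */

    if (s->socket_path != NULL && s->port != 0) {
        return ap_psprintf(tp,
                "%s %s: -port and -socket are mutually exclusive options",
                name, fs_path);
    }

    /* Move env array to a surviving pool */
    s->envp = (char **)ap_pcalloc(p, sizeof(char *) * (envc + 4));
    memcpy(s->envp, envp, sizeof(char *) * envc);

    /* Initialize process structs */
    s->procs = fcgi_util_fs_create_procs(p, s->numProcesses);

    /* Build the appropriate sockaddr structure */
    if (s->port != 0) {
        err = fcgi_util_socket_make_inet_addr(p, (struct sockaddr_in **)&s->socket_addr,
                                &s->socket_addr_len, NULL, s->port);
        if (err != NULL)
            return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);
#ifdef WIN32
        err = fcgi_util_socket_make_inet_addr(p, (struct sockaddr_in **)&s->dest_addr,
                                          &s->socket_addr_len, "localhost", s->port);
        if (err != NULL)
            return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);
#endif
    } else {
        /* No -socket given: derive a name from the path and the user/group
         * strings via the hashing helper. */
        if (s->socket_path == NULL)
             s->socket_path = fcgi_util_socket_hash_filename(tp, fs_path, s->user, s->group);

        /* First use of the socket directory: fall back to the default. */
        if (fcgi_socket_dir == NULL)
        {
#ifdef WIN32
            fcgi_socket_dir = DEFAULT_SOCK_DIR;
#else
            fcgi_socket_dir = ap_server_root_relative(p, DEFAULT_SOCK_DIR);
#endif
        }

        s->socket_path = fcgi_util_socket_make_path_absolute(p, s->socket_path, 0);
#ifndef WIN32
        err = fcgi_util_socket_make_domain_addr(p, (struct sockaddr_un **)&s->socket_addr,
                                  &s->socket_addr_len, s->socket_path);
        if (err != NULL)
            return ap_psprintf(tp, "%s %s: %s", name, fs_path, err);
#endif
    }

    /* Add it to the list of FastCGI servers */
    fcgi_util_fs_add(s);

    return NULL;
}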