passenger 2.1.2 → 2.1.3

data/ext/apache2/ApplicationPoolServer.h

@@ -403,7 +403,8 @@ private:
 				UPDATE_TRACE_POINT();
 				data->disconnect();
 				throw IOException("The ApplicationPool server unexpectedly "
-					"closed the connection.");
+					"closed the connection while we're reading a response "
+					"for the 'get' command.");
 			}
 			if (args[0] == "ok") {
 				UPDATE_TRACE_POINT();
@@ -433,7 +434,8 @@ private:
 					}
 					if (!result) {
 						throw IOException("The ApplicationPool server "
-							"unexpectedly closed the connection.");
+							"unexpectedly closed the connection while "
+							"we're reading the error page data.");
 					}
 					throw SpawnException(args[1], errorPage);
 				} else {
@@ -495,7 +497,7 @@ private:
 	void shutdownServer() {
 		TRACE_POINT();
 		this_thread::disable_syscall_interruption dsi;
-		int ret;
+		int ret, status;
 		time_t begin;
 		bool done = false;
 		
@@ -514,21 +516,34 @@ private:
 			 * Some Apache modules fork(), but don't close file descriptors.
 			 * mod_wsgi is one such example. Because of that, closing serverSocket
 			 * won't always cause the ApplicationPool server to exit. So we send it a
+			 * signal. This must be the same as the oxt/system_calls.hpp interruption
 			 * signal.
 			 */
 			syscalls::kill(serverPid, SIGINT);
 			
-			ret = syscalls::waitpid(serverPid, NULL, WNOHANG);
+			ret = syscalls::waitpid(serverPid, &status, WNOHANG);
 			done = ret > 0 || ret == -1;
 			if (!done) {
 				syscalls::usleep(100000);
 			}
 		}
 		if (done) {
-			P_TRACE(2, "ApplicationPoolServerExecutable exited.");
+			if (ret > 0) {
+				if (WIFEXITED(status)) {
+					P_TRACE(2, "ApplicationPoolServerExecutable exited with exit status " <<
+						WEXITSTATUS(status) << ".");
+				} else if (WIFSIGNALED(status)) {
+					P_TRACE(2, "ApplicationPoolServerExecutable exited because of signal " <<
+						WTERMSIG(status) << ".");
+				} else {
+					P_TRACE(2, "ApplicationPoolServerExecutable exited for an unknown reason.");
+				}
+			} else {
+				P_TRACE(2, "ApplicationPoolServerExecutable exited.");
+			}
 		} else {
 			P_DEBUG("ApplicationPoolServerExecutable not exited in time. Killing it...");
-			syscalls::kill(serverPid, SIGTERM);
+			syscalls::kill(serverPid, SIGKILL);
 			syscalls::waitpid(serverPid, NULL, 0);
 		}
 		
@@ -612,17 +627,12 @@ private:
 		TRACE_POINT();
 		char filename[PATH_MAX];
 		int ret;
-		mode_t permissions;
-		
-		createPassengerTempDir();
+		mode_t permissions = S_IRUSR | S_IWUSR;
 		
-		if (m_user.empty()) {
-			permissions = S_IRUSR | S_IWUSR;
-		} else {
-			permissions = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
-		}
+		createPassengerTempDir(getSystemTempDir(), m_user.empty(),
+			"nobody", geteuid(), getegid());
 		
-		snprintf(filename, sizeof(filename), "%s/status.fifo",
+		snprintf(filename, sizeof(filename), "%s/info/status.fifo",
 				getPassengerTempDir().c_str());
 		filename[PATH_MAX - 1] = '\0';
 		do {
@@ -642,6 +652,24 @@ private:
 			do {
 				ret = chmod(filename, permissions);
 			} while (ret == -1 && errno == EINTR);
+			
+			// Set the FIFO's owner according to whether we're running as root
+			// and whether user switching is enabled.
+			if (geteuid() == 0 && !m_user.empty()) {
+				uid_t uid;
+				gid_t gid;
+				
+				determineLowestUserAndGroup(m_user, uid, gid);
+				do {
+					ret = chown(filename, uid, gid);
+				} while (ret == -1 && errno == EINTR);
+				if (errno == -1) {
+					int e = errno;
+					P_WARN("*** WARNING: Unable to set the FIFO file '" <<
+						filename << "' its owner and group to that of user " <<
+						m_user << ": " << strerror(e) << " (" << e << ")");
+				}
+			}
 		}
 	}
 

data/ext/apache2/ApplicationPoolServerExecutable.cpp

@@ -164,34 +164,9 @@ private:
 	 */
 	void lowerPrivilege(const string &username) {
 		struct passwd *entry;
-		int ret, e;
 		
 		entry = getpwnam(username.c_str());
 		if (entry != NULL) {
-			do {
-				ret = chown(getPassengerTempDir().c_str(),
-					entry->pw_uid, entry->pw_gid);
-			} while (ret == -1 && errno == EINTR);
-			if (ret == -1) {
-				e = errno;
-				P_WARN("WARNING: Unable to change owner for directory '" <<
-					getPassengerTempDir() << "' to '" << username <<
-					"': " << strerror(e) << " (" << e << ")");
-			} else {
-				do {
-					ret = chmod(getPassengerTempDir().c_str(),
-						S_IRUSR | S_IWUSR | S_IXUSR);
-				} while (ret == -1 && errno == EINTR);
-				if (ret == -1) {
-					e = errno;
-					P_WARN("WARNING: Unable to change "
-						"permissions for directory " <<
-						getPassengerTempDir() << ": " <<
-						strerror(e) <<
-						" (" << e << ")");
-				}
-			}
-			
 			if (initgroups(username.c_str(), entry->pw_gid) != 0) {
 				int e = errno;
 				P_WARN("WARNING: Unable to lower ApplicationPoolServerExecutable's "
@@ -221,29 +196,22 @@ private:
 	}
 	
 	static void fatalSignalHandler(int signum) {
-		static void (* const defaultHandler)(int) = SIG_DFL;
-		static bool calledBefore = false;
+		char message[1024];
 		
-		if (calledBefore) {
-			// If we're here then it means that this signal
-			// handler crashed, and we weren't even able to
-			// call write() or system()! Abort immediately:
-			defaultHandler(signum);
-		} else {
-			calledBefore = true;
-			write(STDERR_FILENO,
-				"*** ERROR: ApplicationPoolServerExecutable received a "
-				"fatal signal. Running gdb to obtain the backtrace:\n\n",
-				sizeof("*** ERROR: ApplicationPoolServerExecutable caught "
-				       "fatal signal. Running gdb to obtain the backtrace:\n\n") - 1
-			);
-			write(STDERR_FILENO, "----------------- Begin gdb output -----------------\n",
-				sizeof("----------------- Begin gdb output -----------------\n") - 1);
-			system(gdbBacktraceGenerationCommandStr);
-			write(STDERR_FILENO, "----------------- End gdb output -----------------\n",
-				sizeof("----------------- End gdb output -----------------\n") - 1);
-			defaultHandler(signum);
-		}
+		snprintf(message, sizeof(message) - 1,
+			"*** ERROR: ApplicationPoolServerExecutable received fatal signal "
+			"%d. Running gdb to obtain the backtrace:\n\n",
+			signum);
+		message[sizeof(message) - 1] = '\0';
+		write(STDERR_FILENO, message, strlen(message));
+		write(STDERR_FILENO, "----------------- Begin gdb output -----------------\n",
+			sizeof("----------------- Begin gdb output -----------------\n") - 1);
+		system(gdbBacktraceGenerationCommandStr);
+		write(STDERR_FILENO, "----------------- End gdb output -----------------\n",
+			sizeof("----------------- End gdb output -----------------\n") - 1);
+		
+		// Invoke default signal handler.
+		kill(getpid(), signum);
 	}
 	
 	void setupSignalHandlers() {
@@ -259,7 +227,7 @@ private:
 		FILE *f;
 		string gdbCommandFile;
 		
-		gdbCommandFile = getPassengerTempDir() + "/gdb_backtrace_command.txt";
+		gdbCommandFile = getPassengerTempDir() + "/info/gdb_backtrace_command.txt";
 		f = fopen(gdbCommandFile.c_str(), "w");
 		if (f != NULL) {
 			// Write a file which contains commands for gdb to obtain
@@ -276,12 +244,17 @@ private:
 			
 			// Install the signal handlers.
 			action.sa_handler = fatalSignalHandler;
-			action.sa_flags   = 0;
+			action.sa_flags   = SA_RESETHAND;
 			sigemptyset(&action.sa_mask);
-			sigaction(SIGSEGV, &action, NULL);
+			sigaction(SIGQUIT, &action, NULL);
+			sigaction(SIGILL,  &action, NULL);
 			sigaction(SIGABRT, &action, NULL);
-			sigaction(SIGILL, &action, NULL);
-			sigaction(SIGFPE, &action, NULL);
+			sigaction(SIGFPE,  &action, NULL);
+			sigaction(SIGBUS,  &action, NULL);
+			sigaction(SIGSEGV, &action, NULL);
+			sigaction(SIGALRM, &action, NULL);
+			sigaction(SIGUSR1, &action, NULL);
+			sigaction(SIGUSR2, &action, NULL);
 		}
 	}
 
@@ -299,6 +272,8 @@ public:
 		this->serverSocket = serverSocket;
 		this->statusReportFIFO = statusReportFIFO;
 		this->user = user;
+		
+		P_TRACE(2, "ApplicationPoolServerExecutable initialized (PID " << getpid() << ")");
 	}
 	
 	~Server() {

data/ext/apache2/CachedFileStat.h

@@ -103,28 +103,19 @@ public:
 	 * @return 0 if the stat() call succeeded or if no stat() was performed,
 	 *         -1 if something went wrong while statting the file. In the latter
 	 *         case, <tt>errno</tt> will be populated with an appropriate error code.
-	 * @throws SystemException Something went wrong while retrieving the system time.
+	 * @throws SystemException Something went wrong while retrieving the
+	 *         system time. stat() errors will <em>not</em> result in SystemException
+	 *         being thrown.
 	 * @throws boost::thread_interrupted
 	 */
 	int refresh(unsigned int throttleRate) {
 		time_t currentTime;
-		int ret;
 		
 		if (expired(last_time, throttleRate, currentTime)) {
-			ret = stat(filename.c_str(), &info);
-			if (ret == -1 && errno == EINTR) {
-				/* If the stat() call was interrupted, then don't
-				 * update any state so that the caller can call
-				 * this function again without us returning a
-				 * cached EINTR error.
-				 */
-				return -1;
-			} else {
-				last_result = ret;
-				last_errno = errno;
-				last_time = currentTime;
-				return ret;
-			}
+			last_result = syscalls::stat(filename.c_str(), &info);
+			last_errno = errno;
+			last_time = currentTime;
+			return last_result;
 		} else {
 			errno = last_errno;
 			return last_result;

data/ext/apache2/Configuration.h

@@ -41,7 +41,7 @@
  */
 
 /** Module version number. */
-#define PASSENGER_VERSION "2.1.2"
+#define PASSENGER_VERSION "2.1.3"
 
 #ifdef __cplusplus
 	#include <set>
@@ -301,6 +301,14 @@
 					return "nobody";
 				}
 			}
+			
+			const char *getTempDir() const {
+				if (tempDir != NULL) {
+					return tempDir;
+				} else {
+					return getSystemTempDir();
+				}
+			}
 		};
 	}
 

data/ext/apache2/FileChecker.h

@@ -77,7 +77,9 @@ public:
 	 * @param throttleRate When set to a non-zero value, throttling will be
 	 *                     enabled. stat() will be called at most once per
 	 *                     throttleRate seconds.
-	 * @throws SystemException Something went wrong.
+	 * @throws SystemException Something went wrong while retrieving the
+	 *         system time. stat() errors will <em>not</em> result in SystemException
+	 *         being thrown.
 	 * @throws boost::thread_interrupted
 	 */
 	bool changed(unsigned int throttleRate = 0) {
@@ -85,10 +87,7 @@ public:
 		time_t ctime, mtime;
 		bool result;
 		
-		do {
-			ret = cstat.refresh(throttleRate);
-		} while (ret == -1 && errno == EINTR);
-		
+		ret = cstat.refresh(throttleRate);
 		if (ret == -1) {
 			ctime = 0;
 			mtime = 0;

data/ext/apache2/Hooks.cpp

@@ -53,6 +53,7 @@
 #include <apr_pools.h>
 #include <apr_strings.h>
 #include <apr_lib.h>
+#include <unixd.h>
 
 using namespace std;
 using namespace Passenger;
@@ -403,7 +404,7 @@ private:
 			apr_bucket *b;
 			Application::SessionPtr session;
 			bool expectingUploadData;
-			shared_ptr<TempFile> uploadData;
+			shared_ptr<BufferedUpload> uploadData;
 			
 			expectingUploadData = ap_should_client_block(r);
 			if (expectingUploadData && atol(lookupHeader(r, "Content-Length"))
@@ -490,11 +491,12 @@ private:
 				// The API documentation for ap_scan_script_err_brigade() says it
 				// returns HTTP_OK on success, but it actually returns OK.
 				
-				// Manually set the Status header because
-				// ap_scan_script_header_err_brigade() filters it
-				// out. Some broken HTTP clients depend on the
-				// Status header for retrieving the HTTP status.
-				if (!r->status_line && *r->status_line == '\0') {
+				/* Manually set the Status header because
+				 * ap_scan_script_header_err_brigade() filters it
+				 * out. Some broken HTTP clients depend on the
+				 * Status header for retrieving the HTTP status.
+				 */
+				if (!r->status_line || *r->status_line == '\0') {
 					r->status_line = apr_psprintf(r->pool,
 						"%d Unknown Status",
 						r->status);
@@ -680,9 +682,9 @@ private:
 		return APR_SUCCESS;
 	}
 	
-	shared_ptr<TempFile> receiveRequestBody(request_rec *r) {
+	shared_ptr<BufferedUpload> receiveRequestBody(request_rec *r) {
 		TRACE_POINT();
-		shared_ptr<TempFile> tempFile(new TempFile());
+		shared_ptr<BufferedUpload> tempFile(new BufferedUpload());
 		char buf[1024 * 32];
 		apr_off_t len;
 		size_t total_written = 0;
@@ -696,7 +698,7 @@ private:
 					string message("An error occured while "
 						"buffering HTTP upload data to "
 						"a temporary file in ");
-					message.append(getTempDir());
+					message.append(BufferedUpload::getDir());
 					if (e == ENOSPC) {
 						message.append(". Please make sure "
 							"that this directory has "
@@ -723,10 +725,9 @@ private:
 		return tempFile;
 	}
 	
-	void sendRequestBody(request_rec *r, Application::SessionPtr &session, shared_ptr<TempFile> &uploadData) {
+	void sendRequestBody(request_rec *r, Application::SessionPtr &session, shared_ptr<BufferedUpload> &uploadData) {
 		TRACE_POINT();
 		rewind(uploadData->handle);
-		P_DEBUG("File upload: Content-Length = " << lookupHeader(r, "Content-Length"));
 		while (!feof(uploadData->handle)) {
 			char buf[1024 * 32];
 			size_t size;
@@ -765,29 +766,26 @@ public:
 		const char *ruby, *user;
 		string applicationPoolServerExe, spawnServer;
 		
-		if (config->tempDir != NULL) {
-			setenv("TMPDIR", config->tempDir, 1);
-		} else {
-			unsetenv("TMPDIR");
-		}
 		/*
 		 * As described in the comment in init_module, upon (re)starting
 		 * Apache, the Hooks constructor is called twice. We unset
-		 * PHUSION_PASSENGER_TMP before calling createPassengerTmpDir()
+		 * PASSENGER_INSTANCE_TEMP_DIR before calling createPassengerTempDir()
 		 * because we want the temp directory's name to contain the PID
 		 * of the process in which the Hooks constructor was called for
 		 * the second time.
 		 */
-		unsetenv("PHUSION_PASSENGER_TMP");
-		createPassengerTempDir();
+		unsetenv("TMPDIR");
+		unsetenv("PASSENGER_INSTANCE_TEMP_DIR");
+		createPassengerTempDir(config->getTempDir(), config->userSwitching,
+			config->getDefaultUser(), unixd_config.user_id,
+			unixd_config.group_id);
+		setenv("TMPDIR", (getPassengerTempDir() + "/var").c_str(), 1);
 		
 		ruby = (config->ruby != NULL) ? config->ruby : DEFAULT_RUBY_COMMAND;
 		if (config->userSwitching) {
 			user = "";
-		} else if (config->defaultUser != NULL) {
-			user = config->defaultUser;
 		} else {
-			user = "nobody";
+			user = config->getDefaultUser();
 		}
 		
 		if (config->root == NULL) {

data/ext/apache2/SpawnManager.h

@@ -326,6 +326,12 @@ private:
 		
 		UPDATE_TRACE_POINT();
 		if (args[2] == "unix") {
+			/* Set tighter permissions on the spawned backend process's
+			 * Unix socket. We try to make it only readable and writable
+			 * by the process that contains the application pool, because
+			 * all attempts to connect to a backend process happens
+			 * through the application pool.
+			 */
 			int ret;
 			do {
 				ret = chmod(args[1].c_str(), S_IRUSR | S_IWUSR);

data/ext/apache2/StandardApplicationPool.h

@@ -356,6 +356,12 @@ private:
 		return result.str();
 	}
 	
+	/**
+	 * Checks whether the given application domain needs to be restarted.
+	 *
+	 * @throws SystemException Something went wrong while retrieving the system time.
+	 * @throws boost::thread_interrupted
+	 */
 	bool needsRestart(const string &appRoot, Domain *domain, const PoolOptions &options) {
 		return domain->alwaysRestartFileStatter.refresh(options.statThrottleRate) == 0
 		    || domain->restartFileChecker.changed(options.statThrottleRate);

data/ext/apache2/Utils.cpp

@@ -19,6 +19,7 @@
  */
 
 #include <cassert>
+#include <pwd.h>
 #include "CachedFileStat.h"
 #include "Utils.h"
 
@@ -217,8 +218,25 @@ escapeForXml(const string &input) {
 	return result;
 }
 
+void
+determineLowestUserAndGroup(const string &user, uid_t &uid, gid_t &gid) {
+	struct passwd *ent;
+	
+	ent = getpwnam(user.c_str());
+	if (ent == NULL) {
+		ent = getpwnam("nobody");
+	}
+	if (ent == NULL) {
+		uid = (uid_t) -1;
+		gid = (gid_t) -1;
+	} else {
+		uid = ent->pw_uid;
+		gid = ent->pw_gid;
+	}
+}
+
 const char *
-getTempDir() {
+getSystemTempDir() {
 	const char *temp_dir = getenv("TMPDIR");
 	if (temp_dir == NULL || *temp_dir == '\0') {
 		temp_dir = "/tmp";
@@ -227,11 +245,11 @@ getTempDir() {
 }
 
 string
-getPassengerTempDir(bool bypassCache) {
+getPassengerTempDir(bool bypassCache, const string &systemTempDir) {
 	if (bypassCache) {
 		goto calculateResult;
 	} else {
-		const char *tmp = getenv("PHUSION_PASSENGER_TMP");
+		const char *tmp = getenv("PASSENGER_INSTANCE_TEMP_DIR");
 		if (tmp != NULL && *tmp != '\0') {
 			return tmp;
 		} else {
@@ -240,25 +258,141 @@ getPassengerTempDir(bool bypassCache) {
 	}
 
 	calculateResult:
-	const char *temp_dir = getTempDir();
+	const char *temp_dir;
 	char buffer[PATH_MAX];
 	
+	if (systemTempDir.empty()) {
+		temp_dir = getSystemTempDir();
+	} else {
+		temp_dir = systemTempDir.c_str();
+	}
 	snprintf(buffer, sizeof(buffer), "%s/passenger.%lu",
 		temp_dir, (unsigned long) getpid());
 	buffer[sizeof(buffer) - 1] = '\0';
-	setenv("PHUSION_PASSENGER_TMP", buffer, 1);
+	setenv("PASSENGER_INSTANCE_TEMP_DIR", buffer, 1);
 	return buffer;
 }
 
 void
-createPassengerTempDir() {
-	makeDirTree(getPassengerTempDir().c_str(), "u=rwxs,g=wx,o=wx");
+createPassengerTempDir(const string &systemTempDir, bool userSwitching,
+                       const string &lowestUser, uid_t workerUid, gid_t workerGid) {
+	string tmpDir(getPassengerTempDir(false, systemTempDir));
+	uid_t lowestUid;
+	gid_t lowestGid;
+	
+	determineLowestUserAndGroup(lowestUser, lowestUid, lowestGid);
+	
+	/* Create the temp directory with the current user as owner (which
+	 * is root if the web server was started as root). Only the owner
+	 * may write to this directory. Everybody else may only access the
+	 * directory. The permissions on the subdirectories will determine
+	 * whether a user may access that specific subdirectory.
+	 */
+	makeDirTree(tmpDir, "u=wxs,g=x,o=x");
+	
+	/* We want this upload buffer directory to be only accessible by the web server's
+	 * worker processs.
+	 *
+	 * It only makes sense to chown webserver_private to workerUid and workerGid if the web server
+	 * is actually able to change the user of the worker processes. That is, if the web server
+	 * is running as root.
+	 */
+	if (geteuid() == 0) {
+		makeDirTree(tmpDir + "/webserver_private", "u=wxs,g=,o=", workerUid, workerGid);
+	} else {
+		makeDirTree(tmpDir + "/webserver_private", "u=wxs,g=,o=");
+	}
+	
+	/* If the web server is running as root (i.e. user switching is possible to begin with)
+	 * but user switching is off...
+	 */
+	if (geteuid() == 0 && !userSwitching) {
+		/* ...then the 'info' subdirectory must be owned by lowestUser, so that only root
+		 * or lowestUser can query Phusion Passenger information.
+		 */
+		makeDirTree(tmpDir + "/info", "u=rwxs,g=,o=", lowestUid, lowestGid);
+	} else {
+		/* Otherwise just use the current user and the directory's owner.
+		 * This way, only the user that the web server's control process
+		 * is running as will be able to query information.
+		 */
+		makeDirTree(tmpDir + "/info", "u=rwxs,g=,o=");
+	}
+	
+	if (geteuid() == 0) {
+		if (userSwitching) {
+			/* If user switching is possible and turned on, then each backend
+			 * process may be running as a different user, so the backends
+			 * subdirectory must be world-writable. However we don't want
+			 * everybody to be able to know the sockets' filenames, so
+			 * the directory is not readable, not even by its owner.
+			 */
+			makeDirTree(tmpDir + "/backends", "u=wxs,g=wx,o=wx");
+		} else {
+			/* If user switching is off then all backend processes will be
+			 * running as lowestUser, so make lowestUser the owner of the
+			 * directory. Nobody else (except root) may access this directory.
+			 *
+			 * The directory is not readable as a security precaution:
+			 * nobody should be able to know the sockets' filenames without
+			 * having access to the application pool.
+			 */
+			makeDirTree(tmpDir + "/backends", "u=wxs,g=,o=", lowestUid, lowestGid);
+		}
+	} else {
+		/* If user switching is not possible then all backend processes will
+		 * be running as the same user as the web server. So we'll make the
+		 * backends subdirectory only writable by this user. Nobody else
+		 * (except root) may access this subdirectory.
+		 *
+		 * The directory is not readable as a security precaution:
+		 * nobody should be able to know the sockets' filenames without having
+		 * access to the application pool.
+		 */
+		makeDirTree(tmpDir + "/backends", "u=wxs,g=,o=");
+	}
+	
+	if (geteuid() == 0) {
+		if (userSwitching) {
+			/* If user switching is possible and is on, then each backend
+			 * process may be running as a different user. So make the var
+			 * directory world-writable.
+			 *
+			 * The directory is not readable as a security precaution.
+			 */
+			makeDirTree(tmpDir + "/var", "u=wxs,g=wx,o=wx");
+		} else {
+			/* If user switching is off then all backend processes
+			 * will be running as lowestUser, so make lowestUser the
+			 * owner of the var directory. Only lowestUser may access
+			 * the directory.
+			 *
+			 * The directory is not readble as a security precaution.
+			 */
+			makeDirTree(tmpDir + "/var", "u=wxs,g=,o=", lowestUid, lowestGid);
+		}
+	} else {
+		/* If user switching is not possible then all backend processes will
+		 * be running as the same user as the web server. So we'll make the
+		 * var subdirectory only accessible by this user. Nobody else
+		 * (except root) may access this subdirectory.
+		 *
+		 * The directory is not readble as a security precaution.
+		 */
+		makeDirTree(tmpDir + "/var", "u=wxs,g=,o=");
+	}
 }
 
 void
-makeDirTree(const char *path, const char *mode) {
+makeDirTree(const string &path, const char *mode, uid_t owner, gid_t group) {
 	char command[PATH_MAX + 10];
-	snprintf(command, sizeof(command), "mkdir -p -m \"%s\" \"%s\"", mode, path);
+	struct stat buf;
+	
+	if (stat(path.c_str(), &buf) == 0) {
+		return;
+	}
+	
+	snprintf(command, sizeof(command), "mkdir -p -m \"%s\" \"%s\"", mode, path.c_str());
 	command[sizeof(command) - 1] = '\0';
 	
 	int result;
@@ -269,7 +403,8 @@ makeDirTree(const char *path, const char *mode) {
 		char message[1024];
 		int e = errno;
 		
-		snprintf(message, sizeof(message) - 1, "Cannot create directory '%s'", path);
+		snprintf(message, sizeof(message) - 1, "Cannot create directory '%s'",
+			path.c_str());
 		message[sizeof(message) - 1] = '\0';
 		if (result == -1) {
 			throw SystemException(message, e);
@@ -277,24 +412,47 @@ makeDirTree(const char *path, const char *mode) {
 			throw IOException(message);
 		}
 	}
+	
+	if (owner != (uid_t) -1 && group != (gid_t) -1) {
+		do {
+			result = chown(path.c_str(), owner, group);
+		} while (result == -1 && errno == EINTR);
+		if (result != 0) {
+			char message[1024];
+			int e = errno;
+			
+			snprintf(message, sizeof(message) - 1,
+				"Cannot change the directory '%s' its UID to %lld and GID to %lld",
+				path.c_str(), (long long) owner, (long long) group);
+			message[sizeof(message) - 1] = '\0';
+			throw FileSystemException(message, e, path);
+		}
+	}
 }
 
 void
-removeDirTree(const char *path) {
-	char command[PATH_MAX + 10];
-	snprintf(command, sizeof(command), "rm -rf \"%s\"", path);
+removeDirTree(const string &path) {
+	char command[PATH_MAX + 30];
+	int result;
+	
+	snprintf(command, sizeof(command), "chmod -R u+rwx \"%s\" 2>/dev/null", path.c_str());
 	command[sizeof(command) - 1] = '\0';
+	do {
+		result = system(command);
+	} while (result == -1 && errno == EINTR);
 	
-	int result;
+	snprintf(command, sizeof(command), "rm -rf \"%s\"", path.c_str());
+	command[sizeof(command) - 1] = '\0';
 	do {
 		result = system(command);
 	} while (result == -1 && errno == EINTR);
 	if (result == -1) {
 		char message[1024];
+		int e = errno;
 		
-		snprintf(message, sizeof(message) - 1, "Cannot create directory '%s'", path);
+		snprintf(message, sizeof(message) - 1, "Cannot remove directory '%s'", path.c_str());
 		message[sizeof(message) - 1] = '\0';
-		throw IOException(message);
+		throw FileSystemException(message, e, path);
 	}
 }