passenger 2.1.2 → 2.1.3

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of passenger might be problematic. Click here for more details.

Files changed (244) hide show
  1. data/Rakefile +7 -5
  2. data/doc/Architectural overview.html +729 -1
  3. data/doc/Architectural overview.txt +0 -5
  4. data/doc/Security of user switching support.html +605 -1
  5. data/doc/Users guide.html +110 -106
  6. data/doc/Users guide.txt +49 -0
  7. data/doc/cxxapi/ApplicationPoolServer_8h-source.html +400 -372
  8. data/doc/cxxapi/ApplicationPool_8h-source.html +1 -1
  9. data/doc/cxxapi/Application_8h-source.html +1 -1
  10. data/doc/cxxapi/Bucket_8h-source.html +1 -1
  11. data/doc/cxxapi/CachedFileStat_8h-source.html +56 -65
  12. data/doc/cxxapi/Configuration_8h-source.html +40 -32
  13. data/doc/cxxapi/DirectoryMapper_8h-source.html +1 -1
  14. data/doc/cxxapi/DummySpawnManager_8h-source.html +1 -1
  15. data/doc/cxxapi/Exceptions_8h-source.html +1 -1
  16. data/doc/cxxapi/FileChecker_8h-source.html +29 -30
  17. data/doc/cxxapi/Hooks_8h-source.html +1 -1
  18. data/doc/cxxapi/Logging_8h-source.html +1 -1
  19. data/doc/cxxapi/MessageChannel_8h-source.html +1 -1
  20. data/doc/cxxapi/PoolOptions_8h-source.html +1 -1
  21. data/doc/cxxapi/SpawnManager_8h-source.html +225 -219
  22. data/doc/cxxapi/StandardApplicationPool_8h-source.html +451 -445
  23. data/doc/cxxapi/SystemTime_8h-source.html +1 -1
  24. data/doc/cxxapi/Utils_8h-source.html +201 -140
  25. data/doc/cxxapi/annotated.html +2 -2
  26. data/doc/cxxapi/classClient-members.html +1 -1
  27. data/doc/cxxapi/classClient.html +1 -1
  28. data/doc/cxxapi/classHooks-members.html +1 -1
  29. data/doc/cxxapi/classHooks.html +1 -1
  30. data/doc/cxxapi/classPassenger_1_1Application-members.html +1 -1
  31. data/doc/cxxapi/classPassenger_1_1Application.html +1 -1
  32. data/doc/cxxapi/classPassenger_1_1ApplicationPool-members.html +1 -1
  33. data/doc/cxxapi/classPassenger_1_1ApplicationPool.html +1 -1
  34. data/doc/cxxapi/classPassenger_1_1ApplicationPoolServer-members.html +1 -1
  35. data/doc/cxxapi/classPassenger_1_1ApplicationPoolServer.html +1 -1
  36. data/doc/cxxapi/classPassenger_1_1ApplicationPool__inherit__graph.png +0 -0
  37. data/doc/cxxapi/classPassenger_1_1Application_1_1Session-members.html +1 -1
  38. data/doc/cxxapi/classPassenger_1_1Application_1_1Session.html +1 -1
  39. data/doc/cxxapi/{classPassenger_1_1TempFile-members.html → classPassenger_1_1BufferedUpload-members.html} +5 -5
  40. data/doc/cxxapi/{classPassenger_1_1TempFile.html → classPassenger_1_1BufferedUpload.html} +33 -43
  41. data/doc/cxxapi/classPassenger_1_1BusyException-members.html +1 -1
  42. data/doc/cxxapi/classPassenger_1_1BusyException.html +1 -1
  43. data/doc/cxxapi/classPassenger_1_1ConfigurationException-members.html +1 -1
  44. data/doc/cxxapi/classPassenger_1_1ConfigurationException.html +1 -1
  45. data/doc/cxxapi/classPassenger_1_1DirectoryMapper-members.html +1 -1
  46. data/doc/cxxapi/classPassenger_1_1DirectoryMapper.html +1 -1
  47. data/doc/cxxapi/classPassenger_1_1DummySpawnManager-members.html +1 -1
  48. data/doc/cxxapi/classPassenger_1_1DummySpawnManager.html +1 -1
  49. data/doc/cxxapi/classPassenger_1_1FileChecker-members.html +1 -1
  50. data/doc/cxxapi/classPassenger_1_1FileChecker.html +2 -2
  51. data/doc/cxxapi/classPassenger_1_1FileNotFoundException-members.html +1 -1
  52. data/doc/cxxapi/classPassenger_1_1FileNotFoundException.html +1 -1
  53. data/doc/cxxapi/classPassenger_1_1FileNotFoundException__inherit__graph.png +0 -0
  54. data/doc/cxxapi/classPassenger_1_1FileSystemException-members.html +1 -1
  55. data/doc/cxxapi/classPassenger_1_1FileSystemException.html +1 -1
  56. data/doc/cxxapi/classPassenger_1_1FileSystemException__inherit__graph.png +0 -0
  57. data/doc/cxxapi/classPassenger_1_1IOException-members.html +1 -1
  58. data/doc/cxxapi/classPassenger_1_1IOException.html +1 -1
  59. data/doc/cxxapi/classPassenger_1_1IOException__inherit__graph.png +0 -0
  60. data/doc/cxxapi/classPassenger_1_1MessageChannel-members.html +1 -1
  61. data/doc/cxxapi/classPassenger_1_1MessageChannel.html +1 -1
  62. data/doc/cxxapi/classPassenger_1_1RuntimeException-members.html +1 -1
  63. data/doc/cxxapi/classPassenger_1_1RuntimeException.html +1 -1
  64. data/doc/cxxapi/classPassenger_1_1SpawnException-members.html +1 -1
  65. data/doc/cxxapi/classPassenger_1_1SpawnException.html +1 -1
  66. data/doc/cxxapi/classPassenger_1_1SpawnManager-members.html +1 -1
  67. data/doc/cxxapi/classPassenger_1_1SpawnManager.html +1 -1
  68. data/doc/cxxapi/classPassenger_1_1StandardApplicationPool-members.html +1 -1
  69. data/doc/cxxapi/classPassenger_1_1StandardApplicationPool.html +1 -1
  70. data/doc/cxxapi/classPassenger_1_1StandardApplicationPool__inherit__graph.png +0 -0
  71. data/doc/cxxapi/classPassenger_1_1SystemException-members.html +1 -1
  72. data/doc/cxxapi/classPassenger_1_1SystemException.html +1 -1
  73. data/doc/cxxapi/classPassenger_1_1SystemException__inherit__graph.png +0 -0
  74. data/doc/cxxapi/classPassenger_1_1SystemTime-members.html +1 -1
  75. data/doc/cxxapi/classPassenger_1_1SystemTime.html +1 -1
  76. data/doc/cxxapi/definitions_8h-source.html +1 -1
  77. data/doc/cxxapi/files.html +1 -1
  78. data/doc/cxxapi/functions.html +12 -11
  79. data/doc/cxxapi/functions_func.html +9 -7
  80. data/doc/cxxapi/functions_type.html +1 -1
  81. data/doc/cxxapi/functions_vars.html +2 -4
  82. data/doc/cxxapi/graph_legend.html +1 -1
  83. data/doc/cxxapi/graph_legend.png +0 -0
  84. data/doc/cxxapi/group__Configuration.html +3 -3
  85. data/doc/cxxapi/group__Configuration.png +0 -0
  86. data/doc/cxxapi/group__Core.html +1 -1
  87. data/doc/cxxapi/group__Core.png +0 -0
  88. data/doc/cxxapi/group__Exceptions.html +1 -1
  89. data/doc/cxxapi/group__Hooks.html +1 -1
  90. data/doc/cxxapi/group__Hooks.png +0 -0
  91. data/doc/cxxapi/group__Support.html +33 -16
  92. data/doc/cxxapi/hierarchy.html +2 -2
  93. data/doc/cxxapi/inherit__graph__0.png +0 -0
  94. data/doc/cxxapi/inherit__graph__1.png +0 -0
  95. data/doc/cxxapi/inherit__graph__10.map +1 -1
  96. data/doc/cxxapi/inherit__graph__10.md5 +1 -1
  97. data/doc/cxxapi/inherit__graph__10.png +0 -0
  98. data/doc/cxxapi/inherit__graph__11.map +1 -1
  99. data/doc/cxxapi/inherit__graph__11.md5 +1 -1
  100. data/doc/cxxapi/inherit__graph__11.png +0 -0
  101. data/doc/cxxapi/inherit__graph__12.map +1 -2
  102. data/doc/cxxapi/inherit__graph__12.md5 +1 -1
  103. data/doc/cxxapi/inherit__graph__12.png +0 -0
  104. data/doc/cxxapi/inherit__graph__13.map +2 -1
  105. data/doc/cxxapi/inherit__graph__13.md5 +1 -1
  106. data/doc/cxxapi/inherit__graph__13.png +0 -0
  107. data/doc/cxxapi/inherit__graph__14.map +1 -1
  108. data/doc/cxxapi/inherit__graph__14.md5 +1 -1
  109. data/doc/cxxapi/inherit__graph__14.png +0 -0
  110. data/doc/cxxapi/inherit__graph__15.map +1 -1
  111. data/doc/cxxapi/inherit__graph__15.md5 +1 -1
  112. data/doc/cxxapi/inherit__graph__15.png +0 -0
  113. data/doc/cxxapi/inherit__graph__16.map +1 -1
  114. data/doc/cxxapi/inherit__graph__16.md5 +1 -1
  115. data/doc/cxxapi/inherit__graph__16.png +0 -0
  116. data/doc/cxxapi/inherit__graph__17.map +1 -1
  117. data/doc/cxxapi/inherit__graph__17.md5 +1 -1
  118. data/doc/cxxapi/inherit__graph__17.png +0 -0
  119. data/doc/cxxapi/inherit__graph__18.map +1 -1
  120. data/doc/cxxapi/inherit__graph__18.md5 +1 -1
  121. data/doc/cxxapi/inherit__graph__18.png +0 -0
  122. data/doc/cxxapi/inherit__graph__19.map +1 -2
  123. data/doc/cxxapi/inherit__graph__19.md5 +1 -1
  124. data/doc/cxxapi/inherit__graph__19.png +0 -0
  125. data/doc/cxxapi/inherit__graph__2.png +0 -0
  126. data/doc/cxxapi/inherit__graph__20.map +2 -1
  127. data/doc/cxxapi/inherit__graph__20.md5 +1 -1
  128. data/doc/cxxapi/inherit__graph__20.png +0 -0
  129. data/doc/cxxapi/inherit__graph__21.map +1 -1
  130. data/doc/cxxapi/inherit__graph__21.md5 +1 -1
  131. data/doc/cxxapi/inherit__graph__21.png +0 -0
  132. data/doc/cxxapi/inherit__graph__3.png +0 -0
  133. data/doc/cxxapi/inherit__graph__4.png +0 -0
  134. data/doc/cxxapi/inherit__graph__5.png +0 -0
  135. data/doc/cxxapi/inherit__graph__6.png +0 -0
  136. data/doc/cxxapi/inherit__graph__7.map +1 -1
  137. data/doc/cxxapi/inherit__graph__7.md5 +1 -1
  138. data/doc/cxxapi/inherit__graph__7.png +0 -0
  139. data/doc/cxxapi/inherit__graph__8.map +1 -1
  140. data/doc/cxxapi/inherit__graph__8.md5 +1 -1
  141. data/doc/cxxapi/inherit__graph__8.png +0 -0
  142. data/doc/cxxapi/inherit__graph__9.map +1 -1
  143. data/doc/cxxapi/inherit__graph__9.md5 +1 -1
  144. data/doc/cxxapi/inherit__graph__9.png +0 -0
  145. data/doc/cxxapi/inherits.html +18 -18
  146. data/doc/cxxapi/main.html +1 -1
  147. data/doc/cxxapi/modules.html +1 -1
  148. data/doc/cxxapi/structPassenger_1_1AnythingToString-members.html +1 -1
  149. data/doc/cxxapi/structPassenger_1_1AnythingToString.html +1 -1
  150. data/doc/cxxapi/structPassenger_1_1AnythingToString_3_01vector_3_01string_01_4_01_4-members.html +1 -1
  151. data/doc/cxxapi/structPassenger_1_1AnythingToString_3_01vector_3_01string_01_4_01_4.html +1 -1
  152. data/doc/cxxapi/structPassenger_1_1PoolOptions-members.html +1 -1
  153. data/doc/cxxapi/structPassenger_1_1PoolOptions.html +1 -1
  154. data/doc/cxxapi/tree.html +4 -4
  155. data/doc/rdoc/classes/ConditionVariable.html +58 -58
  156. data/doc/rdoc/classes/Exception.html +11 -11
  157. data/doc/rdoc/classes/GC.html +4 -4
  158. data/doc/rdoc/classes/IO.html +14 -14
  159. data/doc/rdoc/classes/PhusionPassenger.html +11 -11
  160. data/doc/rdoc/classes/PhusionPassenger/AdminTools.html +1 -1
  161. data/doc/rdoc/classes/PhusionPassenger/AdminTools/ControlProcess.html +40 -39
  162. data/doc/rdoc/classes/PhusionPassenger/Application.html +14 -14
  163. data/doc/rdoc/classes/PhusionPassenger/HTMLTemplate.html +12 -12
  164. data/doc/rdoc/classes/PhusionPassenger/Railz.html +1 -1
  165. data/doc/rdoc/classes/PhusionPassenger/Utils.html +15 -8
  166. data/doc/rdoc/classes/PlatformInfo.html +257 -253
  167. data/doc/rdoc/classes/RakeExtensions.html +2 -2
  168. data/doc/rdoc/classes/Signal.html +26 -26
  169. data/doc/rdoc/created.rid +1 -1
  170. data/doc/rdoc/files/DEVELOPERS_TXT.html +1 -1
  171. data/doc/rdoc/files/README.html +1 -1
  172. data/doc/rdoc/files/ext/phusion_passenger/native_support_c.html +1 -1
  173. data/doc/rdoc/files/lib/phusion_passenger/abstract_request_handler_rb.html +1 -1
  174. data/doc/rdoc/files/lib/phusion_passenger/abstract_server_collection_rb.html +1 -1
  175. data/doc/rdoc/files/lib/phusion_passenger/abstract_server_rb.html +1 -1
  176. data/doc/rdoc/files/lib/phusion_passenger/admin_tools/control_process_rb.html +1 -1
  177. data/doc/rdoc/files/lib/phusion_passenger/admin_tools_rb.html +1 -1
  178. data/doc/rdoc/files/lib/phusion_passenger/application_rb.html +1 -1
  179. data/doc/rdoc/files/lib/phusion_passenger/console_text_template_rb.html +1 -1
  180. data/doc/rdoc/files/lib/phusion_passenger/constants_rb.html +1 -1
  181. data/doc/rdoc/files/lib/phusion_passenger/dependencies_rb.html +1 -1
  182. data/doc/rdoc/files/lib/phusion_passenger/events_rb.html +1 -1
  183. data/doc/rdoc/files/lib/phusion_passenger/exceptions_rb.html +1 -1
  184. data/doc/rdoc/files/lib/phusion_passenger/html_template_rb.html +1 -1
  185. data/doc/rdoc/files/lib/phusion_passenger/message_channel_rb.html +1 -1
  186. data/doc/rdoc/files/lib/phusion_passenger/platform_info_rb.html +1 -1
  187. data/doc/rdoc/files/lib/phusion_passenger/rack/application_spawner_rb.html +1 -1
  188. data/doc/rdoc/files/lib/phusion_passenger/rack/request_handler_rb.html +1 -1
  189. data/doc/rdoc/files/lib/phusion_passenger/railz/application_spawner_rb.html +1 -1
  190. data/doc/rdoc/files/lib/phusion_passenger/railz/cgi_fixed_rb.html +1 -1
  191. data/doc/rdoc/files/lib/phusion_passenger/railz/framework_spawner_rb.html +1 -1
  192. data/doc/rdoc/files/lib/phusion_passenger/railz/request_handler_rb.html +1 -1
  193. data/doc/rdoc/files/lib/phusion_passenger/simple_benchmarking_rb.html +1 -1
  194. data/doc/rdoc/files/lib/phusion_passenger/spawn_manager_rb.html +1 -1
  195. data/doc/rdoc/files/lib/phusion_passenger/utils_rb.html +9 -9
  196. data/doc/rdoc/files/lib/phusion_passenger/wsgi/application_spawner_rb.html +1 -1
  197. data/doc/rdoc/files/{lib → misc}/rake/extensions_rb.html +2 -2
  198. data/doc/rdoc/fr_file_index.html +1 -1
  199. data/doc/rdoc/fr_method_index.html +22 -22
  200. data/ext/apache2/ApplicationPoolServer.h +43 -15
  201. data/ext/apache2/ApplicationPoolServerExecutable.cpp +27 -52
  202. data/ext/apache2/CachedFileStat.h +7 -16
  203. data/ext/apache2/Configuration.h +9 -1
  204. data/ext/apache2/FileChecker.h +4 -5
  205. data/ext/apache2/Hooks.cpp +20 -22
  206. data/ext/apache2/SpawnManager.h +6 -0
  207. data/ext/apache2/StandardApplicationPool.h +6 -0
  208. data/ext/apache2/Utils.cpp +174 -16
  209. data/ext/apache2/Utils.h +99 -38
  210. data/ext/boost/cstdint.hpp +2 -1
  211. data/ext/oxt/system_calls.cpp +20 -2
  212. data/ext/oxt/system_calls.hpp +2 -0
  213. data/lib/phusion_passenger/abstract_request_handler.rb +5 -1
  214. data/lib/phusion_passenger/admin_tools.rb +1 -1
  215. data/lib/phusion_passenger/admin_tools/control_process.rb +2 -1
  216. data/lib/phusion_passenger/dependencies.rb +7 -4
  217. data/lib/phusion_passenger/platform_info.rb +8 -2
  218. data/lib/phusion_passenger/rack/application_spawner.rb +1 -1
  219. data/lib/phusion_passenger/templates/version_not_found.html.erb +9 -0
  220. data/lib/phusion_passenger/utils.rb +13 -6
  221. data/lib/phusion_passenger/wsgi/application_spawner.rb +1 -1
  222. data/{lib → misc}/rake/cplusplus.rb +0 -0
  223. data/{lib → misc}/rake/extensions.rb +0 -0
  224. data/{lib → misc}/rake/gempackagetask.rb +0 -0
  225. data/{lib → misc}/rake/packagetask.rb +0 -0
  226. data/{lib → misc}/rake/rdoctask.rb +0 -0
  227. data/misc/render_error_pages.rb +6 -5
  228. data/test/CxxTestMain.cpp +109 -7
  229. data/test/UtilsTest.cpp +61 -51
  230. data/test/config.yml.example +6 -2
  231. data/test/integration_tests.rb +4 -0
  232. data/test/ruby/abstract_request_handler_spec.rb +9 -3
  233. data/test/ruby/rack/application_spawner_spec.rb +3 -2
  234. data/test/ruby/rails/application_spawner_spec.rb +15 -4
  235. data/test/ruby/rails/framework_spawner_spec.rb +4 -2
  236. data/test/ruby/rails/spawner_error_handling_spec.rb +4 -4
  237. data/test/ruby/spawn_manager_spec.rb +22 -9
  238. data/test/ruby/utils_spec.rb +18 -12
  239. data/test/ruby/wsgi/application_spawner_spec.rb +16 -7
  240. data/test/stub/apache2/httpd.conf.erb +1 -0
  241. data/test/stub/wsgi/passenger_wsgi.pyc +0 -0
  242. metadata +1064 -1090
  243. data/doc/Users guide Apache.html +0 -3127
  244. data/doc/Users guide Nginx.html +0 -1458
@@ -210,11 +210,6 @@ link:cxxapi/index.html[+++the C++ API documentation+++],
210
210
  in particular the documentation about the `ApplicationPool`,
211
211
  `StandardApplicationPool` and `ApplicationPoolServer` classes.
212
212
 
213
- NOTE: At the moment, Passenger does not support Apache with the worker MPM
214
- (which uses threads instead of processes). But because the application pool is
215
- implemented in a modular way, supporting the worker MPM shouldn't take more
216
- than 10 lines of code.
217
-
218
213
  The application pool is responsible for spawning applications, caching
219
214
  spawned applications' handles, and cleaning up applications which have been
220
215
  idle for an extended period of time.
@@ -1 +1,605 @@
1
- asciidoc required to build docs
1
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
2
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
3
+ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
4
+ <head>
5
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6
+ <meta name="generator" content="AsciiDoc 8.2.5" />
7
+ <style type="text/css">
8
+ /* Debug borders */
9
+ p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
10
+ /*
11
+ border: 1px solid red;
12
+ */
13
+ }
14
+
15
+ body {
16
+ margin: 1em 5% 1em 5%;
17
+ }
18
+
19
+ a {
20
+ color: blue;
21
+ text-decoration: underline;
22
+ }
23
+ a:visited {
24
+ color: fuchsia;
25
+ }
26
+
27
+ em {
28
+ font-style: italic;
29
+ }
30
+
31
+ strong {
32
+ font-weight: bold;
33
+ }
34
+
35
+ tt {
36
+ color: navy;
37
+ }
38
+
39
+ h1, h2, h3, h4, h5, h6 {
40
+ color: #527bbd;
41
+ font-family: sans-serif;
42
+ margin-top: 1.2em;
43
+ margin-bottom: 0.5em;
44
+ line-height: 1.3;
45
+ }
46
+
47
+ h1, h2, h3 {
48
+ border-bottom: 2px solid silver;
49
+ }
50
+ h2 {
51
+ padding-top: 0.5em;
52
+ }
53
+ h3 {
54
+ float: left;
55
+ }
56
+ h3 + * {
57
+ clear: left;
58
+ }
59
+
60
+ div.sectionbody {
61
+ font-family: serif;
62
+ margin-left: 0;
63
+ }
64
+
65
+ hr {
66
+ border: 1px solid silver;
67
+ }
68
+
69
+ p {
70
+ margin-top: 0.5em;
71
+ margin-bottom: 0.5em;
72
+ }
73
+
74
+ pre {
75
+ padding: 0;
76
+ margin: 0;
77
+ }
78
+
79
+ span#author {
80
+ color: #527bbd;
81
+ font-family: sans-serif;
82
+ font-weight: bold;
83
+ font-size: 1.1em;
84
+ }
85
+ span#email {
86
+ }
87
+ span#revision {
88
+ font-family: sans-serif;
89
+ }
90
+
91
+ div#footer {
92
+ font-family: sans-serif;
93
+ font-size: small;
94
+ border-top: 2px solid silver;
95
+ padding-top: 0.5em;
96
+ margin-top: 4.0em;
97
+ }
98
+ div#footer-text {
99
+ float: left;
100
+ padding-bottom: 0.5em;
101
+ }
102
+ div#footer-badges {
103
+ float: right;
104
+ padding-bottom: 0.5em;
105
+ }
106
+
107
+ div#preamble,
108
+ div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
109
+ div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
110
+ div.admonitionblock {
111
+ margin-right: 10%;
112
+ margin-top: 1.5em;
113
+ margin-bottom: 1.5em;
114
+ }
115
+ div.admonitionblock {
116
+ margin-top: 2.5em;
117
+ margin-bottom: 2.5em;
118
+ }
119
+
120
+ div.content { /* Block element content. */
121
+ padding: 0;
122
+ }
123
+
124
+ /* Block element titles. */
125
+ div.title, caption.title {
126
+ font-family: sans-serif;
127
+ font-weight: bold;
128
+ text-align: left;
129
+ margin-top: 1.0em;
130
+ margin-bottom: 0.5em;
131
+ }
132
+ div.title + * {
133
+ margin-top: 0;
134
+ }
135
+
136
+ td div.title:first-child {
137
+ margin-top: 0.0em;
138
+ }
139
+ div.content div.title:first-child {
140
+ margin-top: 0.0em;
141
+ }
142
+ div.content + div.title {
143
+ margin-top: 0.0em;
144
+ }
145
+
146
+ div.sidebarblock > div.content {
147
+ background: #ffffee;
148
+ border: 1px solid silver;
149
+ padding: 0.5em;
150
+ }
151
+
152
+ div.listingblock {
153
+ margin-right: 0%;
154
+ }
155
+ div.listingblock > div.content {
156
+ border: 1px solid silver;
157
+ background: #f4f4f4;
158
+ padding: 0.5em;
159
+ }
160
+
161
+ div.quoteblock > div.content {
162
+ padding-left: 2.0em;
163
+ }
164
+
165
+ div.attribution {
166
+ text-align: right;
167
+ }
168
+ div.verseblock + div.attribution {
169
+ text-align: left;
170
+ }
171
+
172
+ div.admonitionblock .icon {
173
+ vertical-align: top;
174
+ font-size: 1.1em;
175
+ font-weight: bold;
176
+ text-decoration: underline;
177
+ color: #527bbd;
178
+ padding-right: 0.5em;
179
+ }
180
+ div.admonitionblock td.content {
181
+ padding-left: 0.5em;
182
+ border-left: 2px solid silver;
183
+ }
184
+
185
+ div.exampleblock > div.content {
186
+ border-left: 2px solid silver;
187
+ padding: 0.5em;
188
+ }
189
+
190
+ div.verseblock div.content {
191
+ white-space: pre;
192
+ }
193
+
194
+ div.imageblock div.content { padding-left: 0; }
195
+ div.imageblock img { border: 1px solid silver; }
196
+ span.image img { border-style: none; }
197
+
198
+ dl {
199
+ margin-top: 0.8em;
200
+ margin-bottom: 0.8em;
201
+ }
202
+ dt {
203
+ margin-top: 0.5em;
204
+ margin-bottom: 0;
205
+ font-style: italic;
206
+ }
207
+ dd > *:first-child {
208
+ margin-top: 0;
209
+ }
210
+
211
+ ul, ol {
212
+ list-style-position: outside;
213
+ }
214
+ div.olist2 ol {
215
+ list-style-type: lower-alpha;
216
+ }
217
+
218
+ div.tableblock > table {
219
+ border: 3px solid #527bbd;
220
+ }
221
+ thead {
222
+ font-family: sans-serif;
223
+ font-weight: bold;
224
+ }
225
+ tfoot {
226
+ font-weight: bold;
227
+ }
228
+
229
+ div.hlist {
230
+ margin-top: 0.8em;
231
+ margin-bottom: 0.8em;
232
+ }
233
+ div.hlist td {
234
+ padding-bottom: 5px;
235
+ }
236
+ td.hlist1 {
237
+ vertical-align: top;
238
+ font-style: italic;
239
+ padding-right: 0.8em;
240
+ }
241
+ td.hlist2 {
242
+ vertical-align: top;
243
+ }
244
+
245
+ @media print {
246
+ div#footer-badges { display: none; }
247
+ }
248
+
249
+ div#toctitle {
250
+ color: #527bbd;
251
+ font-family: sans-serif;
252
+ font-size: 1.1em;
253
+ font-weight: bold;
254
+ margin-top: 1.0em;
255
+ margin-bottom: 0.1em;
256
+ }
257
+
258
+ div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
259
+ margin-top: 0;
260
+ margin-bottom: 0;
261
+ }
262
+ div.toclevel2 {
263
+ margin-left: 2em;
264
+ font-size: 0.9em;
265
+ }
266
+ div.toclevel3 {
267
+ margin-left: 4em;
268
+ font-size: 0.9em;
269
+ }
270
+ div.toclevel4 {
271
+ margin-left: 6em;
272
+ font-size: 0.9em;
273
+ }
274
+ /* Workarounds for IE6's broken and incomplete CSS2. */
275
+
276
+ div.sidebar-content {
277
+ background: #ffffee;
278
+ border: 1px solid silver;
279
+ padding: 0.5em;
280
+ }
281
+ div.sidebar-title, div.image-title {
282
+ font-family: sans-serif;
283
+ font-weight: bold;
284
+ margin-top: 0.0em;
285
+ margin-bottom: 0.5em;
286
+ }
287
+
288
+ div.listingblock div.content {
289
+ border: 1px solid silver;
290
+ background: #f4f4f4;
291
+ padding: 0.5em;
292
+ }
293
+
294
+ div.quoteblock-content {
295
+ padding-left: 2.0em;
296
+ }
297
+
298
+ div.exampleblock-content {
299
+ border-left: 2px solid silver;
300
+ padding-left: 0.5em;
301
+ }
302
+
303
+ /* IE6 sets dynamically generated links as visited. */
304
+ div#toc a:visited { color: blue; }
305
+ </style>
306
+ <script type="text/javascript">
307
+ /*<![CDATA[*/
308
+ window.onload = function(){generateToc(3)}
309
+ /* Author: Mihai Bazon, September 2002
310
+ * http://students.infoiasi.ro/~mishoo
311
+ *
312
+ * Table Of Content generator
313
+ * Version: 0.4
314
+ *
315
+ * Feel free to use this script under the terms of the GNU General Public
316
+ * License, as long as you do not remove or alter this notice.
317
+ */
318
+
319
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
320
+ /* modified by Stuart Rackham, October 2006. License: GPL */
321
+
322
+ function getText(el) {
323
+ var text = "";
324
+ for (var i = el.firstChild; i != null; i = i.nextSibling) {
325
+ if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
326
+ text += i.data;
327
+ else if (i.firstChild != null)
328
+ text += getText(i);
329
+ }
330
+ return text;
331
+ }
332
+
333
+ function TocEntry(el, text, toclevel) {
334
+ this.element = el;
335
+ this.text = text;
336
+ this.toclevel = toclevel;
337
+ }
338
+
339
+ function tocEntries(el, toclevels) {
340
+ var result = new Array;
341
+ var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
342
+ // Function that scans the DOM tree for header elements (the DOM2
343
+ // nodeIterator API would be a better technique but not supported by all
344
+ // browsers).
345
+ var iterate = function (el) {
346
+ for (var i = el.firstChild; i != null; i = i.nextSibling) {
347
+ if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
348
+ var mo = re.exec(i.tagName)
349
+ if (mo)
350
+ result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
351
+ iterate(i);
352
+ }
353
+ }
354
+ }
355
+ iterate(el);
356
+ return result;
357
+ }
358
+
359
+ // This function does the work. toclevels = 1..4.
360
+ function generateToc(toclevels) {
361
+ var toc = document.getElementById("toc");
362
+ var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
363
+ for (var i = 0; i < entries.length; ++i) {
364
+ var entry = entries[i];
365
+ if (entry.element.id == "")
366
+ entry.element.id = "toc" + i;
367
+ var a = document.createElement("a");
368
+ a.href = "#" + entry.element.id;
369
+ a.appendChild(document.createTextNode(entry.text));
370
+ var div = document.createElement("div");
371
+ div.appendChild(a);
372
+ div.className = "toclevel" + entry.toclevel;
373
+ toc.appendChild(div);
374
+ }
375
+ }
376
+ /*]]>*/
377
+ </script>
378
+ <title>Security of user switching support in Passenger</title>
379
+ </head>
380
+ <body>
381
+ <div id="header">
382
+ <h1>Security of user switching support in Passenger</h1>
383
+ <div id="toc">
384
+ <div id="toctitle">Table of Contents</div>
385
+ <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
386
+ </div>
387
+ </div>
388
+ <h2 id="_problem_description">1. Problem description</h2>
389
+ <div class="sectionbody">
390
+ <div class="admonitionblock">
391
+ <table><tr>
392
+ <td class="icon">
393
+ <img src="./images/icons/tip.png" alt="Tip" />
394
+ </td>
395
+ <td class="content">It is strongly recommended that you first read our
396
+ <a href="Architectural%20overview.html">Architectural Overview</a>.</td>
397
+ </tr></table>
398
+ </div>
399
+ <div class="para"><p>A straightforward implementation of Passenger will spawn Rails applications in
400
+ the same user context as Apache itself. On server machines which host multiple
401
+ websites for multiple users, this may not be desired. All Rails applications
402
+ spawned by Passenger will be able to read and write to all directories that the
403
+ web server can. So for example, Joe's Rails applications could read Jane's
404
+ Rails application's <em>database.yml</em> or delete her application files. This is
405
+ also a problem that typically plagues PHP web hosts.</p></div>
406
+ <div class="para"><p>There are multiple ways to solve this problem. The goal of this document is to
407
+ inform the reader about the solutions have we have analyzed, so that
408
+ Passenger's security may be peer reviewed.</p></div>
409
+ </div>
410
+ <h2 id="_analysis_of_possible_solutions">2. Analysis of possible solutions</h2>
411
+ <div class="sectionbody">
412
+ <div class="para"><p>It seems that the only way to solve this problem on Unix, is to run each Rails
413
+ application server as its owner's user and group. Passenger can make use of
414
+ one of the following methods to implement this:</p></div>
415
+ <div class="olist"><ol>
416
+ <li>
417
+ <p>
418
+ Apache (and thus Passenger) must already be running as root.
419
+ </p>
420
+ </li>
421
+ <li>
422
+ <p>
423
+ Using Apache's suEXEC.
424
+ </p>
425
+ </li>
426
+ <li>
427
+ <p>
428
+ A setuid root wrapper application must exist, to allow non-root processes
429
+ to obtain root privileges (or at least, the privilege to switch user).
430
+ </p>
431
+ </li>
432
+ <li>
433
+ <p>
434
+ For each user $X that Passenger will need to switch to, there must exist
435
+ a setuid $X wrapper application.
436
+ </p>
437
+ </li>
438
+ <li>
439
+ <p>
440
+ Using <em>su</em>.
441
+ </p>
442
+ </li>
443
+ <li>
444
+ <p>
445
+ Using <em>sudo</em>.
446
+ </p>
447
+ </li>
448
+ </ol></div>
449
+ <div class="para"><p>Let us take a look at each method in detail.</p></div>
450
+ <h3 id="apache_root">2.1. Apache must already be running as root</h3><div style="clear:left"></div>
451
+ <div class="para"><p>First, let us take a look at the typical Apache setup, in which Apache is bound
452
+ to port 80, and uses the prefork MPM. Binding to any port lower than 1024
453
+ requires root privileges, so Apache is typically run as root. This poses an
454
+ unacceptable security risk, so Apache's prefork MPM will, upon receiving an
455
+ HTTP request, spawn a child process with the privileges of a normal user,
456
+ typically <em>www-data</em> or <em>nobody</em>.
457
+ See <a href="http://httpd.apache.org/docs/2.2/mod/prefork.html">the documentation for the
458
+ prefork MPM</a> - in particular the &#8220;User&#8221; and &#8220;Group&#8221; directives - for details.
459
+ The process which is responsible for spawning child processes (also called the
460
+ control process) is run as root. This is also true for
461
+ <a href="http://httpd.apache.org/docs/2.2/mod/worker.html">the worker MPM</a>.</p></div>
462
+ <div class="para"><p>Since Passenger has access to the control process, in the typical Apache setup,
463
+ Passenger can already launch Rails applications as a different user. But now we
464
+ have to ask this question:</p></div>
465
+ <div class="exampleblock">
466
+ <div class="exampleblock-content">
467
+ <div class="para"><p>If Apache is not running as root, are there still any Passenger users who
468
+ want to run Rails applications as different users?</p></div>
469
+ </div></div>
470
+ <div class="para"><p>If the answer is yes, then we cannot use this method.</p></div>
471
+ <div class="para"><p>The advantage of this method is that setting up Apache to run as root is
472
+ incredibly easy, and requires no new framework to be written. However, testing
473
+ this method in automated unit tests will require running the unit test suit as
474
+ root.</p></div>
475
+ <h3 id="_using_apache_s_suexec">2.2. Using Apache's suEXEC</h3><div style="clear:left"></div>
476
+ <div class="para"><p>Apache's <a href="http://httpd.apache.org/docs/2.0/suexec.html">suEXEC</a> allows one to
477
+ run CGI processes as different users. But it seems that suEXEC can only be
478
+ used for CGI, and is not a general-purpose mechanism. The
479
+ <a href="http://alain.knaff.lu/howto/PhpSuexec/">PHP-suEXEC</a> software allows one to run
480
+ PHP applications via suEXEC, but it requires patching suEXEC. If Passenger is
481
+ to use suEXEC, then it is likely that we'll have to patch suEXEC. The suEXEC
482
+ website strongly discourages patching.</p></div>
483
+ <h3 id="_using_a_setuid_root_wrapper_application">2.3. Using a setuid root wrapper application</h3><div style="clear:left"></div>
484
+ <div class="para"><p>If we use this method, we must be extremely careful. It must not be possible
485
+ for arbitrary processes to gain root privileges. We want Passenger, and only
486
+ Passenger, to be able to gain root privileges.</p></div>
487
+ <div class="para"><p>There are multiple ways to implement this security. The first one is to use
488
+ a password file, which only Apache and the wrapper can read, through
489
+ the use of proper file permissions. The password file must never be world
490
+ readable or writable.</p></div>
491
+ <div class="para"><p>It works as follows:</p></div>
492
+ <div class="olist"><ol>
493
+ <li>
494
+ <p>
495
+ Passenger runs the wrapper.
496
+ </p>
497
+ </li>
498
+ <li>
499
+ <p>
500
+ Passenger passes the content of the password file to the wrapper, via
501
+ an anonymous pipe (or some other anonymous channel, that no other
502
+ processes can access).
503
+ </p>
504
+ </li>
505
+ <li>
506
+ <p>
507
+ The wrapper checks whether the passed content is the same as what is in
508
+ the password file. If it is, then it is proven that whatever application
509
+ ran the wrapper has read access to the password file, and thus is authorized
510
+ to use the wrapper.
511
+ </p>
512
+ </li>
513
+ </ol></div>
514
+ <div class="para"><p>An obvious problem that arises is: how does the wrapper locate its own password
515
+ file? We obviously do not want to be able to specify the password filename as
516
+ an argument to the wrapper: that would defeat the point of the password file.
517
+ The solution is that the filename is to be hardcoded into the binary during
518
+ compile time.</p></div>
519
+ <div class="para"><p>Another way to implement security is to use a whitelist of users that are
520
+ allowed to use the wrapper. The wrapper can then check whether the calling
521
+ process's user is in the whitelist.</p></div>
522
+ <div class="para"><p>Writing a wrapper is not too hard. Furthermore, unit tests do not have to be
523
+ run as root, in contrast to the run-Apache-as-root method.</p></div>
524
+ <h3 id="setuid_root">2.4. Using a setuid $X wrapper application</h3><div style="clear:left"></div>
525
+ <div class="para"><p>A setuid $X wrapper will work in a fashion similar to the setuid root wrapper,
526
+ i.e. it will use a password file for authorization.</p></div>
527
+ <div class="para"><p>Passenger does not spawn Rails applications itself, but does so via the spawn
528
+ server. This spawn server is also responsible for preloading the Rails
529
+ framework and the Rails application code, in order to speed up the spawning
530
+ of Rails applications. See the design document of the spawn server for details.
531
+ The spawn server never calls <tt>exec()</tt>: doing so will make preloading useless.
532
+ If Passenger is to use a setuid $X wrapper, then it must start the spawn
533
+ server via the wrapper. The spawn server itself cannot use the wrapper.</p></div>
534
+ <div class="para"><p>However, doing so will make preloading less efficient. Passenger will be forced
535
+ to run a spawn server for each user. The different spawn servers do not share
536
+ memory with each other, so a lot of memory is wasted compared to the other
537
+ methods.</p></div>
538
+ <div class="para"><p>Implementing this will also take more work. One has to create a different
539
+ wrapper for each user, and to install it.</p></div>
540
+ <h3 id="_using_em_su_em">2.5. Using <em>su</em></h3><div style="clear:left"></div>
541
+ <div class="para"><p>The standard Unix <em>su</em> tool asks for the root password. It's a bad idea for
542
+ Apache to know the root password, so using <em>su</em> is not a viable alternative.</p></div>
543
+ <h3 id="_using_em_sudo_em">2.6. Using <em>sudo</em></h3><div style="clear:left"></div>
544
+ <div class="para"><p>It might be possible to use the <em>sudo</em> utility. sudo can be configured in
545
+ such a way that the user Apache runs as can use sudo without having to enter a
546
+ password.</p></div>
547
+ <div class="para"><p>However, Passenger uses an anonymous communication channel (an unnamed Unix
548
+ socket) to communicate with the spawn server. sudo seems to close all file
549
+ descriptors before executing an application, so Passenger will have to
550
+ communicate with the spawn server via a non-anonymous channel, such as a named
551
+ Unix socket. Because other processes can access this channel, it can introduce
552
+ potential security problems. Note that passing information via program arguments
553
+ is not secure: it is possible to view that information with tools like <em>ps</em>,
554
+ or (on Linux) by reading the file <tt>/proc/$PID/cmdline</tt>.</p></div>
555
+ <div class="para"><p>So it seems <em>sudo</em> is not a viable alternative.</p></div>
556
+ <h3 id="_common_security_issues">2.7. Common security issues</h3><div style="clear:left"></div>
557
+ <div class="para"><p>Whatever method Passenger will use, the following security principles must be
558
+ honored:</p></div>
559
+ <div class="ilist"><ul>
560
+ <li>
561
+ <p>
562
+ Rails applications must never be run as root.
563
+ </p>
564
+ </li>
565
+ </ul></div>
566
+ <div class="para"><p>It might also be worthy to look into suEXEC's security model for inspiration.</p></div>
567
+ <div class="para"><p>Also, the following questions remain:</p></div>
568
+ <div class="ilist"><ul>
569
+ <li>
570
+ <p>
571
+ Is there a need for a user whitelist/blacklist? That is, is there a need for
572
+ the ability to restrict the set of users that Passenger can switch to?
573
+ </p>
574
+ </li>
575
+ </ul></div>
576
+ </div>
577
+ <h2 id="_chosen_solution">3. Chosen solution</h2>
578
+ <div class="sectionbody">
579
+ <div class="para"><p>Running Apache as root and writing a setuid root wrapper are the main
580
+ contestants. The former is preferred, because it's easier to implement.</p></div>
581
+ <div class="para"><p>We have had some conversations with people on the IRC channel #rubyonrails.
582
+ Among those people, nobody has ever run Apache as non-root. Because of this
583
+ we have chosen to implement the <a href="#apache_root">Running Apache as root</a>
584
+ solution, until a significant number of users request us to implement the
585
+ <a href="#setuid_root">setuid root wrapper</a> solution.</p></div>
586
+ <div class="para"><p>Please read <a href="rdoc/index.html">the Ruby API documentation</a> &#8212; in particular
587
+ that of the <em>ApplicationSpawner</em> class &#8212; for implementation details. But to
588
+ make a long story short: it will switch to the owner of the file
589
+ <em>config/environment.rb</em>. User whitelisting/blacklisting is currently not
590
+ implemented. We rely on the system administrator to set the correct owner
591
+ on that file.</p></div>
592
+ <div class="para"><p>We have also not implemented suEXEC's security model. suEXEC's model is quite
593
+ paranoid, and although paranoia is good to a certain extend, it can be in the
594
+ way of usability while proving little extra security. We are not entirely
595
+ convinced that implementing suEXEC's full security model will provide
596
+ significant benefits, but if you have good reasons to think otherwise, please
597
+ feel free to discuss it with us.</p></div>
598
+ </div>
599
+ <div id="footer">
600
+ <div id="footer-text">
601
+ Last updated 2009-03-30 15:30:51 CEST
602
+ </div>
603
+ </div>
604
+ </body>
605
+ </html>