passenger 5.0.30 → 5.1.0

data/src/agent/Shared/Base.cpp

@@ -48,7 +48,7 @@
 #include <signal.h>
 #include <libgen.h>
 
-#if defined(__APPLE__) || defined(__linux__)
+#if defined(__APPLE__) || defined(__GNU_LIBRARY__)
 	#define LIBC_HAS_BACKTRACE_FUNC
 #endif
 #ifdef LIBC_HAS_BACKTRACE_FUNC
@@ -1647,6 +1647,11 @@ shutdownAgent(VariantMap *agentOptions) {
 	oxt::shutdown();
 }
 
+/**
+ * Linux-only way to change OOM killer configuration for
+ * current process. Requires root privileges, which we
+ * should have.
+ */
 void
 restoreOomScore(VariantMap *agentOptions) {
 	TRACE_POINT();

data/src/agent/TempDirToucher/TempDirToucherMain.cpp

@@ -31,6 +31,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -57,6 +58,7 @@ static int shouldDaemonize = 0;
 static bool verbose = false;
 static const char *pidFile = NULL;
 static const char *logFile = NULL;
+static uid_t uid = 0;
 static int sleepInterval = 1800;
 static int terminationPipe[2];
 static sig_atomic_t shouldIgnoreNextTermSignal = 0;
@@ -114,6 +116,18 @@ parseArguments(int argc, char *argv[], int offset) {
 			i++;
 		} else if (strcmp(argv[i], "--verbose") == 0) {
 			verbose = true;
+		} else if (strcmp(argv[i], "--user") == 0) {
+			const char *user = argv[i + 1];
+			struct passwd *pwUser = getpwnam(user);
+			if (pwUser == NULL) {
+				int e = errno;
+				fprintf(stderr, ERROR_PREFIX
+					"Cannot lookup user information for user %s, %s (errno %d)\n",
+					user, strerror(e), e);
+			}else{
+				uid = pwUser->pw_uid;
+			}
+			i++;
 		} else {
 			fprintf(stderr, ERROR_PREFIX ": unrecognized argument %s\n",
 				argv[i]);
@@ -150,12 +164,38 @@ setNonBlocking(int fd) {
 	}
 }
 
+static void down_privilege() {
+	if (getuid() == 0 && uid != 0) {
+		if (setreuid(uid,0) != 0) {
+			int e = errno;
+			fprintf(stderr, ERROR_PREFIX
+					": cannot set effective user to %d for sleeping: %s (errno %d)\n",
+					uid, strerror(e), e);
+			exit(1);
+		}
+	}
+}
+
+static void up_privilege() {
+	if (getuid() != 0 && uid != 0) {
+		if (setuid(0) != 0) {
+			int e = errno;
+			fprintf(stderr, ERROR_PREFIX
+					": cannot set effective user to %d for touching files: %s (errno %d)\n",
+					uid, strerror(e), e);
+			exit(1);
+		}
+	}
+}
+
 static void
 initialize(int argc, char *argv[], int offset) {
 	int e, fd;
 
 	parseArguments(argc, argv, offset);
 
+	down_privilege();// drop priv. until needed.
+
 	if (logFile != NULL) {
 		fd = open(logFile, O_WRONLY | O_APPEND | O_CREAT, 0644);
 		if (fd == -1) {
@@ -266,22 +306,31 @@ maybeWritePidfile() {
 	FILE *f;
 
 	if (pidFile != NULL) {
+		up_privilege(); // need permission to write to pid file, and set permissions
 		f = fopen(pidFile, "w");
 		if (f != NULL) {
 			fprintf(f, "%d\n", (int) getpid());
+			if (fchmod(fileno(f), S_IRWXU|S_IRWXG|S_IROTH) == -1){
+				int e = errno;
+				fprintf(stderr, ERROR_PREFIX
+					": cannot change permissions on pid file %s, process may remain after passenger shutdown: %s (errno %d)\n", pidFile, strerror(e), e);
+			}
 			fclose(f);
 		} else {
 			fprintf(stderr, ERROR_PREFIX ": cannot open PID file %s for writing\n",
 				pidFile);
 			exit(1);
 		}
+		down_privilege(); // drop priv now that unneeded
 	}
 }
 
 static int
 dirExists(const char *dir) {
+	up_privilege(); // raise priv. to stat file
 	struct stat buf;
 	return stat(dir, &buf) == 0 && S_ISDIR(buf.st_mode);
+	down_privilege(); // drop priv now that unneeded
 }
 
 static void
@@ -289,6 +338,7 @@ touchDir(const char *dir) {
 	pid_t pid;
 	int e, status;
 
+	up_privilege(); // raise priv. to touch files
 	pid = fork();
 	if (pid == 0) {
 		close(terminationPipe[0]);
@@ -327,6 +377,7 @@ touchDir(const char *dir) {
 			exit(1);
 		}
 	}
+	down_privilege(); // drop priv now that unneeded
 }
 
 static int
@@ -365,6 +416,7 @@ performCleanup(const char *dir) {
 	pid_t pid;
 	int e, status;
 
+	up_privilege(); // raise priv. so we can delete files
 	pid = fork();
 	if (pid == 0) {
 		close(terminationPipe[0]);

data/src/agent/Watchdog/InstanceDirToucher.cpp

@@ -78,8 +78,7 @@ private:
 					fflush(stderr);
 					_exit(1);
 				}
-
-				setOomScore(oldOomScore);
+				restoreOomScore(agentsOptions);
 
 				execlp("/bin/sh", "/bin/sh", "-c", "find . | xargs touch", (char *) 0);
 				e = errno;

data/src/agent/Watchdog/WatchdogMain.cpp

@@ -42,6 +42,9 @@
 	#define HAVE_FLOCK
 #endif
 
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
 #include <sys/select.h>
 #include <sys/types.h>
 #include <sys/time.h>
@@ -148,9 +151,7 @@ using namespace Passenger::WatchdogAgent;
 
 static VariantMap *agentsOptions;
 static WorkingObjects *workingObjects;
-static string oldOomScore;
 
-static void setOomScore(const StaticString &score);
 static void cleanup(const WorkingObjectsPtr &wo);
 
 #include "AgentWatcher.cpp"
@@ -188,40 +189,6 @@ openOomAdjFileForcedType(const char *mode, OomFileType &type) {
 	}
 }
 
-/**
- * Linux-only way to change OOM killer configuration for
- * current process. Requires root privileges, which we
- * should have.
- */
-static void
-setOomScore(const StaticString &score) {
-	if (score.empty()) {
-		return;
-	}
-
-	FILE *f;
-	OomFileType type;
-	string filteredScore;
-
-	if (score.at(0) == 'l') {
-		filteredScore = score.substr(1);
-		type = OOM_ADJ;
-	} else {
-		filteredScore = score;
-		type = OOM_SCORE_ADJ;
-	}
-	f = openOomAdjFileForcedType("w", type);
-	if (f != NULL) {
-		size_t ret = fwrite(filteredScore.data(), 1, filteredScore.size(), f);
-		// We can't do anything about failures, so ignore compiler
-		// warnings about not doing anything with the result.
-		(void) ret;
-		fclose(f);
-	} else {
-		P_WARN("setOomScore(" << filteredScore << ", " << type << ") failed due to error: " << strerror(errno));
-	}
-}
-
 /**
  * Set the current process's OOM score to "never kill".
  */
@@ -358,12 +325,18 @@ waitForStarterProcessOrWatchers(const WorkingObjectsPtr &wo, vector<AgentWatcher
 	}
 }
 
+string
+relative(string filename){
+	string dir = filename.substr(filename.find_last_of('/')+1);
+	return dir;
+}
+
 static vector<pid_t>
 readCleanupPids(const WorkingObjectsPtr &wo) {
 	vector<pid_t> result;
 
 	foreach (string filename, wo->cleanupPidfiles) {
-		FILE *f = fopen(filename.c_str(), "r");
+		FILE *f = fopen(relative(filename).c_str(), "r");
 		if (f != NULL) {
 			char buf[33];
 			size_t ret;
@@ -388,7 +361,10 @@ static void
 killCleanupPids(const vector<pid_t> &cleanupPids) {
 	foreach (pid_t pid, cleanupPids) {
 		P_DEBUG("Sending SIGTERM to cleanup PID " << pid);
-		kill(pid, SIGTERM);
+		if(kill(pid, SIGTERM) == -1){
+			int e = errno;
+			P_WARN("Failed to send SIGTERM to " << pid << ", error: " << e << " " << strerror(e));
+		}
 	}
 }
 
@@ -800,7 +776,7 @@ initializeBareEssentials(int argc, char *argv[], WorkingObjectsPtr &wo) {
 	 * for this watchdog. Note that the OOM score is inherited by child processes
 	 * so we need to restore it after each fork().
 	 */
-	oldOomScore = setOomScoreNeverKill();
+	string oldOomScore = setOomScoreNeverKill();
 
 	agentsOptions = new VariantMap();
 	*agentsOptions = initializeAgent(argc, &argv, SHORT_PROGRAM_NAME " watchdog",
@@ -925,6 +901,18 @@ openReportFile(const WorkingObjectsPtr &wo) {
 	}
 }
 
+static void
+chdirToTmpDir() {
+	vector<string> pidfiles = agentsOptions->getStrSet("cleanup_pidfiles", false);
+	if (pidfiles.size() > 0) {
+		string str = pidfiles.front();
+		string dir = str.substr(0,str.find_last_of('/'));
+		if (dir != "" && chdir(dir.c_str()) == -1) {
+			throw RuntimeException("Cannot change working directory to " + dir);
+		}
+	}
+}
+
 static void
 lowerPrivilege() {
 	TRACE_POINT();
@@ -960,7 +948,9 @@ lowerPrivilege() {
 				"to that of user '" + userName + "' and group '" + groupName +
 				"': cannot set user ID to " + toString(pwUser->pw_uid), e);
 		}
-
+#ifdef __linux__
+		prctl(PR_SET_DUMPABLE, 1);
+#endif
 		setenv("USER", pwUser->pw_name, 1);
 		setenv("HOME", pwUser->pw_dir, 1);
 		setenv("UID", toString(gid).c_str(), 1);
@@ -1300,6 +1290,7 @@ watchdogMain(int argc, char *argv[]) {
 		maybeDaemonize();
 		createPidFile();
 		openReportFile(wo);
+		chdirToTmpDir();
 		lowerPrivilege();
 		initializeWorkingObjects(wo, instanceDirToucher, uidBeforeLoweringPrivilege);
 		initializeAgentWatchers(wo, watchers);

data/src/apache2_module/Configuration.cpp

@@ -303,6 +303,8 @@ DEFINE_SERVER_STR_CONFIG_SETTER(cmd_passenger_default_user, defaultUser)
 DEFINE_SERVER_STR_CONFIG_SETTER(cmd_passenger_default_group, defaultGroup)
 DEFINE_SERVER_STR_CONFIG_SETTER(cmd_passenger_data_buffer_dir, dataBufferDir)
 DEFINE_SERVER_STR_CONFIG_SETTER(cmd_passenger_instance_registry_dir, instanceRegistryDir)
+DEFINE_SERVER_BOOLEAN_CONFIG_SETTER(cmd_passenger_disable_security_update_check, disableSecurityUpdateCheck)
+DEFINE_SERVER_STR_CONFIG_SETTER(cmd_passenger_security_update_check_proxy, securityUpdateCheckProxy)
 DEFINE_SERVER_STR_CONFIG_SETTER(cmd_union_station_gateway_address, unionStationGatewayAddress)
 DEFINE_SERVER_INT_CONFIG_SETTER(cmd_union_station_gateway_port, unionStationGatewayPort, int, 1)
 DEFINE_SERVER_STR_CONFIG_SETTER(cmd_union_station_gateway_cert, unionStationGatewayCert)
@@ -509,6 +511,16 @@ const command_rec passenger_commands[] = {
 		NULL,
 		RSRC_CONF,
 		"The directory to register the instance to."),
+	AP_INIT_FLAG("PassengerDisableSecurityUpdateCheck",
+		(FlagFunc) cmd_passenger_disable_security_update_check,
+		NULL,
+		RSRC_CONF,
+		"Whether to enable the security update check & notify."),
+	AP_INIT_TAKE1("PassengerSecurityUpdateCheckProxy",
+		(Take1Func) cmd_passenger_security_update_check_proxy,
+		NULL,
+		RSRC_CONF,
+		"Use specified http/SOCKS proxy for the security update check."),
 	AP_INIT_TAKE1("PassengerMaxPreloaderIdleTime",
 		(Take1Func) cmd_passenger_max_preloader_idle_time,
 		NULL,

data/src/apache2_module/Configuration.hpp

@@ -194,6 +194,9 @@ struct ServerConfig {
 	string dataBufferDir;
 	string instanceRegistryDir;
 
+	bool disableSecurityUpdateCheck;
+	string securityUpdateCheckProxy;
+
 	bool unionStationSupport;
 	string unionStationGatewayAddress;
 	int unionStationGatewayPort;
@@ -220,6 +223,8 @@ struct ServerConfig {
 		responseBufferHighWatermark = DEFAULT_RESPONSE_BUFFER_HIGH_WATERMARK;
 		statThrottleRate   = DEFAULT_STAT_THROTTLE_RATE;
 		userSwitching      = true;
+		disableSecurityUpdateCheck = false;
+		securityUpdateCheckProxy = string();
 		defaultUser        = DEFAULT_WEB_APP_USER;
 		unionStationSupport        = false;
 		unionStationGatewayAddress = DEFAULT_UNION_STATION_GATEWAY_ADDRESS;

data/src/apache2_module/ConfigurationCommands.cpp

@@ -1,27 +1,27 @@
 /*
- * Phusion Passenger - https://www.phusionpassenger.com/
- * Copyright (c) 2010-2016 Phusion Holding B.V.
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2010-2016 Phusion Holding B.V.
  *
- * "Passenger", "Phusion Passenger" and "Union Station" are registered
- * trademarks of Phusion Holding B.V.
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
  *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
  */
 
 /*

data/src/apache2_module/ConfigurationCommands.cpp.cxxcodebuilder

@@ -23,12 +23,12 @@
 #  THE SOFTWARE.
 
 # This file uses the cxxcodebuilder API. Learn more at:
-# https://github.com/phusion/passenger/cxxcodebuilder
+# https://github.com/phusion/cxxcodebuilder
 
 require 'phusion_passenger/apache2/config_options'
 
 def main
-  comment copyright_header_for(__FILE__)
+  comment copyright_header_for(__FILE__), 1
 
   separator
 

data/src/apache2_module/ConfigurationFields.hpp

@@ -1,27 +1,27 @@
 /*
- * Phusion Passenger - https://www.phusionpassenger.com/
- * Copyright (c) 2010-2016 Phusion Holding B.V.
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2010-2016 Phusion Holding B.V.
  *
- * "Passenger", "Phusion Passenger" and "Union Station" are registered
- * trademarks of Phusion Holding B.V.
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
  *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
  */
 
 /*