passenger 5.0.9 → 5.0.10

data/ext/common/SpawningKit/UserSwitchingRules.h

@@ -0,0 +1,265 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2011-2015 Phusion
+ *
+ *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+#ifndef _PASSENGER_SPAWNING_KIT_USER_SWITCHING_RULES_H_
+#define _PASSENGER_SPAWNING_KIT_USER_SWITCHING_RULES_H_
+
+#include <sys/types.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <string>
+#include <algorithm>
+#include <boost/shared_array.hpp>
+#include <oxt/backtrace.hpp>
+#include <oxt/system_calls.hpp>
+#include <SpawningKit/Options.h>
+#include <Exceptions.h>
+#include <Utils.h>
+
+namespace Passenger {
+namespace SpawningKit {
+
+using namespace std;
+using namespace boost;
+using namespace oxt;
+
+
+struct UserSwitchingInfo {
+	bool enabled;
+	string username;
+	string groupname;
+	string home;
+	string shell;
+	uid_t uid;
+	gid_t gid;
+	int ngroups;
+	shared_array<gid_t> gidset;
+};
+
+inline UserSwitchingInfo
+prepareUserSwitching(const Options &options) {
+	TRACE_POINT();
+	UserSwitchingInfo info;
+
+	if (geteuid() != 0) {
+		struct passwd pwd, *userInfo;
+		long bufSize;
+		shared_array<char> strings;
+
+		// _SC_GETPW_R_SIZE_MAX is not a maximum:
+		// http://tomlee.co/2012/10/problems-with-large-linux-unix-groups-and-getgrgid_r-getgrnam_r/
+		bufSize = std::max<long>(1024 * 128, sysconf(_SC_GETPW_R_SIZE_MAX));
+		strings.reset(new char[bufSize]);
+
+		userInfo = (struct passwd *) NULL;
+		if (getpwuid_r(geteuid(), &pwd, strings.get(), bufSize, &userInfo) != 0
+		 || userInfo == (struct passwd *) NULL)
+		{
+			throw RuntimeException("Cannot get user database entry for user " +
+				getProcessUsername() + "; it looks like your system's " +
+				"user database is broken, please fix it.");
+		}
+
+		info.enabled = false;
+		info.username = userInfo->pw_name;
+		info.groupname = getGroupName(userInfo->pw_gid);
+		info.home = userInfo->pw_dir;
+		info.shell = userInfo->pw_shell;
+		info.uid = geteuid();
+		info.gid = getegid();
+		info.ngroups = 0;
+		return info;
+	}
+
+	UPDATE_TRACE_POINT();
+	string defaultGroup;
+	string startupFile = absolutizePath(options.getStartupFile(),
+		absolutizePath(options.appRoot));
+	struct passwd pwd, *userInfo;
+	struct group  grp;
+	gid_t  groupId = (gid_t) -1;
+	long pwdBufSize, grpBufSize;
+	shared_array<char> pwdBuf, grpBuf;
+	int ret;
+
+	// _SC_GETPW_R_SIZE_MAX/_SC_GETGR_R_SIZE_MAX are not maximums:
+	// http://tomlee.co/2012/10/problems-with-large-linux-unix-groups-and-getgrgid_r-getgrnam_r/
+	pwdBufSize = std::max<long>(1024 * 128, sysconf(_SC_GETPW_R_SIZE_MAX));
+	pwdBuf.reset(new char[pwdBufSize]);
+	grpBufSize = std::max<long>(1024 * 128, sysconf(_SC_GETGR_R_SIZE_MAX));
+	grpBuf.reset(new char[grpBufSize]);
+
+	if (options.defaultGroup.empty()) {
+		struct passwd *info;
+		struct group *group;
+
+		info = (struct passwd *) NULL;
+		ret = getpwnam_r(options.defaultUser.c_str(), &pwd, pwdBuf.get(),
+			pwdBufSize, &info);
+		if (ret != 0) {
+			info = (struct passwd *) NULL;
+		}
+		if (info == (struct passwd *) NULL) {
+			throw RuntimeException("Cannot get user database entry for username '" +
+				options.defaultUser + "'");
+		}
+
+		group = (struct group *) NULL;
+		ret = getgrgid_r(info->pw_gid, &grp, grpBuf.get(), grpBufSize, &group);
+		if (ret != 0) {
+			group = (struct group *) NULL;
+		}
+		if (group == (struct group *) NULL) {
+			throw RuntimeException(string("Cannot get group database entry for ") +
+				"the default group belonging to username '" +
+				options.defaultUser + "'");
+		}
+		defaultGroup = group->gr_name;
+	} else {
+		defaultGroup = options.defaultGroup;
+	}
+
+	UPDATE_TRACE_POINT();
+	userInfo = (struct passwd *) NULL;
+	if (!options.userSwitching) {
+		// Keep userInfo at NULL so that it's set to defaultUser's UID.
+	} else if (!options.user.empty()) {
+		ret = getpwnam_r(options.user.c_str(), &pwd, pwdBuf.get(),
+			pwdBufSize, &userInfo);
+		if (ret != 0) {
+			userInfo = (struct passwd *) NULL;
+		}
+	} else {
+		struct stat buf;
+		if (syscalls::lstat(startupFile.c_str(), &buf) == -1) {
+			int e = errno;
+			throw SystemException("Cannot lstat(\"" + startupFile +
+				"\")", e);
+		}
+		ret = getpwuid_r(buf.st_uid, &pwd, pwdBuf.get(),
+			pwdBufSize, &userInfo);
+		if (ret != 0) {
+			userInfo = (struct passwd *) NULL;
+		}
+	}
+	if (userInfo == (struct passwd *) NULL || userInfo->pw_uid == 0) {
+		userInfo = (struct passwd *) NULL;
+		ret = getpwnam_r(options.defaultUser.c_str(), &pwd,
+			pwdBuf.get(), pwdBufSize, &userInfo);
+		if (ret != 0) {
+			userInfo = (struct passwd *) NULL;
+		}
+	}
+
+	UPDATE_TRACE_POINT();
+	if (!options.userSwitching) {
+		// Keep groupId at -1 so that it's set to defaultGroup's GID.
+	} else if (!options.group.empty()) {
+		struct group *groupInfo = (struct group *) NULL;
+
+		if (options.group == "!STARTUP_FILE!") {
+			struct stat buf;
+
+			if (syscalls::lstat(startupFile.c_str(), &buf) == -1) {
+				int e = errno;
+				throw SystemException("Cannot lstat(\"" +
+					startupFile + "\")", e);
+			}
+
+			ret = getgrgid_r(buf.st_gid, &grp, grpBuf.get(), grpBufSize,
+				&groupInfo);
+			if (ret != 0) {
+				groupInfo = (struct group *) NULL;
+			}
+			if (groupInfo != NULL) {
+				groupId = buf.st_gid;
+			} else {
+				groupId = (gid_t) -1;
+			}
+		} else {
+			ret = getgrnam_r(options.group.c_str(), &grp, grpBuf.get(),
+				grpBufSize, &groupInfo);
+			if (ret != 0) {
+				groupInfo = (struct group *) NULL;
+			}
+			if (groupInfo != NULL) {
+				groupId = groupInfo->gr_gid;
+			} else {
+				groupId = (gid_t) -1;
+			}
+		}
+	} else if (userInfo != (struct passwd *) NULL) {
+		groupId = userInfo->pw_gid;
+	}
+	if (groupId == 0 || groupId == (gid_t) -1) {
+		groupId = lookupGid(defaultGroup);
+	}
+
+	UPDATE_TRACE_POINT();
+	if (userInfo == (struct passwd *) NULL) {
+		throw RuntimeException("Cannot determine a user to lower privilege to");
+	}
+	if (groupId == (gid_t) -1) {
+		throw RuntimeException("Cannot determine a group to lower privilege to");
+	}
+
+	UPDATE_TRACE_POINT();
+	#ifdef __APPLE__
+		int groups[1024];
+		info.ngroups = sizeof(groups) / sizeof(int);
+	#else
+		gid_t groups[1024];
+		info.ngroups = sizeof(groups) / sizeof(gid_t);
+	#endif
+	info.enabled = true;
+	info.username = userInfo->pw_name;
+	info.groupname = getGroupName(groupId);
+	info.home = userInfo->pw_dir;
+	info.shell = userInfo->pw_shell;
+	info.uid = userInfo->pw_uid;
+	info.gid = groupId;
+	#if !defined(HAVE_GETGROUPLIST) && (defined(__linux__) || defined(__APPLE__) || defined(__FreeBSD__))
+		#define HAVE_GETGROUPLIST
+	#endif
+	#ifdef HAVE_GETGROUPLIST
+		ret = getgrouplist(userInfo->pw_name, groupId,
+			groups, &info.ngroups);
+		if (ret == -1) {
+			int e = errno;
+			throw SystemException("getgrouplist() failed", e);
+		}
+		info.gidset = shared_array<gid_t>(new gid_t[info.ngroups]);
+		for (int i = 0; i < info.ngroups; i++) {
+			info.gidset[i] = groups[i];
+		}
+	#endif
+
+	return info;
+}
+
+
+} // namespace SpawningKit
+} // namespace Passenger
+
+#endif /* _PASSENGER_SPAWNING_KIT_USER_SWITCHING_RULES_H_ */

data/ext/common/Utils/BufferedIO.h

@@ -1,3 +1,27 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2010-2015 Phusion
+ *
+ *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
 #ifndef _PASSENGER_BUFFERED_IO_H_
 #define _PASSENGER_BUFFERED_IO_H_
 

data/ext/common/{ApplicationPool2/SpawnObject.h → Utils/ClassUtils.h}

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2014 Phusion
+ *  Copyright (c) 2015 Phusion
  *
  *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
  *
@@ -22,62 +22,35 @@
  *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  *  THE SOFTWARE.
  */
-#ifndef _PASSENGER_APPLICATION_POOL_SPAWNER_OBJECT_H_
-#define _PASSENGER_APPLICATION_POOL_SPAWNER_OBJECT_H_
+#ifndef _PASSENGER_CLASS_UTILS_H_
+#define _PASSENGER_CLASS_UTILS_H_
 
-#include <boost/noncopyable.hpp>
-#include <boost/move/core.hpp>
-#include <MemoryKit/palloc.h>
-#include <ApplicationPool2/Common.h>
-
-namespace Passenger {
-namespace ApplicationPool2 {
-
-
-class SpawnObject: public boost::noncopyable {
-private:
-	BOOST_MOVABLE_BUT_NOT_COPYABLE(SpawnObject)
-
-public:
-	psg_pool_t *pool;
-	ProcessPtr process;
-
-	SpawnObject() {
-		pool = psg_create_pool(PSG_DEFAULT_POOL_SIZE);
-	}
-
-	SpawnObject(BOOST_RV_REF(SpawnObject) r)
-		: pool(r.pool),
-		  process(r.process)
-	{
-		r.pool = NULL;
-		r.process.reset();
+#define P_DEFINE_GETTER_CONST_REF(type, name) \
+	const type &get ## name() const { \
+		return m ## name; \
 	}
 
-	~SpawnObject() {
-		if (pool != NULL) {
-			psg_destroy_pool(pool);
-		}
+#define P_DEFINE_GETTER_REF(type, name) \
+	type &get ## name() { \
+		return m ## name; \
 	}
 
-	SpawnObject &operator=(BOOST_RV_REF(SpawnObject) r) {
-		if (this != &r) {
-			if (pool != r.pool) {
-				if (pool != NULL) {
-					psg_destroy_pool(pool);
-				}
-				pool = r.pool;
-			}
-			r.pool = NULL;
-			process = r.process;
-			r.process.reset();
-		}
-		return *this;
+#define P_DEFINE_SETTER(type, name) \
+	void set ## name(const type &value) { \
+		m ## name = value; \
 	}
-};
 
+#define P_PROPERTY_CONST_REF(visibility, type, name) \
+	public: \
+		P_DEFINE_GETTER_CONST_REF(type, name) \
+		P_DEFINE_SETTER(type, name) \
+	visibility: \
+		type m ## name
 
-} // namespace ApplicationPool2
-} // namespace Passenger
+#define P_RO_PROPERTY_REF(visibility, type, name) \
+	public: \
+		P_DEFINE_GETTER_REF(type, name) \
+	visibility: \
+		type m ## name
 
-#endif /* _PASSENGER_APPLICATION_POOL_SPAWNER_OBJECT_H_ */
+#endif /* _PASSENGER_CLASS_UTILS_H_ */

data/ext/common/Utils/IOUtils.cpp

@@ -26,6 +26,7 @@
 #ifndef _GNU_SOURCE
 	// Needed for IOV_MAX on Linux:
 	// https://bugzilla.redhat.com/show_bug.cgi?id=165427
+	// Also needed for SO_PEERCRED.
 	#define _GNU_SOURCE
 #endif
 
@@ -154,6 +155,30 @@ isLocalSocketAddress(const StaticString &address) {
 	}
 }
 
+void
+setBlocking(int fd) {
+	int flags, ret;
+
+	do {
+		flags = fcntl(fd, F_GETFL);
+	} while (flags == -1 && errno == EINTR);
+	if (flags == -1) {
+		int e = errno;
+		throw SystemException("Cannot set socket to blocking mode: "
+			"cannot get socket flags",
+			e);
+	}
+	do {
+		ret = fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
+	} while (ret == -1 && errno == EINTR);
+	if (ret == -1) {
+		int e = errno;
+		throw SystemException("Cannot set socket to blocking mode: "
+			"cannot set socket flags",
+			e);
+	}
+}
+
 void
 setNonBlocking(int fd) {
 	int flags, ret;
@@ -1160,6 +1185,51 @@ writeFileDescriptor(int fd, int fdToSend, unsigned long long *timeout) {
 	}
 }
 
+void
+readPeerCredentials(int sock, uid_t *uid, gid_t *gid) {
+	union {
+		struct sockaddr genericAddress;
+		struct sockaddr_un unixAddress;
+		struct sockaddr_in inetAddress;
+	} addr;
+	socklen_t len = sizeof(addr);
+
+	/*
+	 * The functions for receiving the peer credentials are not guaranteed to
+	 * fail if the socket is not a Unix domain socket. For example, OS X getpeereid()
+	 * just returns garbage when invoked on a TCP socket. So we check here
+	 * whether 'sock' is a Unix domain socket.
+	 */
+	if (getsockname(sock, &addr.genericAddress, &len) == -1) {
+		int e = errno;
+		throw SystemException("Unable to autodetect socket type (getsockname() failed)", e);
+	}
+	if (addr.genericAddress.sa_family != AF_LOCAL) {
+		throw SystemException("Cannot receive process credentials: the connection is not a Unix domain socket",
+			EPROTONOSUPPORT);
+	}
+
+	#if defined(__linux__)
+		struct ucred credentials;
+		socklen_t ucred_length = sizeof(struct ucred);
+
+		if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &credentials, &ucred_length) != 0) {
+			int e = errno;
+			throw SystemException("Cannot receive process credentials over Unix domain socket", e);
+		}
+
+		*uid = credentials.uid;
+		*gid = credentials.gid;
+	#elif defined(__FreeBSD__) || defined(__APPLE__)
+		if (getpeereid(sock, uid, gid) == -1) {
+			int e = errno;
+			throw SystemException("Cannot receive process credentials over Unix domain socket", e);
+		}
+	#else
+		throw SystemException("Cannot receive process credentials over Unix domain socket", ENOSYS);
+	#endif
+}
+
 void
 safelyClose(int fd, bool ignoreErrors) {
 	if (syscalls::close(fd) == -1) {