RubyGems - passenger - Versions diffs - 5.1.10 → 5.1.11 - Mend

passenger 5.1.10 → 5.1.11

Potentially problematic release.

This version of passenger might be problematic. Click here for more details.

Files changed (200) hide show

checksums.yaml +4 -4
data/CHANGELOG +18 -0
data/Rakefile +20 -17
data/bin/passenger-install-apache2-module +14 -11
data/build/agent.rb +45 -18
data/build/apache2.rb +32 -16
data/build/basics.rb +29 -40
data/build/common_library.rb +70 -54
data/build/cxx_tests.rb +34 -43
data/build/integration_tests.rb +10 -10
data/build/misc.rb +6 -6
data/build/node_tests.rb +1 -2
data/build/oxt_tests.rb +7 -5
data/build/packaging.rb +11 -441
data/build/ruby_extension.rb +1 -1
data/build/ruby_tests.rb +1 -2
data/build/support/cplusplus.rb +6 -5
data/build/support/cxx_dependency_map.rb +357 -833
data/build/support/general.rb +23 -1
data/build/test_basics.rb +3 -28
data/dev/ci/tests/rpm/Jenkinsfile +68 -0
data/dev/ci/tests/rpm/run +63 -0
data/dev/ci/tests/source-packaging/run +1 -1
data/dev/ci/tests/source-packaging/setup +1 -1
data/doc/{Packaging.txt.md → Packaging.md} +0 -0
data/resources/templates/apache2/deployment_example.txt.erb +2 -2
data/resources/templates/apache2/multiple_apache_installations_detected.txt.erb +2 -2
data/resources/templates/nginx/deployment_example.txt.erb +1 -1
data/resources/templates/standalone/mass_deployment_default_server.erb +2 -2
data/resources/templates/standalone/server.erb +2 -2
data/src/agent/AgentMain.cpp +0 -4
data/src/agent/Core/CoreMain.cpp +88 -5
data/src/agent/Core/SpawningKit/Spawner.h +2 -1
data/src/agent/Shared/Fundamentals/AbortHandler.cpp +1109 -0
data/src/agent/Shared/Fundamentals/AbortHandler.h +63 -0
data/src/agent/Shared/Fundamentals/Implementation.cpp +7 -0
data/src/agent/Shared/Fundamentals/Initialization.cpp +614 -0
data/src/agent/Shared/{Base.h → Fundamentals/Initialization.h} +23 -14
data/src/agent/Shared/Fundamentals/Utils.cpp +127 -0
data/src/agent/Shared/Fundamentals/Utils.h +46 -0
data/src/agent/TempDirToucher/TempDirToucherMain.cpp +1 -1
data/src/agent/Watchdog/CoreWatcher.cpp +3 -1
data/src/agent/Watchdog/InstanceDirToucher.cpp +90 -53
data/src/agent/Watchdog/WatchdogMain.cpp +13 -29
data/src/apache2_module/Hooks.cpp +4 -1
data/src/cxx_supportlib/ConfigKit/Store.h +32 -5
data/src/cxx_supportlib/Constants.h +1 -2
data/src/cxx_supportlib/Crypto.cpp +2 -1
data/src/cxx_supportlib/Hooks.h +16 -37
data/src/cxx_supportlib/LoggingKit/Context.h +22 -0
data/src/cxx_supportlib/LoggingKit/Forward.h +1 -0
data/src/cxx_supportlib/LoggingKit/Implementation.cpp +106 -22
data/src/cxx_supportlib/ProcessManagement/Ruby.cpp +106 -0
data/src/{agent/UstRouter/FileSink.h → cxx_supportlib/ProcessManagement/Ruby.h} +23 -47
data/src/cxx_supportlib/ProcessManagement/Spawn.cpp +199 -0
data/src/cxx_supportlib/ProcessManagement/Spawn.h +150 -0
data/src/cxx_supportlib/ProcessManagement/Utils.cpp +459 -0
data/src/cxx_supportlib/ProcessManagement/Utils.h +107 -0
data/src/cxx_supportlib/Utils.cpp +41 -561
data/src/cxx_supportlib/Utils.h +0 -68
data/src/cxx_supportlib/Utils/AsyncSignalSafeUtils.h +187 -0
data/src/cxx_supportlib/Utils/ProcessMetricsCollector.h +14 -2
data/src/cxx_supportlib/WatchdogLauncher.h +2 -12
data/src/cxx_supportlib/oxt/dynamic_thread_group.hpp +2 -2
data/src/cxx_supportlib/vendor-modified/jsoncpp/json-forwards.h +4 -0
data/src/cxx_supportlib/vendor-modified/jsoncpp/json.h +16 -1
data/src/cxx_supportlib/vendor-modified/jsoncpp/jsoncpp.cpp +12 -9
data/src/cxx_supportlib/vendor-modified/libev/ev++.h +4 -4
data/src/cxx_supportlib/vendor-modified/libev/ev.h +3 -3
data/src/nginx_module/CacheLocationConfig.c +0 -75
data/src/nginx_module/CacheLocationConfig.c.cxxcodebuilder +1 -0
data/src/nginx_module/Configuration.c +0 -1
data/src/nginx_module/Configuration.h +0 -1
data/src/nginx_module/ConfigurationCommands.c +1 -1
data/src/nginx_module/ContentHandler.c +0 -1
data/src/nginx_module/ContentHandler.h +0 -1
data/src/nginx_module/CreateLocationConfig.c +0 -5
data/src/nginx_module/CreateLocationConfig.c.cxxcodebuilder +1 -0
data/src/nginx_module/LocationConfig.h +0 -4
data/src/nginx_module/LocationConfig.h.cxxcodebuilder +2 -1
data/src/nginx_module/MergeLocationConfig.c +0 -12
data/src/nginx_module/MergeLocationConfig.c.cxxcodebuilder +1 -0
data/src/nginx_module/ngx_http_passenger_module.h +0 -1
data/src/ruby_supportlib/phusion_passenger.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/common_library.rb +20 -11
data/src/ruby_supportlib/phusion_passenger/config/api_call_command.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/config/reopen_logs_command.rb +0 -1
data/src/ruby_supportlib/phusion_passenger/config/validate_install_command.rb +10 -3
data/src/ruby_supportlib/phusion_passenger/console_text_template.rb +3 -1
data/src/ruby_supportlib/phusion_passenger/constants.rb +0 -1
data/src/ruby_supportlib/phusion_passenger/debug_logging.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/loader_shared_helpers.rb +32 -6
data/src/ruby_supportlib/phusion_passenger/nginx/config_options.rb +0 -1
data/src/ruby_supportlib/phusion_passenger/packaging.rb +2 -4
data/src/ruby_supportlib/phusion_passenger/platform_info/apache.rb +101 -20
data/src/ruby_supportlib/phusion_passenger/platform_info/apache_detector.rb +21 -9
data/src/ruby_supportlib/phusion_passenger/platform_info/compiler.rb +34 -31
data/src/ruby_supportlib/phusion_passenger/platform_info/cxx_portability.rb +3 -1
data/src/ruby_supportlib/phusion_passenger/platform_info/depcheck_specs/apache2.rb +2 -14
data/src/ruby_supportlib/phusion_passenger/platform_info/operating_system.rb +40 -3
data/src/ruby_supportlib/phusion_passenger/standalone/app_finder.rb +15 -14
data/src/ruby_supportlib/phusion_passenger/standalone/config_options_list.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/standalone/config_utils.rb +1 -1
data/src/ruby_supportlib/phusion_passenger/standalone/start_command.rb +8 -3
data/src/ruby_supportlib/phusion_passenger/standalone/start_command/nginx_engine.rb +19 -18
data/src/ruby_supportlib/phusion_passenger/standalone/stop_command.rb +6 -1
data/src/ruby_supportlib/phusion_passenger/vendor/daemon_controller.rb +17 -1
metadata +19 -97
data/build/documentation.rb +0 -70
data/doc/CloudLicensingConfiguration.html +0 -172
data/doc/CloudLicensingConfiguration.txt.md +0 -3
data/doc/Packaging.html +0 -488
data/doc/Security of user switching support.idmap.txt +0 -34
data/doc/Security of user switching support.txt +0 -197
data/doc/ServerOptimizationGuide.html +0 -172
data/doc/ServerOptimizationGuide.txt.md +0 -3
data/doc/images/by_sa.png +0 -0
data/doc/images/cloud_licensing_batch_job.png +0 -0
data/doc/images/code_walkthrough.jpg +0 -0
data/doc/images/direct_spawning.png +0 -0
data/doc/images/direct_spawning.svg +0 -251
data/doc/images/glyphicons-halflings-white.png +0 -0
data/doc/images/glyphicons-halflings.png +0 -0
data/doc/images/icons/README +0 -5
data/doc/images/icons/callouts/1.png +0 -0
data/doc/images/icons/callouts/10.png +0 -0
data/doc/images/icons/callouts/11.png +0 -0
data/doc/images/icons/callouts/12.png +0 -0
data/doc/images/icons/callouts/13.png +0 -0
data/doc/images/icons/callouts/14.png +0 -0
data/doc/images/icons/callouts/15.png +0 -0
data/doc/images/icons/callouts/2.png +0 -0
data/doc/images/icons/callouts/3.png +0 -0
data/doc/images/icons/callouts/4.png +0 -0
data/doc/images/icons/callouts/5.png +0 -0
data/doc/images/icons/callouts/6.png +0 -0
data/doc/images/icons/callouts/7.png +0 -0
data/doc/images/icons/callouts/8.png +0 -0
data/doc/images/icons/callouts/9.png +0 -0
data/doc/images/icons/caution.png +0 -0
data/doc/images/icons/example.png +0 -0
data/doc/images/icons/home.png +0 -0
data/doc/images/icons/important.png +0 -0
data/doc/images/icons/next.png +0 -0
data/doc/images/icons/note.png +0 -0
data/doc/images/icons/prev.png +0 -0
data/doc/images/icons/tip.png +0 -0
data/doc/images/icons/up.png +0 -0
data/doc/images/icons/warning.png +0 -0
data/doc/images/many_web_framework_protocols.png +0 -0
data/doc/images/passenger_architecture.png +0 -0
data/doc/images/passenger_architecture.svg +0 -385
data/doc/images/passenger_architecture_overview.png +0 -0
data/doc/images/passenger_core_architecture.png +0 -0
data/doc/images/passenger_nodejs_architecture.svg +0 -558
data/doc/images/phusion_banner.png +0 -0
data/doc/images/rack.png +0 -0
data/doc/images/smart_spawning.png +0 -0
data/doc/images/smart_spawning.svg +0 -323
data/doc/images/spawn_server_architecture.png +0 -0
data/doc/images/spawn_server_architecture.svg +0 -655
data/doc/images/spawning_preparation_work.png +0 -0
data/doc/images/startup_sequence.png +0 -0
data/doc/images/typical_isolated_web_application.png +0 -0
data/doc/images/typical_isolated_web_application.svg +0 -213
data/doc/users_guide_snippets/alternative_for_flying_passenger.txt +0 -1
data/doc/users_guide_snippets/analysis_and_system_maintenance.txt +0 -61
data/doc/users_guide_snippets/appendix_a_about.txt +0 -13
data/doc/users_guide_snippets/appendix_b_terminology.txt +0 -71
data/doc/users_guide_snippets/appendix_c_spawning_methods.txt +0 -36
data/doc/users_guide_snippets/deployment_basics.txt +0 -37
data/doc/users_guide_snippets/enterprise_only.txt +0 -1
data/doc/users_guide_snippets/environment_variables.txt +0 -44
data/doc/users_guide_snippets/global_queueing_explained.txt +0 -74
data/doc/users_guide_snippets/installation.txt +0 -228
data/doc/users_guide_snippets/installation/run_installer.txt +0 -58
data/doc/users_guide_snippets/installation/verify_running_epilogue.txt +0 -6
data/doc/users_guide_snippets/passenger_spawn_method.txt +0 -37
data/doc/users_guide_snippets/rackup_specifications.txt +0 -1
data/doc/users_guide_snippets/rvm_helper_tool.txt +0 -44
data/doc/users_guide_snippets/since_version.txt +0 -1
data/doc/users_guide_snippets/support_information.txt +0 -8
data/doc/users_guide_snippets/tips.txt +0 -302
data/doc/users_guide_snippets/troubleshooting/default.txt +0 -48
data/doc/users_guide_snippets/troubleshooting/rails.txt +0 -59
data/doc/users_guide_snippets/under_the_hood/page_caching_support.txt +0 -24
data/doc/users_guide_snippets/under_the_hood/relationship_with_ruby.txt +0 -10
data/doc/users_guide_snippets/where_to_get_support.txt +0 -9
data/src/agent/Shared/Base.cpp +0 -1678
data/src/agent/UstRouter/ApiServer.h +0 -292
data/src/agent/UstRouter/Client.h +0 -112
data/src/agent/UstRouter/Controller.h +0 -1309
data/src/agent/UstRouter/LogSink.h +0 -145
data/src/agent/UstRouter/OptionParser.h +0 -180
data/src/agent/UstRouter/RemoteSender.h +0 -853
data/src/agent/UstRouter/RemoteSink.h +0 -145
data/src/agent/UstRouter/Transaction.h +0 -278
data/src/agent/UstRouter/UstRouterMain.cpp +0 -681
data/src/agent/Watchdog/UstRouterWatcher.cpp +0 -80
data/src/ruby_supportlib/phusion_passenger/platform_info/macos.rb +0 -45

@@ -25,7 +25,7 @@
 class CxxCodeTemplateRenderer
   def initialize(filename)
     if !defined?(CxxCodeBuilder)
-      require 'build/support/vendor/cxxcodebuilder/lib/cxxcodebuilder'
+      require_build_system_file('support/vendor/cxxcodebuilder/lib/cxxcodebuilder')
     end
     code = File.open(filename, 'rb') do |f|
       f.read
@@ -117,3 +117,25 @@ end
 def shesc(path)
   Shellwords.escape(path)
 end
+LET_CACHE = {}
+def let(name)
+  name = name.to_sym
+  Kernel.send(:define_method, name) do
+    if LET_CACHE.key?(name)
+      LET_CACHE[name]
+    else
+      LET_CACHE[name] = yield
+    end
+  end
+end
+def maybe_eval_lambda(lambda_or_value)
+  if lambda_or_value.respond_to?(:call)
+    lambda_or_value.call
+  else
+    lambda_or_value
+  end
+end

data/build/test_basics.rb CHANGED

@@ -48,10 +48,9 @@ task 'test:install_deps' do
   gem_install = "#{PlatformInfo.ruby_sudo_command} #{gem_install}" if boolean_option('SUDO')
   default = boolean_option('DEVDEPS_DEFAULT', true)
   install_base_deps = boolean_option('BASE_DEPS', default)
-  install_doctools  = boolean_option('DOCTOOLS', default)
   if deps_target = string_option('DEPS_TARGET')
-    bundle_args = "--path #{Shellwords.escape deps_target} #{ENV['BUNDLE_ARGS']}".strip
+    bundle_args = "--path #{shesc deps_target} #{ENV['BUNDLE_ARGS']}".strip
   else
     bundle_args = ENV['BUNDLE_ARGS'].to_s
   end
@@ -62,36 +61,12 @@ task 'test:install_deps' do
     sh "#{gem_install} bundler"
   end
-  if install_base_deps && install_doctools
+  if install_base_deps
     sh "bundle install #{bundle_args} --without="
   else
-    if install_base_deps
-      sh "bundle install #{bundle_args} --without doc release"
-    end
-    if install_doctools
-      sh "bundle install #{bundle_args} --without base"
-    end
+    sh "bundle install #{bundle_args} --without base"
   end
-  if install_doctools
-    # workaround for issue "bluecloth not found" when using 1.12.x
-    sh "#{gem_install} bundler --version 1.11.2"
-    sh "rvm list"
-  end
-  if boolean_option('USH_BUNDLES', default)
-    # see what is available for Submodule tests just in case Travis CI environment changes
-    # || true to avoid missing rvm command triggering a failure on Jenkins CI
-    sh "rvm list || true"
-    sh "cd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core" \
-      " && bundle install #{bundle_args} --with travis --without doc notravis"
-    sh "cd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_rails" \
-      " && bundle install #{bundle_args} --without doc notravis"
-    sh "cd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_rails" \
-      " && bundle exec rake install_test_app_bundles" \
-      " BUNDLE_ARGS='#{bundle_args}'"
-  end
   if boolean_option('NODE_MODULES', default)
     sh "yarn install #{yarn_args}"
   end

data/dev/ci/tests/rpm/Jenkinsfile ADDED

@@ -0,0 +1,68 @@
+def setupTest(enablerFlag, distribution, architecture, block) {
+  if (enablerFlag) {
+    node('linux') {
+      withEnv([
+        "CACHE_DIR=${env.JENKINS_HOME}/cache/${env.JOB_NAME}/${distribution}-${architecture}",
+        "DISTRIBUTION=${distribution}",
+        "ARCHITECTURE=${architecture}"
+      ], block)
+    }
+  } else {
+    echo 'Test skipped.'
+  }
+}
+pipeline {
+  agent any
+  options {
+    buildDiscarder(logRotator(numToKeepStr: '10'))
+    timeout(time: 45, unit: 'MINUTES')
+    disableConcurrentBuilds()
+    timestamps()
+    ansiColor('xterm')
+  }
+  parameters {
+    booleanParam(name: 'EL6', defaultValue: true, description: 'RHEL 6 tests')
+    booleanParam(name: 'EL7', defaultValue: true, description: 'RHEL 7 tests')
+  }
+  stages {
+    stage('Initialize') {
+      steps {
+        script {
+          if (env.JOB_NAME.indexOf('Enterprise') != -1) {
+            env.ENTERPRISE = '1'
+          } else {
+            env.ENTERPRISE = '0'
+          }
+          // For debugging purposes
+          sh 'env | sort'
+        }
+      }
+    }
+    stage('Test') {
+      steps {
+        script {
+          parallel(
+            'el6 x86_64': {
+              setupTest(params.EL6, 'el6', 'x86_64') {
+                checkout scm
+                sh './dev/ci/tests/rpm/run'
+              }
+            },
+            'el7 x86_64': {
+              setupTest(params.EL7, 'el7', 'x86_64') {
+                checkout scm
+                sh './dev/ci/tests/rpm/run'
+              }
+            }
+          )
+        }
+      }
+    }
+  }
+}

data/dev/ci/tests/rpm/run ADDED

@@ -0,0 +1,63 @@
+#!/bin/bash
+# This script is from the "Passenger RPM packaging test" Jenkins job. It builds
+# packages for a specific distribution and architecture and runs tests on the resulting packages.
+#
+# Required environment variables:
+#
+#   WORKSPACE
+#   DISTRIBUTION
+#   ARCHITECTURE
+#
+# Optional environment variables:
+#
+#   PASSENGER_ROOT (defaults to $WORKSPACE)
+#   CACHE_DIR (defaults to $WORKSPACE/cache)
+#   ENTERPRISE
+#   DEBUG_CONSOLE
+#
+# Sample invocation in Vagrant dev environment:
+#
+#   env WORKSPACE=$HOME DISTRIBUTION=el7 ARCHITECTURE=x86_64 PASSENGER_ROOT=/passenger ./dev/ci/rpm/run
+set -e
+SELFDIR=$(dirname "$0")
+cd "$SELFDIR/../../../../packaging/rpm"
+# shellcheck source=../../../../packaging/rpm/internal/lib/library.sh
+source "./internal/lib/library.sh"
+# shellcheck source=../../../../packaging/rpm/internal/lib/distro_info.sh
+source "./internal/lib/distro_info.sh"
+require_envvar WORKSPACE "$WORKSPACE"
+require_envvar DISTRIBUTION "$DISTRIBUTION"
+require_envvar ARCHITECTURE "$ARCHITECTURE"
+PASSENGER_ROOT="${PASSENGER_ROOT:-$WORKSPACE}"
+CACHE_DIR="${CACHE_DIR:-$WORKSPACE/cache}"
+TEST_DISTRO_NAME=$(el_name_to_distro_name "$DISTRIBUTION")
+if [[ "$DEBUG_CONSOLE" = true ]]; then
+	EXTRA_TEST_PARAMS=-D
+else
+	EXTRA_TEST_PARAMS=
+fi
+if [[ "$ENTERPRISE" = 1 ]]; then
+	EXTRA_TEST_PARAMS="$EXTRA_TEST_PARAMS -e /etc/passenger-enterprise-license"
+fi
+run mkdir -p "$CACHE_DIR"
+run ./build \
+	-w "$WORKSPACE/work" \
+	-c "$CACHE_DIR" \
+	-o "$WORKSPACE/output" \
+	-p "$PASSENGER_ROOT" \
+	-d "$DISTRIBUTION" \
+	-a "$ARCHITECTURE" \
+	-R \
+	rpm:all
+run ./test \
+	-p "$PASSENGER_ROOT" \
+	-d "$WORKSPACE/output/$DISTRIBUTION" \
+	-c "$CACHE_DIR" \
+	-x "$TEST_DISTRO_NAME" \
+	-j \
+	$EXTRA_TEST_PARAMS

data/dev/ci/tests/source-packaging/run CHANGED

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -e
-run bundle exec rspec -f s -c test/integration_tests/source_packaging_test.rb
+run bundle exec drake "-j$COMPILE_CONCURRENCY" test:source_packaging

data/dev/ci/tests/source-packaging/setup CHANGED

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -e
-retry_run 3 rake test:install_deps BASE_DEPS=yes DOCTOOLS=yes
+retry_run 3 rake test:install_deps BASE_DEPS=yes

data/doc/{Packaging.txt.md → Packaging.md} RENAMED

File without changes

data/resources/templates/apache2/deployment_example.txt.erb CHANGED

@@ -5,7 +5,7 @@ guide:
   <yellow><%= @deployment_guide_url %></yellow>
-Enjoy Phusion Passenger, a product of Phusion (<b><%= @phusion_website %></b>) :-)
+Enjoy Phusion Passenger, a product of Phusion® (<b><%= @phusion_website %></b>) :-)
 <b><%= @passenger_website %></b>
-Phusion Passenger is a registered trademark of Hongli Lai & Ninh Bui.
+Passenger® is a registered trademark of Phusion Holding B.V.

data/resources/templates/apache2/multiple_apache_installations_detected.txt.erb CHANGED

@@ -4,12 +4,12 @@ You are about to install <%= PhusionPassenger::PROGRAM_NAME %> against the follo
 Apache installation:
   <b>Apache <%= @current.version %></b>
-  apxs2     : <%= @current.apxs2 %>
+  apxs2     : <%= @current.apxs2 || 'N/A (OS-provided install)' %>
   Executable: <%= @current.httpd %>
 However, <%= @other_installs.size %> other Apache installation(s) have been found on your system:
 <% @other_installs.each do |result| %>
   * Apache <%= result.version %>
-    apxs2     : <%= result.apxs2 %>
+    apxs2     : <%= result.apxs2 || 'N/A (OS-provided install)' %>
     Executable: <%= result.httpd %>
 <% end %>

data/resources/templates/nginx/deployment_example.txt.erb CHANGED

@@ -8,4 +8,4 @@ guide:
 Enjoy Phusion Passenger, a product of Phusion (<b><%= @phusion_website %></b>) :-)
 <b><%= @passenger_website %></b>
-Phusion Passenger is a registered trademark of Hongli Lai & Ninh Bui.
+Passenger® is a registered trademark of Phusion Holding B.V.

data/resources/templates/standalone/mass_deployment_default_server.erb CHANGED

@@ -1,9 +1,9 @@
 <% if @options[:ssl] %>
     <% if @options[:ssl_port] %>
         listen <%= nginx_listen_address %>;
-        listen <%= nginx_listen_address_with_ssl_port %> ssl;
+        listen <%= nginx_listen_address_with_ssl_port %> ssl http2;
     <% else %>
-        listen <%= nginx_listen_address %> ssl;
+        listen <%= nginx_listen_address %> ssl http2;
     <% end %>
 <% else %>
     listen <%= nginx_listen_address %>;

data/resources/templates/standalone/server.erb CHANGED

@@ -2,9 +2,9 @@ server_name <%= app[:server_names].join(' ') %>;
 <% if app[:ssl] %>
     <% if app[:ssl_port] %>
         listen <%= nginx_listen_address(app) %>;
-        listen <%= nginx_listen_address_with_ssl_port(app) %> ssl;
+        listen <%= nginx_listen_address_with_ssl_port(app) %> ssl http2;
     <% else %>
-        listen <%= nginx_listen_address(app) %> ssl;
+        listen <%= nginx_listen_address(app) %> ssl http2;
     <% end %>
     ssl_certificate <%= app[:ssl_certificate] %>;
     ssl_certificate_key <%= app[:ssl_certificate_key] %>;

data/src/agent/AgentMain.cpp CHANGED

@@ -32,7 +32,6 @@ using namespace std;
 int watchdogMain(int argc, char *argv[]);
 int coreMain(int argc, char *argv[]);
-int ustRouterMain(int argc, char *argv[]);
 int systemMetricsMain(int argc, char *argv[]);
 int tempDirToucherMain(int argc, char *argv[]);
 int spawnPreparerMain(int argc, char *argv[]);
@@ -54,7 +53,6 @@ usage(int argc, char *argv[]) {
 	printf("Daemon subcommands:\n");
 	printf("  core\n");
 	printf("  watchdog\n");
-	printf("  ust-router\n");
 	printf("\n");
 	printf("Utility subcommands:\n");
 	printf("  system-metrics\n");
@@ -82,8 +80,6 @@ dispatchSubcommand(int argc, char *argv[]) {
 		exit(watchdogMain(argc, argv));
 	} else if (strcmp(argv[1], "core") == 0) {
 		exit(coreMain(argc, argv));
-	} else if (strcmp(argv[1], "ust-router") == 0) {
-		exit(ustRouterMain(argc, argv));
 	} else if (strcmp(argv[1], "system-metrics") == 0) {
 		exit(systemMetricsMain(argc, argv));
 	} else if (strcmp(argv[1], "temp-dir-toucher") == 0) {

data/src/agent/Core/CoreMain.cpp CHANGED

@@ -71,7 +71,7 @@
 #include <ev++.h>
 #include <jsoncpp/json.h>
-#include <Shared/Base.h>
+#include <Shared/Fundamentals/Initialization.h>
 #include <Shared/ApiServerUtils.h>
 #include <Constants.h>
 #include <ServerKit/Server.h>
@@ -97,6 +97,7 @@
 using namespace boost;
 using namespace oxt;
 using namespace Passenger;
+using namespace Passenger::Agent::Fundamentals;
 using namespace Passenger::ApplicationPool2;
@@ -823,6 +824,80 @@ prestartWebApps() {
 	);
 }
+/**
+ * See warnIfPassengerRootVulnerable()
+ */
+static void
+warnIfPathVulnerable(const char *path, string &warnings) {
+	struct stat pathStat;
+	if (stat(path, &pathStat) == -1) {
+		P_DEBUG("Vulnerability check skipped: stat error on " << path << " (errno: " << errno << ")");
+		return; // fatal: we need that stat for both checks below
+	}
+	// Non-root ownership
+	struct passwd pathOwner;
+	struct passwd *pwdResult;
+	boost::shared_array<char> strings;
+	long stringsBufSize = std::max<long>(1024 * 128, sysconf(_SC_GETPW_R_SIZE_MAX));
+	strings.reset(new char[stringsBufSize]);
+	errno = 0;
+	if (getpwuid_r(pathStat.st_uid, &pathOwner, strings.get(), stringsBufSize, &pwdResult) == -1) {
+		P_DEBUG("Vulnerability check (owner) skipped: getpwuid_r error on " << path << " (owner UID: " <<
+				pathStat.st_uid << ", errno: " << errno << ")");
+	} else if (pwdResult == NULL) {
+		P_DEBUG("Vulnerability check (owner) skipped: getpwuid_r empty on " << path << " (owner UID: " <<
+				pathStat.st_uid << ", errno: " << errno << ")");
+	} else if (pathOwner.pw_uid != 0) {
+		warnings.append("\nThe path \"");
+		warnings.append(path);
+		warnings.append("\" can be modified by user \"");
+		warnings.append(pathOwner.pw_name);
+		warnings.append("\" (or applications running as that user). Change the owner of the path to root, or avoid running Passenger as root.");
+	}
+	// World writeable access rights
+	if ((pathStat.st_mode & S_IWOTH) != 0) {
+		warnings.append("\nThe path \"");
+		warnings.append(path);
+		warnings.append("\" is writeable by any user (or application). Limit write access on the path to only the root user/group.");
+	}
+}
+/*
+ * Emit a warning (log) if the Passenger root dir (and/or its parents) can be modified by non-root users
+ * while Passenger was run as root (because non-root users can then tamper with something running as root).
+ * It's just a convenience warning, so check failures are only logged at the debug level.
+ *
+ * N.B. we limit our checking to use cases that can easily (gotcha) lead to this vulnerable setup, such as
+ * installing Passenger via gem or tarball in a user dir, and then running it as root (for example by installing
+ * it as nginx or apache module). We do not check the entire installation file/dir structure for whether users have
+ * changed owner or access rights.
+ */
+static void
+warnIfPassengerRootVulnerable(const string &passengerRoot) {
+	TRACE_POINT();
+	if (geteuid() != 0) {
+		return; // Passenger is not root, so no escalation.
+	}
+	string checkPath = absolutizePath(passengerRoot);
+	// Check the Passenger root and all dirs above it for ownership and world-writeability
+	string warnings;
+	while (!checkPath.empty() && checkPath != "/") {
+		warnIfPathVulnerable(checkPath.c_str(), warnings);
+		checkPath = extractDirName(checkPath);
+	}
+	if (!warnings.empty()) {
+		P_WARN("WARNING: potential privilege escalation vulnerability. Passenger is running as root, and part(s) of the passenger root path (" <<
+				passengerRoot << ") can be changed by non-root user(s):" << warnings);
+	}
+}
 static void
 reportInitializationInfo() {
 	TRACE_POINT();
@@ -871,7 +946,9 @@ mainLoop() {
 			&& maxCpus <= CPU_SETSIZE;
 	#endif
-	installDiagnosticsDumper(dumpDiagnosticsOnCrash, NULL);
+	Agent::Fundamentals::context->abortHandlerConfig.diagnosticsDumper = dumpDiagnosticsOnCrash;
+	Agent::Fundamentals::abortHandlerConfigChanged();
 	for (unsigned int i = 0; i < wo->threadWorkingObjects.size(); i++) {
 		ThreadWorkingObjects *two = &wo->threadWorkingObjects[i];
 		two->bgloop->start("Main event loop: thread " + toString(i + 1), 0);
@@ -976,7 +1053,8 @@ waitForExitEvent() {
 	TRACE_POINT();
 	if (syscalls::select(largestFd + 1, &fds, NULL, NULL, NULL) == -1) {
 		int e = errno;
-		installDiagnosticsDumper(NULL, NULL);
+		Agent::Fundamentals::context->abortHandlerConfig.diagnosticsDumper = NULL;
+		Agent::Fundamentals::abortHandlerConfigChanged();
 		throw SystemException("select() failed", e);
 	}
@@ -1020,7 +1098,8 @@ waitForExitEvent() {
 			&fds, NULL, NULL, NULL) == -1)
 		{
 			int e = errno;
-			installDiagnosticsDumper(NULL, NULL);
+			Agent::Fundamentals::context->abortHandlerConfig.diagnosticsDumper = NULL;
+			Agent::Fundamentals::abortHandlerConfigChanged();
 			throw SystemException("select() failed", e);
 		}
@@ -1035,7 +1114,10 @@ cleanup() {
 	P_DEBUG("Shutting down " SHORT_PROGRAM_NAME " core...");
 	wo->appPool->destroy();
-	installDiagnosticsDumper(NULL, NULL);
+	Agent::Fundamentals::context->abortHandlerConfig.diagnosticsDumper = dumpDiagnosticsOnCrash;
+	Agent::Fundamentals::abortHandlerConfigChanged();
 	for (unsigned i = 0; i < wo->threadWorkingObjects.size(); i++) {
 		ThreadWorkingObjects *two = &wo->threadWorkingObjects[i];
 		two->bgloop->stop();
@@ -1096,6 +1178,7 @@ runCore() {
 		prestartWebApps();
 		UPDATE_TRACE_POINT();
+		warnIfPassengerRootVulnerable(agentsOptions->get("passenger_root"));
 		reportInitializationInfo();
 		mainLoop();