passenger 5.3.1 → 5.3.2

data/dev/configkit-schemas/index.json

@@ -267,6 +267,10 @@
          "read_only" : true,
          "type" : "string"
       },
+      "max_instances_per_app" : {
+         "read_only" : true,
+         "type" : "unsigned integer"
+      },
       "min_spare_clients" : {
          "default_value" : 0,
          "has_default_value" : "static",
@@ -289,7 +293,7 @@
          "type" : "unsigned integer"
       },
       "server_software" : {
-         "default_value" : "Phusion_Passenger/5.3.1",
+         "default_value" : "Phusion_Passenger/5.3.2",
          "has_default_value" : "static",
          "type" : "string"
       },
@@ -724,6 +728,10 @@
          "has_default_value" : "static",
          "type" : "any"
       },
+      "max_instances_per_app" : {
+         "read_only" : true,
+         "type" : "unsigned integer"
+      },
       "max_pool_size" : {
          "default_value" : 6,
          "has_default_value" : "static",
@@ -787,7 +795,7 @@
          "type" : "string"
       },
       "server_software" : {
-         "default_value" : "Phusion_Passenger/5.3.1",
+         "default_value" : "Phusion_Passenger/5.3.2",
          "has_default_value" : "static",
          "type" : "string"
       },
@@ -1441,6 +1449,10 @@
          "has_default_value" : "static",
          "type" : "any"
       },
+      "max_instances_per_app" : {
+         "read_only" : true,
+         "type" : "unsigned integer"
+      },
       "max_pool_size" : {
          "default_value" : 6,
          "has_default_value" : "static",
@@ -1505,7 +1517,7 @@
          "type" : "string"
       },
       "server_software" : {
-         "default_value" : "Phusion_Passenger/5.3.1",
+         "default_value" : "Phusion_Passenger/5.3.2",
          "has_default_value" : "static",
          "type" : "string"
       },

data/src/agent/Core/AdminPanelConnector.h

@@ -35,6 +35,7 @@
 #include <boost/bind.hpp>
 #include <boost/foreach.hpp>
 
+#include <limits>
 #include <string>
 #include <vector>
 
@@ -45,6 +46,7 @@
 #include <Core/ApplicationPool/Pool.h>
 #include <Core/Controller.h>
 #include <ProcessManagement/Ruby.h>
+#include <FileTools/FileManip.h>
 #include <Utils.h>
 #include <Utils/StrIntUtils.h>
 #include <Utils/IOUtils.h>
@@ -486,7 +488,8 @@ private:
 						_exit(1);
 					} else {
 						pipe.second.close();
-						string out = readAll(pipe.first);
+						string out = readAll(pipe.first,
+							std::numeric_limits<size_t>::max()).first;
 						LoggingKit::context->saveMonitoredFileLog(key, f.c_str(), f.size(),
 							out.data(), out.size());
 						pipe.first.close();
@@ -572,7 +575,7 @@ private:
 		Json::Value doc;
 		Json::Reader reader;
 
-		if (!reader.parse(readAll(instanceDir + "/properties.json"), doc)) {
+		if (!reader.parse(unsafeReadFile(instanceDir + "/properties.json"), doc)) {
 			throw RuntimeException("Cannot parse " + instanceDir + "/properties.json: "
 				+ reader.getFormattedErrorMessages());
 		}

data/src/agent/Core/ApplicationPool/Group/StateInspection.cpp

@@ -70,6 +70,8 @@ Group::processLowerLimitsSatisfied() const {
  */
 bool
 Group::processUpperLimitsReached() const {
+	// check maxInstances limit as set by Enterprise (OSS maxInstancesPerApp piggybacks on this,
+	// see InitRequest.cpp)
 	return options.maxProcesses != 0 && capacityUsed() >= options.maxProcesses;
 }
 

data/src/agent/Core/Config.h

@@ -140,6 +140,7 @@ using namespace std;
  *   integration_mode                                                string             -          default("standalone")
  *   log_level                                                       string             -          default("notice")
  *   log_target                                                      any                -          default({"stderr": true})
+ *   max_instances_per_app                                           unsigned integer   -          read_only
  *   max_pool_size                                                   unsigned integer   -          default(6)
  *   multi_app                                                       boolean            -          default(false),read_only
  *   passenger_root                                                  string             required   read_only
@@ -153,7 +154,7 @@ using namespace std;
  *   security_update_checker_interval                                unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                               string             -          -
  *   security_update_checker_url                                     string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                 string             -          default("Phusion_Passenger/5.3.1")
+ *   server_software                                                 string             -          default("Phusion_Passenger/5.3.2")
  *   show_version_in_header                                          boolean            -          default(true)
  *   single_app_mode_app_root                                        string             -          default,read_only
  *   single_app_mode_app_type                                        string             -          read_only

data/src/agent/Core/Controller/Config.h

@@ -107,11 +107,12 @@ parseControllerBenchmarkMode(const StaticString &mode) {
  *   default_user                                        string             -          default("nobody")
  *   graceful_exit                                       boolean            -          default(true)
  *   integration_mode                                    string             -          default("standalone"),read_only
+ *   max_instances_per_app                               unsigned integer   -          read_only
  *   min_spare_clients                                   unsigned integer   -          default(0)
  *   multi_app                                           boolean            -          default(true),read_only
  *   request_freelist_limit                              unsigned integer   -          default(1024)
  *   response_buffer_high_watermark                      unsigned integer   -          default(134217728)
- *   server_software                                     string             -          default("Phusion_Passenger/5.3.1")
+ *   server_software                                     string             -          default("Phusion_Passenger/5.3.2")
  *   show_version_in_header                              boolean            -          default(true)
  *   start_reading_after_accept                          boolean            -          default(true)
  *   stat_throttle_rate                                  unsigned integer   -          default(10)
@@ -127,6 +128,8 @@ private:
 	void initialize() {
 		using namespace ConfigKit;
 
+		add("max_instances_per_app", UINT_TYPE, OPTIONAL | READ_ONLY);
+
 		add("thread_number", UINT_TYPE, REQUIRED | READ_ONLY);
 		add("multi_app", BOOL_TYPE, OPTIONAL | READ_ONLY, true);
 		add("turbocaching", BOOL_TYPE, OPTIONAL | READ_ONLY, true);
@@ -307,6 +310,7 @@ public:
 	unsigned int responseBufferHighWatermark;
 	StaticString integrationMode;
 	StaticString serverLogName;
+	unsigned int maxInstancesPerApp;
 	ControllerBenchmarkMode benchmarkMode: 3;
 	bool singleAppMode: 1;
 	bool userSwitching: 1;
@@ -324,6 +328,7 @@ public:
 		  responseBufferHighWatermark(config["response_buffer_high_watermark"].asUInt()),
 		  integrationMode(psg_pstrdup(pool, config["integration_mode"].asString())),
 		  serverLogName(createServerLogName()),
+		  maxInstancesPerApp(config["max_instances_per_app"].asUInt()),
 		  benchmarkMode(parseControllerBenchmarkMode(config["benchmark_mode"].asString())),
 		  singleAppMode(!config["multi_app"].asBool()),
 		  userSwitching(config["user_switching"].asBool()),

data/src/agent/Core/Controller/InitRequest.cpp

@@ -358,7 +358,6 @@ Controller::createNewPoolOptions(Client *client, Request *req,
 	fillPoolOption(req, options.user, "!~PASSENGER_USER");
 	fillPoolOption(req, options.group, "!~PASSENGER_GROUP");
 	fillPoolOption(req, options.minProcesses, "!~PASSENGER_MIN_PROCESSES");
-	fillPoolOption(req, options.maxProcesses, "!~PASSENGER_MAX_PROCESSES");
 	fillPoolOption(req, options.spawnMethod, "!~PASSENGER_SPAWN_METHOD");
 	fillPoolOption(req, options.startCommand, "!~PASSENGER_START_COMMAND");
 	fillPoolOptionSecToMsec(req, options.startTimeout, "!~PASSENGER_START_TIMEOUT");
@@ -372,6 +371,12 @@ Controller::createNewPoolOptions(Client *client, Request *req,
 	fillPoolOption(req, options.fileDescriptorUlimit, "!~PASSENGER_APP_FILE_DESCRIPTOR_ULIMIT");
 	fillPoolOption(req, options.raiseInternalError, "!~PASSENGER_RAISE_INTERNAL_ERROR");
 	fillPoolOption(req, options.lveMinUid, "!~PASSENGER_LVE_MIN_UID");
+
+	// maxProcesses is configured per-application by the (Enterprise) maxInstances option (and thus passed
+	// via request headers). In OSS the max processes can also be configured, but on a global level
+	// (i.e. the same for all apps) using the maxInstancesPerApp option. As an easy implementation shortcut
+	// we apply maxInstancesPerApp to options.maxProcesses (which can be overridden by Enterprise).
+	options.maxProcesses = mainConfig.maxInstancesPerApp;
 	/******************/
 
 	boost::shared_ptr<Options> optionsCopy = boost::make_shared<Options>(options);

data/src/agent/Core/CoreMain.cpp

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2017 Phusion Holding B.V.
+ *  Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -38,6 +38,7 @@
 
 #include <boost/config.hpp>
 #include <boost/scoped_ptr.hpp>
+#include <boost/foreach.hpp>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -86,10 +87,10 @@
 #include <ResourceLocator.h>
 #include <BackgroundEventLoop.cpp>
 #include <FileTools/FileManip.h>
+#include <FileTools/PathSecurityCheck.h>
 #include <Exceptions.h>
 #include <Utils.h>
 #include <Utils/Timer.h>
-#include <Utils/IOUtils.h>
 #include <Utils/MessageIO.h>
 #include <Utils/VariantMap.h>
 #include <Core/OptionParser.h>
@@ -239,7 +240,7 @@ initializePrivilegedWorkingObjects() {
 	if (password.isString()) {
 		wo->controllerSecureHeadersPassword = password.asString();
 	} else if (password.isObject()) {
-		wo->controllerSecureHeadersPassword = strip(readAll(password["path"].asString()));
+		wo->controllerSecureHeadersPassword = strip(unsafeReadFile(password["path"].asString()));
 	}
 }
 
@@ -885,50 +886,6 @@ prestartWebApps() {
 	);
 }
 
-/**
- * See warnIfPassengerRootVulnerable()
- */
-static void
-warnIfPathVulnerable(const char *path, string &warnings) {
-	struct stat pathStat;
-
-	if (stat(path, &pathStat) == -1) {
-		P_DEBUG("Vulnerability check skipped: stat error on " << path << " (errno: " << errno << ")");
-		return; // fatal: we need that stat for both checks below
-	}
-
-	// Non-root ownership
-	struct passwd pathOwner;
-	struct passwd *pwdResult;
-
-	boost::shared_array<char> strings;
-	long stringsBufSize = std::max<long>(1024 * 128, sysconf(_SC_GETPW_R_SIZE_MAX));
-	strings.reset(new char[stringsBufSize]);
-	errno = 0;
-	if (getpwuid_r(pathStat.st_uid, &pathOwner, strings.get(), stringsBufSize, &pwdResult) == -1) {
-		P_DEBUG("Vulnerability check (owner) skipped: getpwuid_r error on " << path << " (owner UID: " <<
-				pathStat.st_uid << ", errno: " << errno << ")");
-	} else if (pwdResult == NULL) {
-		P_DEBUG("Vulnerability check (owner) skipped: getpwuid_r empty on " << path << " (owner UID: " <<
-				pathStat.st_uid << ", errno: " << errno << ")");
-	} else if (pathOwner.pw_uid != 0) {
-		warnings.append("\nThe path \"");
-		warnings.append(path);
-		warnings.append("\" can be modified by user \"");
-		warnings.append(pathOwner.pw_name);
-		warnings.append("\" (or applications running as that user)."
-			" Change the owner of the path to root, or avoid running " SHORT_PROGRAM_NAME " as root.");
-	}
-
-	// World writeable access rights
-	if ((pathStat.st_mode & S_IWOTH) != 0) {
-		warnings.append("\nThe path \"");
-		warnings.append(path);
-		warnings.append("\" is writeable by any user (or application)."
-			" Limit write access on the path to only the root user/group.");
-	}
-}
-
 /*
  * Emit a warning (log) if the Passenger root dir (and/or its parents) can be modified by non-root users
  * while Passenger was run as root (because non-root users can then tamper with something running as root).
@@ -948,19 +905,28 @@ warnIfPassengerRootVulnerable() {
 	}
 
 	string root = workingObjects->resourceLocator.getInstallSpec();
-	string checkPath = absolutizePath(root);
-	// Check the Passenger root and all dirs above it for ownership and world-writeability
-	string warnings;
-	while (!checkPath.empty() && checkPath != "/") {
-		warnIfPathVulnerable(checkPath.c_str(), warnings);
-
-		checkPath = extractDirName(checkPath);
-	}
-	if (!warnings.empty()) {
-		P_WARN("WARNING: potential privilege escalation vulnerability. "
-			PROGRAM_NAME " is running as root, and part(s) of the "
-			SHORT_PROGRAM_NAME " root path (" << root
-			<< ") can be changed by non-root user(s):" << warnings);
+	vector<string> errors, checkErrors;
+	if (isPathProbablySecureForRootUse(root, errors, checkErrors)) {
+		if (!checkErrors.empty()) {
+			string message = "WARNING: unable to perform privilege escalation vulnerability detection:\n";
+			foreach (string line, checkErrors) {
+				message.append("\n - " + line);
+			}
+			P_WARN(message);
+		}
+	} else {
+		string message = "WARNING: potential privilege escalation vulnerability detected. " \
+			PROGRAM_NAME " is running as root, and part(s) of the " SHORT_PROGRAM_NAME
+			" root path (" + root + ") can be changed by non-root user(s):\n";
+		foreach (string line, errors) {
+			message.append("\n - " + line);
+		}
+		foreach (string line, checkErrors) {
+			message.append("\n - " + line);
+		}
+		message.append("\n\nPlease either fix up the permissions for the insecure paths, or install "
+			SHORT_PROGRAM_NAME " in a different location that can only be modified by root.");
+		P_WARN(message);
 	}
 }
 

data/src/agent/Core/SpawningKit/DirectSpawner.h

@@ -37,9 +37,11 @@
 #include <LoggingKit/LoggingKit.h>
 #include <LveLoggingDecorator.h>
 #include <Utils/IOUtils.h>
+#include <Utils/AsyncSignalSafeUtils.h>
 
 #include <limits.h>  // for PTHREAD_STACK_MIN
 #include <pthread.h>
+#include <unistd.h>
 #include <adhoc_lve.h>
 
 namespace Passenger {
@@ -150,8 +152,11 @@ private:
 
 		pid_t pid = syscalls::fork();
 		if (pid == 0) {
-			purgeStdio(stdout);
-			purgeStdio(stderr);
+			int e;
+			char buf[1024];
+			const char *end = buf + sizeof(buf);
+			namespace ASSU = AsyncSignalSafeUtils;
+
 			resetSignalHandlersAndMask();
 			disableMallocDebugging();
 			int stdinCopy = dup2(stdinChannel.first, 3);
@@ -160,6 +165,7 @@ private:
 			dup2(stdoutAndErrCopy, 1);
 			dup2(stdoutAndErrCopy, 2);
 			closeAllFileDescriptors(2, true);
+
 			execlp(agentFilename.c_str(),
 				agentFilename.c_str(),
 				"spawn-env-setupper",
@@ -167,10 +173,16 @@ private:
 				"--before",
 				NULL);
 
-			int e = errno;
-			fprintf(stderr, "Cannot execute \"%s\": %s (errno=%d)\n",
-				agentFilename.c_str(), strerror(e), e);
-			fflush(stderr);
+			char *pos = buf;
+			e = errno;
+			pos = ASSU::appendData(pos, end, "Cannot execute \"");
+			pos = ASSU::appendData(pos, end, agentFilename.data(), agentFilename.size());
+			pos = ASSU::appendData(pos, end, "\": ");
+			pos = ASSU::appendData(pos, end, ASSU::limitedStrerror(e));
+			pos = ASSU::appendData(pos, end, " (errno=");
+			pos = ASSU::appendInteger<int, 10>(pos, end, e);
+			pos = ASSU::appendData(pos, end, ")\n");
+			ASSU::printError(buf, pos - buf);
 			_exit(1);
 
 		} else if (pid == -1) {

data/src/agent/Core/SpawningKit/ErrorRenderer.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2014-2017 Phusion Holding B.V.
+ *  Copyright (c) 2014-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -34,8 +34,8 @@
 
 #include <Constants.h>
 #include <StaticString.h>
+#include <FileTools/FileManip.h>
 #include <Utils/Template.h>
-#include <Utils/IOUtils.h>
 #include <Core/SpawningKit/Context.h>
 #include <Core/SpawningKit/Exceptions.h>
 
@@ -61,8 +61,8 @@ public:
 		string htmlFile = templatesDir + "/with_details/src/index.html.template";
 		string cssFile = templatesDir + "/with_details/dist/styles.css";
 		string jsFile = templatesDir + "/with_details/dist/bundle.js";
-		string cssContent = readAll(cssFile);
-		string jsContent = readAll(jsFile);
+		string cssContent = unsafeReadFile(cssFile);
+		string jsContent = unsafeReadFile(jsFile);
 
 		Json::Value spec;
 		spec["program_name"] = PROGRAM_NAME;
@@ -85,7 +85,7 @@ public:
 		params.set("TITLE", "Web application could not be started");
 		params.set("SPEC", specContent);
 
-		return Template::apply(readAll(htmlFile), params);
+		return Template::apply(unsafeReadFile(htmlFile), params);
 	}
 
 	string renderWithoutDetails(const SpawningKit::SpawnException &e) const {
@@ -93,8 +93,8 @@ public:
 		string htmlFile = templatesDir + "/without_details/src/index.html.template";
 		string cssFile = templatesDir + "/without_details/dist/styles.css";
 		string jsFile = templatesDir + "/without_details/dist/bundle.js";
-		string cssContent = readAll(cssFile);
-		string jsContent = readAll(jsFile);
+		string cssContent = unsafeReadFile(cssFile);
+		string jsContent = unsafeReadFile(jsFile);
 
 		params.set("CSS", cssContent);
 		params.set("JS", jsContent);
@@ -106,7 +106,7 @@ public:
 		params.set("PROGRAM_WEBSITE", PROGRAM_WEBSITE);
 		params.set("PROGRAM_AUTHOR", PROGRAM_AUTHOR);
 
-		return Template::apply(readAll(htmlFile), params);
+		return Template::apply(unsafeReadFile(htmlFile), params);
 	}
 };
 

data/src/agent/Core/SpawningKit/Handshake/Perform.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2016-2017 Phusion Holding B.V.
+ *  Copyright (c) 2016-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -48,6 +48,8 @@
 #include <Constants.h>
 #include <Exceptions.h>
 #include <FileDescriptor.h>
+#include <FileTools/FileManip.h>
+#include <FileTools/PathManip.h>
 #include <Utils.h>
 #include <Utils/ScopeGuard.h>
 #include <Utils/SystemTime.h>
@@ -146,7 +148,8 @@ private:
 		TRACE_POINT();
 		try {
 			string path = session.responseDir + "/finish";
-			int fd = syscalls::open(path.c_str(), O_RDONLY);
+			int fd = syscalls::openat(session.responseDirFd, "finish",
+				O_RDONLY | O_NOFOLLOW);
 			if (fd == -1) {
 				int e = errno;
 				throw FileSystemException("Error opening FIFO " + path,
@@ -370,6 +373,7 @@ private:
 	}
 
 	void loadResultPropertiesFromResponseDir(bool socketsRequired) {
+		TRACE_POINT();
 		Result &result = session.result;
 		string path = session.responseDir + "/properties.json";
 		Json::Reader reader;
@@ -377,19 +381,29 @@ private:
 		vector<string> errors;
 
 		// We already checked whether properties.json exists before invoking
-		// this method, so if readAll() fails then we can't be sure that
+		// this method, so if safeReadFile() fails then we can't be sure that
 		// it's an application problem. This is why we want the SystemException
 		// to propagate to higher layers so that there it can be turned into
 		// a generic filesystem-related or IO-related SpawnException, as opposed
 		// to one about this problem specifically.
 
-		if (!reader.parse(readAll(path), doc)) {
+		UPDATE_TRACE_POINT();
+		pair<string, bool> jsonContent = safeReadFile(session.responseDirFd, "properties.json",
+			SPAWNINGKIT_MAX_PROPERTIES_JSON_SIZE);
+		if (!jsonContent.second) {
+			errors.push_back("Error parsing " + path + ": file bigger than "
+				+ toString(SPAWNINGKIT_MAX_PROPERTIES_JSON_SIZE) + " bytes");
+			throwSpawnExceptionBecauseOfResultValidationErrors(vector<string>(),
+				errors);
+		}
+		if (!reader.parse(jsonContent.first, doc)) {
 			errors.push_back("Error parsing " + path + ": " +
 				reader.getFormattedErrorMessages());
 			throwSpawnExceptionBecauseOfResultValidationErrors(vector<string>(),
 				errors);
 		}
 
+		UPDATE_TRACE_POINT();
 		validateResultPropertiesFile(doc, socketsRequired, errors);
 		if (!errors.empty()) {
 			errors.insert(errors.begin(), "The following errors were detected in "
@@ -402,6 +416,7 @@ private:
 			return;
 		}
 
+		UPDATE_TRACE_POINT();
 		Json::Value::iterator it, end = doc["sockets"].end();
 		for (it = doc["sockets"].begin(); it != end; it++) {
 			const Json::Value &socketDoc = *it;
@@ -423,44 +438,50 @@ private:
 	void validateResultPropertiesFile(const Json::Value &doc, bool socketsRequired,
 		vector<string> &errors) const
 	{
+		TRACE_POINT();
 		if (!doc.isMember("sockets")) {
 			if (socketsRequired) {
 				errors.push_back("'sockets' must be specified");
 			}
-		} else if (!doc["sockets"].isArray()) {
+			return;
+		}
+		if (!doc["sockets"].isArray()) {
 			errors.push_back("'sockets' must be an array");
-		} else {
-			if (socketsRequired && doc["sockets"].empty()) {
-				errors.push_back("'sockets' must be non-empty");
-				return;
-			}
-
-			Json::Value::const_iterator it, end = doc["sockets"].end();
-			for (it = doc["sockets"].begin(); it != end; it++) {
-				const Json::Value &socketDoc = *it;
+			return;
+		}
+		if (socketsRequired && doc["sockets"].empty()) {
+			errors.push_back("'sockets' must be non-empty");
+			return;
+		}
 
-				if (!socketDoc.isObject()) {
-					errors.push_back("'sockets[" + toString(it.index())
-						+ "]' must be an object");
-					continue;
-				}
+		UPDATE_TRACE_POINT();
+		Json::Value::const_iterator it, end = doc["sockets"].end();
+		for (it = doc["sockets"].begin(); it != end; it++) {
+			const Json::Value &socketDoc = *it;
 
-				validateResultPropertiesFileSocketField(socketDoc,
-					"address", Json::stringValue, it.index(),
-					true, true, errors);
-				validateResultPropertiesFileSocketField(socketDoc,
-					"protocol", Json::stringValue, it.index(),
-					true, true, errors);
-				validateResultPropertiesFileSocketField(socketDoc,
-					"description", Json::stringValue, it.index(),
-					false, true, errors);
-				validateResultPropertiesFileSocketField(socketDoc,
-					"concurrency", Json::intValue, it.index(),
-					true, false, errors);
-				validateResultPropertiesFileSocketField(socketDoc,
-					"accept_http_requests", Json::booleanValue, it.index(),
-					false, false, errors);
+			if (!socketDoc.isObject()) {
+				errors.push_back("'sockets[" + toString(it.index())
+					+ "]' must be an object");
+				continue;
 			}
+
+			validateResultPropertiesFileSocketField(socketDoc,
+				"address", Json::stringValue, it.index(),
+				true, true, errors);
+			validateResultPropertiesFileSocketField(socketDoc,
+				"protocol", Json::stringValue, it.index(),
+				true, true, errors);
+			validateResultPropertiesFileSocketField(socketDoc,
+				"description", Json::stringValue, it.index(),
+				false, true, errors);
+			validateResultPropertiesFileSocketField(socketDoc,
+				"concurrency", Json::intValue, it.index(),
+				true, false, errors);
+			validateResultPropertiesFileSocketField(socketDoc,
+				"accept_http_requests", Json::booleanValue, it.index(),
+				false, false, errors);
+			validateResultPropertiesFileSocketAddress(socketDoc,
+				it.index(), errors);
 		}
 	}
 
@@ -497,6 +518,93 @@ private:
 		}
 	}
 
+	void validateResultPropertiesFileSocketAddress(const Json::Value &doc,
+		unsigned int index, vector<string> &errors) const
+	{
+		TRACE_POINT();
+		if (!doc["address"].isString()
+		 || getSocketAddressType(doc["address"].asString()) != SAT_UNIX)
+		{
+			return;
+		}
+
+		string filename = parseUnixSocketAddress(doc["address"].asString());
+
+		if (filename.empty()) {
+			errors.push_back("'sockets[" + toString(index)
+				+ "].address' contains an empty Unix domain socket filename");
+			return;
+		}
+
+		if (filename[0] != '/') {
+			errors.push_back("'sockets[" + toString(index)
+				+ "].address' when referring to a Unix domain socket, must be"
+				" an absolute path (given path: " + filename + ")");
+			return;
+		}
+
+		// If any of the parent directories is writable by a normal user
+		// (Joe) that is not the app's user (Jane), then Joe can swap that
+		// directory with something else, with contents controlled by Joe.
+		// That way, Joe can cause Passenger to connect to (and forward
+		// Jane's traffic to) a process that does not actually belong to
+		// Jane.
+		//
+		// To mitigate this risk, we insist that the socket be placed in a
+		// directory that we know is safe (instanceDir + "/apps.s").
+		// We don't rely on isPathProbablySecureForRootUse() because that
+		// function cannot be 100% sure that it is correct.
+
+		UPDATE_TRACE_POINT();
+		// instanceDir is only empty in tests
+		if (!session.context->instanceDir.empty()) {
+			StaticString actualDir = extractDirNameStatic(filename);
+			string expectedDir = session.context->instanceDir + "/apps.s";
+			if (actualDir != expectedDir) {
+				errors.push_back("'sockets[" + toString(index)
+					+ "].address', when referring to a Unix domain socket,"
+					" must be an absolute path to a file in '"
+					+ expectedDir + "' (given path: " + filename + ")");
+				return;
+			}
+		}
+
+		UPDATE_TRACE_POINT();
+		struct stat s;
+		int ret;
+		do {
+			ret = lstat(filename.c_str(), &s);
+		} while (ret == -1 && errno == EAGAIN);
+
+		if (ret == -1) {
+			int e = errno;
+			if (e == EEXIST) {
+				errors.push_back("'sockets[" + toString(index)
+					+ "].address' refers to a non-existant Unix domain"
+					" socket file (given path: " + filename + ")");
+				return;
+			} else {
+				throw FileSystemException("Cannot stat " + filename,
+					e, filename);
+			}
+		}
+
+		// We only check the UID, not the GID, because the socket
+		// may be automatically made with a different GID than
+		// the creating process's due to the setgid bit being set
+		// the directory that contains the socket. Furthermore,
+		// on macOS it seems that all directories behave as if
+		// they have the setgid bit set.
+
+		UPDATE_TRACE_POINT();
+		if (s.st_uid != session.uid) {
+			errors.push_back("'sockets[" + toString(index)
+				+ "].address', when referring to a Unix domain socket file,"
+				" must be owned by user " + getUserName(session.uid)
+				+ " (actual owner: " + getUserName(s.st_uid) + ")");
+		}
+	}
+
 	bool resultHasSocketWithPreloaderProtocol() const {
 		const vector<Result::Socket> &sockets = session.result.sockets;
 		vector<Result::Socket>::const_iterator it, end = sockets.end();
@@ -553,6 +661,7 @@ private:
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			if (config->wrapperSuppliedByThirdParty) {
@@ -614,6 +723,7 @@ private:
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			e.setSummary("Error spawning the web application: the application"
@@ -660,6 +770,7 @@ private:
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			if (config->wrapperSuppliedByThirdParty) {
@@ -731,6 +842,7 @@ private:
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			e.setSummary("Error spawning the web application: the application"
@@ -773,6 +885,8 @@ private:
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
 			e.setAdvancedProblemDetails(toString(internalFieldErrors));
+			loadBasicInfoFromEnvDumpDir(e);
+			loadAnnotationsFromEnvDumpDir(e);
 
 			e.setSummary("Error spawning the web application:"
 				" a bug in " SHORT_PROGRAM_NAME " caused the"
@@ -802,12 +916,23 @@ private:
 		} else if (!config->genericApp && config->startsUsingWrapper) {
 			UPDATE_TRACE_POINT();
 			loadJourneyStateFromResponseDir();
-			session.journey.setStepErrored(SUBPROCESS_WRAPPER_PREPARATION, true);
+			switch (session.journey.getType()) {
+			case SPAWN_DIRECTLY:
+			case START_PRELOADER:
+				session.journey.setStepErrored(SUBPROCESS_WRAPPER_PREPARATION, true);
+				break;
+			case SPAWN_THROUGH_PRELOADER:
+				session.journey.setStepErrored(SUBPROCESS_PREPARE_AFTER_FORKING_FROM_PRELOADER, true);
+				break;
+			default:
+				P_BUG("Unknown journey type " << (int) session.journey.getType());
+			}
 
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
 			e.setAdvancedProblemDetails(toString(appSuppliedFieldErrors));
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			if (config->wrapperSuppliedByThirdParty) {
@@ -883,6 +1008,7 @@ private:
 			e.setAdvancedProblemDetails(toString(appSuppliedFieldErrors));
 			e.setSubprocessPid(pid);
 			e.setStdoutAndErrData(getStdoutErrData());
+			loadBasicInfoFromEnvDumpDir(e);
 			loadAnnotationsFromEnvDumpDir(e);
 
 			message = "<p>The " PROGRAM_NAME " application server tried"
@@ -922,13 +1048,15 @@ private:
 	ErrorCategory inferErrorCategoryFromResponseDir(ErrorCategory defaultValue) const {
 		TRACE_POINT();
 		if (fileExists(session.responseDir + "/error/category")) {
-			string value = strip(readAll(session.responseDir + "/error/category"));
+			string value = strip(safeReadFile(session.responseErrorDirFd,
+				"category", SPAWNINGKIT_MAX_ERROR_CATEGORY_SIZE).first);
 			ErrorCategory category = stringToErrorCategory(value);
 
 			if (category == UNKNOWN_ERROR_CATEGORY) {
 				SpawnException e(INTERNAL_ERROR, session.journey, config);
 				e.setStdoutAndErrData(getStdoutErrData());
 				e.setSubprocessPid(pid);
+				loadBasicInfoFromEnvDumpDir(e);
 				loadAnnotationsFromEnvDumpDir(e);
 
 				if (!config->genericApp && config->startsUsingWrapper) {
@@ -1047,18 +1175,24 @@ private:
 				continue;
 			}
 
+			map<JourneyStep, int>::const_iterator it = session.stepDirFds.find(step);
+			if (it == session.stepDirFds.end()) {
+				P_BUG("No fd opened for step " << stepString);
+			}
+
 			loadJourneyStateFromResponseDirForSpecificStep(
-				session, pid, stdoutAndErrCapturer, step, stepDir);
+				session, pid, stdoutAndErrCapturer, step, stepDir, it->second);
 		}
 	}
 
 	static void loadJourneyStateFromResponseDirForSpecificStep(HandshakeSession &session,
 		pid_t pid, const BackgroundIOCapturerPtr &stdoutAndErrCapturer,
-		JourneyStep step, const string &stepDir)
+		JourneyStep step, const string &stepDir, int stepDirFd)
 	{
 		TRACE_POINT_WITH_DATA(journeyStepToString(step).data());
 		string summary;
-		string value = strip(readAll(stepDir + "/state"));
+		string value = strip(safeReadFile(stepDirFd, "state",
+			SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE).first);
 		JourneyStepState state = stringToJourneyStepState(value);
 		const Config *config = session.config;
 
@@ -1095,6 +1229,7 @@ private:
 				SpawnException e(INTERNAL_ERROR, session.journey, config);
 				e.setStdoutAndErrData(getStdoutErrData(stdoutAndErrCapturer));
 				e.setSubprocessPid(pid);
+				loadBasicInfoFromEnvDumpDir(e, session);
 				loadAnnotationsFromEnvDumpDir(e, session);
 
 				if (!config->genericApp && config->startsUsingWrapper) {
@@ -1187,6 +1322,7 @@ private:
 			SpawnException e(INTERNAL_ERROR, session.journey, config);
 			e.setStdoutAndErrData(getStdoutErrData(stdoutAndErrCapturer));
 			e.setSubprocessPid(pid);
+			loadBasicInfoFromEnvDumpDir(e, session);
 			loadAnnotationsFromEnvDumpDir(e, session);
 
 			if (!config->genericApp && config->startsUsingWrapper) {
@@ -1274,13 +1410,15 @@ private:
 
 		UPDATE_TRACE_POINT();
 		if (fileExists(stepDir + "/begin_time_monotonic")) {
-			value = readAll(stepDir + "/begin_time_monotonic");
+			value = safeReadFile(stepDirFd, "begin_time_monotonic",
+				SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE).first;
 			MonotonicTimeUsec beginTimeMonotonic = atof(value.c_str()) * 1000000;
 			P_DEBUG("[App " << pid << " journey] Step " << journeyStepToString(step)
 				<< ": monotonic begin time is \"" << cEscapeString(value) << "\"");
 			session.journey.setStepBeginTime(step, beginTimeMonotonic);
 		} else if (fileExists(stepDir + "/begin_time")) {
-			value = readAll(stepDir + "/begin_time");
+			value = safeReadFile(stepDirFd, "begin_time",
+				SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE).first;
 			unsigned long long beginTime = atof(value.c_str()) * 1000000;
 			MonotonicTimeUsec beginTimeMonotonic = usecTimestampToMonoTime(beginTime);
 			P_DEBUG("[App " << pid << " journey] Step " << journeyStepToString(step)
@@ -1294,13 +1432,15 @@ private:
 
 		UPDATE_TRACE_POINT();
 		if (fileExists(stepDir + "/end_time_monotonic")) {
-			value = readAll(stepDir + "/end_time_monotonic");
+			value = safeReadFile(stepDirFd, "end_time_monotonic",
+				SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE).first;
 			MonotonicTimeUsec endTimeMonotonic = atof(value.c_str()) * 1000000;
 			P_DEBUG("[App " << pid << " journey] Step " << journeyStepToString(step)
 				<< ": monotonic end time is \"" << cEscapeString(value) << "\"");
 			session.journey.setStepEndTime(step, endTimeMonotonic);
 		} else if (fileExists(stepDir + "/end_time")) {
-			value = readAll(stepDir + "/end_time");
+			value = safeReadFile(stepDirFd, "end_time",
+				SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE).first;
 			unsigned long long endTime = atof(value.c_str()) * 1000000;
 			MonotonicTimeUsec endTimeMonotonic = usecTimestampToMonoTime(endTime);
 			P_DEBUG("[App " << pid << " journey] Step " << journeyStepToString(step)
@@ -1330,40 +1470,51 @@ private:
 	void loadSubprocessErrorMessagesAndEnvDump(SpawnException &e) const {
 		TRACE_POINT();
 		const string &responseDir = session.responseDir;
-		const string &envDumpDir = session.envDumpDir;
 
 		if (fileExists(responseDir + "/error/summary")) {
-			e.setSummary(strip(readAll(responseDir + "/error/summary")));
+			e.setSummary(strip(safeReadFile(session.responseErrorDirFd, "summary",
+				SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first));
 		}
 
 		if (e.getAdvancedProblemDetails().empty()
 		 && fileExists(responseDir + "/error/advanced_problem_details"))
 		{
-			e.setAdvancedProblemDetails(strip(readAll(responseDir
-				+ "/error/advanced_problem_details")));
+			e.setAdvancedProblemDetails(strip(safeReadFile(session.responseErrorDirFd,
+				"advanced_problem_details", SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first));
 		}
 
 		if (fileExists(responseDir + "/error/problem_description.html")) {
-			e.setProblemDescriptionHTML(readAll(responseDir + "/error/problem_description.html"));
+			e.setProblemDescriptionHTML(safeReadFile(session.responseErrorDirFd,
+				"problem_description.html", SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first);
 		} else if (fileExists(responseDir + "/error/problem_description.txt")) {
-			e.setProblemDescriptionHTML(escapeHTML(strip(readAll(
-				responseDir + "/error/problem_description.txt"))));
+			e.setProblemDescriptionHTML(escapeHTML(strip(safeReadFile(session.responseErrorDirFd,
+				"problem_description.txt", SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first)));
 		}
 
 		if (fileExists(responseDir + "/error/solution_description.html")) {
-			e.setSolutionDescriptionHTML(readAll(responseDir + "/error/solution_description.html"));
+			e.setSolutionDescriptionHTML(safeReadFile(session.responseErrorDirFd,
+				"solution_description.html", SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first);
 		} else if (fileExists(responseDir + "/error/solution_description.txt")) {
-			e.setSolutionDescriptionHTML(escapeHTML(strip(readAll(
-				responseDir + "/error/solution_description.txt"))));
+			e.setSolutionDescriptionHTML(escapeHTML(strip(safeReadFile(session.responseErrorDirFd,
+				"solution_description.txt", SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE).first)));
 		}
 
+		loadBasicInfoFromEnvDumpDir(e);
+		loadAnnotationsFromEnvDumpDir(e);
+	}
+
+	void loadBasicInfoFromEnvDumpDir(SpawnException &e) const {
+		loadBasicInfoFromEnvDumpDir(e, session);
+	}
+
+	static void loadBasicInfoFromEnvDumpDir(SpawnException &e, HandshakeSession &session) {
 		string envvars, userInfo, ulimits;
-		loadBasicInfoFromEnvDumpDir(envDumpDir, envvars, userInfo, ulimits);
+
+		loadBasicInfoFromEnvDumpDir(session.envDumpDir, session.envDumpDirFd,
+			envvars, userInfo, ulimits);
 		e.setSubprocessEnvvars(envvars);
 		e.setSubprocessUserInfo(userInfo);
 		e.setSubprocessUlimits(ulimits);
-
-		loadAnnotationsFromEnvDumpDir(e);
 	}
 
 	static void doClosedir(DIR *dir) {
@@ -1387,7 +1538,9 @@ private:
 		while ((ent = readdir(dir)) != NULL) {
 			if (ent->d_name[0] != '.') {
 				e.setAnnotation(ent->d_name, strip(
-					Passenger::readAll(path + "/" + ent->d_name)));
+					safeReadFile(session.envDumpAnnotationsDirFd,
+						ent->d_name, SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE).first
+				));
 			}
 		}
 	}
@@ -1629,16 +1782,19 @@ public:
 	}
 
 	static void loadBasicInfoFromEnvDumpDir(const string &envDumpDir,
-		string &envvars, string &userInfo, string &ulimits)
+		int envDumpDirFd, string &envvars, string &userInfo, string &ulimits)
 	{
 		if (fileExists(envDumpDir + "/envvars")) {
-			envvars = readAll(envDumpDir + "/envvars");
+			envvars = safeReadFile(envDumpDirFd, "envvars",
+				SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE).first;
 		}
 		if (fileExists(envDumpDir + "/user_info")) {
-			userInfo = readAll(envDumpDir + "/user_info");
+			userInfo = safeReadFile(envDumpDirFd, "user_info",
+				SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE).first;
 		}
 		if (fileExists(envDumpDir + "/ulimits")) {
-			ulimits = readAll(envDumpDir + "/ulimits");
+			ulimits = safeReadFile(envDumpDirFd, "ulimits",
+				SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE).first;
 		}
 	}
 };