passenger 5.3.1 → 5.3.2

data/src/agent/Core/SpawningKit/Handshake/Prepare.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2016-2017 Phusion Holding B.V.
+ *  Copyright (c) 2016-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -33,6 +33,7 @@
 #include <vector>
 #include <stdexcept>
 #include <algorithm>
+#include <utility>
 #include <cerrno>
 #include <cstddef>
 #include <cassert>
@@ -143,7 +144,7 @@ private:
 
 	void createWorkDir() {
 		TRACE_POINT();
-		session.workDir.reset(new HandshakeWorkDir(session.uid, session.gid));
+		session.workDir.reset(new HandshakeWorkDir());
 
 		session.envDumpDir = session.workDir->getPath() + "/envdump";
 		makeDirTree(session.envDumpDir,
@@ -216,6 +217,43 @@ private:
 		}
 	}
 
+	// Open various workdir subdirectories because we'll use these file descriptors later in
+	// safeReadFile() calls.
+	void openWorkDirSubdirFds() {
+		session.workDirFd = openDirFd(session.workDir->getPath());
+		session.responseDirFd = openDirFd(session.responseDir);
+		session.responseErrorDirFd = openDirFd(session.responseDir + "/error");
+		session.envDumpDirFd = openDirFd(session.envDumpDir);
+		session.envDumpAnnotationsDirFd = openDirFd(session.envDumpDir + "/annotations");
+		openJourneyStepDirFds(getFirstSubprocessJourneyStep(),
+			getLastSubprocessJourneyStep());
+		openJourneyStepDirFds(getFirstPreloaderJourneyStep(),
+			JourneyStep((int) getLastPreloaderJourneyStep() + 1));
+	}
+
+	void openJourneyStepDirFds(JourneyStep firstStep, JourneyStep lastStep) {
+		JourneyStep step;
+
+		for (step = firstStep; step < lastStep; step = JourneyStep((int) step + 1)) {
+			if (!session.journey.hasStep(step)) {
+				continue;
+			}
+
+			string stepString = journeyStepToStringLowerCase(step);
+			string stepDir = session.responseDir + "/steps/" + stepString;
+			session.stepDirFds.insert(make_pair(step, openDirFd(stepDir)));
+		}
+	}
+
+	int openDirFd(const string &path) {
+		int fd = open(path.c_str(), O_RDONLY);
+		if (fd == -1) {
+			int e = errno;
+			throw FileSystemException("Cannot open " + path, e, path);
+		}
+		return fd;
+	}
+
 	void initializeResult() {
 		session.result.initialize(*context, config);
 	}
@@ -266,10 +304,14 @@ private:
 		TRACE_POINT();
 		P_DEBUG("[App spawn arg] " << args.toStyledString());
 
+		// The workDir is a new random dir. the files that we create here
+		// should not exist, so if any exist then have createFile()
+		// throw an error because it could be a bug or an attack.
+
 		createFile(session.workDir->getPath() + "/args.json",
 			args.toStyledString(), 0600,
 			session.uid, session.gid,
-			true, __FILE__, __LINE__);
+			false, __FILE__, __LINE__);
 
 		const string dir = session.workDir->getPath() + "/args";
 		makeDirTree(dir, "u=rwx,g=,o=",
@@ -289,14 +331,14 @@ private:
 			case Json::booleanValue:
 				createFile(dir + "/" + it.name(),
 					jsonValueToString(*it),
-					0644, session.uid, session.gid,
-					true, __FILE__, __LINE__);
+					0600, session.uid, session.gid,
+					false, __FILE__, __LINE__);
 				break;
 			default:
 				createFile(dir + "/" + it.name() + ".json",
 					jsonValueToString(*it),
-					0644, session.uid, session.gid,
-					true, __FILE__, __LINE__);
+					0600, session.uid, session.gid,
+					false, __FILE__, __LINE__);
 				break;
 			}
 		}
@@ -533,7 +575,7 @@ public:
 		assert(_session.config != NULL);
 	}
 
-	void execute() {
+	HandshakePrepare &execute() {
 		TRACE_POINT();
 
 		// We do not set SPAWNING_KIT_PREPARATION to the IN_PROGRESS or
@@ -545,6 +587,7 @@ public:
 
 			resolveUserAndGroup();
 			createWorkDir();
+			openWorkDirSubdirFds();
 			initializeResult();
 
 			UPDATE_TRACE_POINT();
@@ -572,6 +615,12 @@ public:
 			session.journey.setStepErrored(SPAWNING_KIT_PREPARATION);
 			throw SpawnException(e, session.journey, config).finalize();
 		}
+
+		return *this;
+	}
+
+	void finalize() {
+		session.workDir->finalize(session.uid, session.gid);
 	}
 };
 

data/src/agent/Core/SpawningKit/Handshake/Session.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2016-2017 Phusion Holding B.V.
+ *  Copyright (c) 2016-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -28,6 +28,7 @@
 
 #include <boost/scoped_ptr.hpp>
 #include <string>
+#include <map>
 
 #include <Utils.h>
 #include <Core/SpawningKit/Context.h>
@@ -50,6 +51,12 @@ struct HandshakeSession {
 	boost::scoped_ptr<HandshakeWorkDir> workDir;
 	string responseDir;
 	string envDumpDir;
+	int workDirFd;
+	int responseDirFd;
+	int responseErrorDirFd;
+	int envDumpDirFd;
+	int envDumpAnnotationsDirFd;
+	map<JourneyStep, int> stepDirFds;
 	Journey journey;
 	Result result;
 
@@ -69,6 +76,11 @@ struct HandshakeSession {
 	HandshakeSession(Context &_context, Config &_config, JourneyType journeyType)
 		: context(&_context),
 		  config(&_config),
+		  workDirFd(-1),
+		  responseDirFd(-1),
+		  responseErrorDirFd(-1),
+		  envDumpDirFd(-1),
+		  envDumpAnnotationsDirFd(-1),
 		  journey(journeyType, !_config.genericApp && _config.startsUsingWrapper),
 		  uid(USER_NOT_GIVEN),
 		  gid(GROUP_NOT_GIVEN),
@@ -77,6 +89,27 @@ struct HandshakeSession {
 		{ }
 
 	~HandshakeSession() {
+		if (workDirFd != -1) {
+			safelyClose(workDirFd, true);
+		}
+		if (responseDirFd != -1) {
+			safelyClose(responseDirFd, true);
+		}
+		if (responseErrorDirFd != -1) {
+			safelyClose(responseErrorDirFd, true);
+		}
+		if (envDumpDirFd != -1) {
+			safelyClose(envDumpDirFd, true);
+		}
+		if (envDumpAnnotationsDirFd != -1) {
+			safelyClose(envDumpAnnotationsDirFd, true);
+		}
+
+		map<JourneyStep, int>::iterator it, end = stepDirFds.end();
+		for (it = stepDirFds.begin(); it != end; it++) {
+			safelyClose(it->second);
+		}
+
 		if (config->debugWorkDir && workDir != NULL) {
 			string path = workDir->dontRemoveOnDestruction();
 			P_NOTICE("Work directory " << path << " preserved for debugging");

data/src/agent/Core/SpawningKit/Handshake/WorkDir.h

@@ -54,7 +54,7 @@ private:
 	string path;
 
 public:
-	HandshakeWorkDir(uid_t uid, gid_t gid) {
+	HandshakeWorkDir() {
 		char buf[PATH_MAX + 1];
 		char *pos = buf;
 		const char *end = buf + PATH_MAX;
@@ -70,9 +70,6 @@ public:
 				"in the format of '" + StaticString(buf) + "'", e);
 		} else {
 			path = result;
-			boost::this_thread::disable_interruption di;
-			boost::this_thread::disable_syscall_interruption dsi;
-			syscalls::chown(result, uid, gid);
 		}
 	}
 
@@ -86,11 +83,30 @@ public:
 		return path;
 	}
 
+	void finalize(uid_t uid, gid_t gid) {
+		finalize(path, uid, gid);
+	}
+
 	string dontRemoveOnDestruction() {
 		string result = path;
 		path.clear();
 		return result;
 	}
+
+	static void finalize(const string &path, uid_t uid, gid_t gid) {
+		// We do not chown() the work dir until:
+		//
+		//  - HandshakePrepare is done populating the work dir,
+		//  - SpawnEnvSetupperMain is done reading from and modifying the work dir
+		//
+		// This way, the application user cannot perform symlink attacks
+		// inside the work dir until we are done (at which point the
+		// follow-up code will only perform read/write operations after
+		// dropping root privileges).
+		boost::this_thread::disable_interruption di;
+		boost::this_thread::disable_syscall_interruption dsi;
+		syscalls::chown(path.c_str(), uid, gid);
+	}
 };
 
 

data/src/agent/Core/SpawningKit/SmartSpawner.h

@@ -39,7 +39,7 @@
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <signal.h>
-#include <cstdio>
+#include <unistd.h>
 #include <cstring>
 #include <cassert>
 
@@ -50,12 +50,13 @@
 #include <Exceptions.h>
 #include <DataStructures/StringKeyTable.h>
 #include <ProcessManagement/Utils.h>
+#include <FileTools/FileManip.h>
 #include <Utils/SystemTime.h>
-#include <Utils/IOUtils.h>
 #include <Utils/BufferedIO.h>
 #include <Utils/JsonUtils.h>
 #include <Utils/ScopeGuard.h>
 #include <Utils/ProcessMetricsCollector.h>
+#include <Utils/AsyncSignalSafeUtils.h>
 #include <LveLoggingDecorator.h>
 #include <Core/SpawningKit/Spawner.h>
 #include <Core/SpawningKit/Exceptions.h>
@@ -177,6 +178,8 @@ private:
 	}
 
 	struct StdChannelsAsyncOpenState {
+		const int workDirFd;
+
 		oxt::thread *stdinOpenThread;
 		FileDescriptor stdinFd;
 		int stdinOpenErrno;
@@ -187,8 +190,9 @@ private:
 
 		BackgroundIOCapturerPtr stdoutAndErrCapturer;
 
-		StdChannelsAsyncOpenState()
-			: stdinOpenThread(NULL),
+		StdChannelsAsyncOpenState(int _workDirFd)
+			: workDirFd(_workDirFd),
+			  stdinOpenThread(NULL),
 			  stdoutAndErrOpenThread(NULL)
 			{ }
 
@@ -211,7 +215,8 @@ private:
 	StdChannelsAsyncOpenStatePtr openStdChannelsFifosAsynchronously(
 		HandshakeSession &session)
 	{
-		StdChannelsAsyncOpenStatePtr state = boost::make_shared<StdChannelsAsyncOpenState>();
+		StdChannelsAsyncOpenStatePtr state = boost::make_shared<StdChannelsAsyncOpenState>(
+			session.workDirFd);
 		state->stdinOpenThread = new oxt::thread(boost::bind(
 			openStdinChannel, state, session.workDir->getPath()),
 			"FIFO opener: " + session.workDir->getPath() + "/stdin", 1024 * 128);
@@ -282,7 +287,7 @@ private:
 	static void openStdinChannel(StdChannelsAsyncOpenStatePtr state,
 		const string &workDir)
 	{
-		int fd = syscalls::open((workDir + "/stdin").c_str(), O_WRONLY | O_APPEND);
+		int fd = syscalls::openat(state->workDirFd, "stdin", O_WRONLY | O_APPEND | O_NOFOLLOW);
 		int e = errno;
 		state->stdinFd.assign(fd, __FILE__, __LINE__);
 		state->stdinOpenErrno = e;
@@ -291,7 +296,7 @@ private:
 	static void openStdoutAndErrChannel(StdChannelsAsyncOpenStatePtr state,
 		const string &workDir)
 	{
-		int fd = syscalls::open((workDir + "/stdout_and_err").c_str(), O_RDONLY);
+		int fd = syscalls::openat(state->workDirFd, "stdout_and_err", O_RDONLY | O_NOFOLLOW);
 		int e = errno;
 		state->stdoutAndErrFd.assign(fd, __FILE__, __LINE__);
 		state->stdoutAndErrOpenErrno = e;
@@ -357,8 +362,11 @@ private:
 
 		pid_t pid = syscalls::fork();
 		if (pid == 0) {
-			purgeStdio(stdout);
-			purgeStdio(stderr);
+			int e;
+			char buf[1024];
+			const char *end = buf + sizeof(buf);
+			namespace ASSU = AsyncSignalSafeUtils;
+
 			resetSignalHandlersAndMask();
 			disableMallocDebugging();
 			int stdinCopy = dup2(stdinChannel.first, 3);
@@ -367,6 +375,7 @@ private:
 			dup2(stdoutAndErrCopy, 1);
 			dup2(stdoutAndErrCopy, 2);
 			closeAllFileDescriptors(2, true);
+
 			execlp(agentFilename.c_str(),
 				agentFilename.c_str(),
 				"spawn-env-setupper",
@@ -374,10 +383,16 @@ private:
 				"--before",
 				NULL);
 
-			int e = errno;
-			fprintf(stderr, "Cannot execute \"%s\": %s (errno=%d)\n",
-				agentFilename.c_str(), strerror(e), e);
-			fflush(stderr);
+			char *pos = buf;
+			e = errno;
+			pos = ASSU::appendData(pos, end, "Cannot execute \"");
+			pos = ASSU::appendData(pos, end, agentFilename.data(), agentFilename.size());
+			pos = ASSU::appendData(pos, end, "\": ");
+			pos = ASSU::appendData(pos, end, ASSU::limitedStrerror(e));
+			pos = ASSU::appendData(pos, end, " (errno=");
+			pos = ASSU::appendInteger<int, 10>(pos, end, e);
+			pos = ASSU::appendData(pos, end, ")\n");
+			ASSU::printError(buf, pos - buf);
 			_exit(1);
 
 		} else if (pid == -1) {
@@ -419,7 +434,7 @@ private:
 			// - bottom of stopPreloader()
 			// - addPreloaderEnvDumps()
 			HandshakePerform::loadBasicInfoFromEnvDumpDir(session.envDumpDir,
-				envvars, userInfo, ulimits);
+				session.envDumpDirFd, envvars, userInfo, ulimits);
 			string socketAddress = findPreloaderCommandSocketAddress(session);
 
 			{
@@ -431,7 +446,7 @@ private:
 				this->preloaderUserInfo = userInfo;
 				this->preloaderUlimits = ulimits;
 				this->preloaderAnnotations = loadAnnotationsFromEnvDumpDir(
-					session.envDumpDir);
+					session.envDumpDir, session.envDumpAnnotationsDirFd);
 			}
 
 			PipeWatcherPtr watcher = boost::make_shared<PipeWatcher>(
@@ -825,16 +840,56 @@ private:
 	{
 		TRACE_POINT();
 		pid_t spawnedPid = doc["pid"].asInt();
-		ScopeGuard guard(boost::bind(nonInterruptableKillAndWaitpid, spawnedPid));
-
-		UPDATE_TRACE_POINT();
-		waitForStdChannelFifosToBeOpenedByPeer(stdChannelsAsyncOpenState,
-			session, spawnedPid);
 
-		UPDATE_TRACE_POINT();
 		// How do we know the preloader actually forked a process
 		// instead of reporting the PID of a random other existing process?
-		// For security reasons we perform a UID check.
+		// For security reasons we perform a bunch of sanity checks,
+		// including checking the PID's UID.
+
+		if (spawnedPid < 1) {
+			UPDATE_TRACE_POINT();
+			session.journey.setStepErrored(SPAWNING_KIT_PROCESS_RESPONSE_FROM_PRELOADER);
+
+			SpawnException e(INTERNAL_ERROR, session.journey, session.config);
+			addPreloaderEnvDumps(e);
+			e.setSummary("The the preloader said it spawned a process with PID "
+				+ toString(spawnedPid) + ", which is not allowed.");
+			e.setSubprocessPid(spawnedPid);
+			e.setStdoutAndErrData(getBackgroundIOCapturerData(
+				stdChannelsAsyncOpenState->stdoutAndErrCapturer));
+			e.setProblemDescriptionHTML(
+				"<h2>Application process has unexpected PID</h2>"
+				"<p>The " PROGRAM_NAME " application server tried"
+				" to start the web application by communicating with a"
+				" helper process that we call a \"preloader\". However,"
+				" the preloader reported that it started a process with"
+				" a PID of " + toString(spawnedPid) + ", which is not"
+				" allowed.</p>");
+			if (!session.config->genericApp && session.config->startsUsingWrapper
+				&& session.config->wrapperSuppliedByThirdParty)
+			{
+				e.setSolutionDescriptionHTML(
+					"<h2>Please report this bug</h2>"
+					"<p class=\"sole-solution\">"
+					"This is probably a bug in the preloader process. The preloader "
+					"wrapper program is not written by the " PROGRAM_NAME " authors, "
+					"but by a third party. Please report this bug to the author of "
+					"the preloader wrapper program."
+					"</p>");
+			} else {
+				e.setSolutionDescriptionHTML(
+					"<h2>Please report this bug</h2>"
+					"<p class=\"sole-solution\">"
+					"This is probably a bug in the preloader process. The preloader "
+					"is an internal tool part of " PROGRAM_NAME ". Please "
+					"<a href=\"" SUPPORT_URL "\">"
+					"report this bug</a>."
+					"</p>");
+			}
+			throw e.finalize();
+		}
+
+		UPDATE_TRACE_POINT();
 		uid_t spawnedUid = getProcessUid(session, spawnedPid,
 			stdChannelsAsyncOpenState->stdoutAndErrCapturer);
 		if (spawnedUid != session.uid) {
@@ -882,6 +937,11 @@ private:
 			throw e.finalize();
 		}
 
+		UPDATE_TRACE_POINT();
+		ScopeGuard guard(boost::bind(nonInterruptableKillAndWaitpid, spawnedPid));
+		waitForStdChannelFifosToBeOpenedByPeer(stdChannelsAsyncOpenState,
+			session, spawnedPid);
+
 		UPDATE_TRACE_POINT();
 		string alreadyReadStdoutAndErrData;
 		if (stdChannelsAsyncOpenState->stdoutAndErrCapturer != NULL) {
@@ -1135,7 +1195,9 @@ private:
 		return string();
 	}
 
-	static StringKeyTable<string> loadAnnotationsFromEnvDumpDir(const string &envDumpDir) {
+	static StringKeyTable<string> loadAnnotationsFromEnvDumpDir(const string &envDumpDir,
+		int envDumpAnnotationsDirFd)
+	{
 		string path = envDumpDir + "/annotations";
 		DIR *dir = opendir(path.c_str());
 		if (dir == NULL) {
@@ -1147,9 +1209,8 @@ private:
 		struct dirent *ent;
 		while ((ent = readdir(dir)) != NULL) {
 			if (ent->d_name[0] != '.') {
-				result.insert(ent->d_name, strip(
-					Passenger::readAll(path + "/" + ent->d_name)),
-					true);
+				result.insert(ent->d_name, strip(safeReadFile(envDumpAnnotationsDirFd,
+					ent->d_name, SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE).first), true);
 			}
 		}
 
@@ -1241,8 +1302,10 @@ public:
 
 		try {
 			UPDATE_TRACE_POINT();
-			HandshakePrepare(session, extraArgs).execute();
+			HandshakePrepare prepare(session, extraArgs);
+			prepare.execute();
 			createStdChannelFifos(session);
+			prepare.finalize();
 			session.journey.setStepPerformed(SPAWNING_KIT_PREPARATION, true);
 
 			UPDATE_TRACE_POINT();