passenger 5.3.1 → 5.3.2

data/src/agent/ExecHelper/ExecHelperMain.cpp

@@ -201,6 +201,9 @@ switchGroup(uid_t uid, const struct passwd *userInfo, gid_t gid) {
 			if (ngroups <= NGROUPS_MAX) {
 				setgroupsCalled = true;
 				gidset.reset(new gid_t[ngroups]);
+				for (int i = 0; i < ngroups; i++) {
+					gidset[i] = groups[i];
+				}
 				if (setgroups(ngroups, gidset.get()) == -1) {
 					int e = errno;
 					fprintf(stderr, "ERROR: setgroups(%d, ...) failed: %s (errno=%d)\n",

data/src/agent/Shared/ApiAccountUtils.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2015-2017 Phusion Holding B.V.
+ *  Copyright (c) 2015-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -262,7 +262,7 @@ struct ApiAccount {
 		if (doc.isMember("password")) {
 			password = doc["password"].asString();
 		} else {
-			password = strip(readAll(doc["password_file"].asString()));
+			password = strip(unsafeReadFile(doc["password_file"].asString()));
 		}
 		readonly = doc["level"].asString() == "readonly";
 	}

data/src/agent/SpawnEnvSetupper/SpawnEnvSetupperMain.cpp

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2012-2017 Phusion Holding B.V.
+ *  Copyright (c) 2012-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -63,8 +63,8 @@
 #include <FileTools/FileManip.h>
 #include <FileTools/PathManip.h>
 #include <Utils.h>
-#include <Utils/IOUtils.h>
 #include <Utils/StrIntUtils.h>
+#include <Core/SpawningKit/Handshake/WorkDir.h>
 #include <Core/SpawningKit/Exceptions.h>
 
 using namespace std;
@@ -100,7 +100,7 @@ static Json::Value
 readArgsJson(const string &workDir) {
 	Json::Reader reader;
 	Json::Value result;
-	string contents = readAll(workDir + "/args.json");
+	string contents = unsafeReadFile(workDir + "/args.json");
 	if (reader.parse(contents, result)) {
 		return result;
 	} else {
@@ -359,7 +359,7 @@ lookupUserGroup(const Context &context, uid_t *uid, struct passwd **userInfo,
 	}
 }
 
-void
+static void
 chownNewWorkDirFiles(const Context &context, uid_t uid, gid_t gid) {
 	chown((context.workDir + "/response/steps/subprocess_before_first_exec/state").c_str(),
 		uid, gid);
@@ -377,6 +377,11 @@ chownNewWorkDirFiles(const Context &context, uid_t uid, gid_t gid) {
 		uid, gid);
 }
 
+static void
+finalizeWorkDir(const Context &context, uid_t uid, gid_t gid) {
+	SpawningKit::HandshakeWorkDir::finalize(context.workDir, uid, gid);
+}
+
 static void
 enterLveJail(const Context &context, const struct passwd *userInfo) {
 	string lveInitErr;
@@ -873,6 +878,8 @@ spawnEnvSetupperMain(int argc, char *argv[]) {
 				lookupUserGroup(context, &uid, &userInfo, &gid);
 				shell = userInfo->pw_shell;
 			} else {
+				uid = geteuid();
+				gid = getegid();
 				shell = lookupCurrentUserShell();
 			}
 			if (setUlimits(context.args)) {
@@ -880,6 +887,7 @@ spawnEnvSetupperMain(int argc, char *argv[]) {
 			}
 			if (shouldTrySwitchUser) {
 				chownNewWorkDirFiles(context, uid, gid);
+				finalizeWorkDir(context, uid, gid);
 
 				enterLveJail(context, userInfo);
 				switchGroup(context, uid, userInfo, gid);
@@ -888,6 +896,8 @@ spawnEnvSetupperMain(int argc, char *argv[]) {
 				switchUser(context, uid, userInfo);
 				dumpEnvvars(context.workDir);
 				dumpUserInfo(context.workDir);
+			} else {
+				finalizeWorkDir(context, uid, gid);
 			}
 		} else if (executedThroughShell(context)) {
 			recordJourneyStepEnd(context, SpawningKit::SUBPROCESS_OS_SHELL,

data/src/agent/Watchdog/Config.h

@@ -132,6 +132,7 @@ using namespace std;
  *   integration_mode                                                         string             -          default("standalone")
  *   log_level                                                                string             -          default("notice")
  *   log_target                                                               any                -          default({"stderr": true})
+ *   max_instances_per_app                                                    unsigned integer   -          read_only
  *   max_pool_size                                                            unsigned integer   -          default(6)
  *   multi_app                                                                boolean            -          default(false),read_only
  *   passenger_root                                                           string             required   read_only
@@ -145,7 +146,7 @@ using namespace std;
  *   security_update_checker_interval                                         unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                                        string             -          -
  *   security_update_checker_url                                              string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                          string             -          default("Phusion_Passenger/5.3.1")
+ *   server_software                                                          string             -          default("Phusion_Passenger/5.3.2")
  *   setsid                                                                   boolean            -          default(false)
  *   show_version_in_header                                                   boolean            -          default(true)
  *   single_app_mode_app_root                                                 string             -          default,read_only

data/src/agent/Watchdog/WatchdogMain.cpp

@@ -71,6 +71,7 @@
 #include <Constants.h>
 #include <InstanceDirectory.h>
 #include <FileDescriptor.h>
+#include <FileTools/PathSecurityCheck.h>
 #include <RandomGenerator.h>
 #include <BackgroundEventLoop.h>
 #include <LoggingKit/LoggingKit.h>
@@ -977,6 +978,39 @@ lookupDefaultUidGid(uid_t &uid, gid_t &gid) {
 	}
 }
 
+static void
+warnIfInstanceDirVulnerable(const string &root) {
+	TRACE_POINT();
+
+	if (geteuid() != 0) {
+		return; // Passenger is not root, so no escalation.
+	}
+
+	vector<string> errors, checkErrors;
+	if (isPathProbablySecureForRootUse(root, errors, checkErrors)) {
+		if (!checkErrors.empty()) {
+			string message = "WARNING: unable to perform privilege escalation vulnerability detection:\n";
+			foreach (string line, checkErrors) {
+				message.append("\n - " + line);
+			}
+			P_WARN(message);
+		}
+	} else {
+		string message = "WARNING: potential privilege escalation vulnerability detected. " \
+			PROGRAM_NAME " is running as root, and part(s) of the " SHORT_PROGRAM_NAME
+			" instance directory (" + root + ") can be changed by non-root user(s):\n";
+		foreach (string line, errors) {
+			message.append("\n - " + line);
+		}
+		foreach (string line, checkErrors) {
+			message.append("\n - " + line);
+		}
+		message.append("\n\nPlease either fix up the permissions for the insecure paths, or use" \
+					   " a different location for the instance dir that can only be modified by root.");
+		P_WARN(message);
+	}
+}
+
 static void
 initializeWorkingObjects(const WorkingObjectsPtr &wo, InstanceDirToucherPtr &instanceDirToucher,
 	uid_t uidBeforeLoweringPrivilege)
@@ -1005,6 +1039,10 @@ initializeWorkingObjects(const WorkingObjectsPtr &wo, InstanceDirToucherPtr &ins
 	if (watchdogConfig->get("integration_mode").asString() == "standalone") {
 		instanceOptions.properties["standalone_engine"] = watchdogConfig->get("standalone_engine").asString();
 	}
+
+	// check if path is safe
+	warnIfInstanceDirVulnerable(watchdogConfig->get("instance_registry_dir").asString());
+
 	wo->instanceDir = boost::make_shared<InstanceDirectory>(instanceOptions,
 		watchdogConfig->get("instance_registry_dir").asString());
 	wo->extraConfigToPassToSubAgents["instance_dir"] = wo->instanceDir->getPath();

data/src/apache2_module/Hooks.cpp

@@ -1326,6 +1326,7 @@ public:
 		config["show_version_in_header"] = serverConfig.showVersionInHeader;
 		config["max_pool_size"] = serverConfig.maxPoolSize;
 		config["pool_idle_time"] = serverConfig.poolIdleTime;
+		config["max_instances_per_app"] = serverConfig.maxInstancesPerApp;
 		config["response_buffer_high_watermark"] = serverConfig.responseBufferHighWatermark;
 		config["stat_throttle_rate"] = serverConfig.statThrottleRate;
 		config["turbocaching"] = serverConfig.turbocaching;

data/src/cxx_supportlib/ConfigKit/IN_PRACTICE.md

@@ -4,7 +4,7 @@
 
 At the time of writing (25 Feb 2017), ConfigKit was just introduced, so these practices and patterns aren't yet used everywhere, but the long-term plan is to adopt these practices/patterns throughout the entire codebase.
 
-<!-- MarkdownTOC depth=3 autolink="true" bracket="round" -->
+<!-- MarkdownTOC levels="1,2,3,4" autolink="true" bracket="round" -->
 
 - [The "component" pattern](#the-component-pattern)
     - [Components are composable](#components-are-composable)

data/src/cxx_supportlib/ConfigKit/README.md

@@ -4,7 +4,7 @@ ConfigKit is a configuration management system that lets you define configuratio
 
 **Table of contents:**
 
-<!-- MarkdownTOC depth=3 autolink="true" bracket="round" -->
+<!-- MarkdownTOC levels="1,2,3,4" autolink="true" bracket="round" -->
 
 - [Motivations](#motivations)
   - [Configuration flow from high-level to low-level with a minimum of repeated code](#configuration-flow-from-high-level-to-low-level-with-a-minimum-of-repeated-code)

data/src/cxx_supportlib/Constants.h

@@ -81,7 +81,7 @@
 #define PASSENGER_API_VERSION_MAJOR 0
 #define PASSENGER_API_VERSION_MINOR 3
 #define PASSENGER_DEFAULT_USER "nobody"
-#define PASSENGER_VERSION "5.3.1"
+#define PASSENGER_VERSION "5.3.2"
 #define POOL_HELPER_THREAD_STACK_SIZE 262144
 #define PROCESS_SHUTDOWN_TIMEOUT 60
 #define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"
@@ -98,6 +98,11 @@
 #define SERVER_KIT_MAX_SERVER_ENDPOINTS 4
 #define SERVER_TOKEN_NAME "Phusion_Passenger"
 #define SHORT_PROGRAM_NAME "Passenger"
+#define SPAWNINGKIT_MAX_ERROR_CATEGORY_SIZE 32
+#define SPAWNINGKIT_MAX_JOURNEY_STEP_FILE_SIZE 32
+#define SPAWNINGKIT_MAX_PROPERTIES_JSON_SIZE 32768
+#define SPAWNINGKIT_MAX_SUBPROCESS_ENVDUMP_SIZE 131072
+#define SPAWNINGKIT_MAX_SUBPROCESS_ERROR_MESSAGE_SIZE 131072
 #define SUPPORT_URL "https://www.phusionpassenger.com/support"
 #define USER_NAMESPACE_DIRNAME ".passenger"
 

data/src/cxx_supportlib/FileTools/FileManip.cpp

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2017 Phusion Holding B.V.
+ *  Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -34,6 +34,7 @@
 
 #include <cstdio>
 #include <cerrno>
+#include <limits>
 
 #include <FileTools/FileManip.h>
 #include <FileDescriptor.h>
@@ -44,6 +45,7 @@
 #include <Utils.h> // parseModeString
 #include <Utils/CachedFileStat.hpp>
 #include <Utils/IOUtils.h>
+#include <Utils/ScopeGuard.h>
 
 namespace Passenger {
 
@@ -181,6 +183,36 @@ createFile(const string &filename, const StaticString &contents, mode_t permissi
 	}
 }
 
+string
+unsafeReadFile(const string &path) {
+	int fd = open(path.c_str(), O_RDONLY);
+	if (fd != -1) {
+		FdGuard guard(fd, __FILE__, __LINE__);
+		return readAll(fd, std::numeric_limits<size_t>::max()).first;
+	} else {
+		int e = errno;
+		throw FileSystemException("Cannot open '" + path + "' for reading",
+			e, path);
+	}
+}
+
+pair<string, bool>
+safeReadFile(int dirfd, const string &basename, size_t maxSize) {
+	if (basename.find('/') != string::npos) {
+		throw ArgumentException("basename may not contain slashes");
+	}
+
+	int fd = openat(dirfd, basename.c_str(), O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
+	if (fd != -1) {
+		FdGuard guard(fd, __FILE__, __LINE__);
+		return readAll(fd, maxSize);
+	} else {
+		int e = errno;
+		throw FileSystemException("Cannot open '" + basename + "' for reading",
+			e, basename);
+	}
+}
+
 void
 makeDirTree(const string &path, const StaticString &mode, uid_t owner, gid_t group) {
 	struct stat buf;
@@ -240,7 +272,7 @@ makeDirTree(const string &path, const StaticString &mode, uid_t owner, gid_t gro
 				group = (gid_t) -1; // Don't let chown change file group.
 			}
 			do {
-				ret = chown(current.c_str(), owner, group);
+				ret = lchown(current.c_str(), owner, group);
 			} while (ret == -1 && errno == EINTR);
 			if (ret == -1) {
 				char message[1024];

data/src/cxx_supportlib/FileTools/FileManip.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2017 Phusion Holding B.V.
+ *  Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -31,6 +31,7 @@
 #include <unistd.h>
 #include <cstddef>
 #include <string>
+#include <utility>
 #include <StaticString.h>
 
 namespace boost {
@@ -131,6 +132,62 @@ void createFile(const string &filename, const StaticString &contents,
 	bool overwrite = true,
 	const char *callerFile = NULL, unsigned int callerLine = 0);
 
+/**
+ * Read all data from the given file until EOF.
+ * This function is "unsafe" in the sense that it lacks the security
+ * checks implemented by `safeReadFile()`. Read the docs for that function
+ * for more information.
+ *
+ * @throws SystemException
+ */
+string unsafeReadFile(const string &path);
+
+/**
+ * Read all data from the given file until EOF.
+ *
+ *  - `dirfd` is a file descriptor of the directory that contains the file
+ *    you want read from.
+ *  - `basename` is the basename of the file you want to read from. `basename`
+ *    may thus not contain slashes.
+ *  - `maxSize` is the maximum number of bytes you want to read.
+ *
+ * Returns a pair `(contents, eof)`.
+ *
+ *  - `contents` is the read file contents, which is at most `maxSize` bytes.
+ *  - `eof` indicates whether the entire file has been read. If false, then it
+ *    means the amount of data is larger than `maxSize`.
+ *
+ * This function is "safe" in following sense:
+ *
+ *  - It mitigates symbolic link attacks. `open(path)` may not be safe for
+ *    processes running as root, because if a user controls any parts of the
+ *    path then the user can swap one of the parent directories, or the file
+ *    itself, with a symlink. This causes us to read an arbitrary file.
+ *
+ *    This function mitigates this attack by requiring a `dirfd` and by opening
+ *    the file with O_NOFOLLOW. The caller must ensure that `dirfd` is created
+ *    at a time when it knows that no user controls any parts of the path to
+ *    that directory.
+ *
+ *    However, this mitigation does mean that safeReadFile() *cannot be used to
+ *    read from a symlink*!
+ *
+ *  - It mitigates DoS attacks through non-regular files which may block the
+ *    reader, like FIFOs or block devices. For example if the path refers to a
+ *    FIFO which a user created, and the user never opens the FIFO on the other
+ *    side, then the open can block indefinitely.
+ *
+ *    This function mitigates this attack by opening the file with O_NONBLOCK.
+ *
+ *  - It mitigates DoS attacks by creating a very large file. Since we slurp
+ *    the entire file into memory, it is a good idea if we impose a limit
+ *    on how much data we read.
+ *
+ * @throws ArgumentException
+ * @throws SystemException
+ */
+pair<string, bool> safeReadFile(int dirfd, const string &basename, size_t maxSize);
+
 /**
  * Create the directory at the given path, creating intermediate directories
  * if necessary. The created directories' permissions are exactly as specified

data/src/cxx_supportlib/FileTools/PathManip.cpp

@@ -84,11 +84,12 @@ absolutizePath(const StaticString &path, const StaticString &workingDir) {
 	vector<string> components;
 	if (!startsWith(path, "/")) {
 		if (workingDir.empty()) {
-			char buffer[PATH_MAX];
-			if (getcwd(buffer, sizeof(buffer)) == NULL) {
+			char buffer[PATH_MAX + 1];
+			if (getcwd(buffer, PATH_MAX) == NULL) {
 				int e = errno;
 				throw SystemException("Unable to query current working directory", e);
 			}
+			buffer[PATH_MAX] = '\0';
 			split(buffer + 1, '/', components);
 		} else {
 			string absoluteWorkingDir = absolutizePath(workingDir);

data/src/cxx_supportlib/FileTools/PathSecurityCheck.cpp

@@ -0,0 +1,99 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2018 Phusion Holding B.V.
+ *
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <cerrno>
+
+#include <FileTools/PathSecurityCheck.h>
+#include <FileTools/PathManip.h>
+#include <Utils.h>
+#include <Utils/StrIntUtils.h>
+
+namespace Passenger {
+
+
+static bool
+isSinglePathProbablySecureForRootUse(const string &path,
+	vector<string> &errors, vector<string> &checkErrors)
+{
+	struct stat s;
+	int ret;
+
+	do {
+		ret = stat(path.c_str(), &s);
+	} while (ret == -1 && errno == EAGAIN);
+	if (ret == -1) {
+		int e = errno;
+		checkErrors.push_back("Security check skipped on " + path
+			+ ": stat() failed: " + strerror(e) + " (errno="
+			+ toString(e) + ")");
+		return true;
+	}
+
+	if (s.st_uid != 0) {
+		errors.push_back(path + " is not secure: it can be modified by user "
+			+ getUserName(s.st_uid));
+		return false;
+	}
+
+	if (s.st_mode & S_ISVTX) {
+		return true;
+	}
+
+	if (s.st_mode & S_IWGRP) {
+		errors.push_back(path + " is not secure: it can be modified by group "
+			+ getGroupName(s.st_gid));
+		return false;
+	}
+
+	if (s.st_mode & S_IWOTH) {
+		errors.push_back(path + " is not secure: it can be modified by anybody");
+		return false;
+	}
+
+	return true;
+}
+
+bool
+isPathProbablySecureForRootUse(const StaticString &path, vector<string> &errors,
+	vector<string> &checkErrors)
+{
+	string fullPath = absolutizePath(path);
+	bool result = true;
+
+	while (!fullPath.empty() && fullPath != "/") {
+		result = isSinglePathProbablySecureForRootUse(fullPath, errors, checkErrors)
+			&& result;
+		fullPath = extractDirName(fullPath);
+	}
+
+	return result;
+}
+
+
+} // namespace Passenger