passenger 5.3.1 → 5.3.2

data/src/cxx_supportlib/FileTools/PathSecurityCheck.h

@@ -0,0 +1,69 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2018 Phusion Holding B.V.
+ *
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+#ifndef _PASSENGER_FILE_TOOLS_PATH_SECURITY_CHECK_H_
+#define _PASSENGER_FILE_TOOLS_PATH_SECURITY_CHECK_H_
+
+#include <vector>
+#include <string>
+#include <StaticString.h>
+
+namespace Passenger {
+
+using namespace std;
+
+
+/**
+ * Checks whether the given path is secure for use by a root process.
+ * This is done by checking whether the path itself, as well as any of the
+ * parent directories, can only be written to by root. Returns whether the
+ * path is deemed secure.
+ *
+ * If a non-root user can write to any of the directories in the path then that
+ * user can cause the root proces to read an arbitrary file. That file can even
+ * be one that is not owned by said user, through the use of symlinks.
+ *
+ * Checking is done according to normal Unix permissions. ACLs and systems like
+ * SELinux are not taken into consideration. Also, if this function fails to
+ * check a part of the path (e.g. because stat() failed) then this function
+ * simply skips that part. Therefore this function does not perform a full check
+ * and its result (which *can* be a false positive or a false negative) should be
+ * taken with a grain of salt.
+ *
+ * Error messages that can be used to inform the user which parts of the path
+ * are insecure, are outputted into `errors`. This vector becomes non-empty
+ * only if result is false.
+ *
+ * Any errors that occur w.r.t. checking itself (e.g. stat() errors) are
+ * outputted into `checkErrors`. This vector may become non-empty no matter
+ * the result.
+ */
+bool isPathProbablySecureForRootUse(const StaticString &path,
+	vector<string> &errors, vector<string> &checkErrors);
+
+
+} // namespace Passenger
+
+#endif /* _PASSENGER_FILE_TOOLS_PATH_SECURITY_CHECK_H_ */

data/src/cxx_supportlib/Utils.cpp

@@ -186,9 +186,37 @@ getProcessUsername(bool fallback) {
 	}
 }
 
+string
+getUserName(uid_t uid) {
+	struct passwd pwd, *result;
+	int ret;
+	long bufSize;
+	shared_array<char> strings;
+
+	// _SC_GETPW_R_SIZE_MAX is not a maximum:
+	// http://tomlee.co/2012/10/problems-with-large-linux-unix-groups-and-getgrgid_r-getgrnam_r/
+	bufSize = std::max<long>(1024 * 128, sysconf(_SC_GETPW_R_SIZE_MAX));
+	strings.reset(new char[bufSize]);
+
+	result = (struct passwd *) NULL;
+	do {
+		ret = getpwuid_r(uid, &pwd, strings.get(), bufSize, &result);
+	} while (ret == EAGAIN);
+	if (ret != 0) {
+		result = (struct passwd *) NULL;
+	}
+
+	if (result == (struct passwd *) NULL || result->pw_name == NULL || result->pw_name[0] == '\0') {
+		return toString(uid);
+	} else {
+		return result->pw_name;
+	}
+}
+
 string
 getGroupName(gid_t gid) {
-	struct group grp, *groupEntry;
+	struct group grp, *result;
+	int ret;
 	long bufSize;
 	shared_array<char> strings;
 
@@ -197,15 +225,18 @@ getGroupName(gid_t gid) {
 	bufSize = std::max<long>(1024 * 128, sysconf(_SC_GETGR_R_SIZE_MAX));
 	strings.reset(new char[bufSize]);
 
-	groupEntry = (struct group *) NULL;
-	if (getgrgid_r(gid, &grp, strings.get(), bufSize, &groupEntry) != 0) {
-		groupEntry = (struct group *) NULL;
+	result = (struct group *) NULL;
+	do {
+		ret = getgrgid_r(gid, &grp, strings.get(), bufSize, &result);
+	} while (ret == EAGAIN);
+	if (ret != 0) {
+		result = (struct group *) NULL;
 	}
 
-	if (groupEntry == (struct group *) NULL) {
+	if (result == (struct group *) NULL || result->gr_name == NULL || result->gr_name[0] == '\0') {
 		return toString(gid);
 	} else {
-		return groupEntry->gr_name;
+		return result->gr_name;
 	}
 }
 

data/src/cxx_supportlib/Utils.h

@@ -100,6 +100,12 @@ string escapeShell(const StaticString &input);
  */
 string getProcessUsername(bool fallback = true);
 
+/**
+ * Returns either the user name for the given UID, or (if the user name
+ * couldn't be looked up) a string representation of the given UID.
+ */
+string getUserName(uid_t uid);
+
 /**
  * Returns either the group name for the given GID, or (if the group name
  * couldn't be looked up) a string representation of the given GID.

data/src/cxx_supportlib/Utils/AsyncSignalSafeUtils.h

@@ -159,12 +159,24 @@ limitedStrerror(int e, const char *defaultResult = "Unknown error") {
 		return "Permission denied";
 	case EFAULT:
 		return "Bad address";
+	case EINVAL:
+		return "Invalid argument";
 	case EIO:
 		return "Input/output error";
+	case EISDIR:
+		return "Is a directory";
+	#ifdef ELIBBAD
+		case ELIBBAD:
+			return "Accessing a corrupted shared library";
+	#endif
 	case ELOOP:
 		return "Too many levels of symbolic links";
+	case EMFILE:
+		return "Too many open files";
 	case ENAMETOOLONG:
 		return "File name too long";
+	case ENFILE:
+		return "Too many open files in system";
 	case ENOENT:
 		return "No such file or directory";
 	case ENOEXEC:
@@ -173,6 +185,8 @@ limitedStrerror(int e, const char *defaultResult = "Unknown error") {
 		return "Cannot allocate memory";
 	case ENOTDIR:
 		return "Not a directory";
+	case EPERM:
+		return "Operation not permitted";
 	case ETXTBSY:
 		return "Text file busy";
 	default:

data/src/cxx_supportlib/Utils/IOUtils.cpp

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2017 Phusion Holding B.V.
+ *  Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -1354,32 +1354,23 @@ safelyClose(int fd, bool ignoreErrors) {
 	}
 }
 
-string
-readAll(const string &filename) {
-	FILE *f = fopen(filename.c_str(), "rb");
-	if (f != NULL) {
-		StdioGuard guard(f, NULL, 0);
-		return readAll(fileno(f));
-	} else {
-		int e = errno;
-		throw FileSystemException("Cannot open '" + filename + "' for reading",
-			e, filename);
-	}
-}
-
-string
-readAll(int fd) {
+pair<string, bool>
+readAll(int fd, size_t maxSize) {
 	string result;
 	char buf[1024 * 32];
 	ssize_t ret;
-	while (true) {
+	bool eofReached = false;
+
+	while (result.size() < maxSize) {
 		do {
 			ret = read(fd, buf, sizeof(buf));
 		} while (ret == -1 && errno == EINTR);
 		if (ret == 0) {
+			eofReached = true;
 			break;
 		} else if (ret == -1) {
 			if (errno == ECONNRESET) {
+				eofReached = true;
 				break;
 			} else {
 				int e = errno;
@@ -1389,7 +1380,8 @@ readAll(int fd) {
 			result.append(buf, ret);
 		}
 	}
-	return result;
+
+	return make_pair(result, eofReached);
 }
 
 

data/src/cxx_supportlib/Utils/IOUtils.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010-2017 Phusion Holding B.V.
+ *  Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -34,6 +34,7 @@
 #include <unistd.h>
 #include <netdb.h>
 #include <string>
+#include <utility>
 #include <vector>
 #include <oxt/macros.hpp>
 #include <StaticString.h>
@@ -642,18 +643,18 @@ void readPeerCredentials(int sock, uid_t *uid, gid_t *gid);
 #endif
 
 /**
- * Read all data from the given file until EOF.
+ * Read all data from the given file descriptor until EOF, or until `maxSize`
+ * is reached.
  *
- * @throws SystemException
- */
-string readAll(const string &filename);
-
-/**
- * Read all data from the given file descriptor until EOF.
+ * Returns a pair `(contents, eof)`.
+ *
+ *  - `contents` is the read file contents, which is at most `maxSize` bytes.
+ *  - `eof` indicates whether the entire file has been read. If false, then it
+ *    means the amount of data is larger than `maxSize`.
  *
  * @throws SystemException
  */
-string readAll(int fd);
+pair<string, bool> readAll(int fd, size_t maxSize);
 
 } // namespace Passenger
 

data/src/cxx_supportlib/Utils/JsonUtils.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2014-2017 Phusion Holding B.V.
+ *  Copyright (c) 2014-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -321,18 +321,22 @@ monoTimeToJson(MonotonicTimeUsec t, MonotonicTimeUsec monoNow, unsigned long lon
 	}
 
 	time_t wallClockTime = (time_t) (wallClockTimeUsec / 1000000ull);
-	char timeStr[32];
+	char timeStr[32], *ctimeResult;
 	size_t len;
-	ctime_r(&wallClockTime, timeStr);
-	len = strlen(timeStr);
-	if (len > 0) {
-		// Get rid of trailing newline
-		timeStr[len - 1] = '\0';
+	ctimeResult = ctime_r(&wallClockTime, timeStr);
+	if (ctimeResult != NULL) {
+		len = strlen(timeStr);
+		if (len > 0) {
+			// Get rid of trailing newline
+			timeStr[len - 1] = '\0';
+		}
 	}
 
 	Json::Value doc;
 	doc["timestamp"] = wallClockTimeUsec / 1000000.0;
-	doc["local"] = timeStr;
+	if (ctimeResult != NULL) {
+		doc["local"] = timeStr;
+	}
 	if (t > monoNow) {
 		doc["relative_timestamp"] = (t - monoNow) / 1000000.0;
 		doc["relative"] = distanceOfTimeInWords(t / 1000000ull, monoNow / 1000000ull) + " from now";

data/src/cxx_supportlib/Utils/SystemMetricsCollector.h

@@ -45,8 +45,8 @@
 #ifdef __linux__
 	#include <sys/sysinfo.h>
 	#include <Exceptions.h>
+	#include <FileTools/FileManip.h>
 	#include <Utils/StringScanning.h>
-	#include <Utils/IOUtils.h>
 #endif
 #ifdef __APPLE__
 	#include <mach/mach.h>
@@ -912,7 +912,7 @@ private:
 			string contents;
 			bool hasContents = false;
 			try {
-				contents = readAll("/proc/meminfo");
+				contents = unsafeReadFile("/proc/meminfo");
 				hasContents = true;
 			} catch (const SystemException &) {
 			}
@@ -987,7 +987,7 @@ private:
 			string contents;
 			bool hasContents = false;
 			try {
-				contents = readAll("/proc/stat");
+				contents = unsafeReadFile("/proc/stat");
 				hasContents = true;
 			} catch (const SystemException &) {
 			}
@@ -1066,7 +1066,7 @@ private:
 			string contents;
 			bool hasContents = false;
 			try {
-				contents = readAll("/proc/vmstat");
+				contents = unsafeReadFile("/proc/vmstat");
 				hasContents = true;
 			} catch (const SystemException &) {
 			}

data/src/cxx_supportlib/Utils/SystemTime.h

@@ -116,7 +116,7 @@ private:
 	template<Granularity granularityNs>
 	static MonotonicTimeUsec _getMonotonicUsec() {
 		if (OXT_UNLIKELY(SystemTimeData::hasForcedUsecValue)) {
-			return SystemTimeData::hasForcedValue;
+			return SystemTimeData::forcedUsecValue;
 		}
 
 		#if BOOST_OS_MACOS

data/src/cxx_supportlib/WebSocketCommandReverseServer.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2017 Phusion Holding B.V.
+ *  Copyright (c) 2017-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -47,9 +47,9 @@
 #include <ConfigKit/AsyncUtils.h>
 #include <Exceptions.h>
 #include <FileTools/PathManip.h>
+#include <FileTools/FileManip.h>
 #include <Utils.h>
 #include <Utils/StrIntUtils.h>
-#include <Utils/IOUtils.h>
 
 namespace Passenger {
 
@@ -497,7 +497,7 @@ private:
 		if (config["password_file"].isNull()) {
 			password = config["password"].asString();
 		} else {
-			password = strip(readAll(config["password_file"].asString()));
+			password = strip(unsafeReadFile(config["password_file"].asString()));
 		}
 		string data = modp::b64_encode(username + ":" + password);
 		conn->append_header("Authorization", "Basic " + data);

data/src/cxx_supportlib/oxt/system_calls.cpp

@@ -2,7 +2,7 @@
  * OXT - OS eXtensions for boosT
  * Provides important functionality necessary for writing robust server software.
  *
- * Copyright (c) 2010-2017 Phusion Holding B.V.
+ * Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -171,6 +171,30 @@ syscalls::open(const char *path, int oflag, mode_t mode) {
 	return ret;
 }
 
+int
+syscalls::openat(int dirfd, const char *path, int oflag) {
+	int ret;
+	CHECK_INTERRUPTION(
+		ret == -1,
+		true,
+		ret = -1,
+		ret = ::openat(dirfd, path, oflag)
+	);
+	return ret;
+}
+
+int
+syscalls::openat(int dirfd, const char *path, int oflag, mode_t mode) {
+	int ret;
+	CHECK_INTERRUPTION(
+		ret == -1,
+		true,
+		ret = -1,
+		ret = ::openat(dirfd, path, oflag, mode)
+	);
+	return ret;
+}
+
 ssize_t
 syscalls::read(int fd, void *buf, size_t count) {
 	ssize_t ret;

data/src/cxx_supportlib/oxt/system_calls.hpp

@@ -2,7 +2,7 @@
  * OXT - OS eXtensions for boosT
  * Provides important functionality necessary for writing robust server software.
  *
- * Copyright (c) 2010-2017 Phusion Holding B.V.
+ * Copyright (c) 2010-2018 Phusion Holding B.V.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -136,6 +136,8 @@ namespace oxt {
 
 		int open(const char *path, int oflag);
 		int open(const char *path, int oflag, mode_t mode);
+		int openat(int dirfd, const char *path, int oflag);
+		int openat(int dirfd, const char *path, int oflag, mode_t mode);
 		ssize_t read(int fd, void *buf, size_t count);
 		ssize_t write(int fd, const void *buf, size_t count);
 		ssize_t writev(int fd, const struct iovec *iov, int iovcnt);