passenger 5.3.4 → 6.0.1

data/src/agent/FileReadHelper/FileReadHelperMain.cpp

@@ -0,0 +1,198 @@
+/*
+ *  Phusion Passenger - https://www.phusionpassenger.com/
+ *  Copyright (c) 2018 Phusion Holding B.V.
+ *
+ *  "Passenger", "Phusion Passenger" and "Union Station" are registered
+ *  trademarks of Phusion Holding B.V.
+ *
+ *  Permission is hereby granted, free of charge, to any person obtaining a copy
+ *  of this software and associated documentation files (the "Software"), to deal
+ *  in the Software without restriction, including without limitation the rights
+ *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *  copies of the Software, and to permit persons to whom the Software is
+ *  furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ */
+
+// A helper app that reads from an arbitrary file.
+// Its main reason for existance is to allow root processes (such as the Core)
+// to read from arbitrary files in a way that's safe from symlink and other
+// kinds of attacks. See the documentation for safeReadFile()
+// to learn more about the different types of attacks.
+//
+// file-read-helper is used when the caller cannot use safeReadFile(),
+// e.g. when the following two conditions hold at the same time:
+//
+//  1. The caller does not have control over the safety of the parent
+//     directories leading to the file.
+//  2. The caller cannot choose not to disclose the contents of the file.
+//
+// file-read-helper MUST be used in combination with exec-helper in order
+// to lower its privilege, otherwise no protection is provided.
+
+#include <cstdio>
+#include <cstdlib>
+#include <cstddef>
+#include <cerrno>
+#include <cstring>
+#include <string>
+#include <algorithm>
+#include <limits>
+
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <Constants.h>
+#include <ProcessManagement/Utils.h>
+#include <IOTools/IOUtils.h>
+#include <Utils/OptionParsing.h>
+
+namespace Passenger {
+namespace FileReadHelper {
+
+using namespace std;
+
+
+struct Options {
+	size_t limit;
+	int programArgStart;
+
+	Options()
+		: limit(std::numeric_limits<size_t>::max()),
+		  programArgStart(2)
+		{ }
+};
+
+static void
+usage() {
+	// ....|---------------Keep output within standard terminal width (80 chars)------------|
+	printf("Usage: " AGENT_EXE " file-read-helper [OPTIONS...] <PATH>\n");
+	printf("Reads the given file with O_NONBLOCK.\n");
+	printf("\n");
+	printf("Options:\n");
+	printf("  --limit <SIZE>  Limit the number of bytes read (default: unlimited).\n");
+	printf("  --help          Show this help message.\n");
+}
+
+static bool
+parseOption(int argc, const char *argv[], int &i, Options &options) {
+	OptionParser p(usage);
+
+	if (p.isValueFlag(argc, i, argv[i], '\0', "--limit")) {
+		options.limit = atoi(argv[i + 1]);
+		i += 2;
+	} else {
+		return false;
+	}
+	return true;
+}
+
+static bool
+parseOptions(int argc, const char *argv[], Options &options) {
+	OptionParser p(usage);
+	int i = 2;
+
+	while (i < argc) {
+		if (parseOption(argc, argv, i, options)) {
+			continue;
+		} else if (p.isFlag(argv[i], 'h', "--help")) {
+			usage();
+			exit(0);
+		} else if (*argv[i] == '-') {
+			fprintf(stderr, "ERROR: unrecognized argument %s. Please type "
+				"'%s file-read-helper --help' for usage.\n", argv[i], argv[0]);
+			exit(1);
+		} else {
+			options.programArgStart = i;
+			return true;
+		}
+	}
+
+	return true;
+}
+
+int
+fileReadHelperMain(int argc, char *argv[]) {
+	if (argc < 3) {
+		usage();
+		exit(1);
+	}
+
+	Options options;
+	if (!parseOptions(argc, (const char **) argv, options)) {
+		fprintf(stderr, "Error parsing arguments.\n");
+		usage();
+		exit(1);
+	}
+
+	if (argc != options.programArgStart + 1) {
+		fprintf(stderr, "ERROR: no file path given. Please type "
+			"'%s file-read-helper --help' for usage.\n", argv[0]);
+		exit(1);
+	}
+
+	if (geteuid() == 0) {
+		fprintf(stderr, "ERROR: file-read-helper cannot be run with root"
+			" privileges. Please use in combination with exec-helper.\n");
+		exit(1);
+	}
+
+	resetSignalHandlersAndMask();
+	disableMallocDebugging();
+
+	const char *path = argv[options.programArgStart];
+	int fd;
+	do {
+		fd = open(path, O_RDONLY | O_NONBLOCK);
+	} while (fd == -1 && errno == EINTR);
+	if (fd == -1) {
+		int e = errno;
+		fprintf(stderr, "Error opening %s for reading: %s (errno=%d)\n",
+			path, strerror(e), e);
+		exit(1);
+	}
+
+	size_t totalRead = 0;
+	char buf[1024 * 16];
+
+	while (totalRead < options.limit) {
+		ssize_t ret;
+		do {
+			ret = read(fd, buf,
+				std::min<size_t>(sizeof(buf), options.limit - totalRead));
+		} while (ret == -1 && errno == EINTR);
+		if (ret == -1) {
+			int e = errno;
+			fprintf(stderr, "Error reading from %s: %s (errno=%d)\n",
+				path, strerror(e), e);
+			exit(1);
+		} else if (ret == 0) {
+			break;
+		} else {
+			totalRead += ret;
+			writeExact(1, StaticString(buf, ret));
+		}
+	}
+
+	return 0;
+}
+
+
+} // namespace FileReadHelper
+} // namespace Passenger
+
+
+int
+fileReadHelperMain(int argc, char *argv[]) {
+	return Passenger::FileReadHelper::fileReadHelperMain(argc, argv);
+}

data/src/agent/README.md

@@ -12,7 +12,7 @@ The most important parts are:
 ## Minor parts
 
  * SpawnEnvSetupper is a tool used internally by `Core/SpawningKit/` to spawn application processes. See the README in that directory for more information.
- * SystemMetrics is a tool that shows system metrics such as CPU and memory usage. The main functionality is implemented in src/cxxUtils/SystemMetricsCollector.h. This tool is mainly useful for developing and debugging SystemMetricsCollector.h.
+ * SystemMetrics is a tool that shows system metrics such as CPU and memory usage. The main functionality is implemented in src/cxx/SystemTools/SystemMetricsCollector.h. This tool is mainly useful for developing and debugging SystemMetricsCollector.h.
  * TempDirToucher is a tool used internally by Passenger Standalone to keep a temporary directory's timestamp up-to-date so that it doesn't get removed by /tmp cleaner daemons.
 
 ## Shared code

data/src/agent/Shared/ApiAccountUtils.h

@@ -38,7 +38,7 @@
 #include <StaticString.h>
 #include <FileTools/PathManip.h>
 #include <Utils.h>
-#include <Utils/StrIntUtils.h>
+#include <StrIntTools/StrIntUtils.h>
 
 namespace Passenger {
 namespace ApiAccountUtils { // Avoid conflict with classes of the same name in ApiServerUtils.h, until we've migrated everything

data/src/agent/Shared/ApiServerUtils.h

@@ -72,9 +72,9 @@
 #include <LoggingKit/LoggingKit.h>
 #include <LoggingKit/Context.h>
 #include <Utils.h>
-#include <Utils/IOUtils.h>
-#include <Utils/BufferedIO.h>
-#include <Utils/StrIntUtils.h>
+#include <IOTools/IOUtils.h>
+#include <IOTools/BufferedIO.h>
+#include <StrIntTools/StrIntUtils.h>
 #include <Utils/VariantMap.h>
 #include <Shared/ApplicationPoolApiKey.h>
 

data/src/agent/Shared/ApplicationPoolApiKey.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2015-2017 Phusion Holding B.V.
+ *  Copyright (c) 2015-2018 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -31,7 +31,7 @@
 #include <cstring>
 #include <Exceptions.h>
 #include <StaticString.h>
-#include <Utils/StrIntUtils.h>
+#include <StrIntTools/StrIntUtils.h>
 
 namespace Passenger {
 namespace ApplicationPool2 {