passenger 4.0.7 → 4.0.8

data.tar.gz.asc

@@ -2,11 +2,11 @@
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 
-iQEcBAABAgAGBQJR1pxdAAoJECrHRaUKISqMqh4IAINOF8pLt0MCBN50TlXc162j
-2Oco+OJcp9pPxv2id5N4CObL0tVJapvmDxBCcsOKEGalR4ssrUd/mxjYronRcwft
-daDDGCEiWH/V6Nh7+m3ENhsucEIz1duOWjm+vKLOBzoTcIRKtNSC1RdTw5HCJCC2
-/Z/He4iKHJwfrvelia8vQdhBe0/CYEYKekLnJc3kRvcZabbLmzsWNw/R/4mYk4d0
-iTHpU8JgtKy3PiDqpFWcd/R3gEzEAq8J3RE8baEtZgm4DFlNOYncvBZpcQe0EFwe
-nsrovBNemt++Im6DeiMG5yuQVT5E/YXpIryhCKZEV1IQGCXIY4rJNLh3mcC7BDg=
-=uTYu
+iQEcBAABAgAGBQJR28iYAAoJECrHRaUKISqMPf4IAIGf9BCAw6AwVnoumKhaWkim
+k+hKA1kkPofS9Q7DZPEA5sizgSB1RCW8clalOF5Wb+kCn3KNwfluBENw2Bl974+A
+HubjUnT58//z4bNqx7cEjBxfVWrs8VwINd8nbtEnjVaZG9Xkh+zinGsBwVbvgBE/
+kwwklTV25qOPV3E9eLvWprB4i6lZEVCpsgJzn6HHz+mOxy9OS2VEGJQKZcCLU4WD
+EWiinu8mJmKWGDHAigzNs6xFCfR9i8tRp56y9p5nQrxDqAhYaGdcwPPvD2iNabgh
+dtnid9XFZeEOG5PtNktJ8P/2VX3ziFKnsvq5qYQMrV/lVQdBDeZDlcTfTHBDgqw=
+=V08b
 -----END PGP SIGNATURE-----

data/CONTRIBUTORS

@@ -22,6 +22,7 @@ Erik Ogan
 Evan Phoenix
 Gaspard Bucher
 Goffert van Gool
+Gokulnath Manakkattil
 Gregory Potamianos
 Hongli Lai (Phusion)
 Ian Ehlert
@@ -56,6 +57,7 @@ Philip M. Gollucci
 Redmar Kerkhoff
 remi
 Robin Bowes
+Ryan Schwartz
 Ryo Onodera
 Saimon Moore
 Sam Pohlenz

data/NEWS

@@ -1,3 +1,18 @@
+Release 4.0.8
+-------------
+
+ * Fixed a problem with graceful web server restarts. When you gracefully
+   restart the web server, it would cause Phusion Passenger internal sockets
+   to be deleted, thus causing Phusion Passenger to go down. This problem
+   was introduced in 4.0.6 during the attempt to fix issue #910.
+ * The PassengerRestartDir/passenger_restart_dir now accepts relative
+   filenames again, just like in Phusion Passenger 3.x. Patch
+   contributed by Ryan Schwartz.
+ * Documentation updates contributed by Gokulnath Manakkattil.
+ * [Enterprise] Fixed a license key checking issue on some operating systems,
+   such as CentOS 6.
+
+
 Release 4.0.7
 -------------
 

data/build/agents.rb

@@ -112,6 +112,7 @@ logging_agent_libs = COMMON_LIBRARY.only(:base, :logging_agent, 'AgentsBase.o',
 	'Utils/Base64.o', 'Utils/MD5.o')
 dependencies = [
 	'ext/common/agents/LoggingAgent/Main.cpp',
+	'ext/common/agents/LoggingAgent/AdminController.h',
 	'ext/common/agents/LoggingAgent/LoggingServer.h',
 	'ext/common/agents/LoggingAgent/RemoteSender.h',
 	'ext/common/agents/LoggingAgent/DataStoreId.h',

data/build/misc.rb

@@ -166,6 +166,8 @@ task :contributors do
 	entries.push "Ninh Bui (Phusion)"
 	entries.delete "Tinco Andringa"
 	entries.push "Tinco Andringa (Phusion)"
+	entries.delete "Gokulnath"
+	entries.push "Gokulnath Manakkattil"
 	File.open("CONTRIBUTORS", "w") do |f|
 		f.puts(entries.sort{ |a, b| a.downcase <=> b.downcase }.join("\n"))
 	end

data/doc/Users guide Nginx.html

@@ -2886,6 +2886,7 @@ In an <em>if</em> configuration scope.
         # The web app under www.bar.com/blog will use JRuby 1.7.1
         passenger_base_uri /blog;
         location /blog {
+            passenger_enabled on;
             passenger_ruby /usr/local/rvm/wrappers/jruby-1.7.1/ruby;
         }
     }

data/doc/Users guide Nginx.txt

@@ -510,6 +510,7 @@ http {
         # The web app under www.bar.com/blog will use JRuby 1.7.1
         passenger_base_uri /blog;
         location /blog {
+            passenger_enabled on;
             passenger_ruby /usr/local/rvm/wrappers/jruby-1.7.1/ruby;
         }
     }

data/ext/apache2/Hooks.cpp

@@ -278,7 +278,8 @@ private:
 				
 				if (!connected) {
 					UPDATE_TRACE_POINT();
-					throw IOException("Cannot connect to the helper agent");
+					throw IOException("Cannot connect to the helper agent at " +
+						agentsStarter.getRequestSocketFilename());
 				}
 			} else {
 				throw;

data/ext/common/Account.h

@@ -62,16 +62,12 @@ public:
 		ALL                       = ~0,
 		NONE                      = 0,
 		
-		// ApplicationPool2::Server rights.
-		GET                       = 1 << 0,
-		CLEAR                     = 1 << 1,
-		DETACH                    = 1 << 2,
-		GET_PARAMETERS            = 1 << 3,
-		SET_PARAMETERS            = 1 << 4,
-		INSPECT_BASIC_INFO        = 1 << 5,
-		INSPECT_SENSITIVE_INFO    = 1 << 6,
-		//INSPECT_BACKEND_ADDRESSES = 1 << 6,
-		//INSPECT_DETACH_KEYS       = 1 << 7,
+		// HelperAgent ApplicationPool rights.
+		CLEAR                     = 1 << 0,
+		DETACH                    = 1 << 1,
+		SET_PARAMETERS            = 1 << 2,
+		INSPECT_BASIC_INFO        = 1 << 3,
+		INSPECT_SENSITIVE_INFO    = 1 << 4,
 		
 		// HelperAgent admin rights.
 		INSPECT_REQUESTS          = 1 << 8,
@@ -103,14 +99,10 @@ public:
 			} else if (*it == "none") {
 				result = NONE;
 			
-			} else if (*it == "get") {
-				result |= GET;
 			} else if (*it == "clear") {
 				result |= CLEAR;
 			} else if (*it == "detach") {
 				result |= DETACH;
-			} else if (*it == "get_parameters") {
-				result |= GET_PARAMETERS;
 			} else if (*it == "set_parameters") {
 				result |= SET_PARAMETERS;
 			} else if (*it == "inspect_basic_info") {
@@ -118,6 +110,8 @@ public:
 			} else if (*it == "inspect_sensitive_info") {
 				result |= INSPECT_SENSITIVE_INFO;
 			
+			} else if (*it == "inspect_requests") {
+				result |= INSPECT_REQUESTS;
 			} else if (*it == "inspect_backtraces") {
 				result |= INSPECT_BACKTRACES;
 				

data/ext/common/AccountsDatabase.h

@@ -51,10 +51,6 @@ private:
 	unsigned int uniqueNumber;
 	
 public:
-	static AccountsDatabasePtr createDefault(const ServerInstanceDir::GenerationPtr &generation,
-	                                         bool userSwitching, const string &defaultUser,
-	                                         const string &defaultGroup);
-	
 	AccountsDatabase() {
 		uniqueNumber = 0;
 	}

data/ext/common/ApplicationPool2/Implementation.cpp

@@ -339,9 +339,12 @@ Group::Group(const SuperGroupPtr &_superGroup, const Options &options, const Com
 	if (options.restartDir.empty()) {
 		restartFile = options.appRoot + "/tmp/restart.txt";
 		alwaysRestartFile = options.appRoot + "/always_restart.txt";
-	} else {
+	} else if (options.restartDir[0] == '/') {
 		restartFile = options.restartDir + "/restart.txt";
 		alwaysRestartFile = options.restartDir + "/always_restart.txt";
+	} else {
+		restartFile = options.appRoot + "/" + options.restartDir + "/restart.txt";
+		alwaysRestartFile = options.appRoot + "/" + options.restartDir + "/always_restart.txt";
 	}
 	resetOptions(options);
 

data/ext/common/Constants.h

@@ -70,7 +70,7 @@
 
 	#define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"
 
-	#define PASSENGER_VERSION "4.0.7"
+	#define PASSENGER_VERSION "4.0.8"
 
 	#define SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION 1
 

data/ext/common/MessageServer.h

@@ -205,9 +205,18 @@ public:
 				writeArrayMessage(fd, "SecurityException", "Insufficient rights to execute this command.", NULL);
 				throw SecurityException("Insufficient rights to execute this command.");
 			} else {
-				writeArrayMessage(fd, "Passed security", NULL);
+				passSecurity();
 			}
 		}
+
+		/** Announce to the client that it has passed the security checks.
+		 *
+		 * @throws SystemException Something went wrong while communicating with the client.
+		 * @throws boost::thread_interrupted
+		 */
+		void passSecurity() {
+			writeArrayMessage(fd, "Passed security", NULL);
+		}
 	};
 	
 	/**
@@ -218,6 +227,26 @@ public:
 	 * client is closed.
 	 */
 	class Handler {
+	protected:
+		/** Utility function for checking whether the command name equals `command`,
+		 * and whether it has exactly `nargs` arguments (excluding command name).
+		 */
+		bool isCommand(const vector<string> &args, const string &command,
+			unsigned int nargs = 0) const
+		{
+			return args.size() == nargs + 1 && args[0] == command;
+		}
+
+		/** Utility function for checking whether the command name equals `command`,
+		 * and whether it has at least `minargs` and at most `maxargs` arguments
+		 * (excluding command name), inclusive.
+		 */
+		bool isCommand(const vector<string> &args, const string &command,
+			unsigned int minargs, unsigned int maxargs) const
+		{
+			return args.size() >= minargs + 1 && args.size() <= maxargs + 1 && args[0] == command;
+		}
+
 	public:
 		virtual ~Handler() { }
 		

data/ext/common/ResourceLocator.h

@@ -25,6 +25,7 @@
 #ifndef _PASSENGER_RESOURCE_LOCATOR_H_
 #define _PASSENGER_RESOURCE_LOCATOR_H_
 
+#include <boost/shared_ptr.hpp>
 #include <string>
 #include <Exceptions.h>
 #include <Utils.h>
@@ -32,6 +33,7 @@
 
 namespace Passenger {
 
+using namespace std;
 using namespace boost;
 
 
@@ -108,6 +110,8 @@ public:
 	}
 };
 
+typedef shared_ptr<ResourceLocator> ResourceLocatorPtr;
+
 
 }
 

data/ext/common/ServerInstanceDir.h

@@ -40,6 +40,7 @@
 #include <string>
 
 #include <Constants.h>
+#include <Logging.h>
 #include <Exceptions.h>
 #include <Utils.h>
 #include <Utils/StrIntUtils.h>
@@ -49,6 +50,15 @@ namespace Passenger {
 using namespace std;
 using namespace boost;
 
+/* TODO: I think we should move away from generation dirs in the future.
+ * That way we can become immune to existing-directory-in-tmp denial of
+ * service attacks. To achieve the same functionality as we do now, each
+ * server instance directory is tagged with the control process's PID
+ * and a creation timestamp. passenger-status should treat the server instance
+ * directory with the most recent creation timestamp as the one to query.
+ * For now, the current code does not lead to an exploit.
+ */
+
 class ServerInstanceDir: public noncopyable {
 public:
 	class Generation: public noncopyable {
@@ -221,8 +231,7 @@ private:
 				createDirectory(path);
 				break;
 			case FT_DIRECTORY:
-				removeDirTree(path);
-				createDirectory(path);
+				verifyDirectoryPermissions(path);
 				break;
 			default:
 				throw RuntimeException("'" + path + "' already exists, and is not a directory");
@@ -242,6 +251,43 @@ private:
 			throw FileSystemException("Cannot create server instance directory '" +
 				path + "'", e, path);
 		}
+		// verifyDirectoryPermissions() checks for the owner/group so we must make
+		// sure the server instance directory has that owner/group, even when the
+		// parent directory has setgid on.
+		if (chown(path.c_str(), geteuid(), getegid()) == -1) {
+			int e = errno;
+			throw FileSystemException("Cannot change the permissions of the server "
+				"instance directory '" + path + "'", e, path);
+		}
+	}
+
+	/**
+	 * When reusing an existing server instance directory, check permissions
+	 * so that an attacker cannot pre-create a directory with too liberal
+	 * permissions.
+	 */
+	void verifyDirectoryPermissions(const string &path) {
+		TRACE_POINT();
+		struct stat buf;
+
+		if (stat(path.c_str(), &buf) == -1) {
+			int e = errno;
+			throw FileSystemException("Cannot stat() " + path, e, path);
+		} else if (buf.st_mode != (S_IFDIR | parseModeString("u=rwx,g=rx,o=rx"))) {
+			throw RuntimeException("Tried to reuse existing server instance directory " +
+				path + ", but it has wrong permissions");
+		} else if (buf.st_uid != geteuid() || buf.st_gid != getegid()) {
+			/* The server instance directory is always created by the Watchdog. Its UID/GID never
+			 * changes because:
+			 * 1. Disabling user switching only lowers the privilege of the HelperAgent.
+			 * 2. For the UID/GID to change, the web server must be completely restarted
+			 *    (not just graceful reload) so that the control process can change its UID/GID.
+			 *    This causes the PID to change, so that an entirely new server instance
+			 *    directory is created.
+			 */
+			throw RuntimeException("Tried to reuse existing server instance directory " +
+				path + ", but it has wrong owner and group");
+		}
 	}
 	
 	bool isDirectory(const string &dir, struct dirent *entry) const {

data/ext/common/agents/HelperAgent/Main.cpp

@@ -181,17 +181,17 @@ public:
 	{
 		SpecificContext *specificContext = (SpecificContext *) _specificContext.get();
 		try {
-			if (args[0] == "detach_process" && args.size() == 2) {
+			if (isCommand(args, "detach_process", 1)) {
 				processDetachProcess(commonContext, specificContext, args);
-			} else if (args[0] == "detach_process_by_key" && args.size() == 2) {
+			} else if (isCommand(args, "detach_process_by_key", 1)) {
 				processDetachProcessByKey(commonContext, specificContext, args);
 			} else if (args[0] == "inspect") {
 				return processInspect(commonContext, specificContext, args);
-			} else if (args[0] == "toXml" && args.size() == 2) {
+			} else if (isCommand(args, "toXml", 1)) {
 				processToXml(commonContext, specificContext, args);
-			} else if (args[0] == "backtraces") {
+			} else if (isCommand(args, "backtraces", 0)) {
 				processBacktraces(commonContext, specificContext, args);
-			} else if (args[0] == "requests") {
+			} else if (isCommand(args, "requests", 0)) {
 				processRequests(commonContext, specificContext, args);
 			} else {
 				return false;

data/ext/common/agents/LoggingAgent/AdminController.h

@@ -44,26 +44,25 @@ private:
 	
 	typedef MessageServer::CommonClientContext CommonClientContext;
 	
-	const LoggingServer *server;
+	LoggingServerPtr server;
 	
 	
 	/*********************************************
 	 * Message handler methods
 	 *********************************************/
 	
-	void processStatus(CommonClientContext &commonContext, SpecificContext *specificContext, const vector<string> &args) {
+	void processStatus(CommonClientContext &commonContext, SpecificContext *specificContext,
+		const vector<string> &args)
+	{
 		TRACE_POINT();
+		commonContext.passSecurity();
 		stringstream stream;
 		server->dump(stream);
 		writeScalarMessage(commonContext.fd, stream.str());
 	}
 	
-	bool isCommand(const vector<string> &args, const string &command, unsigned int nargs = 0) const {
-		return args.size() == nargs + 1 && args[0] == command;
-	}
-	
 public:
-	AdminController(const LoggingServer *server) {
+	AdminController(const LoggingServerPtr &server) {
 		this->server = server;
 	}
 	
@@ -76,10 +75,16 @@ public:
 	                            const vector<string> &args)
 	{
 		SpecificContext *specificContext = (SpecificContext *) _specificContext.get();
-		if (isCommand(args, "status", 0)) {
-			processStatus(commonContext, specificContext, args);
-		} else {
-			return false;
+		try {
+			if (isCommand(args, "status", 0)) {
+				processStatus(commonContext, specificContext, args);
+			} else {
+				return false;
+			}
+		} catch (const SecurityException &) {
+			/* Client does not have enough rights to perform a certain action.
+			 * It has already been notified of this; ignore exception and move on.
+			 */
 		}
 		return true;
 	}

data/ext/common/agents/LoggingAgent/LoggingServer.h

@@ -1098,7 +1098,7 @@ public:
 	LoggingServer(struct ev_loop *loop,
 		FileDescriptor fd,
 		const AccountsDatabasePtr &accountsDatabase,
-		const VariantMap &options = VariantMap()/**/)
+		const VariantMap &options = VariantMap())
 		: EventedMessageServer(loop, fd, accountsDatabase),
 		  remoteSender(
 		      options.get("union_station_gateway_address", false, DEFAULT_UNION_STATION_GATEWAY_ADDRESS),

data/ext/common/agents/LoggingAgent/Main.cpp

@@ -55,33 +55,128 @@ using namespace oxt;
 using namespace Passenger;
 
 
-static struct ev_loop *eventLoop;
-static LoggingServer *loggingServer;
-static int exitCode = 0;
+/***** Agent options *****/
+
+static VariantMap agentsOptions;
+static string passengerRoot;
+static string socketAddress;
+static string adminSocketAddress;
+static string password;
+static string username;
+static string groupname;
+static string adminToolStatusPassword;
+
+/***** Constants and working objects *****/
 
 static const int MESSAGE_SERVER_THREAD_STACK_SIZE = 128 * 1024;
 
+struct WorkingObjects {
+	ResourceLocatorPtr resourceLocator;
+	FileDescriptor serverSocketFd;
+	AccountsDatabasePtr adminAccountsDatabase;
+	MessageServerPtr adminServer;
+	shared_ptr<oxt::thread> adminServerThread;
+	AccountsDatabasePtr accountsDatabase;
+	LoggingServerPtr loggingServer;
 
-static struct ev_loop *
-createEventLoop() {
-	struct ev_loop *loop;
-	
-	// libev doesn't like choosing epoll and kqueue because the author thinks they're broken,
-	// so let's try to force it.
-	loop = ev_default_loop(EVBACKEND_EPOLL);
-	if (loop == NULL) {
-		loop = ev_default_loop(EVBACKEND_KQUEUE);
+	~WorkingObjects() {
+		// Stop thread before destroying anything else.
+		if (adminServerThread != NULL) {
+			adminServerThread->interrupt_and_join();
+		}
 	}
-	if (loop == NULL) {
-		loop = ev_default_loop(0);
+};
+
+static struct ev_loop *eventLoop = NULL;
+static LoggingServer *loggingServer = NULL;
+static int exitCode = 0;
+
+
+/***** Functions *****/
+
+void
+feedbackFdBecameReadable(ev::io &watcher, int revents) {
+	/* This event indicates that the watchdog has been killed.
+	 * In this case we'll kill all descendant
+	 * processes and exit. There's no point in keeping this agent
+	 * running because we can't detect when the web server exits,
+	 * and because this agent doesn't own the server instance
+	 * directory. As soon as passenger-status is run, the server
+	 * instance directory will be cleaned up, making this agent's
+	 * services inaccessible.
+	 */
+	syscalls::killpg(getpgrp(), SIGKILL);
+	_exit(2); // In case killpg() fails.
+}
+
+static string
+myself() {
+	struct passwd *entry = getpwuid(geteuid());
+	if (entry != NULL) {
+		return entry->pw_name;
+	} else {
+		throw NonExistentUserException(string("The current user, UID ") +
+			toString(geteuid()) + ", doesn't have a corresponding " +
+			"entry in the system's user database. Please fix your " +
+			"system's user database first.");
 	}
-	if (loop == NULL) {
-		throw RuntimeException("Cannot create an event loop");
+}
+
+static void
+initializeBareEssentials(int argc, char *argv[]) {
+	agentsOptions = initializeAgent(argc, argv, "PassengerLoggingAgent");
+	curl_global_init(CURL_GLOBAL_ALL);
+}
+
+static string
+findUnionStationGatewayCert(const ResourceLocator &locator,
+	const string &cert)
+{
+	if (cert.empty()) {
+		return locator.getResourcesDir() + "/union_station_gateway.crt";
+	} else if (cert != "-") {
+		return cert;
 	} else {
-		return loop;
+		return "";
 	}
 }
 
+static void
+initializeOptions(WorkingObjects &wo) {
+	passengerRoot      = agentsOptions.get("passenger_root");
+	socketAddress      = agentsOptions.get("logging_agent_address");
+	adminSocketAddress = agentsOptions.get("logging_agent_admin_address");
+	password           = agentsOptions.get("logging_agent_password");
+	username           = agentsOptions.get("analytics_log_user", false, myself());
+	groupname          = agentsOptions.get("analytics_log_group", false);
+	adminToolStatusPassword = agentsOptions.get("admin_tool_status_password");
+
+	wo.resourceLocator = make_shared<ResourceLocator>(passengerRoot);
+	agentsOptions.set("union_station_gateway_cert", findUnionStationGatewayCert(
+		*wo.resourceLocator, agentsOptions.get("union_station_gateway_cert", false)));
+}
+
+static void
+initializePrivilegedWorkingObjects(WorkingObjects &wo) {
+	wo.serverSocketFd = createServer(socketAddress.c_str());
+	if (getSocketAddressType(socketAddress) == SAT_UNIX) {
+		int ret;
+
+		do {
+			ret = chmod(parseUnixSocketAddress(socketAddress).c_str(),
+				S_ISVTX |
+				S_IRUSR | S_IWUSR | S_IXUSR |
+				S_IRGRP | S_IWGRP | S_IXGRP |
+				S_IROTH | S_IWOTH | S_IXOTH);
+		} while (ret == -1 && errno == EINTR);
+	}
+
+	wo.adminAccountsDatabase = make_shared<AccountsDatabase>();	
+	wo.adminAccountsDatabase->add("_passenger-status", adminToolStatusPassword, false);
+	wo.adminServer = make_shared<MessageServer>(parseUnixSocketAddress(adminSocketAddress),
+		wo.adminAccountsDatabase);
+}
+
 static void
 lowerPrivilege(const string &username, const struct passwd *user, const struct group *group) {
 	int e;
@@ -108,24 +203,99 @@ lowerPrivilege(const string &username, const struct passwd *user, const struct g
 	}
 }
 
-void
-feedbackFdBecameReadable(ev::io &watcher, int revents) {
-	/* This event indicates that the watchdog has been killed.
-	 * In this case we'll kill all descendant
-	 * processes and exit. There's no point in keeping this agent
-	 * running because we can't detect when the web server exits,
-	 * and because this agent doesn't own the server instance
-	 * directory. As soon as passenger-status is run, the server
-	 * instance directory will be cleaned up, making this agent's
-	 * services inaccessible.
-	 */
-	syscalls::killpg(getpgrp(), SIGKILL);
-	_exit(2); // In case killpg() fails.
+static void
+maybeLowerPrivilege() {
+	struct passwd *user;
+	struct group  *group;
+
+	/* Sanity check user accounts. */
+		
+	user = getpwnam(username.c_str());
+	if (user == NULL) {
+		throw NonExistentUserException(string("The configuration option ") +
+			"'PassengerAnalyticsLogUser' (Apache) or " +
+			"'passenger_analytics_log_user' (Nginx) was set to '" +
+			username + "', but this user doesn't exist. Please fix " +
+			"the configuration option.");
+	}
+	
+	if (groupname.empty()) {
+		group = getgrgid(user->pw_gid);
+		if (group == NULL) {
+			throw NonExistentGroupException(string("The configuration option ") +
+				"'PassengerAnalyticsLogGroup' (Apache) or " +
+				"'passenger_analytics_log_group' (Nginx) wasn't set, " +
+				"so PassengerLoggingAgent tried to use the default group " +
+				"for user '" + username + "' - which is GID #" +
+				toString(user->pw_gid) + " - as the group for the analytics " +
+				"log dir, but this GID doesn't exist. " +
+				"You can solve this problem by explicitly " +
+				"setting PassengerAnalyticsLogGroup (Apache) or " +
+				"passenger_analytics_log_group (Nginx) to a group that " +
+				"does exist. In any case, it looks like your system's user " +
+				"database is broken; Phusion Passenger can work fine even " +
+				"with this broken user database, but you should still fix it.");
+		} else {
+			groupname = group->gr_name;
+		}
+	} else {
+		group = getgrnam(groupname.c_str());
+		if (group == NULL) {
+			throw NonExistentGroupException(string("The configuration option ") +
+				"'PassengerAnalyticsLogGroup' (Apache) or " +
+				"'passenger_analytics_log_group' (Nginx) was set to '" +
+				groupname + "', but this group doesn't exist. Please fix " +
+				"the configuration option.");
+		}
+	}
+
+	/* Now's a good time to lower the privilege. */
+	if (geteuid() == 0) {
+		lowerPrivilege(username, user, group);
+	}
+}
+
+static struct ev_loop *
+createEventLoop() {
+	struct ev_loop *loop;
+	
+	// libev doesn't like choosing epoll and kqueue because the author thinks they're broken,
+	// so let's try to force it.
+	loop = ev_default_loop(EVBACKEND_EPOLL);
+	if (loop == NULL) {
+		loop = ev_default_loop(EVBACKEND_KQUEUE);
+	}
+	if (loop == NULL) {
+		loop = ev_default_loop(0);
+	}
+	if (loop == NULL) {
+		throw RuntimeException("Cannot create an event loop");
+	} else {
+		return loop;
+	}
+}
+
+static void
+initializeUnprivilegedWorkingObjects(WorkingObjects &wo) {
+	eventLoop = createEventLoop();
+	wo.accountsDatabase = make_shared<AccountsDatabase>();
+	wo.accountsDatabase->add("logging", password, false);
+
+	wo.loggingServer = make_shared<LoggingServer>(eventLoop, wo.serverSocketFd,
+		wo.accountsDatabase, agentsOptions);
+	loggingServer = wo.loggingServer.get();
+
+	wo.adminServer->addHandler(make_shared<AdminController>(wo.loggingServer));
+	function<void ()> adminServerFunc = boost::bind(&MessageServer::mainLoop, wo.adminServer.get());
+	wo.adminServerThread = make_shared<oxt::thread>(
+		boost::bind(runAndPrintExceptions, adminServerFunc, true),
+		"AdminServer thread", MESSAGE_SERVER_THREAD_STACK_SIZE
+	);
 }
 
 void
 caughtExitSignal(ev::sig &watcher, int revents) {
-	P_DEBUG("Caught signal, exiting...");
+	P_INFO("Caught signal, exiting...");
 	ev_break(eventLoop, EVBREAK_ONE);
 	/* We only consider the "exit" command to be a graceful way to shut down
 	 * the logging agent, so upon receiving an exit signal we want to return
@@ -143,162 +313,43 @@ printInfo(ev::sig &watcher, int revents) {
 	cerr << "---------- End LoggingAgent status   ----------\n";
 }
 
-static string
-myself() {
-	struct passwd *entry = getpwuid(geteuid());
-	if (entry != NULL) {
-		return entry->pw_name;
-	} else {
-		throw NonExistentUserException(string("The current user, UID ") +
-			toString(geteuid()) + ", doesn't have a corresponding " +
-			"entry in the system's user database. Please fix your " +
-			"system's user database first.");
-	}
-}
-
-static string
-findUnionStationGatewayCert(const ResourceLocator &locator,
-	const string &cert)
-{
-	if (cert.empty()) {
-		return locator.getResourcesDir() + "/union_station_gateway.crt";
-	} else if (cert != "-") {
-		return cert;
-	} else {
-		return "";
+static void
+runMainLoop(WorkingObjects &wo) {
+	ev::io feedbackFdWatcher(eventLoop);
+	ev::sig sigintWatcher(eventLoop);
+	ev::sig sigtermWatcher(eventLoop);
+	ev::sig sigquitWatcher(eventLoop);
+	
+	sigintWatcher.set<&caughtExitSignal>();
+	sigintWatcher.start(SIGINT);
+	sigtermWatcher.set<&caughtExitSignal>();
+	sigtermWatcher.start(SIGTERM);
+	sigquitWatcher.set<&printInfo>();
+	sigquitWatcher.start(SIGQUIT);
+	
+	P_WARN("PassengerLoggingAgent online, listening at " << socketAddress);
+	if (feedbackFdAvailable()) {
+		feedbackFdWatcher.set<&feedbackFdBecameReadable>();
+		feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
+		writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
 	}
+	ev_run(eventLoop, 0);
 }
 
 int
 main(int argc, char *argv[]) {
-	VariantMap options        = initializeAgent(argc, argv, "PassengerLoggingAgent");
-	string passengerRoot      = options.get("passenger_root");
-	string socketAddress      = options.get("logging_agent_address");
-	string adminSocketAddress = options.get("logging_agent_admin_address");
-	string password           = options.get("logging_agent_password");
-	string username           = options.get("analytics_log_user", false, myself());
-	string groupname          = options.get("analytics_log_group", false);
-	string adminToolStatusPassword = options.get("admin_tool_status_password");
-	
-	curl_global_init(CURL_GLOBAL_ALL);
-	
+	initializeBareEssentials(argc, argv);
+	P_DEBUG("Starting PassengerLoggingAgent...");
+
 	try {
-		/********** Now begins the real initialization **********/
-		
-		/* Create all the necessary objects and sockets... */
-		ResourceLocator      resourceLocator(passengerRoot);
-		AccountsDatabasePtr  accountsDatabase, adminAccountsDatabase;
-		FileDescriptor       serverSocketFd;
-		struct passwd       *user;
-		struct group        *group;
-		int                  ret;
-
-		options.set("union_station_gateway_cert", findUnionStationGatewayCert(
-			resourceLocator, options.get("union_station_gateway_cert", false)));
-		
-		eventLoop = createEventLoop();
-		accountsDatabase = make_shared<AccountsDatabase>();
-		adminAccountsDatabase = make_shared<AccountsDatabase>();
-		serverSocketFd = createServer(socketAddress.c_str());
-		if (getSocketAddressType(socketAddress) == SAT_UNIX) {
-			do {
-				ret = chmod(parseUnixSocketAddress(socketAddress).c_str(),
-					S_ISVTX |
-					S_IRUSR | S_IWUSR | S_IXUSR |
-					S_IRGRP | S_IWGRP | S_IXGRP |
-					S_IROTH | S_IWOTH | S_IXOTH);
-			} while (ret == -1 && errno == EINTR);
-		}
-		
-		/* Sanity check user accounts. */
-		
-		user = getpwnam(username.c_str());
-		if (user == NULL) {
-			throw NonExistentUserException(string("The configuration option ") +
-				"'PassengerAnalyticsLogUser' (Apache) or " +
-				"'passenger_analytics_log_user' (Nginx) was set to '" +
-				username + "', but this user doesn't exist. Please fix " +
-				"the configuration option.");
-		}
-		
-		if (groupname.empty()) {
-			group = getgrgid(user->pw_gid);
-			if (group == NULL) {
-				throw NonExistentGroupException(string("The configuration option ") +
-					"'PassengerAnalyticsLogGroup' (Apache) or " +
-					"'passenger_analytics_log_group' (Nginx) wasn't set, " +
-					"so PassengerLoggingAgent tried to use the default group " +
-					"for user '" + username + "' - which is GID #" +
-					toString(user->pw_gid) + " - as the group for the analytics " +
-					"log dir, but this GID doesn't exist. " +
-					"You can solve this problem by explicitly " +
-					"setting PassengerAnalyticsLogGroup (Apache) or " +
-					"passenger_analytics_log_group (Nginx) to a group that " +
-					"does exist. In any case, it looks like your system's user " +
-					"database is broken; Phusion Passenger can work fine even " +
-					"with this broken user database, but you should still fix it.");
-			} else {
-				groupname = group->gr_name;
-			}
-		} else {
-			group = getgrnam(groupname.c_str());
-			if (group == NULL) {
-				throw NonExistentGroupException(string("The configuration option ") +
-					"'PassengerAnalyticsLogGroup' (Apache) or " +
-					"'passenger_analytics_log_group' (Nginx) was set to '" +
-					groupname + "', but this group doesn't exist. Please fix " +
-					"the configuration option.");
-			}
-		}
+		TRACE_POINT();
+		WorkingObjects wo;
 
-		/* Setup the admin server right before lowering privilege. */
-		adminAccountsDatabase->add("_passenger-status", adminToolStatusPassword, false);
-		MessageServer adminServer(parseUnixSocketAddress(adminSocketAddress),
-			adminAccountsDatabase);
-		
-		/* Now's a good time to lower the privilege. */
-		if (geteuid() == 0) {
-			lowerPrivilege(username, user, group);
-		}
-		
-		/* Now setup the actual logging server. */
-		accountsDatabase->add("logging", password, false);
-		LoggingServer server(eventLoop, serverSocketFd,
-			accountsDatabase, options);
-		loggingServer = &server;
-
-		/* Continue setting up the admin server. */
-		adminServer.addHandler(make_shared<AdminController>(&server));
-		function<void ()> adminServerFunc = boost::bind(&MessageServer::mainLoop, &adminServer);
-		oxt::thread adminServerThread(
-			boost::bind(runAndPrintExceptions, adminServerFunc, true),
-			"AdminServer thread", MESSAGE_SERVER_THREAD_STACK_SIZE
-		);
-		
-		
-		ev::io feedbackFdWatcher(eventLoop);
-		ev::sig sigintWatcher(eventLoop);
-		ev::sig sigtermWatcher(eventLoop);
-		ev::sig sigquitWatcher(eventLoop);
-		
-		if (feedbackFdAvailable()) {
-			feedbackFdWatcher.set<&feedbackFdBecameReadable>();
-			feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
-			writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
-		}
-		sigintWatcher.set<&caughtExitSignal>();
-		sigintWatcher.start(SIGINT);
-		sigtermWatcher.set<&caughtExitSignal>();
-		sigtermWatcher.start(SIGTERM);
-		sigquitWatcher.set<&printInfo>();
-		sigquitWatcher.start(SIGQUIT);
-		
-		
-		/********** Initialized! Enter main loop... **********/
-		
-		P_WARN("PassengerLoggingAgent online, listening at " << socketAddress);
-		ev_run(eventLoop, 0);
-		adminServerThread.interrupt_and_join();
+		initializeOptions(wo);
+		initializePrivilegedWorkingObjects(wo);
+		maybeLowerPrivilege();
+		initializeUnprivilegedWorkingObjects(wo);
+		runMainLoop(wo);
 		P_DEBUG("Logging agent exiting with code " << exitCode << ".");
 		return exitCode;
 	} catch (const tracable_exception &e) {

data/lib/phusion_passenger.rb

@@ -30,7 +30,7 @@ module PhusionPassenger
 	
 	PACKAGE_NAME = 'passenger'
 	# Run 'rake ext/common/Constants.h' after changing this number.
-	VERSION_STRING = '4.0.7'
+	VERSION_STRING = '4.0.8'
 	
 	PREFERRED_NGINX_VERSION = '1.4.1'
 	NGINX_SHA256_CHECKSUM = 'bca5d1e89751ba29406185e1736c390412603a7e6b604f5b4575281f6565d119'

data/lib/phusion_passenger/common_library.rb

@@ -394,15 +394,6 @@ COMMON_LIBRARY = CommonLibraryBuilder.new do
 			Utils/StrIntUtils.h
 			Utils/CachedFileStat.h
 		)
-	define_component 'AccountsDatabase.o',
-		:source   => 'AccountsDatabase.cpp',
-		:category => :other,
-		:deps     => %w(
-			AccountsDatabase.h
-			RandomGenerator.h
-			Constants.h
-			Utils.h
-		)
 	define_component 'AgentsStarter.o',
 		:source   => 'AgentsStarter.cpp',
 		:category => :other,

data/lib/phusion_passenger/message_client.rb

@@ -131,6 +131,7 @@ class MessageClient
 	
 	def logging_agent_status
 		write("status")
+		check_security_response
 		return read_scalar
 	end
 	

data/lib/phusion_passenger/preloader_shared_helpers.rb

@@ -108,7 +108,10 @@ module PreloaderSharedHelpers
 		puts "!> "
 		
 		while true
-			ios = select([server, STDIN])[0]
+			# We call ::select just in case someone overwrites the global select()
+			# function by including ActionView::Helpers in the wrong place.
+			# https://code.google.com/p/phusion-passenger/issues/detail?id=915
+			ios = Kernel.select([server, STDIN])[0]
 			if ios.include?(server)
 				result, client = accept_and_process_next_client(server)
 				if result == :forked

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: passenger
 version: !ruby/object:Gem::Version
-  version: 4.0.7
+  version: 4.0.8
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-05 00:00:00.000000000 Z
+date: 2013-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -285,7 +285,6 @@ files:
 - helper-scripts/system-memory-stats.py
 - helper-scripts/wsgi-loader.py
 - helper-scripts/wsgi-preloader.py
-- ext/common/AccountsDatabase.cpp
 - ext/common/agents/Base.cpp
 - ext/common/agents/HelperAgent/Main.cpp
 - ext/common/agents/HelperAgent/RequestHandler.cpp

metadata.gz.asc

@@ -2,11 +2,11 @@
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 
-iQEcBAABAgAGBQJR1pxdAAoJECrHRaUKISqMiqwH/3LCgw5ztPSGL4tTd1bRtx3i
-jRu4rb7iHj45z8vbbNSebe981xBlxxcNGVEmRnENNVErYM4C0CMDyHH8xyDjOn7D
-9xYfBEhfZl3odLoI4eXoiWbkKxY+dKFr04ZCvC22EwTWiq89xT0Mxj46/tsbhG4H
-cU05PFmIlQX8bQQRAAdxqqMWCCBllwgYh05qmegSs/VYxsZbMiPisEunAsc+uRbF
-bC5T6Vjv4mvHxEKEXByc7bmP6nUnGHWHH8Vd1cdb+g5RxWKZOVFGnzzCWhAXKS1C
-fTcbZT0f2hG8ghcbHrEx4tB470IZ1DriocKPdGZRHqjZmsS/Kq8R/gS5FH+8tds=
-=Auh+
+iQEcBAABAgAGBQJR28iYAAoJECrHRaUKISqMQI4H/07+WJ2+hUyYOccJ6FxrH/7e
+59ofy0PbGFEctyrfH7+TilJixj+xzKqn9q75q7eBNX8bK8gGD8zX1AwvgILvUWby
+OU23wRacnuhYbJrRK6aeftCDNDsoLpLGvfYBr05aUE72q4lUGuoE7A9Yc+1JVJPN
+DEpwf5BhcF0MGCtTZtuujCMBpHP6Dc+i1Ty9vhNYI4lvZgRNEwwU5MDyjH0ZJeyL
+pK8+h7zhLL4ryS+h+g3HXRjEcvkth2ANaK/UhB74pWpnbqTqyMazpsSSK4XypHgh
+7ynPAf74eO8qfVZ1uPfwtm+53FXQIl5ix0MGg84osGJW3KUoyG1f5I1aUcAanZs=
+=dSK/
 -----END PGP SIGNATURE-----

data/ext/common/AccountsDatabase.cpp

@@ -1,81 +0,0 @@
-/*
- *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2010 Phusion
- *
- *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
- *
- *  Permission is hereby granted, free of charge, to any person obtaining a copy
- *  of this software and associated documentation files (the "Software"), to deal
- *  in the Software without restriction, including without limitation the rights
- *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- *  copies of the Software, and to permit persons to whom the Software is
- *  furnished to do so, subject to the following conditions:
- *
- *  The above copyright notice and this permission notice shall be included in
- *  all copies or substantial portions of the Software.
- *
- *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- *  THE SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <grp.h>
-#include "AccountsDatabase.h"
-#include "RandomGenerator.h"
-#include "Exceptions.h"
-#include "Constants.h"
-#include "Utils.h"
-
-namespace Passenger {
-
-AccountsDatabasePtr
-AccountsDatabase::createDefault(const ServerInstanceDir::GenerationPtr &generation,
-                                bool userSwitching, const string &defaultUser,
-                                const string &defaultGroup)
-{
-	AccountsDatabasePtr database(new AccountsDatabase());
-	struct passwd *defaultUserEntry;
-	struct group  *defaultGroupEntry;
-	uid_t defaultUid;
-	gid_t defaultGid;
-	RandomGenerator random;
-	string passengerStatusPassword = random.generateByteString(MESSAGE_SERVER_MAX_PASSWORD_SIZE);
-	
-	defaultUserEntry = getpwnam(defaultUser.c_str());
-	if (defaultUserEntry == NULL) {
-		throw NonExistentUserException("Default user '" + defaultUser +
-			"' does not exist.");
-	}
-	defaultUid = defaultUserEntry->pw_uid;
-	defaultGroupEntry = getgrnam(defaultGroup.c_str());
-	if (defaultGroupEntry == NULL) {
-		throw NonExistentGroupException("Default group '" + defaultGroup +
-			"' does not exist.");
-	}
-	defaultGid = defaultGroupEntry->gr_gid;
-	
-	// An account for the 'passenger-status' command. Its password is only readable by
-	// root, or (if user switching is turned off) only by the web server's user.
-	database->add("_passenger-status", passengerStatusPassword, false,
-		Account::INSPECT_BASIC_INFO | Account::INSPECT_SENSITIVE_INFO |
-		Account::INSPECT_BACKTRACES);
-	if (geteuid() == 0 && !userSwitching) {
-		createFile(generation->getPath() + "/passenger-status-password.txt",
-			passengerStatusPassword, S_IRUSR, defaultUid, defaultGid);
-	} else {
-		createFile(generation->getPath() + "/passenger-status-password.txt",
-			passengerStatusPassword, S_IRUSR | S_IWUSR);
-	}
-	
-	return database;
-}
-
-} // namespace Passenger