Posted to cvs@httpd.apache.org by co...@apache.org on 2005/09/19 16:57:16 UTC
svn commit: r290179 - in /httpd/httpd: branches/2.2.x/
branches/2.2.x/include/ branches/2.2.x/modules/generators/
branches/2.2.x/server/ branches/2.2.x/server/mpm/experimental/event/
branches/2.2.x/server/mpm/prefork/ branches/2.2.x/server/mpm/worker/ ...
Author: colm
Date: Mon Sep 19 07:57:07 2005
New Revision: 290179
URL: http://svn.apache.org/viewcvs?rev=290179&view=rev
Log:
Backport r239710, r239711, r239732, r239740 and r241815 to the 2.2.x branch;
Fix PR 28167, which means we stop listening on ports when we do a
graceful-restart.
Modified:
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/include/ap_listen.h
httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
httpd/httpd/branches/2.2.x/server/listen.c
httpd/httpd/branches/2.2.x/server/mpm/experimental/event/event.c
httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c
httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c
httpd/httpd/trunk/CHANGES
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Sep 19 07:57:07 2005
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.1.8
+ *) prefork, worker and event MPMs: Prevent children from holding open
+ listening ports upon graceful restart or stop. PR 28167.
+ [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
+
*) SECURITY: CAN-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
Modified: httpd/httpd/branches/2.2.x/include/ap_listen.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/include/ap_listen.h?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/include/ap_listen.h (original)
+++ httpd/httpd/branches/2.2.x/include/ap_listen.h Mon Sep 19 07:57:07 2005
@@ -77,6 +77,11 @@
*/
AP_DECLARE(int) ap_setup_listeners(server_rec *s);
+/**
+ * Loop through the global ap_listen_rec list and close each of the sockets.
+ */
+AP_DECLARE_NONSTD(void) ap_close_listeners(void);
+
/* Although these functions are exported from libmain, they are not really
* public functions. These functions are actually called while parsing the
* config file, when one of the LISTEN_COMMANDS directives is read. These
Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c (original)
+++ httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c Mon Sep 19 07:57:07 2005
@@ -566,6 +566,9 @@
apr_signal(SIGCHLD, SIG_IGN);
apr_signal(SIGHUP, daemon_signal_handler);
+ /* Close our copy of the listening sockets */
+ ap_close_listeners();
+
/* cgid should use its own suexec doer */
ap_hook_get_suexec_identity(cgid_suexec_id_doer, NULL, NULL,
APR_HOOK_REALLY_FIRST);
Modified: httpd/httpd/branches/2.2.x/server/listen.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/listen.c?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/listen.c (original)
+++ httpd/httpd/branches/2.2.x/server/listen.c Mon Sep 19 07:57:07 2005
@@ -237,17 +237,10 @@
static apr_status_t close_listeners_on_exec(void *v)
{
- ap_listen_rec *lr;
-
- for (lr = ap_listeners; lr; lr = lr->next) {
- apr_socket_close(lr->sd);
- lr->active = 0;
- }
-
+ ap_close_listeners();
return APR_SUCCESS;
}
-
static const char *alloc_listener(process_rec *process, char *addr,
apr_port_t port, const char* proto)
{
@@ -566,6 +559,15 @@
}
return num_listeners;
+}
+
+AP_DECLARE_NONSTD(void) ap_close_listeners(void) {
+ ap_listen_rec *lr;
+
+ for (lr = ap_listeners; lr; lr = lr->next) {
+ apr_socket_close(lr->sd);
+ lr->active = 0;
+ }
}
AP_DECLARE(void) ap_listen_pre_config(void)
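Review bot: `ap_close_listeners()` closes every record unconditionally and drops the status returned by `apr_socket_close()`, yet this commit makes it reachable from several paths in the same process (the MPM shutdown code, the prefork signal handler and `close_listeners_on_exec`). If `apr_socket_close()` does not invalidate the descriptor on the first call, a repeat call could close an unrelated descriptor that has since reused the number. The loop already clears `lr->active`, so a guard such as `if (!lr->active) continue;` at the top of the loop body would make repeat calls a no-op. That assumes `active` is set only while the socket is open, which is not visible in this hunk.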
Modified: httpd/httpd/branches/2.2.x/server/mpm/experimental/event/event.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/mpm/experimental/event/event.c?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/mpm/experimental/event/event.c (original)
+++ httpd/httpd/branches/2.2.x/server/mpm/experimental/event/event.c Mon Sep 19 07:57:07 2005
@@ -1036,6 +1036,7 @@
} /* listener main loop */
+ ap_close_listeners();
ap_queue_term(worker_queue);
dying = 1;
ap_scoreboard_image->parent[process_slot].quiescing = 1;
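Review bot: The added `ap_close_listeners();` after the listener main loop carries no comment, unlike the call added in mod_cgid.c, and the same bare call is added in worker.c at `@@ -775,6 +775,7 @@`. Its placement before `ap_queue_term(worker_queue)` looks deliberate, so it should say so, for example `/* Stop accepting first: release the listening ports before draining the worker queue (PR 28167) */`. The enclosing function starts and ends outside the hunk, so whether any later cleanup closes the same sockets again cannot be checked from here.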
Modified: httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c (original)
+++ httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c Mon Sep 19 07:57:07 2005
@@ -328,6 +328,11 @@
clean_child_exit(0);
}
+static void stop_listening(int sig)
+{
+ ap_close_listeners();
+}
+
/* volatile just in case */
static int volatile shutdown_pending;
static int volatile restart_pending;
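Review bot: `stop_listening()` runs `ap_close_listeners()` directly in signal context, and the hunk at `@@ -712,10 +717,10 @@` installs it for AP_SIG_GRACEFUL in every child. That call walks the global `ap_listeners` list and calls `apr_socket_close()`, and nothing visible shows either to be async-signal-safe; the signal may also arrive while the child is using the same socket. Either document on the handler why this is safe, e.g. `/* Signal context: only closes the listening descriptors; child_main must tolerate errors on a closed listener */`, or have the handler set a `volatile sig_atomic_t` flag that the child loop acts on. The `sig` parameter is unused, and `child_main` is outside the hunk, so how it reacts to a closed listener is unverified.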
@@ -712,10 +717,10 @@
*/
apr_signal(SIGHUP, just_die);
apr_signal(SIGTERM, just_die);
- /* The child process doesn't do anything for AP_SIG_GRACEFUL.
- * Instead, the pod is used for signalling graceful restart.
+ /* The child process just closes listeners on AP_SIG_GRACEFUL.
+ * The pod is used for signalling graceful restart.
*/
- apr_signal(AP_SIG_GRACEFUL, SIG_IGN);
+ apr_signal(AP_SIG_GRACEFUL, stop_listening);
child_main(slot);
}
@@ -1093,6 +1098,7 @@
/* we've been told to restart */
apr_signal(SIGHUP, SIG_IGN);
+ apr_signal(AP_SIG_GRACEFUL, SIG_IGN);
if (one_process) {
/* not worth thinking about */
return 1;
@@ -1120,6 +1126,14 @@
for (index = 0; index < ap_daemons_limit; ++index) {
if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
ap_scoreboard_image->servers[index][0].status = SERVER_GRACEFUL;
+ /* Ask each child to close its listeners.
+ *
+ * NOTE: we use the scoreboard, because if we send SIGUSR1
+ * to every process in the group, this may include CGI's,
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
+ */
+ kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
}
}
}
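Review bot: The pid passed to `kill()` is read straight from `ap_scoreboard_image->parent[index].pid` with no validation, and the return value is dropped. The scoreboard is presumably shared memory that child processes can write, so a stale, zero or tampered entry would make the parent, which may still hold its startup privileges, signal the whole process group or an unrelated process, which is the case the new comment sets out to avoid. At minimum reject non-positive values: `pid_t pid = ap_scoreboard_image->parent[index].pid;` followed by `if (pid > 0 && kill(pid, AP_SIG_GRACEFUL) == -1) { /* log errno */ }`; checking the pid against the parent's own record of the children it forked would be stronger. The liveness test reads `servers[index][0].status` while the pid comes from `parent[index]`, so the two may disagree. The enclosing function starts outside the hunk.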
Modified: httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c (original)
+++ httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c Mon Sep 19 07:57:07 2005
@@ -775,6 +775,7 @@
}
}
+ ap_close_listeners();
ap_queue_term(worker_queue);
dying = 1;
ap_scoreboard_image->parent[process_slot].quiescing = 1;
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=290179&r1=290178&r2=290179&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Sep 19 07:57:07 2005
@@ -28,16 +28,16 @@
"GracefulShutdownTimeout" number of seconds before exiting.
[Colm MacCarthaigh, Ken Coar, Bill Stoddard]
- *) prefork, worker and event MPMs: Prevent children from holding open
- listening ports upon graceful restart or stop. PR 28167.
- [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
-
*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]
Changes with Apache 2.1.8
+
+ *) prefork, worker and event MPMs: Prevent children from holding open
+ listening ports upon graceful restart or stop. PR 28167.
+ [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
*) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
providers. Prevent problems when no Vhost containers were