Posted to cvs@httpd.apache.org by ji...@apache.org on 2008/09/18 20:42:18 UTC
svn commit: r696758 - in /httpd/httpd/branches/2.2.x: ./ CHANGES docs/
docs/manual/mod/mpm_common.xml include/ap_mmn.h os/unix/unixd.c
os/unix/unixd.h support/suexec.c
Author: jim
Date: Thu Sep 18 11:42:18 2008
New Revision: 696758
URL: http://svn.apache.org/viewvc?rev=696758&view=rev
Log:
Merge r611483, r639005, r639010 from trunk:
Support chroot on unix-family platforms
PR 43596 (Dimitar Pashev)
Document new ChrootDir directive (r611483)
mmn bump for chroot (r611483)
Submitted by: niq
Reviewed by: jim
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/docs/ (props changed)
httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml
httpd/httpd/branches/2.2.x/include/ap_mmn.h
httpd/httpd/branches/2.2.x/os/unix/unixd.c
httpd/httpd/branches/2.2.x/os/unix/unixd.h
httpd/httpd/branches/2.2.x/support/suexec.c (props changed)
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk:647395,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006
+/httpd/httpd/trunk:611483,639005,639010,647395,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Sep 18 11:42:18 2008
@@ -5,6 +5,9 @@
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
+ *) Support chroot on Unix-family platforms
+ PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
+
*) mod_ssl: implement dynamic mutex callbacks for the benefit of
OpenSSL. [Sander Temme]
Propchange: httpd/httpd/branches/2.2.x/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk/docs:647395,660461,660566,664330,675610,678761,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693392,693727-693728,696006
+/httpd/httpd/trunk/docs:611483,639005,639010,647395,660461,660566,664330,675610,678761,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693392,693727-693728,696006
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml Thu Sep 18 11:42:18 2008
@@ -964,4 +964,25 @@
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>ChrootDir</name>
+<description>Directory for apache to run chroot(8) after startup.</description>
+<syntax>ChrootDir <var>/path/to/directory</var></syntax>
+<default>none</default>
+<contextlist><context>server config</context></contextlist>
+<modulelist><module>event</module>
+<module>prefork</module><module>worker</module></modulelist>
+<compatibility>Available in Apache 2.2.10 and later</compatibility>
+
+<usage>
+ <p>This directive tells the server to <var>chroot(8)</var> to the
+ specified directory after startup, but before accepting requests.</p>
+
+ <p>Note that running the server under chroot is not
+ simple, and requires additional setup, particularly if you are running
+ scripts such as CGI or PHP. Please make sure you are properly familiar
+ with the operation of chroot before attempting to use this feature.</p>
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Thu Sep 18 11:42:18 2008
@@ -132,6 +132,7 @@
* proxy_worker struct.
* 20051115.17(2.2.10) Add scolonsep to proxy_balancer
*
+ * 20051115.18(2.2.10) Add chroot support to unixd_config
*/
#define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
@@ -139,7 +140,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20051115
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 17 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 18 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.c?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.c (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.c Thu Sep 18 11:42:18 2008
@@ -117,6 +117,30 @@
if (set_group_privs()) {
return -1;
}
+
+ if (NULL != unixd_config.chroot_dir) {
+ if (geteuid()) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Cannot chroot when not started as root");
+ return -1;
+ }
+ if (chdir(unixd_config.chroot_dir) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chdir to %s", unixd_config.chroot_dir);
+ return -1;
+ }
+ if (chroot(unixd_config.chroot_dir) != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chroot to %s", unixd_config.chroot_dir);
+ return -1;
+ }
+ if (chdir("/") != 0) {
+ ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+ "Can't chdir to new root");
+ return -1;
+ }
+ }
+
#ifdef MPE
/* Only try to switch if we're running as MANAGER.SYS */
if (geteuid() == 1 && unixd_config.user_id > 1) {
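Review bot: The geteuid() branch at the top of the new chroot block passes `errno` to ap_log_error(), but geteuid() cannot fail and nothing in that path has set errno, so the ALERT line gets a stale, unrelated "(N)strerror" suffix appended; pass a zero status there instead, `ap_log_error(APLOG_MARK, APLOG_ALERT, 0, NULL,`. The chdir()/chroot()/chdir("/") sequence itself is the correct idiom and is placed while the process still has root, after set_group_privs() and before the uid is presumably dropped further down the function; since that ordering is load-bearing, a one-line comment above the block would help the next maintainer, e.g. `/* chroot() needs root: do it after group setup, before the uid is dropped */`. The enclosing function starts before and ends after this hunk.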
@@ -198,6 +222,20 @@
return NULL;
}
+AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
+ const char *arg)
+{
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+ if (!ap_is_directory(cmd->pool, arg)) {
+ return "ChrootDir must be a valid directory";
+ }
+
+ unixd_config.chroot_dir = arg;
+ return NULL;
+}
AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
{
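Review bot: unixd_set_chroot_dir() accepts a relative path, because ap_is_directory() only checks that arg resolves against the cwd at config-parse time, while the chdir()/chroot() in unixd_setup_child resolves the same string against whatever the cwd is when the child is set up (daemon detach normally changes it), so a relative ChrootDir can pass validation and then fail, or land somewhere else, at runtime. Reject it up front, before the directory check, with `if (!ap_os_is_path_absolute(cmd->pool, arg)) return "ChrootDir must be an absolute path";`, which also matches the `/path/to/directory` form given in the documentation. A short comment on the assignment would also be useful, since the pointer rather than a copy is retained and read later in the child, e.g. `/* arg is config-lifetime pool storage; kept by pointer for unixd_setup_child */` — hedged, as the allocation of arg is not visible here.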
@@ -206,6 +244,8 @@
unixd_config.user_name = DEFAULT_USER;
unixd_config.user_id = ap_uname2id(DEFAULT_USER);
unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
+
+ unixd_config.chroot_dir = NULL; /* none */
/* Check for suexec */
unixd_config.suexec_enabled = 0;
Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.h?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.h (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.h Thu Sep 18 11:42:18 2008
@@ -72,6 +72,7 @@
uid_t user_id;
gid_t group_id;
int suexec_enabled;
+ const char *chroot_dir;
} unixd_config_rec;
AP_DECLARE_DATA extern unixd_config_rec unixd_config;
@@ -81,6 +82,9 @@
const char *arg);
AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy,
const char *arg);
+AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
+ const char *arg);
+
#if defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)
AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
const char *arg, const char * arg2, int type);
@@ -111,7 +115,9 @@
AP_INIT_TAKE1("User", unixd_set_user, NULL, RSRC_CONF, \
"Effective user id for this server"), \
AP_INIT_TAKE1("Group", unixd_set_group, NULL, RSRC_CONF, \
- "Effective group id for this server")
+ "Effective group id for this server"), \
+AP_INIT_TAKE1("ChrootDir", unixd_set_chroot_dir, NULL, RSRC_CONF, \
+ "The directory to chroot(2) into")
#endif
/** @} */
Propchange: httpd/httpd/branches/2.2.x/support/suexec.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk/support/suexec.c:647395,655711,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006
+/httpd/httpd/trunk/support/suexec.c:611483,639005,639010,647395,655711,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006