You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2008/09/18 20:42:18 UTC

svn commit: r696758 - in /httpd/httpd/branches/2.2.x: ./ CHANGES docs/ docs/manual/mod/mpm_common.xml include/ap_mmn.h os/unix/unixd.c os/unix/unixd.h support/suexec.c

Author: jim
Date: Thu Sep 18 11:42:18 2008
New Revision: 696758

URL: http://svn.apache.org/viewvc?rev=696758&view=rev
Log:
Merge r611483, r639005, r639010 from trunk:

Support chroot on unix-family platforms
PR 43596 (Dimitar Pashev)


Document new ChrootDir directive (r611483)


mmn bump for chroot (r611483)

Submitted by: niq
Reviewed by: jim

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/docs/   (props changed)
    httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml
    httpd/httpd/branches/2.2.x/include/ap_mmn.h
    httpd/httpd/branches/2.2.x/os/unix/unixd.c
    httpd/httpd/branches/2.2.x/os/unix/unixd.h
    httpd/httpd/branches/2.2.x/support/suexec.c   (props changed)

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk:647395,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006
+/httpd/httpd/trunk:611483,639005,639010,647395,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Thu Sep 18 11:42:18 2008
@@ -5,6 +5,9 @@
      mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
      the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
 
+  *) Support chroot on Unix-family platforms
+     PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
+
   *) mod_ssl: implement dynamic mutex callbacks for the benefit of
      OpenSSL.  [Sander Temme]
 

Propchange: httpd/httpd/branches/2.2.x/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk/docs:647395,660461,660566,664330,675610,678761,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693392,693727-693728,696006
+/httpd/httpd/trunk/docs:611483,639005,639010,647395,660461,660566,664330,675610,678761,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693392,693727-693728,696006

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mpm_common.xml Thu Sep 18 11:42:18 2008
@@ -964,4 +964,25 @@
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>ChrootDir</name>
+<description>Directory for apache to run chroot(8) after startup.</description>
+<syntax>ChrootDir <var>/path/to/directory</var></syntax>
+<default>none</default>
+<contextlist><context>server config</context></contextlist>
+<modulelist><module>event</module>
+<module>prefork</module><module>worker</module></modulelist>
+<compatibility>Available in Apache 2.2.10 and later</compatibility>
+
+<usage>
+    <p>This directive tells the server to <var>chroot(8)</var> to the
+    specified directory after startup, but before accepting requests.</p>
+
+    <p>Note that running the server under chroot is not
+    simple, and requires additional setup, particularly if you are running
+    scripts such as CGI or PHP.  Please make sure you are properly familiar
+    with the operation of chroot before attempting to use this feature.</p>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>

Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Thu Sep 18 11:42:18 2008
@@ -132,6 +132,7 @@
  *                     proxy_worker struct.
  * 20051115.17(2.2.10) Add scolonsep to proxy_balancer
  *
+ * 20051115.18(2.2.10)  Add chroot support to unixd_config
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
@@ -139,7 +140,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20051115
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 17                    /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 18                    /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.c?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.c (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.c Thu Sep 18 11:42:18 2008
@@ -117,6 +117,30 @@
     if (set_group_privs()) {
         return -1;
     }
+
+    if (NULL != unixd_config.chroot_dir) {
+        if (geteuid()) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Cannot chroot when not started as root");
+            return -1;
+        }
+        if (chdir(unixd_config.chroot_dir) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chdir to %s", unixd_config.chroot_dir);
+            return -1;
+        }
+        if (chroot(unixd_config.chroot_dir) != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chroot to %s", unixd_config.chroot_dir);
+            return -1;
+        }
+        if (chdir("/") != 0) {
+            ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL,
+                         "Can't chdir to new root");
+            return -1;
+        }
+    }
+
 #ifdef MPE
     /* Only try to switch if we're running as MANAGER.SYS */
     if (geteuid() == 1 && unixd_config.user_id > 1) {
@@ -198,6 +222,20 @@
 
     return NULL;
 }
+AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy,
+                                              const char *arg)
+{
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err != NULL) {
+        return err;
+    }
+    if (!ap_is_directory(cmd->pool, arg)) {
+        return "ChrootDir must be a valid directory";
+    }
+
+    unixd_config.chroot_dir = arg;
+    return NULL;
+}
 
 AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
 {
@@ -206,6 +244,8 @@
     unixd_config.user_name = DEFAULT_USER;
     unixd_config.user_id = ap_uname2id(DEFAULT_USER);
     unixd_config.group_id = ap_gname2id(DEFAULT_GROUP);
+    
+    unixd_config.chroot_dir = NULL; /* none */
 
     /* Check for suexec */
     unixd_config.suexec_enabled = 0;

Modified: httpd/httpd/branches/2.2.x/os/unix/unixd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/os/unix/unixd.h?rev=696758&r1=696757&r2=696758&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/os/unix/unixd.h (original)
+++ httpd/httpd/branches/2.2.x/os/unix/unixd.h Thu Sep 18 11:42:18 2008
@@ -72,6 +72,7 @@
     uid_t user_id;
     gid_t group_id;
     int suexec_enabled;
+    const char *chroot_dir;
 } unixd_config_rec;
 AP_DECLARE_DATA extern unixd_config_rec unixd_config;
 
@@ -81,6 +82,9 @@
                                         const char *arg);
 AP_DECLARE(const char *) unixd_set_group(cmd_parms *cmd, void *dummy, 
                                          const char *arg);
+AP_DECLARE(const char *) unixd_set_chroot_dir(cmd_parms *cmd, void *dummy, 
+                                              const char *arg);
+					 
 #if defined(RLIMIT_CPU) || defined(RLIMIT_DATA) || defined(RLIMIT_VMEM) || defined(RLIMIT_NPROC) || defined(RLIMIT_AS)
 AP_DECLARE(void) unixd_set_rlimit(cmd_parms *cmd, struct rlimit **plimit,
                            const char *arg, const char * arg2, int type);
@@ -111,7 +115,9 @@
 AP_INIT_TAKE1("User", unixd_set_user, NULL, RSRC_CONF, \
   "Effective user id for this server"), \
 AP_INIT_TAKE1("Group", unixd_set_group, NULL, RSRC_CONF, \
-  "Effective group id for this server")
+  "Effective group id for this server"), \
+AP_INIT_TAKE1("ChrootDir", unixd_set_chroot_dir, NULL, RSRC_CONF, \
+    "The directory to chroot(2) into")
 
 #endif
 /** @} */

Propchange: httpd/httpd/branches/2.2.x/support/suexec.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Sep 18 11:42:18 2008
@@ -1 +1 @@
-/httpd/httpd/trunk/support/suexec.c:647395,655711,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006
+/httpd/httpd/trunk/support/suexec.c:611483,639005,639010,647395,655711,660461,660566,664330,678761,681190,682369,683626,685112,686805,686809,687099,687754,693392,693727-693728,696006