Posted to dev@httpd.apache.org by hu...@chem.leidenuniv.nl on 2005/09/23 15:46:27 UTC
Mod_auth_ldap with file locking
Hi all,
Please bear with me while I try to explain my question...
First let me start with the problem I encountered while implementing
mod_auth_ldap on a freebsd 5.4 system (apache 2.0.54).
Of course I have my apache2 daemon running as the www user. When starting
the server, the initialisation phase will run as root, so it can bind to port
80 etc., but during this phase, also the lock file for the mod_auth_ldap
module is created.
fwnc5510# ls -al /usr/local/apache2/var/
total 6
drwxr-xr-x 2 root wheel 512 Sep 23 14:27 .
drwxr-xr-x 3 root wheel 512 Sep 23 14:26 ..
-rw-r--r-- 1 root wheel 4 Sep 23 14:27 LdapCache
-rw------- 1 root wheel 0 Sep 23 14:27 LdapCache.lck
After starting the child processes (running as www), they will try to
access the lock file to read and write ldap validated users -> here comes
the snag; they do not have access to the lock file since it is owned by
root!
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26310.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26311.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26312.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26313.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26314.
After a lot of searching in the source code, I finally came up to a point
where the files were supposedly created and tried something nasty up there:
chown www <created file> or in c:
diff -ruN ../httpd-2.0.54/srclib/apr/file_io/unix/open.c
./srclib/apr/file_io/unix/open.c
--- ../httpd-2.0.54/srclib/apr/file_io/unix/open.c Fri Feb 4 21:36:31
2005
+++ ./srclib/apr/file_io/unix/open.c Mon Aug 22 11:42:02 2005
@@ -26,6 +26,9 @@
#include "fsio.h"
#endif
+apr_uid_t uid;
+apr_gid_t gid;
+
apr_status_t apr_unix_file_cleanup(void *thefile)
{
apr_file_t *file = thefile;
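Review bot: the two file-scope variables added ahead of apr_unix_file_cleanup (`apr_uid_t uid;` / `apr_gid_t gid;`) are non-static globals, so every caller of this translation unit shares them: concurrent apr_file_open calls under a threaded MPM race on the same storage, and the unprefixed names leak into APR's exported symbol namespace. Declare them as locals in the function that actually uses them (or at least make them static if they must outlive one call).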
@@ -120,6 +123,9 @@
}
else {
fd = open(fname, oflags, apr_unix_perms2mode(perm));
+ apr_uid_current(&uid, &gid, pool);
+ uid = 80;
+ chown(fname, uid, gid);
}
if (fd < 0) {
return errno;
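Review bot: `uid = 80;` throws away the value apr_uid_current just stored and hard-codes the FreeBSD www uid, and because the chown() sits in the generic open path of open.c it runs for every file created through this branch, not only the mutex file, so anything the server creates while still root silently changes owner. The return values of apr_uid_current and chown are also ignored, so a failed handover goes unnoticed. Suggest taking the target uid/gid from the server's configured run-as user rather than a literal, applying the ownership change only at the site where the mutex file is created, and checking both calls (e.g. `if (chown(fname, uid, gid) < 0) return errno;`).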
Which is of course the most raunchy piece of code you could possibly
imagine... but the result is quite nice:
fwnc5510# ls -al /usr/local/apache2/var/
total 6
drwxr-xr-x 2 root wheel 512 Sep 23 15:32 .
drwxr-xr-x 3 root wheel 512 Sep 23 14:26 ..
-rw-r--r-- 1 root wheel 4 Sep 23 15:32 LdapCache
-rw------- 1 www www 0 Sep 23 15:32 LdapCache.lck
And a working ldap authentication which is also a huge benefit to my
colleagues :-)
The thing I would like to check with you guys is the following:
-> Am I making a huge detour for just a stupid config mistake? (please do
not kick too hard...)
-> If not (pfewww...), how to do this cleanly:
-> read the actual uid from the config file ?
(which will solve -this- problem)
-> or extend the _create_file function to include the uid of supposed
owner,
with a fall-back to the default process owner (www).
This will add some nice features to e.g. webdav (if they
even use this code??)
Thanks for your time,
Hugo Meiland,
Leiden University, The Netherlands
Re: Mod_auth_ldap with file locking
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Sep 23, 2005 at 03:46:27PM +0200, hugo@chem.leidenuniv.nl wrote:
> First let me start with the problem I encountered while implementing
> mod_auth_ldap on a freebsd 5.4 system (apache 2.0.54).
>
> Of course I have my apache2 daemon running as the www user. When starting
> the server, the initialisation phase will run as root, so it can bind to port
> 80 etc., but during this phase, also the lock file for the mod_auth_ldap
> module is created.
Hi, please try this patch:
http://people.apache.org/~jorton/httpd-2.0.54-ldap.patch
this contains all the changes between 2.0.54 and the current 2.0.x
branch as of a few days ago; it includes the fix for the mutex
permissions issue and several other bugs.
Regards,
joe