You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by hu...@chem.leidenuniv.nl on 2005/09/23 15:46:27 UTC

Mod_auth_ldap with file locking

Hi all,

Please bare with me while I try to explain my question....

First let me start with the problem I encountered while implementing
mod_auth_ldap on a freebsd 5.4 system (apache 2.0.54). 

Of course I have my apache2 daemon running as the www user. When starting
the server, the initialisation fase will run as root, so it can bind to port
80 etc., but during this fase, also the lock file for the mod_auth_ldap
module is created. 

fwnc5510# ls -al /usr/local/apache2/var/
total 6
drwxr-xr-x  2 root  wheel  512 Sep 23 14:27 .
drwxr-xr-x  3 root  wheel  512 Sep 23 14:26 ..
-rw-r--r--  1 root  wheel    4 Sep 23 14:27 LdapCache
-rw-------  1 root  wheel    0 Sep 23 14:27 LdapCache.lck

After startting the child processes (running as www), they will try to
access the lock file to read and write ldap validated users -> here comes
the snag; they do not have access to the lock file since it is owned by
root!

[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26310.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26311.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26312.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26313.
[Fri Sep 23 14:27:01 2005] [crit] (13)Permission denied: Failed to
initialise global mutex /usr/local/apache2/var/LdapCache.lck in child
process 26314.

After a lot of searching in the source code, I finally came up to a point
where the files were supposedly created and tried something nasty up there:
chown www <created file> or in c:

diff -ruN ../httpd-2.0.54/srclib/apr/file_io/unix/open.c
./srclib/apr/file_io/unix/open.c
--- ../httpd-2.0.54/srclib/apr/file_io/unix/open.c	Fri Feb  4 21:36:31
2005
+++ ./srclib/apr/file_io/unix/open.c	Mon Aug 22 11:42:02 2005
@@ -26,6 +26,9 @@
 #include "fsio.h"
 #endif
 
+apr_uid_t uid;
+apr_gid_t gid;
+
 apr_status_t apr_unix_file_cleanup(void *thefile)
 {
     apr_file_t *file = thefile;
@@ -120,6 +123,9 @@
     }
     else {
         fd = open(fname, oflags, apr_unix_perms2mode(perm));
+   	apr_uid_current(&uid, &gid, pool); 
+	uid = 80;
+	chown(fname, uid, gid);
     } 
     if (fd < 0) {
        return errno;

Which is of course the most raunchy piece of code you could possibly
imagine... but the result is quite nice:


fwnc5510# ls -al /usr/local/apache2/var/
total 6
drwxr-xr-x  2 root  wheel  512 Sep 23 15:32 .
drwxr-xr-x  3 root  wheel  512 Sep 23 14:26 ..
-rw-r--r--  1 root  wheel    4 Sep 23 15:32 LdapCache
-rw-------  1 www   www      0 Sep 23 15:32 LdapCache.lck

And a working ldap authentication which is also a huge benefit to my
collegues :-)

The thing I would like to check with you guys is the following:

-> Am I making a huge d-tour for just a stupid config mistake? (please do
not kick too hard...)

-> If not (pfewww...), how to do this clean:
	-> read the actual uid from the config file ?
		(which will solve -this- problem)

	-> or extend the _create_file funtion to include the uid of supposed
owner, 
		with a fall-back to the default process owner (www).
		This will add some nice features to e.g. webdav (if they
even use this code??)

Thanks for your time,

Hugo Meiland,
Leiden University, The Netherlands

Re: Mod_auth_ldap with file locking

Posted by Joe Orton <jo...@redhat.com>.

On Fri, Sep 23, 2005 at 03:46:27PM +0200, hugo@chem.leidenuniv.nl wrote:
> First let me start with the problem I encountered while implementing
> mod_auth_ldap on a freebsd 5.4 system (apache 2.0.54). 
> 
> Of course I have my apache2 daemon running as the www user. When starting
> the server, the initialisation fase will run as root, so it can bind to port
> 80 etc., but during this fase, also the lock file for the mod_auth_ldap
> module is created. 

Hi, please try this patch:

http://people.apache.org/~jorton/httpd-2.0.54-ldap.patch

this contains all the changes between 2.0.54 and the current 2.0.x 
branch as of a few days ago; it includes the fix for the mutex 
permissions issue and several other bugs.

Regards,

joe