Posted to dev@perl.apache.org by Andres Salomon <di...@voxel.net> on 2004/02/08 10:03:44 UTC

mp2 acl support?

Hi Stas,

I was wondering about the status of ACL support for modperl2.  The
following two urls contain info and patches:

http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BPATCH%5D_acl_support_P58252/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230439

However, I haven't seen any patches that have been verified to work w/ ACL
setups, and don't break w/ non-ACL setups.  Have you gotten any success
reports on your patch?





---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: [Patch mp2] Was : mp2 acl support?

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> On Wed, 2004-02-11 at 15:15 -0500, Andres Salomon wrote:
> 
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Philippe M. Chiasson wrote:
>>[...]
>>|
>>| Can you try this and confirm that it works the way it should for your
>>| setup ?
>>|
>>
>>It looks like there's still an issue with the way filetest is being
>>used.  As Damon Buckwalters pointed out to me, filetest::access requires
>>the filename; a filehandle won't work.  I've attached his patch, which
>>looks correct.
>>
> 
> 
> Problem with that approach is that it will add the cost of 2 stat calls
> for each and every single ModPerl::Registry script ;-(
> 
> I think it might be worth considering a new ModPerl::RegistryCooker
> subclass just for ACL support. Since most people don't use ACLs, it
> seems unjustified to me to incur the overhead to everybody.

Seconded.

> People with need for ACL support could just be made to use
> ModPerl::RegistryACL, for example ...

I'm also thinking that all these new M-RC subclasses should probably go to 
CPAN. I don't think we should supply a bunch of subclasses in the core. Only 
if some subclasses get very popular we should consider including them in the 
core later on.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: [Patch mp2] Was : mp2 acl support?

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Wed, 2004-02-11 at 15:15 -0500, Andres Salomon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Philippe M. Chiasson wrote:
> [...]
> |
> | Can you try this and confirm that it works the way it should for your
> | setup ?
> |
> 
> It looks like there's still an issue with the way filetest is being
> used.  As Damon Buckwalters pointed out to me, filetest::access requires
> the filename; a filehandle won't work.  I've attached his patch, which
> looks correct.
> 

Problem with that approach is that it will add the cost of 2 stat calls
for each and every single ModPerl::Registry script ;-(

I think it might be worth considering a new ModPerl::RegistryCooker
subclass just for ACL support. Since most people don't use ACLs, it
seems unjustified to me to incur the overhead to everybody.

People with need for ACL support could just be made to use
ModPerl::RegistryACL, for example ...
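
The point quoted in this message (the pragma needs a filename, not a handle) can be checked with a stand-alone script. This is an added example, not part of the thread or of mod_perl; the subroutine names and the temporary file are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): compare Perl file tests with and
# without "use filetest 'access'" for each path given on the command line.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Plain tests: Perl decides from the st_mode bits returned by stat().
sub by_mode_bits {
    my ($file) = @_;
    return join '', (-r $file ? 'r' : '-'), (-x $file ? 'x' : '-');
}

# Pragma in effect and a file NAME as operand: Perl asks the OS (access()
# or an equivalent call), so permissions set through an ACL are honoured.
sub by_access_name {
    my ($file) = @_;
    use filetest 'access';
    return join '', (-r $file ? 'r' : '-'), (-x $file ? 'x' : '-');
}

# Pragma in effect but the operand is the cached stat handle "_": there is
# no name to hand to access(), so Perl falls back to the mode bits.
sub by_access_cached {
    my ($file) = @_;
    use filetest 'access';
    return '??' unless stat $file;    # fills the "_" stat buffer
    return join '', (-r _ ? 'r' : '-'), (-x _ ? 'x' : '-');
}

# Print one line per file and return true when mode bits and access agree.
sub report {
    my ($file) = @_;
    my ($bits, $name, $cached) =
        (by_mode_bits($file), by_access_name($file), by_access_cached($file));
    printf "%-30s mode-bits=%s access(name)=%s access(_)=%s%s\n",
        $file, $bits, $name, $cached,
        ($bits eq $name ? '' : '  <-- differs from mode bits');
    return $bits eq $name;
}

if (@ARGV) {
    report($_) for @ARGV;
}
else {
    # Constructed sample: a temporary file without ACLs. The columns are
    # expected to agree here; a difference means the OS applies a
    # restriction that the mode bits do not show.
    my ($fh, $tmp) = tempfile(UNLINK => 1);
    close $fh;
    for my $mode (0644, 0755) {
        chmod $mode, $tmp or die "chmod $tmp: $!";
        report($tmp);
    }
}
```

Run it as the server user with script paths as arguments on the ACL-enabled filesystem; a file whose access comes only from an ACL entry shows a difference in the access(name) column but not in the access(_) column.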

Re: [Patch mp2] Was : mp2 acl support?

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Tue, 2004-02-10 at 03:28 -0500, Andres Salomon wrote:
> Philippe M. Chiasson wrote:
> [...]
> 
> |
> | Could someone run the ModPerl-Registry tests on Win32 or something
> | similarly non-POSIX with this ACL patch ?
> |
> [...]
> 
> Shouldn't this also touch the -r test a few lines earlier, as well?
> Even better, why not put the "use filetest" at the beginning of the
> function, as it seems that it should affect all file permission tests.

Yes, I missed that indeed. This simpler patch most likely does the
trick.

Index: ModPerl-Registry/lib/ModPerl/RegistryCooker.pm
===================================================================
RCS file: /home/cvs/modperl-2.0/ModPerl-Registry/lib/ModPerl/RegistryCooker.pm,v
retrieving revision 1.41
diff -u -I$Id -r1.41 RegistryCooker.pm
--- ModPerl-Registry/lib/ModPerl/RegistryCooker.pm      25 Jan 2004 01:04:16 -0000      1.41
+++ ModPerl-Registry/lib/ModPerl/RegistryCooker.pm      10 Feb 2004 21:10:49 -0000
@@ -224,6 +224,9 @@
     my $self = shift;
     my $r = $self->{REQ};

+    #Allow correct detection even under ACLs-enable filesystems (i.e. ext3)
+    use filetest qw(access);
+
     unless (-r $r->my_finfo && -s _) {
         $self->log_error("$self->{FILENAME} not found or unable to stat");
         return Apache::NOT_FOUND;
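
Review bot: the test directly under the added pragma, `-r $r->my_finfo && -s _`, is not handed a file name, and the follow-up in this thread notes that filetest::access requires the filename and a filehandle won't work, so the pragma may change nothing for these tests. Consider running the permission tests against `$self->{FILENAME}`, and weigh that against the extra per-request stat cost raised later in the thread. Minor: the comment should read "ACL-enabled filesystems (e.g. ext3)" rather than "ACLs-enable filesystems (i.e. ext3)".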


Can you try this and confirm that it works the way it should for your
setup ?

-- 
--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/    F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'

[Patch mp2] Was : mp2 acl support?

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Sun, 2004-02-08 at 04:03 -0500, Andres Salomon wrote:
> Hi Stas,
> 
> I was wondering about the status of ACL support for modperl2.  The
> following two urls contain info and patches:
> 
> http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BPATCH%5D_acl_support_P58252/
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230439
> 
> However, I haven't seen any patches that have been verified to work w/ ACL
> setups, and don't break w/ non-ACL setups.  Have you gotten any success
> reports on your patch?
> 

Could someone run the ModPerl-Registry tests on Win32 or something
similarly non-POSIX with this ACL patch ?

Index: ModPerl-Registry/lib/ModPerl/RegistryCooker.pm
===================================================================
RCS file: /home/cvs/modperl-2.0/ModPerl-Registry/lib/ModPerl/RegistryCooker.pm,v
retrieving revision 1.41
diff -u -I$Id -r1.41 RegistryCooker.pm
--- ModPerl-Registry/lib/ModPerl/RegistryCooker.pm	25 Jan 2004 01:04:16 -0000	1.41
+++ ModPerl-Registry/lib/ModPerl/RegistryCooker.pm	9 Feb 2004 22:32:11 -0000
@@ -232,11 +232,16 @@
     return Apache::DECLINED if -d _;
 
     $self->{MTIME} = -M _;
-
-    unless (-x _ or IS_WIN32) {
-        $r->log_error("file permissions deny server execution",
-                       $self->{FILENAME});
-        return Apache::FORBIDDEN;
+    
+    {
+        #Allow correct detection even under ACLs
+        use filetest qw(access);
+    
+        unless (-x _ or IS_WIN32) {
+            $r->log_error("file permissions deny server execution",
+                           $self->{FILENAME});
+            return Apache::FORBIDDEN;
+        }
     }
 
     if (!($r->allow_options & Apache::OPT_EXECCGI)) {
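
Review bot: the new bare block limits `use filetest qw(access)` to the single `-x _` test, so any permission test earlier in the function (the thread mentions a `-r` test a few lines up) still decides from mode bits alone, and a script readable only through an ACL would be turned away before this block is reached. Put the pragma at the top of the function so all permission tests fall under it, and test `-x` against `$self->{FILENAME}`, since `_` is the cached stat handle rather than a name. The two added blank lines inside the block also carry trailing whitespace.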


-- 
--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/    F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'

Re: mp2 acl support?

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
[...]
>>>So I guess it would be safe to use filetest 'access' in ModPerl-Registry
>>>(at least on Linux), but I would worry about:
>>>
>>>1. Other Uni*es and Win32
>>
>>What about them?
> 
> 
> Well, from a glance at pp_sys.c, it seems that Perl will do the right
> thing and use access() if it's available. Otherwise, using filetest
> 'access' seems like it would revert to the good old behaviour. 
> 
> I just meant that it could be worth verifying that. Who knows, possibly
> some platforms _do_ provide access(), but its behaviour is not
> identical to the basic filetest operators.

but as you suggest below chances are that it works just fine since it's a perl 
feature and it exists since 5.6.0 (enough time to discover problems, if it was 
used at all).

>>>2. ACL support in APR/httpd
>>
>>Are you talking about internal C calls? I don't think it should affect these.
> 
> 
> I was asking if some of the apr file operations were using access()
> internally, so we could have leveraged off of that instead of using
> Perl. But a quick grep exposed that apr seems to be using access(), but
> only in threadproc/unix/proc.c, not using it for the implementation of
> the apr_file_* stuff. So this issue is void (unless it's worth having
> access() support in APR)

and it probably should. but that's a different story.

>>>3. When was the filetest.pm module introduced in the Perl core ?
>>
>>5.6.0. I don't know whether Leon will want to backport it to 5.005_04.
> 
> 
> Well, is that an issue preventing us from using it?

Not at all. We require 5.6.1+. I thought you were asking about mp1, where 
5.005_03 is relevant.

>>4. performance. from the filetest manpage:
>>
>>       There may be a slight performance decrease in the filetests when "use
>>       filetest" is in effect, because in some systems the extended function-
>>       ality needs to be emulated.
>>
>>is there a generic way to check whether the fs is acl-enabled?
> 
> 
> No easy way I can find...

In which case, we should either enable it by default and have a config flag 
that will turn this feature off. Or better off leave the registry as is and 
write a subclass of Registry which will use the access(), so not to add a 
penalty to those users who have no .acls.

>>>But, I'd be for using this if it doesn't cause false negatives for
>>>anybody. (A bit of a problem to write a portable test for it though)
>>
>>if you get false negatives that's probably a bug in POSIX::access, no?
> 
> 
> Yes, but who knows the status of access() on all platforms ?

I say it's a perl's problem ;)

> IMHO, if it's there, we should think about using it. After all, I am
> pretty sure Perl already does a pretty good job at making sure it will
> work correctly on all platforms it runs on.

right, assuming that this feature was/is used at all.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: mp2 acl support?

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Mon, 2004-02-09 at 14:47 -0800, Stas Bekman wrote:
> Philippe M. Chiasson wrote:
> > On Sun, 2004-02-08 at 04:03 -0500, Andres Salomon wrote:
> > 
> >>Hi Stas,
> >>
> >>I was wondering about the status of ACL support for modperl2.  The
> >>following two urls contain info and patches:
> >>
> >>http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BPATCH%5D_acl_support_P58252/
> >>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230439
> >>
> >>However, I haven't seen any patches that have been verified to work w/ ACL
> >>setups, and don't break w/ non-ACL setups.  Have you gotten any success
> >>reports on your patch?
> >>
> > 
> > 
> > Well, after reading the threads and getting my box setup with ext3fs
> > ACLs, I was able to run basic tests with:
> > 
> > -e somefile 
> > 
> > and
> > 
> > use filetest 'access';
> > -e somefile
> > 
> > And as far as I can tell, it works the way I expected it to in every
> > case.
> 
> Cool. Does it work for Andres?

Andres, can you try it ?

> > So I guess it would be safe to use filetest 'access' in ModPerl-Registry
> > (at least on Linux), but I would worry about:
> > 
> > 1. Other Uni*es and Win32
> 
> What about them?

Well, from a glance at pp_sys.c, it seems that Perl will do the right
thing and use access() if it's available. Otherwise, using filetest
'access' seems like it would revert to the good old behaviour. 

I just meant that it could be worth verifying that. Who knows, possibly
some platforms _do_ provide access(), but its behaviour is not
identical to the basic filetest operators.

> > 2. ACL support in APR/httpd
> 
> Are you talking about internal C calls? I don't think it should affect these.

I was asking if some of the apr file operations were using access()
internally, so we could have leveraged off of that instead of using
Perl. But a quick grep exposed that apr seems to be using access(), but
only in threadproc/unix/proc.c, not using it for the implementation of
the apr_file_* stuff. So this issue is void (unless it's worth having
access() support in APR)

> > 3. When was the filetest.pm module introduced in the Perl core ?
> 
> 5.6.0. I don't know whether Leon will want to backport it to 5.005_04.

Well, is that an issue preventing us from using it?

> 4. performance. from the filetest manpage:
> 
>        There may be a slight performance decrease in the filetests when "use
>        filetest" is in effect, because in some systems the extended function-
>        ality needs to be emulated.
> 
> is there a generic way to check whether the fs is acl-enabled?

No easy way I can find...

> > But, I'd be for using this if it doesn't cause false negatives for
> > anybody. (A bit of a problem to write a portable test for it though)
> 
> if you get false negatives that's probably a bug in POSIX::access, no?

Yes, but who knows the status of access() on all platforms ?

IMHO, if it's there, we should think about using it. After all, I am
pretty sure Perl already does a pretty good job at making sure it will
work correctly on all platforms it runs on.

Just my 0.02$

> __________________________________________________________________
> Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
> http://stason.org/     mod_perl Guide ---> http://perl.apache.org
> mailto:stas@stason.org http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org   http://ticketmaster.com
-- 
--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/    F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'

Re: mp2 acl support?

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> On Sun, 2004-02-08 at 04:03 -0500, Andres Salomon wrote:
> 
>>Hi Stas,
>>
>>I was wondering about the status of ACL support for modperl2.  The
>>following two urls contain info and patches:
>>
>>http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BPATCH%5D_acl_support_P58252/
>>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230439
>>
>>However, I haven't seen any patches that have been verified to work w/ ACL
>>setups, and don't break w/ non-ACL setups.  Have you gotten any success
>>reports on your patch?
>>
> 
> 
> Well, after reading the threads and getting my box setup with ext3fs
> ACLs, I was able to run basic tests with:
> 
> -e somefile 
> 
> and
> 
> use filetest 'access';
> -e somefile
> 
> And as far as I can tell, it works the way I expected it to in every
> case.

Cool. Does it work for Andres?

> So I guess it would be safe to use filetest 'access' in ModPerl-Registry
> (at least on Linux), but I would worry about:
> 
> 1. Other Uni*es and Win32

What about them?

> 2. ACL support in APR/httpd

Are you talking about internal C calls? I don't think it should affect these.

> 3. When was the filetest.pm module introduced in the Perl core ?

5.6.0. I don't know whether Leon will want to backport it to 5.005_04.

4. performance. from the filetest manpage:

       There may be a slight performance decrease in the filetests when "use
       filetest" is in effect, because in some systems the extended function-
       ality needs to be emulated.

is there a generic way to check whether the fs is acl-enabled?

> But, I'd be for using this if it doesn't cause false negatives for
> anybody. (A bit of a problem to write a portable test for it though)

if you get false negatives that's probably a bug in POSIX::access, no?

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: mp2 acl support?

Posted by "Philippe M. Chiasson" <go...@cpan.org>.
On Sun, 2004-02-08 at 04:03 -0500, Andres Salomon wrote:
> Hi Stas,
> 
> I was wondering about the status of ACL support for modperl2.  The
> following two urls contain info and patches:
> 
> http://www.gossamer-threads.com/archive/mod_perl_C1/modperl_F7/%5BPATCH%5D_acl_support_P58252/
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=230439
> 
> However, I haven't seen any patches that have been verified to work w/ ACL
> setups, and don't break w/ non-ACL setups.  Have you gotten any success
> reports on your patch?
> 

Well, after reading the threads and getting my box setup with ext3fs
ACLs, I was able to run basic tests with:

-e somefile 

and

use filetest 'access';
-e somefile

And as far as I can tell, it works the way I expected it to in every
case.

So I guess it would be safe to use filetest 'access' in ModPerl-Registry
(at least on Linux), but I would worry about:

1. Other Uni*es and Win32
2. ACL support in APR/httpd
3. When was the filetest.pm module introduced in the Perl core ?

But, I'd be for using this if it doesn't cause false negatives for
anybody. (A bit of a problem to write a portable test for it though)

-- 
--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/    F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'