The Unix MPMs other than perchild now allow child server (8d60d296) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		Changes with Apache 2.0.24-dev

		*) The Unix MPMs other than perchild now allow child server
		processes to use the accept mutex when starting as root and
		using SysV sems for the accept mutex. Previously, this
		combination would lead to fatal errors in the child server
		processes. perchild can't use SysV sems because of security
		issues. [Jeff Trawick, Greg Ames]

		*) Added Win32 revision stamp resources to all http binaries
		(including modules/ and support/ tools.) PR7322 [William Rowe]

+2 −1

+36 −0

Original line number	Diff line number	Diff line
		@@ -69,6 +69,7 @@
		#include "ap_mpm.h"
		#include "apr_thread_proc.h"
		#include "apr_strings.h"
		#include "apr_portable.h"
		#ifdef HAVE_PWD_H
		#include <pwd.h>
		#endif
		@@ -86,6 +87,9 @@
		#ifdef HAVE_STRINGS_H
		#include <strings.h>
		#endif
		#ifdef HAVE_SYS_SEM_H
		#include <sys/sem.h>
		#endif

		unixd_config_rec unixd_config;

		@@ -373,3 +377,35 @@ AP_DECLARE(apr_status_t) ap_os_create_privileged_process(
		attr, ugid, p);
		}

		AP_DECLARE(apr_status_t) unixd_set_lock_perms(apr_lock_t *lock)
		{
		/* MPM shouldn't call us unless we're actually using a SysV sem;
		* this is just to avoid compile issues on systems without that
		* feature
		*/
		#if APR_HAS_SYSVSEM_SERIALIZE
		apr_os_lock_t oslock;
		#if !APR_HAVE_UNION_SEMUN
		union semun {
		long val;
		struct semid_ds *buf;
		ushort *array;
		};
		#endif
		union semun ick;
		struct semid_ds buf;

		if (!geteuid()) {
		apr_os_lock_get(&oslock, lock);
		buf.sem_perm.uid = unixd_config.user_id;
		buf.sem_perm.gid = unixd_config.group_id;
		buf.sem_perm.mode = 0600;
		ick.buf = &buf;
		if (semctl(oslock.crossproc, 0, IPC_SET, ick) < 0) {
		return errno;
		}
		}
		#endif
		return APR_SUCCESS;
		}

+2 −1

Original line number	Diff line number	Diff line
		@@ -69,6 +69,7 @@
		#endif
		#include "apr_hooks.h"
		#include "apr_thread_proc.h"
		#include "apr_lock.h"

		#include <pwd.h>
		#include <grp.h>
		@@ -111,7 +112,7 @@ AP_DECLARE(const char ) unixd_set_group(cmd_parms cmd, void *dummy,
		AP_DECLARE(void) unixd_set_rlimit(cmd_parms cmd, struct rlimit *plimit,
		const char arg, const char arg2, int type);
		#endif

		AP_DECLARE(apr_status_t) unixd_set_lock_perms(apr_lock_t *lock);

		#ifdef HAVE_KILLPG
		#define unixd_killpg(x, y) (killpg ((x), (y)))

+14 −0

Original line number	Diff line number	Diff line
		@@ -276,6 +276,20 @@ static void accept_mutex_init(apr_pool_t *p)
		ap_log_error(APLOG_MARK, APLOG_EMERG, rv, NULL, "couldn't create accept mutex");
		exit(APEXIT_INIT);
		}

		#if APR_USE_SYSVSEM_SERIALIZE
		if (ap_accept_lock_mech == APR_LOCK_DEFAULT \|\|
		ap_accept_lock_mech == APR_LOCK_SYSVSEM) {
		#else
		if (ap_accept_lock_mech == APR_LOCK_SYSVSEM) {
		#endif
		rv = unixd_set_lock_perms(accept_lock);
		if (rv != APR_SUCCESS) {
		ap_log_error(APLOG_MARK, APLOG_EMERG, rv, NULL,
		"Couldn't set permissions on cross-process lock");
		exit(APEXIT_INIT);
		}
		}
		}

		static void accept_mutex_on(void)