Hi,

currently, the External Rewriting Program (RewriteMap "prg:") is run as root. I would like to change it, but I see three ways to do it:

1. Execute it right after the drop_privileges hook. This looks like the best way, but I haven't found any hook which could be used for that (except drop_privileges with APR_HOOK_REALLY_LAST, which does not seem like a proper place to me).

2. Execute it in child_init. This is done after drop_privileges, so the user/group is good. The "problem" here is that it would execute one rewrite program per child. Right now I'm not sure if it's really a problem. It could be useful to have more instances of the rewriting program to make its bottleneck lower.

3. Execute it where it is now (post_config), but set user/group using apr_procattr_t. So far I think this would duplicate the code of mod_unixd and would probably also have to handle the Windows equivalent of that module (if there is any).

What way do you think is the best, or would you do it differently?

I'm attaching a patch for number 2.

Regards,
Jan Kaluza
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c	(revision 1663642)
+++ modules/mappers/mod_rewrite.c	(working copy)
@@ -4449,17 +4449,6 @@
     apr_pool_cleanup_register(p, (void *)s, rewritelock_remove,
                               apr_pool_cleanup_null);
 
-    /* if we are not doing the initial config, step through the servers and
-     * open the RewriteMap prg:xxx programs,
-     */
-    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_CONFIG) {
-        for (; s; s = s->next) {
-            if (run_rewritemap_programs(s, p) != APR_SUCCESS) {
-                return HTTP_INTERNAL_SERVER_ERROR;
-            }
-        }
-    }
-
     rewrite_ssl_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
     rewrite_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
 
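Review bot: removing the post_config loop also removes the only path that returned HTTP_INTERNAL_SERVER_ERROR when run_rewritemap_programs() failed, so a prg: map that cannot be started no longer stops the server at startup. If fail-fast on a broken map is still wanted, keep a check in post_config that validates the configured program without spawning it, or state in the commit message that startup no longer fails in this case.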
@@ -4485,6 +4474,11 @@
         ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, APLOGNO(00667)
                      "mod_rewrite: could not init map cache in child");
     }
+
+    /* step through the servers and open the RewriteMap prg:xxx programs */
+    for (; s; s = s->next) {
+        run_rewritemap_programs(s, p);
+    }
 }
 
 
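Review bot: the return value of run_rewritemap_programs(s, p) is discarded in the added loop, whereas the code removed from post_config compared it against APR_SUCCESS. A child whose program fails to start will continue serving with no log entry; capture the status and report it the same way the map cache failure just above does, with ap_log_error at APLOG_CRIT. The new comment should also say that the program is now started once per child, after privileges are dropped, since that is the behavioural change being made.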
