Hello community, here is the log from the commit of package spawn-fcgi for openSUSE:Factory checked in at 2015-01-23 15:47:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spawn-fcgi (Old) and /work/SRC/openSUSE:Factory/.spawn-fcgi.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spawn-fcgi" Changes: -------- --- /work/SRC/openSUSE:Factory/spawn-fcgi/spawn-fcgi.changes 2013-06-05 13:14:32.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.spawn-fcgi.new/spawn-fcgi.changes 2015-01-23 15:47:43.000000000 +0100 @@ -1,0 +2,24 @@ +Thu Jan 22 17:30:13 UTC 2015 - [email protected] + +- Update to version 1.6.4: + + Use octal mode for -M (patch by dfjoerg) + + Add -b backlog option (fixes #2422, patch by aschmitz) + + Restrict Unix socket file ownership by default to ug=rw + + Add example apparmor spawn-fcgi abstraction + + Use autoreconf instead of calling tools manually + + Add more flags to extra-warning flags + + Check return values of setuid, setgid, setgroups, initgroups, write + + Check whether compiler supports wanted CFLAGS (fixes #2235) + + Fix resource leaks in failure cases (found with coverity) +- Added: + + spawn-fcgi-1.6.4.tar.bz2 + + spawn-fcgi_1.6.4.orig.tar.gz + + spawn-fcgi_1.6.4-1.diff.gz + + spawn-fcgi_1.6.4-1.dsc +- Dropped: + + spawn-fcgi-1.6.3.tar.bz2 + + spawn-fcgi_1.6.3.orig.tar.gz + + spawn-fcgi_1.6.3-1.1~backport1.diff.gz + + spawn-fcgi_1.6.3-1.1~backport1.dsc + +------------------------------------------------------------------- Old: ---- spawn-fcgi-1.6.3.tar.bz2 spawn-fcgi_1.6.3-1.1~backport1.diff.gz spawn-fcgi_1.6.3-1.1~backport1.dsc spawn-fcgi_1.6.3.orig.tar.gz New: ---- spawn-fcgi-1.6.4.tar.bz2 spawn-fcgi_1.6.4-1.diff.gz spawn-fcgi_1.6.4-1.dsc spawn-fcgi_1.6.4.orig.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spawn-fcgi.spec ++++++ --- /var/tmp/diff_new_pack.UECb8w/_old 2015-01-23 15:47:44.000000000 +0100 +++ /var/tmp/diff_new_pack.UECb8w/_new 2015-01-23 15:47:44.000000000 +0100 @@ -17,7 +17,7 @@ Name: spawn-fcgi -Version: 1.6.3 +Version: 1.6.4 Release: 0 Summary: Spawn FastCGI applications independent of the webserver License: BSD-3-Clause 
@@ -27,7 +27,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # Url: http://redmine.lighttpd.net/projects/spawn-fcgi/ -Source: http://www.lighttpd.net/download/spawn-fcgi-%{pkg_version}.tar.bz2 +Source: http://www.lighttpd.net/download/spawn-fcgi-%{version}.tar.bz2 # %description ++++++ spawn-fcgi-1.6.3.tar.bz2 -> spawn-fcgi-1.6.4.tar.bz2 ++++++ ++++ 7548 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/CMakeLists.txt new/spawn-fcgi-1.6.4/CMakeLists.txt --- old/spawn-fcgi-1.6.3/CMakeLists.txt 2009-04-18 14:23:25.000000000 +0200 +++ new/spawn-fcgi-1.6.4/CMakeLists.txt 2009-09-23 16:30:15.000000000 +0200 @@ -4,7 +4,7 @@ PROJECT(spawn-fcgi) SET(PACKAGE_NAME ${CMAKE_PROJECT_NAME}) -SET(PACKAGE_VERSION 1.6.3) +SET(PACKAGE_VERSION 1.6.4) SET(CMAKE_MAN_DIR "share/man" CACHE STRING "Install location for man pages (relative to prefix).") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/NEWS new/spawn-fcgi-1.6.4/NEWS --- old/spawn-fcgi-1.6.3/NEWS 2009-09-23 14:27:48.000000000 +0200 +++ new/spawn-fcgi-1.6.4/NEWS 2014-06-05 13:22:06.000000000 +0200 
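Review bot: The rewritten `Source:` line still fetches the tarball over plain `http://`, and nothing in this hunk pairs it with a signature or checksum. The integrity of the 1.6.4 archive therefore rests on whatever the build service checks outside this file, which is not visible here. If upstream offers the download over HTTPS, switch the scheme on `Source:` and on the `Url:` line above it. If upstream publishes detached signatures, add the signature as an additional source so the archive is verified at build time.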
@@ -3,10 +3,21 @@ NEWS ==== -- 1.6.3 - +- 1.6.4 - 2014-06-05 + * Use octal mode for -M (patch by dfjoerg) + * Add -b backlog option (fixes #2422, patch by aschmitz) + * Restrict Unix socket file ownership by default to ug=rw + * Add example apparmor spawn-fcgi abstraction + * Use autoreconf instead of calling tools manually + * Add more flags to extra-warning flags + * Check return values of setuid, setgid, setgroups, initgroups, write + * Check whether compiler supports wanted CFLAGS (fixes #2235) + * Fix resource leaks in failure cases (found with coverity) + +- 1.6.3 - 2009-09-23 * Fix unix socket mode change to work without specifying user/group for socket * Add some ./run script examples for use with daemontools or runit - * Fix Invalid Argument in chmod if mode=-1 (fixes 2033) + * Fix Invalid Argument in chmod if mode=-1 (fixes #2033) * Add deprecated and /bin/sh info for -f option; wrap syntax output (fixes #2044) * Add run script examples in automake dist build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/autogen.sh new/spawn-fcgi-1.6.4/autogen.sh --- old/spawn-fcgi-1.6.3/autogen.sh 2009-02-06 21:16:05.000000000 +0100 +++ new/spawn-fcgi-1.6.4/autogen.sh 2014-06-01 18:07:05.000000000 +0200 
@@ -1,24 +1,12 @@ #!/bin/sh # Run this to generate all the initial makefiles, etc. -ACLOCAL=${ACLOCAL:-aclocal} -AUTOHEADER=${AUTOHEADER:-autoheader} -AUTOMAKE=${AUTOMAKE:-automake} -AUTOMAKE_FLAGS="--add-missing --copy" -AUTOCONF=${AUTOCONF:-autoconf} - -ARGV0=$0 - set -e +if [ ! -f configure.ac -o ! -f COPYING ]; then + echo "Doesn't look like you're in the source directory" >&2 + exit 1 +fi -run() { - echo "$ARGV0: running \`$@'" - $@ -} - -run $ACLOCAL $ACLOCAL_FLAGS -run $AUTOHEADER -run $AUTOMAKE $AUTOMAKE_FLAGS -run $AUTOCONF +autoreconf --force --install echo "Now type './configure ...' and 'make' to compile." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/compile new/spawn-fcgi-1.6.4/compile --- old/spawn-fcgi-1.6.3/compile 1970-01-01 01:00:00.000000000 +0100 +++ new/spawn-fcgi-1.6.4/compile 2014-06-05 13:51:39.000000000 +0200 
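Review bot: The new guard `if [ ! -f configure.ac -o ! -f COPYING ]; then` uses the `-o` operator inside `[ ]`, which POSIX marks as obsolescent and which can parse ambiguously depending on the operands. Since the script runs under `#!/bin/sh`, the portable spelling is `if [ ! -f configure.ac ] || [ ! -f COPYING ]; then`. Behaviour is otherwise unchanged.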
@@ -0,0 +1,347 @@ +#! /bin/sh +# Wrapper for compilers which do not understand '-c -o'. + +scriptversion=2012-10-14.11; # UTC + +# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Written by Tom Tromey <[email protected]>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <[email protected]> or send patches to +# <[email protected]>. + +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. 
+func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f "$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... +# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. 
+ eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: compile [--help] [--version] PROGRAM [ARGS] + +Wrapper for compilers which do not understand '-c -o'. +Remove '-o dest.o' from ARGS, run PROGRAM with the remaining +arguments, and rename the output as expected. + +If you are trying to build a whole package this is not the +right script to run: please start by reading the file 'INSTALL'. + +Report bugs to <[email protected]>. +EOF + exit $? + ;; + -v | --v*) + echo "compile $scriptversion" + exit $? + ;; + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + func_cl_wrapper "$@" # Doesn't return... 
+ ;; +esac + +ofile= +cfile= + +for arg +do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + # So we strip '-o arg' only if arg is an object. + eat=1 + case $2 in + *.o | *.obj) + ofile=$2 + ;; + *) + set x "$@" -o "$2" + shift + ;; + esac + ;; + *.c) + cfile=$1 + set x "$@" "$1" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift +done + +if test -z "$ofile" || test -z "$cfile"; then + # If no '-o' option was seen then we might have been invoked from a + # pattern rule where we don't need one. That is ok -- this is a + # normal compilation that the losing compiler can handle. If no + # '.c' file was seen then we are probably linking. That is also + # ok. + exec "$@" +fi + +# Name of file we expect compiler to create. +cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` + +# Create the lock directory. +# Note: use '[/\\:.-]' here to ensure that we don't use the same name +# that we are using for the .o file. Also, base the name on the expected +# object file name, since that is what matters with a parallel build. +lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d +while true; do + if mkdir "$lockdir" >/dev/null 2>&1; then + break + fi + sleep 1 +done +# FIXME: race condition here if user kills between mkdir and trap. +trap "rmdir '$lockdir'; exit 1" 1 2 15 + +# Run the compile. +"$@" +ret=$? 
+ +if test -f "$cofile"; then + test "$cofile" = "$ofile" || mv "$cofile" "$ofile" +elif test -f "${cofile}bj"; then + test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" +fi + +rmdir "$lockdir" +exit $ret + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/configure.ac new/spawn-fcgi-1.6.4/configure.ac --- old/spawn-fcgi-1.6.3/configure.ac 2009-09-23 14:14:58.000000000 +0200 +++ new/spawn-fcgi-1.6.4/configure.ac 2014-06-02 12:16:49.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([spawn-fcgi],[1.6.3]) +AC_INIT([spawn-fcgi],[1.6.4]) AC_CONFIG_SRCDIR([src/spawn-fcgi.c]) AC_CONFIG_HEADER([config.h]) @@ -12,6 +12,25 @@ AC_PROG_CC AC_PROG_MAKE_SET +dnl @synopsis TRY_CFLAGS [compiler flags] +dnl @summary check whether C compiler supports given flags and adds them to CFLAGS +AC_DEFUN([TRY_CFLAGS], +[dnl + AC_MSG_CHECKING([if $CC supports $1]) + AC_LANG_PUSH([C]) + ac_try_cflags_saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} $1" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_ERROR([no]) + # options not supported, remove them: + CFLAGS="${ac_try_cflags_saved_cflags}" + ] + ) + AC_LANG_POP([C]) +]) + # Checks for libraries. # Checks for header files. 
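Review bot: In the new `TRY_CFLAGS` macro in configure.ac, the failure branch calls `AC_MSG_ERROR([no])`, which aborts configure. The `CFLAGS="${ac_try_cflags_saved_cflags}"` restore after it is never reached, so an unsupported flag stops the build instead of being dropped as the comment `# options not supported, remove them:` says. If the intent is to probe and fall back, the branch should start with `AC_MSG_RESULT([no])` and then restore `CFLAGS`. The probe also only compiles an empty program, so a linker option such as `-Wl,--as-needed`, which a later hunk passes through this macro, is probably not exercised; that would need a link test.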
@@ -47,8 +66,8 @@ # Check for IPv6 support AC_ARG_ENABLE(ipv6, - AC_HELP_STRING([--disable-ipv6],[disable IPv6 support]), - [case "${enableval}" in + AC_HELP_STRING([--disable-ipv6],[disable IPv6 support]), + [case "${enableval}" in yes) ipv6=true ;; no) ipv6=false ;; *) AC_MSG_ERROR(bad value ${enableval} for --enable-ipv6) ;; @@ -56,10 +75,13 @@ if test x$ipv6 = xtrue; then AC_CACHE_CHECK([for IPv6 support], ac_cv_ipv6_support, - [AC_TRY_LINK([ #include <sys/types.h> + [AC_TRY_LINK([[ +#include <sys/types.h> #include <sys/socket.h> -#include <netinet/in.h>], [struct sockaddr_in6 s; struct in6_addr t=in6addr_any; int i=AF_INET6; s; t.s6_addr[0] = 0; ], - [ac_cv_ipv6_support=yes], [ac_cv_ipv6_support=no])]) +#include <netinet/in.h> + ]], [[ +struct sockaddr_in6 s; struct in6_addr t=in6addr_any; int i=AF_INET6; s; t.s6_addr[0] = 0; + ]], [ac_cv_ipv6_support=yes], [ac_cv_ipv6_support=no])]) if test "$ac_cv_ipv6_support" = yes; then AC_DEFINE(HAVE_IPV6,1,[Whether to enable IPv6 support]) @@ -69,7 +91,8 @@ # check for extra compiler options (warning options) if test "${GCC}" = "yes"; then - CFLAGS="${CFLAGS} -Wall -W -Wshadow -pedantic -std=gnu99" + TRY_CFLAGS([-Wall -W -Wshadow -pedantic]) + TRY_CFLAGS([-std=gnu99]) fi AC_ARG_ENABLE(extra-warnings, 
@@ -81,7 +104,7 @@ esac],[extrawarnings=false]) if test x$extrawarnings = xtrue; then - CFLAGS="${CFLAGS} -g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -Wformat-security" + TRY_CFLAGS([-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security]) fi AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/doc/Makefile.am new/spawn-fcgi-1.6.4/doc/Makefile.am --- old/spawn-fcgi-1.6.3/doc/Makefile.am 2009-09-23 14:01:42.000000000 +0200 +++ new/spawn-fcgi-1.6.4/doc/Makefile.am 2014-06-01 13:17:36.000000000 +0200 @@ -1 +1 @@ -EXTRA_DIST=run-generic run-php run-rails +EXTRA_DIST=run-generic run-php run-rails apparmor.d-abstractions-spawn-fcgi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/doc/apparmor.d-abstractions-spawn-fcgi new/spawn-fcgi-1.6.4/doc/apparmor.d-abstractions-spawn-fcgi --- old/spawn-fcgi-1.6.3/doc/apparmor.d-abstractions-spawn-fcgi 1970-01-01 01:00:00.000000000 +0100 +++ new/spawn-fcgi-1.6.4/doc/apparmor.d-abstractions-spawn-fcgi 2014-06-05 13:04:50.000000000 +0200 
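Review bot: The hardening options added in this configure.ac hunk (`-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security`) only take effect inside `if test x$extrawarnings = xtrue`. A default build of a tool that, per the changelog, calls setuid/setgid/setgroups gets none of them. They are also handed to `TRY_CFLAGS` as one string, so a compiler that rejects any single option rejects the whole set; one call per option, for example `TRY_CFLAGS([-fstack-protector --param=ssp-buffer-size=4])`, would degrade more gracefully. Consider moving the hardening flags out of the warnings switch, with `-D_FORTIFY_SOURCE=2` in CPPFLAGS and `-Wl,--as-needed` in LDFLAGS rather than CFLAGS. The src/CMakeLists.txt hunk adds the same flag string under `BUILD_EXTRA_WARNINGS` and has the same opt-in problem.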
@@ -0,0 +1,51 @@ +# /etc/apparmor.d/abstractions/spawn-fcgi +# +# a (nested) spawn-fcgi profile should include this abstraction +# and a rule to execute the FastCGI application itself +# +# Example for runit (or daemontools) service "foo" starting php: +# +# #include <tunables/global> +# /etc/sv/foo/run { +# #include <abstractions/base> +# /bin/dash ix, +# /etc/sv/foo/run r, +# +# # spawn-fcgi + alternatives handling in debian +# /usr/bin/spawn-fcgi* px -> /etc/sv/foo/run//spawn-fcgi, +# +# profile spawn-fcgi { +# #include <abstractions/spawn-fcgi> +# /usr/bin/php5-cgi px -> /etc/sv/foo/run//php, +# } +# +# profile php { +# #include <abstractions/base> +# #include <abstractions/php5> +# /var/www/** r, +# } +# } + + +#include <abstractions/base> +#include <abstractions/nameservice> + +capability net_bind_service, +capability setgid, +capability setuid, +capability chown, +capability dac_override, + +network inet stream, +network inet6 stream, +network inet dgram, +network inet6 dgram, + +# if the binary is compiled with hardening options it might try to make a +# previously writable mmapped area readonly (RELRO, mprotect PROT_READ), which +# requires additional permissions in AppArmor. +# more permissions -> more secure, obviously. +# again match standard location + debian alternatives: +/usr/bin/spawn-fcgi* r, + +/{,var/}run/*.sock rw, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/missing new/spawn-fcgi-1.6.4/missing --- old/spawn-fcgi-1.6.3/missing 2009-09-23 14:14:11.000000000 +0200 +++ new/spawn-fcgi-1.6.4/missing 2014-06-05 13:51:39.000000000 +0200 
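Review bot: The new abstraction gives every profile that includes it `capability dac_override,` and `/{,var/}run/*.sock rw,`. Both are broader than a socket spawner appears to need: dac_override bypasses file permission checks altogether, and the glob matches any socket file directly under /run, not only the one the service creates. Because this is an example that will be copied, it would be safer to drop both lines from the shared abstraction and let each service profile, like the nested `profile spawn-fcgi { ... }` in the header comment, list its own socket path and add dac_override only where it is shown to be required. The comment `# more permissions -> more secure, obviously.` reads as sarcasm and could be taken literally. I would replace it with a plain sentence saying which rule the RELRO/mprotect case depends on.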
@@ -1,11 +1,10 @@ #! /bin/sh -# Common stub for a few missing GNU programs while installing. +# Common wrapper for a few potentially missing GNU programs. -scriptversion=2009-04-28.21; # UTC +scriptversion=2013-10-28.13; # UTC -# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006, -# 2008, 2009 Free Software Foundation, Inc. -# Originally by Fran,cois Pinard <[email protected]>, 1996. +# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -26,69 +25,40 @@ # the same distribution terms that you use for the rest of that program. if test $# -eq 0; then - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "Try '$0 --help' for more information" exit 1 fi -run=: -sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' -sed_minuso='s/.* -o \([^ ]*\).*/\1/p' - -# In the cases where this matters, `missing' is being run in the -# srcdir already. -if test -f configure.ac; then - configure_ac=configure.ac -else - configure_ac=configure.in -fi +case $1 in -msg="missing on your system" + --is-lightweight) + # Used by our autoconf macros to check whether the available missing + # script is modern enough. + exit 0 + ;; -case $1 in ---run) - # Try to run requested program, and just exit if it succeeds. - run= - shift - "$@" && exit 0 - # Exit code 63 means version mismatch. This often happens - # when the user try to use an ancient version of a tool on - # a file that requires a minimum version. In this case we - # we should proceed has if the program had been absent, or - # if --run hadn't been passed. - if test $? = 63; then - run=: - msg="probably too old" - fi - ;; + --run) + # Back-compat with the calling convention used by older automake. + shift + ;; -h|--h|--he|--hel|--help) echo "\ $0 [OPTION]... PROGRAM [ARGUMENT]... -Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an -error status if there is no known handling for PROGRAM. +Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due +to PROGRAM being missing or too old. 
Options: -h, --help display this help and exit -v, --version output version information and exit - --run try to run the given command, and emulate it if it fails Supported PROGRAM values: - aclocal touch file \`aclocal.m4' - autoconf touch file \`configure' - autoheader touch file \`config.h.in' - autom4te touch the output file, or create a stub one - automake touch all \`Makefile.in' files - bison create \`y.tab.[ch]', if possible, from existing .[ch] - flex create \`lex.yy.c', if possible, from existing .c - help2man touch the output file - lex create \`lex.yy.c', if possible, from existing .c - makeinfo touch the output file - tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch] + aclocal autoconf autoheader autom4te automake makeinfo + bison yacc flex lex help2man -Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and -\`g' are ignored when checking the name. +Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and +'g' are ignored when checking the name. Send bug reports to <[email protected]>." exit $? 
@@ -100,272 +70,141 @@ ;; -*) - echo 1>&2 "$0: Unknown \`$1' option" - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "$0: unknown '$1' option" + echo 1>&2 "Try '$0 --help' for more information" exit 1 ;; esac -# normalize program name to check for. -program=`echo "$1" | sed ' - s/^gnu-//; t - s/^gnu//; t - s/^g//; t'` - -# Now exit if we have it, but it failed. Also exit now if we -# don't have it and --version was passed (most likely to detect -# the program). This is about non-GNU programs, so use $1 not -# $program. -case $1 in - lex*|yacc*) - # Not GNU programs, they don't have --version. - ;; - - tar*) - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - exit 1 - fi - ;; +# Run the given program, remember its exit status. +"$@"; st=$? - *) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - # Could not run --version or --help. This is probably someone - # running `$TOOL --version' or `$TOOL --help' to check whether - # $TOOL exists and not knowing $TOOL uses missing. - exit 1 - fi - ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case $program in - aclocal*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acinclude.m4' or \`${configure_ac}'. You might want - to install the \`Automake' and \`Perl' packages. Grab them from - any GNU archive site." - touch aclocal.m4 - ;; - - autoconf*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`${configure_ac}'. You might want to install the - \`Autoconf' and \`GNU m4' packages. Grab them from any GNU - archive site." - touch configure - ;; - - autoheader*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acconfig.h' or \`${configure_ac}'. 
You might want - to install the \`Autoconf' and \`GNU m4' packages. Grab them - from any GNU archive site." - files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}` - test -z "$files" && files="config.h" - touch_files= - for f in $files; do - case $f in - *:*) touch_files="$touch_files "`echo "$f" | - sed -e 's/^[^:]*://' -e 's/:.*//'`;; - *) touch_files="$touch_files $f.in";; - esac - done - touch $touch_files - ;; - - automake*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. - You might want to install the \`Automake' and \`Perl' packages. - Grab them from any GNU archive site." - find . -type f -name Makefile.am -print | - sed 's/\.am$/.in/' | - while read f; do touch "$f"; done - ;; +# If it succeeded, we are done. +test $st -eq 0 && exit 0 - autom4te*) - echo 1>&2 "\ -WARNING: \`$1' is needed, but is $msg. - You might have modified some files without having the - proper tools for further handling them. - You can get \`$1' as part of \`Autoconf' from any GNU - archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo "#! /bin/sh" - echo "# Created by GNU Automake missing as a replacement of" - echo "# $ $@" - echo "exit 0" - chmod +x $file - exit 1 - fi - ;; - - bison*|yacc*) - echo 1>&2 "\ -WARNING: \`$1' $msg. You should only need it if - you modified a \`.y' file. You may need the \`Bison' package - in order for those modifications to take effect. You can get - \`Bison' from any GNU archive site." 
- rm -f y.tab.c y.tab.h - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.y) - SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.c - fi - SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.h - fi - ;; - esac - fi - if test ! -f y.tab.h; then - echo >y.tab.h - fi - if test ! -f y.tab.c; then - echo 'main() { return 0; }' >y.tab.c - fi - ;; - - lex*|flex*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.l' file. You may need the \`Flex' package - in order for those modifications to take effect. You can get - \`Flex' from any GNU archive site." - rm -f lex.yy.c - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.l) - SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" lex.yy.c - fi - ;; - esac - fi - if test ! -f lex.yy.c; then - echo 'main() { return 0; }' >lex.yy.c - fi - ;; - - help2man*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a dependency of a manual page. You may need the - \`Help2man' package in order for those modifications to take - effect. You can get \`Help2man' from any GNU archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo ".ab help2man is required to generate this page" - exit $? - fi - ;; - - makeinfo*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.texi' or \`.texinfo' file, or any other file - indirectly affecting the aspect of the manual. The spurious - call might also be the consequence of using a buggy \`make' (AIX, - DU, IRIX). You might want to install the \`Texinfo' package or - the \`GNU make' package. Grab either from any GNU archive site." - # The file to touch is that specified with -o ... 
- file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -z "$file"; then - # ... or it is the one specified with @setfilename ... - infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n ' - /^@setfilename/{ - s/.* \([^ ]*\) *$/\1/ - p - q - }' $infile` - # ... or it is derived from the source name (dir/f.texi becomes f.info) - test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info - fi - # If the file does not exist, the user really needs makeinfo; - # let's fail without touching anything. - test -f $file || exit 1 - touch $file - ;; - - tar*) - shift - - # We have already tried tar in the generic part. - # Look for gnutar/gtar before invocation to avoid ugly error - # messages. - if (gnutar --version > /dev/null 2>&1); then - gnutar "$@" && exit 0 - fi - if (gtar --version > /dev/null 2>&1); then - gtar "$@" && exit 0 - fi - firstarg="$1" - if shift; then - case $firstarg in - *o*) - firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - case $firstarg in - *h*) - firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - fi - - echo 1>&2 "\ -WARNING: I can't seem to be able to run \`tar' with the given arguments. - You may want to install GNU tar or Free paxutils, or check the - command line arguments." - exit 1 - ;; - - *) - echo 1>&2 "\ -WARNING: \`$1' is needed, and is $msg. - You might have modified some files without having the - proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequisites for installing - this package. You may also peek at any GNU archive site, in case - some other package would contain this missing \`$1' program." - exit 1 - ;; -esac +# Also exit now if we it failed (or wasn't found), and '--version' was +# passed; such an option is passed most likely to detect whether the +# program is present and works. 
+case $2 in --version|--help) exit $st;; esac + +# Exit code 63 means version mismatch. This often happens when the user +# tries to use an ancient version of a tool on a file that requires a +# minimum version. +if test $st -eq 63; then + msg="probably too old" +elif test $st -eq 127; then + # Program was missing. + msg="missing on your system" +else + # Program was found and executed, but failed. Give up. + exit $st +fi -exit 0 +perl_URL=http://www.perl.org/ +flex_URL=http://flex.sourceforge.net/ +gnu_software_URL=http://www.gnu.org/software + +program_details () +{ + case $1 in + aclocal|automake) + echo "The '$1' program is part of the GNU Automake package:" + echo "<$gnu_software_URL/automake>" + echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/autoconf>" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + autoconf|autom4te|autoheader) + echo "The '$1' program is part of the GNU Autoconf package:" + echo "<$gnu_software_URL/autoconf/>" + echo "It also requires GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + esac +} + +give_advice () +{ + # Normalize program name to check for. + normalized_program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + + printf '%s\n' "'$1' is $msg." + + configure_deps="'configure.ac' or m4 files included by 'configure.ac'" + case $normalized_program in + autoconf*) + echo "You should only need it if you modified 'configure.ac'," + echo "or m4 files included by it." + program_details 'autoconf' + ;; + autoheader*) + echo "You should only need it if you modified 'acconfig.h' or" + echo "$configure_deps." + program_details 'autoheader' + ;; + automake*) + echo "You should only need it if you modified 'Makefile.am' or" + echo "$configure_deps." + program_details 'automake' + ;; + aclocal*) + echo "You should only need it if you modified 'acinclude.m4' or" + echo "$configure_deps." 
+ program_details 'aclocal' + ;; + autom4te*) + echo "You might have modified some maintainer files that require" + echo "the 'autom4te' program to be rebuilt." + program_details 'autom4te' + ;; + bison*|yacc*) + echo "You should only need it if you modified a '.y' file." + echo "You may want to install the GNU Bison package:" + echo "<$gnu_software_URL/bison/>" + ;; + lex*|flex*) + echo "You should only need it if you modified a '.l' file." + echo "You may want to install the Fast Lexical Analyzer package:" + echo "<$flex_URL>" + ;; + help2man*) + echo "You should only need it if you modified a dependency" \ + "of a man page." + echo "You may want to install the GNU Help2man package:" + echo "<$gnu_software_URL/help2man/>" + ;; + makeinfo*) + echo "You should only need it if you modified a '.texi' file, or" + echo "any other file indirectly affecting the aspect of the manual." + echo "You might want to install the Texinfo package:" + echo "<$gnu_software_URL/texinfo/>" + echo "The spurious makeinfo call might also be the consequence of" + echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might" + echo "want to install GNU make:" + echo "<$gnu_software_URL/make/>" + ;; + *) + echo "You might have modified some files without having the proper" + echo "tools for further handling them. Check the 'README' file, it" + echo "often tells you about the needed prerequisites for installing" + echo "this package. You may also peek at any GNU archive site, in" + echo "case some other package contains this missing '$1' program." + ;; + esac +} + +give_advice "$1" | sed -e '1s/^/WARNING: /' \ + -e '2,$s/^/ /' >&2 + +# Propagate the correct exit status (expected to be 127 for a program +# not found, 63 for a program that failed due to version mismatch). 
+exit $st # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/spawn-fcgi.1 new/spawn-fcgi-1.6.4/spawn-fcgi.1 --- old/spawn-fcgi-1.6.3/spawn-fcgi.1 2009-03-29 18:33:18.000000000 +0200 +++ new/spawn-fcgi-1.6.4/spawn-fcgi.1 2014-06-01 13:08:09.000000000 +0200 @@ -1,4 +1,4 @@ -.TH spawn-fcgi 1 "26 March 2009" +.TH spawn-fcgi 1 "21 November 2012" . .SH NAME . @@ -69,6 +69,12 @@ .BR multiwatch(1) if you want to supervise multiple forks on the same socket. .TP 8 +.B \-b <backlog> +backlog to allow on the socket (default 1024). This is usually limited by the kernel too, +check sysctl net.core.somaxconn (default 128) for linux. +.IP +backlog is the queue of connections that the kernel accepts before the userspace application sees them. +.TP 8 .B \-P <path> Name of the PID file for spawned processes (ignored in no-fork mode) .TP 8 
@@ -76,7 +82,8 @@ No forking should take place (for daemontools) .TP 8 .B \-M <mode> -Change file mode of the Unix domain socket; only used if \-s is given too. +Change file mode of the Unix domain socket (octal integer); only used if \-s is given too. +Defaults to read+write for user and group (0660) as far as the umask allows it. .TP 8 .B \-?, \-h General usage instructions diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/src/CMakeLists.txt new/spawn-fcgi-1.6.4/src/CMakeLists.txt --- old/spawn-fcgi-1.6.3/src/CMakeLists.txt 2009-06-03 18:50:25.000000000 +0200 +++ new/spawn-fcgi-1.6.4/src/CMakeLists.txt 2014-06-01 18:07:37.000000000 +0200 
@@ -9,7 +9,7 @@ OPTION(BUILD_EXTRA_WARNINGS "extra warnings") IF(BUILD_EXTRA_WARNINGS) - SET(WARN_FLAGS "-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -Wformat-security") + SET(WARN_FLAGS "-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security") # -Wno-pointer-sign -Werror -Wbad-function-cast -Wmissing-prototypes ELSE(BUILD_EXTRA_WARNINGS) SET(WARN_FLAGS "") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/src/spawn-fcgi.c new/spawn-fcgi-1.6.4/src/spawn-fcgi.c --- old/spawn-fcgi-1.6.3/src/spawn-fcgi.c 2009-09-19 11:48:40.000000000 +0200 +++ new/spawn-fcgi-1.6.4/src/spawn-fcgi.c 2014-06-04 13:38:56.000000000 +0200 @@ -24,20 +24,6 @@ #define FCGI_LISTENSOCK_FILENO 0 -/* "sys-socket.h" */ -#ifdef __WIN32 - -# include <winsock2.h> - -# define ECONNRESET WSAECONNRESET -# define EINPROGRESS WSAEINPROGRESS -# define EALREADY WSAEALREADY -# define ECONNABORTED WSAECONNABORTED -# define ioctl ioctlsocket -# define hstrerror(x) "" - -#else /* _WIN32 */ - # include <sys/socket.h> # include <sys/ioctl.h> # include <netinet/in.h> @@ -47,9 +33,6 @@ # include <netdb.h> -#endif /* _WIN32 */ -/* end "sys-socket.h" */ - #ifdef HAVE_SYS_WAIT_H # include <sys/wait.h> #endif 
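Review bot: The hardening flags added to `WARN_FLAGS` (`-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4`) only apply when `BUILD_EXTRA_WARNINGS` is switched on, so a default CMake build ships without them. The configure.ac hunk at `@@ -81,7 +104,7 @@` gates them the same way, behind the extra-warnings switch. They are also appended here without any probe, whereas the autoconf side of this release now checks compiler support. I would move them out of the warning string into their own variable behind a separate option that defaults to ON, and test each with `check_c_compiler_flag` before appending it. The `IF`/`ELSE` block closes outside this hunk.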
@@ -79,7 +62,27 @@ #define CONST_STR_LEN(s) s, sizeof(s) - 1 -static int bind_socket(const char *addr, unsigned short port, const char *unixsocket, uid_t uid, gid_t gid, int mode) { +static mode_t read_umask(void) { + mode_t mask = umask(0); + umask(mask); + return mask; +} + +static ssize_t write_all(int fildes, const void *buf, size_t nbyte) { + size_t rem; + for (rem = nbyte; rem > 0;) { + ssize_t res = write(fildes, buf, rem); + if (-1 == res) { + if (EINTR != errno) return res; + } else { + buf = res + (char const*) buf; + rem -= res; + } + } + return nbyte; +} + +static int bind_socket(const char *addr, unsigned short port, const char *unixsocket, uid_t uid, gid_t gid, mode_t mode, int backlog) { int fcgi_fd, socket_type, val; struct sockaddr_un fcgi_addr_un; @@ -95,6 +98,8 @@ memset(&fcgi_addr_un, 0, sizeof(fcgi_addr_un)); fcgi_addr_un.sun_family = AF_UNIX; + /* already checked in main() */ + if (strlen(unixsocket) > sizeof(fcgi_addr_un.sun_path) - 1) return -1; strcpy(fcgi_addr_un.sun_path, unixsocket); #ifdef SUN_LEN @@ -127,6 +132,7 @@ break; default: fprintf(stderr, "spawn-fcgi: removing old socket failed: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } } @@ -180,15 +186,24 @@ val = 1; if (setsockopt(fcgi_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) { fprintf(stderr, "spawn-fcgi: couldn't set SO_REUSEADDR: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } if (-1 == bind(fcgi_fd, fcgi_addr, servlen)) { fprintf(stderr, "spawn-fcgi: bind failed: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } if (unixsocket) { + if (-1 == chmod(unixsocket, mode)) { + fprintf(stderr, "spawn-fcgi: couldn't chmod socket: %s\n", strerror(errno)); + close(fcgi_fd); + unlink(unixsocket); + return -1; + } + if (0 != uid || 0 != gid) { if (0 == uid) uid = -1; if (0 == gid) gid = -1; 
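Review bot: `write_all` in the `@@ -79,7 +62,27 @@` hunk can loop forever if `write()` returns 0 while `rem` is still non-zero, because the `else` branch then leaves `rem` unchanged. Treating a zero return as a failure keeps the loop bounded, for example `if (0 == res) { errno = EIO; return -1; }` ahead of the pointer advance. The helper would also benefit from a short comment such as `/* write the whole buffer, retrying on EINTR; returns nbyte or -1 */`, since the callers in later hunks compare its result only against -1.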
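Review bot: In the `@@ -180,15 +186,24 @@` hunk the socket file is created by `bind()` with whatever the process umask permits and is only narrowed by the `chmod(unixsocket, mode)` that follows, so for a short window the path can be more permissive than the new 0660 default. Tightening the umask around the `bind()` call, e.g. `mode_t old = umask(0777 & ~mode);` before and `umask(old);` after, would close that window, with the `chmod` kept as the final adjustment. Both `chmod` and the later ownership change act on the path rather than on the descriptor, which matters if the socket directory is writable by other users (not visible here). The body of `bind_socket` continues outside this hunk.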
@@ -199,17 +214,12 @@ return -1; } } - - if (-1 != mode && -1 == chmod(unixsocket, mode)) { - fprintf(stderr, "spawn-fcgi: couldn't chmod socket: %s\n", strerror(errno)); - close(fcgi_fd); - unlink(unixsocket); - return -1; - } } - if (-1 == listen(fcgi_fd, 1024)) { + if (-1 == listen(fcgi_fd, backlog)) { fprintf(stderr, "spawn-fcgi: listen failed: %s\n", strerror(errno)); + close(fcgi_fd); + if (unixsocket) unlink(unixsocket); return -1; } @@ -278,6 +288,8 @@ /* exec the cgi */ execl("/bin/sh", "sh", "-c", b, (char *)NULL); + + free(b); } /* in nofork mode stderr is still open */ @@ -301,16 +313,24 @@ fprintf(stdout, "spawn-fcgi: child spawned successfully: PID: %d\n", child); /* write pid file */ - if (pid_fd != -1) { + if (-1 != pid_fd) { /* assume a 32bit pid_t */ char pidbuf[12]; snprintf(pidbuf, sizeof(pidbuf) - 1, "%d", child); - write(pid_fd, pidbuf, strlen(pidbuf)); + if (-1 == write_all(pid_fd, pidbuf, strlen(pidbuf))) { + fprintf(stderr, "spawn-fcgi: writing pid file failed: %s\n", strerror(errno)); + close(pid_fd); + pid_fd = -1; + } /* avoid eol for the last one */ - if (fork_count != 0) { - write(pid_fd, "\n", 1); + if (-1 != pid_fd && fork_count != 0) { + if (-1 == write_all(pid_fd, "\n", 1)) { + fprintf(stderr, "spawn-fcgi: writing pid file failed: %s\n", strerror(errno)); + close(pid_fd); + pid_fd = -1; + } } } @@ -336,7 +356,10 @@ break; } } - close(pid_fd); + + if (-1 != pid_fd) { + close(pid_fd); + } close(fcgi_fd); @@ -404,14 +427,13 @@ } static void show_version () { - write(1, CONST_STR_LEN( - PACKAGE_DESC \ - "Build-Date: " __DATE__ " " __TIME__ "\n" + (void) write_all(1, CONST_STR_LEN( + PACKAGE_DESC )); } static void show_help () { - write(1, CONST_STR_LEN( + (void) write_all(1, CONST_STR_LEN( "Usage: spawn-fcgi [options] [-- <fcgiapp> [fcgi app arguments]]\n" \ "\n" \ PACKAGE_DESC \ 
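Review bot: When `write_all(pid_fd, ...)` fails in the `@@ -301,16 +313,24 @@` hunk, the code prints an error and closes `pid_fd`, but the child keeps running and whatever was already written stays in the PID file. A supervisor reading that file could then see a truncated or incomplete list of PIDs. I would at least add a comment at the failure branch, `/* pid file may now be incomplete; children keep running */`, and consider removing the file there if its path is in scope (the enclosing function starts and ends outside this hunk). The two identical error branches could also share one small helper.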
@@ -423,10 +445,12 @@ " -a <address> bind to IPv4/IPv6 address (defaults to 0.0.0.0)\n" \ " -p <port> bind to TCP-port\n" \ " -s <path> bind to Unix domain socket\n" \ - " -M <mode> change Unix domain socket mode\n" \ + " -M <mode> change Unix domain socket mode (octal integer, default: allow\n" \ + " read+write for user and group as far as umask allows it) \n" \ " -C <children> (PHP only) numbers of childs to spawn (default: not setting\n" \ " the PHP_FCGI_CHILDREN environment variable - PHP defaults to 0)\n" \ " -F <children> number of children to fork (default 1)\n" \ + " -b <backlog> backlog to allow on the socket (default 1024)\n" \ " -P <path> name of PID-file for spawned process (ignored in no-fork mode)\n" \ " -n no fork (for daemontools)\n" \ " -v show version\n" \ @@ -452,9 +476,10 @@ char **fcgi_app_argv = { NULL }; char *endptr = NULL; unsigned short port = 0; - int sockmode = -1; + mode_t sockmode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP) & ~read_umask(); int child_count = -1; int fork_count = 1; + int backlog = 1024; int i_am_root, o; int pid_fd = -1; int nofork = 0; @@ -469,7 +494,7 @@ i_am_root = (getuid() == 0); - while (-1 != (o = getopt(argc, argv, "c:d:f:g:?hna:p:u:vC:F:s:P:U:G:M:S"))) { + while (-1 != (o = getopt(argc, argv, "c:d:f:g:?hna:p:b:u:vC:F:s:P:U:G:M:S"))) { switch(o) { case 'f': fcgi_app = optarg; break; case 'd': fcgi_dir = optarg; break; @@ -482,6 +507,7 @@ break; case 'C': child_count = strtol(optarg, NULL, 10);/* */ break; case 'F': fork_count = strtol(optarg, NULL, 10);/* */ break; + case 'b': backlog = strtol(optarg, NULL, 10);/* */ break; case 's': unixsocket = optarg; /* unix-domain socket */ break; case 'c': if (i_am_root) { changeroot = optarg; }/* chroot() */ break; case 'u': if (i_am_root) { username = optarg; } /* set user */ break; 
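Review bot: The new `case 'b'` in the `@@ -482,6 +507,7 @@` hunk stores `strtol(optarg, NULL, 10)` directly in `int backlog`, and that value is later handed to `listen()` unchecked. Non-numeric input silently becomes 0, and negative values or values that do not fit an `int` are accepted. `endptr` is already declared in `main`, so the option can be parsed into a `long` with `&endptr`, rejected with a message when `*endptr` is not `'\0'` or the value falls outside 1..`INT_MAX`, and only then assigned. The neighbouring `-C` and `-F` cases use the same unchecked pattern; this commit leaves them unchanged.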
@@ -489,7 +515,7 @@ case 'U': if (i_am_root) { sockusername = optarg; } /* set socket user */ break; case 'G': if (i_am_root) { sockgroupname = optarg; } /* set socket group */ break; case 'S': if (i_am_root) { sockbeforechroot = 1; } /* open socket before chroot() */ break; - case 'M': sockmode = strtol(optarg, NULL, 0); /* set socket mode */ break; + case 'M': sockmode = strtol(optarg, NULL, 8); /* set socket mode */ break; case 'n': nofork = 1; break; case 'P': pid_file = optarg; /* PID file */ break; case 'v': show_version(); return 0; @@ -581,17 +607,26 @@ if (0 == sockuid) sockuid = uid; if (0 == sockgid) sockgid = gid; - if (sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode))) + if (sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode, backlog))) return -1; /* Change group before chroot, when we have access * to /etc/group */ if (gid != 0) { - setgid(gid); - setgroups(0, NULL); + if (-1 == setgid(gid)) { + fprintf(stderr, "spawn-fcgi: setgid(%i) failed: %s\n", (int) gid, strerror(errno)); + return -1; + } + if (-1 == setgroups(0, NULL)) { + fprintf(stderr, "spawn-fcgi: setgroups(0, NULL) failed: %s\n", strerror(errno)); + return -1; + } if (real_username) { - initgroups(real_username, gid); + if (-1 == initgroups(real_username, gid)) { + fprintf(stderr, "spawn-fcgi: initgroups('%s', %i) failed: %s\n", real_username, (int) gid, strerror(errno)); + return -1; + } } } 
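Review bot: `case 'M'` now parses with `strtol(optarg, NULL, 8)` but still has no error check, and because `sockmode` is a `mode_t` with no -1 sentinel any more, the result always reaches `chmod()` on the socket. Input such as `rw` yields mode 0, `0660x` is silently cut at the `x`, and a negative or oversized value is converted to `mode_t` without complaint. I would parse with `&endptr` (already declared in `main`), reject trailing characters, and reject any value with bits outside the permission mask before assigning, for example `if (*endptr || v < 0 || (v & ~07777L)) { ... return -1; }`. The `switch` continues outside this hunk.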
@@ -606,15 +641,18 @@ } } - if (!sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode))) + if (!sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode, backlog))) return -1; /* drop root privs */ if (uid != 0) { - setuid(uid); + if (-1 == setuid(uid)) { + fprintf(stderr, "spawn-fcgi: setuid(%i) failed: %s\n", (int) uid, strerror(errno)); + return -1; + } } } else { - if (-1 == (fcgi_fd = bind_socket(addr, port, unixsocket, 0, 0, sockmode))) + if (-1 == (fcgi_fd = bind_socket(addr, port, unixsocket, 0, 0, sockmode, backlog))) return -1; } ++++++ spawn-fcgi_1.6.3-1.1~backport1.diff.gz -> spawn-fcgi_1.6.4-1.diff.gz ++++++ Files /work/SRC/openSUSE:Factory/spawn-fcgi/spawn-fcgi_1.6.3-1.1~backport1.diff.gz and /work/SRC/openSUSE:Factory/.spawn-fcgi.new/spawn-fcgi_1.6.4-1.diff.gz differ ++++++ spawn-fcgi_1.6.3-1.1~backport1.dsc -> spawn-fcgi_1.6.4-1.dsc ++++++ --- /work/SRC/openSUSE:Factory/spawn-fcgi/spawn-fcgi_1.6.3-1.1~backport1.dsc 2011-09-23 12:46:43.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.spawn-fcgi.new/spawn-fcgi_1.6.4-1.dsc 2015-01-23 15:47:43.000000000 +0100 
@@ -1,29 +1,12 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - Format: 1.0 Source: spawn-fcgi Binary: spawn-fcgi Architecture: any -Version: 1.6.3-1.1~backport1 +Version: 1.6.4-1 Maintainer: Jérémy Lal <[email protected]> Homepage: http://redmine.lighttpd.net/projects/spawn-fcgi Standards-Version: 3.8.3 Build-Depends: debhelper (>= 5.0.0) -Checksums-Sha1: - 2b97ea57d9d79745fe8d6051d830fa507b421169 97921 spawn-fcgi_1.6.3.orig.tar.gz - e2acbb1992ec9205d41c6590e176552c37a6841b 3266 spawn-fcgi_1.6.3-1.1~backport1.diff.gz -Checksums-Sha256: - 7507a822995731629149040ee5686279b7582ae46f0296efd64b542ef052a90e 97921 spawn-fcgi_1.6.3.orig.tar.gz - 673aeb89983f45745a62c31bd0ffdadff97cc5a553ff56844fc89dae0d1d3437 3266 spawn-fcgi_1.6.3-1.1~backport1.diff.gz -Files: - 6d75f9e9435056fa1e574d836d823cd0 97921 spawn-fcgi_1.6.3.orig.tar.gz - 42714226442c9be2f1cfdcc5470aec2e 3266 spawn-fcgi_1.6.3-1.1~backport1.diff.gz - ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.10 (GNU/Linux) - -iEYEARECAAYFAkt0OSkACgkQgBIc0keWidiGrwCfcFAwjKZlHeRFsk+W9BF+R1wn -pqMAnjuDnLmbZOkCQ5z3A0OYVYoG0oHp -=2dku ------END PGP SIGNATURE----- +Files: + b92332c716b08ed0c8a207cafdb72c7e 112601 spawn-fcgi_1.6.4.orig.tar.gz + 0c9f24adb5628eb6d801b43607b1341f 3900 spawn-fcgi_1.6.4-1.diff.gz ++++++ spawn-fcgi_1.6.3.orig.tar.gz -> spawn-fcgi_1.6.4.orig.tar.gz ++++++ ++++ 7548 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/CMakeLists.txt new/spawn-fcgi-1.6.4/CMakeLists.txt --- old/spawn-fcgi-1.6.3/CMakeLists.txt 2009-04-18 14:23:25.000000000 +0200 +++ new/spawn-fcgi-1.6.4/CMakeLists.txt 2009-09-23 16:30:15.000000000 +0200 
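Review bot: The new `.dsc` drops the PGP clearsign wrapper and the `Checksums-Sha1` and `Checksums-Sha256` sections, leaving only the MD5 sums under `Files:` to describe `spawn-fcgi_1.6.4.orig.tar.gz` and `spawn-fcgi_1.6.4-1.diff.gz`. Nothing in the file now authenticates its origin, and only MD5 ties it to the two archives. If the file stays in the package, I would regenerate it so that it carries a `Checksums-Sha256` section and is signed (for example with `debsign`). Failing that, the packaging step should verify the upstream tarball against a separately published signature or SHA-256 digest.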
@@ -4,7 +4,7 @@ PROJECT(spawn-fcgi) SET(PACKAGE_NAME ${CMAKE_PROJECT_NAME}) -SET(PACKAGE_VERSION 1.6.3) +SET(PACKAGE_VERSION 1.6.4) SET(CMAKE_MAN_DIR "share/man" CACHE STRING "Install location for man pages (relative to prefix).") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/NEWS new/spawn-fcgi-1.6.4/NEWS --- old/spawn-fcgi-1.6.3/NEWS 2009-09-23 14:27:48.000000000 +0200 +++ new/spawn-fcgi-1.6.4/NEWS 2014-06-05 13:22:06.000000000 +0200 
@@ -3,10 +3,21 @@ NEWS ==== -- 1.6.3 - +- 1.6.4 - 2014-06-05 + * Use octal mode for -M (patch by dfjoerg) + * Add -b backlog option (fixes #2422, patch by aschmitz) + * Restrict Unix socket file ownership by default to ug=rw + * Add example apparmor spawn-fcgi abstraction + * Use autoreconf instead of calling tools manually + * Add more flags to extra-warning flags + * Check return values of setuid, setgid, setgroups, initgroups, write + * Check whether compiler supports wanted CFLAGS (fixes #2235) + * Fix resource leaks in failure cases (found with coverity) + +- 1.6.3 - 2009-09-23 * Fix unix socket mode change to work without specifying user/group for socket * Add some ./run script examples for use with daemontools or runit - * Fix Invalid Argument in chmod if mode=-1 (fixes 2033) + * Fix Invalid Argument in chmod if mode=-1 (fixes #2033) * Add deprecated and /bin/sh info for -f option; wrap syntax output (fixes #2044) * Add run script examples in automake dist build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/autogen.sh new/spawn-fcgi-1.6.4/autogen.sh --- old/spawn-fcgi-1.6.3/autogen.sh 2009-02-06 21:16:05.000000000 +0100 +++ new/spawn-fcgi-1.6.4/autogen.sh 2014-06-01 18:07:05.000000000 +0200 
@@ -1,24 +1,12 @@ #!/bin/sh # Run this to generate all the initial makefiles, etc. -ACLOCAL=${ACLOCAL:-aclocal} -AUTOHEADER=${AUTOHEADER:-autoheader} -AUTOMAKE=${AUTOMAKE:-automake} -AUTOMAKE_FLAGS="--add-missing --copy" -AUTOCONF=${AUTOCONF:-autoconf} - -ARGV0=$0 - set -e +if [ ! -f configure.ac -o ! -f COPYING ]; then + echo "Doesn't look like you're in the source directory" >&2 + exit 1 +fi -run() { - echo "$ARGV0: running \`$@'" - $@ -} - -run $ACLOCAL $ACLOCAL_FLAGS -run $AUTOHEADER -run $AUTOMAKE $AUTOMAKE_FLAGS -run $AUTOCONF +autoreconf --force --install echo "Now type './configure ...' and 'make' to compile." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/compile new/spawn-fcgi-1.6.4/compile --- old/spawn-fcgi-1.6.3/compile 1970-01-01 01:00:00.000000000 +0100 +++ new/spawn-fcgi-1.6.4/compile 2014-06-05 13:51:39.000000000 +0200 
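Review bot: The new guard `[ ! -f configure.ac -o ! -f COPYING ]` uses the `-o` operator of `test`, which POSIX marks as obsolescent and which can be parsed ambiguously. `if [ ! -f configure.ac ] || [ ! -f COPYING ]; then` is the portable spelling. The check looks at the current directory rather than the script's own location, so a comment such as `# must be run from the top of the source tree` above it would make the expectation explicit.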
@@ -0,0 +1,347 @@ +#! /bin/sh +# Wrapper for compilers which do not understand '-c -o'. + +scriptversion=2012-10-14.11; # UTC + +# Copyright (C) 1999-2013 Free Software Foundation, Inc. +# Written by Tom Tromey <[email protected]>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to <[email protected]> or send patches to +# <[email protected]>. + +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. 
+func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f "$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... +# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. 
+ eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: compile [--help] [--version] PROGRAM [ARGS] + +Wrapper for compilers which do not understand '-c -o'. +Remove '-o dest.o' from ARGS, run PROGRAM with the remaining +arguments, and rename the output as expected. + +If you are trying to build a whole package this is not the +right script to run: please start by reading the file 'INSTALL'. + +Report bugs to <[email protected]>. +EOF + exit $? + ;; + -v | --v*) + echo "compile $scriptversion" + exit $? + ;; + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + func_cl_wrapper "$@" # Doesn't return... 
+ ;; +esac + +ofile= +cfile= + +for arg +do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + # So we strip '-o arg' only if arg is an object. + eat=1 + case $2 in + *.o | *.obj) + ofile=$2 + ;; + *) + set x "$@" -o "$2" + shift + ;; + esac + ;; + *.c) + cfile=$1 + set x "$@" "$1" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift +done + +if test -z "$ofile" || test -z "$cfile"; then + # If no '-o' option was seen then we might have been invoked from a + # pattern rule where we don't need one. That is ok -- this is a + # normal compilation that the losing compiler can handle. If no + # '.c' file was seen then we are probably linking. That is also + # ok. + exec "$@" +fi + +# Name of file we expect compiler to create. +cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` + +# Create the lock directory. +# Note: use '[/\\:.-]' here to ensure that we don't use the same name +# that we are using for the .o file. Also, base the name on the expected +# object file name, since that is what matters with a parallel build. +lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d +while true; do + if mkdir "$lockdir" >/dev/null 2>&1; then + break + fi + sleep 1 +done +# FIXME: race condition here if user kills between mkdir and trap. +trap "rmdir '$lockdir'; exit 1" 1 2 15 + +# Run the compile. +"$@" +ret=$? 
+ +if test -f "$cofile"; then + test "$cofile" = "$ofile" || mv "$cofile" "$ofile" +elif test -f "${cofile}bj"; then + test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" +fi + +rmdir "$lockdir" +exit $ret + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" +# End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/configure.ac new/spawn-fcgi-1.6.4/configure.ac --- old/spawn-fcgi-1.6.3/configure.ac 2009-09-23 14:14:58.000000000 +0200 +++ new/spawn-fcgi-1.6.4/configure.ac 2014-06-02 12:16:49.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([spawn-fcgi],[1.6.3]) +AC_INIT([spawn-fcgi],[1.6.4]) AC_CONFIG_SRCDIR([src/spawn-fcgi.c]) AC_CONFIG_HEADER([config.h]) @@ -12,6 +12,25 @@ AC_PROG_CC AC_PROG_MAKE_SET +dnl @synopsis TRY_CFLAGS [compiler flags] +dnl @summary check whether C compiler supports given flags and adds them to CFLAGS +AC_DEFUN([TRY_CFLAGS], +[dnl + AC_MSG_CHECKING([if $CC supports $1]) + AC_LANG_PUSH([C]) + ac_try_cflags_saved_cflags="${CFLAGS}" + CFLAGS="${CFLAGS} $1" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_RESULT([yes])], + [ + AC_MSG_ERROR([no]) + # options not supported, remove them: + CFLAGS="${ac_try_cflags_saved_cflags}" + ] + ) + AC_LANG_POP([C]) +]) + # Checks for libraries. # Checks for header files. 
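Review bot: In the `TRY_CFLAGS` macro added by the `@@ -12,6 +12,25 @@` hunk, the failure branch calls `AC_MSG_ERROR([no])`, which aborts configure. The `CFLAGS="${ac_try_cflags_saved_cflags}"` restore after it therefore never runs, and an unsupported flag becomes a hard failure instead of being dropped. The comment `# options not supported, remove them:` suggests the intended call was `AC_MSG_RESULT([no])`. The later configure.ac hunks that call `TRY_CFLAGS([-std=gnu99])` and pass the extra-warnings bundle inherit this behaviour. The test program is also empty, so a compiler that merely warns about an unknown option will still pass the probe.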
@@ -47,8 +66,8 @@ # Check for IPv6 support AC_ARG_ENABLE(ipv6, - AC_HELP_STRING([--disable-ipv6],[disable IPv6 support]), - [case "${enableval}" in + AC_HELP_STRING([--disable-ipv6],[disable IPv6 support]), + [case "${enableval}" in yes) ipv6=true ;; no) ipv6=false ;; *) AC_MSG_ERROR(bad value ${enableval} for --enable-ipv6) ;; @@ -56,10 +75,13 @@ if test x$ipv6 = xtrue; then AC_CACHE_CHECK([for IPv6 support], ac_cv_ipv6_support, - [AC_TRY_LINK([ #include <sys/types.h> + [AC_TRY_LINK([[ +#include <sys/types.h> #include <sys/socket.h> -#include <netinet/in.h>], [struct sockaddr_in6 s; struct in6_addr t=in6addr_any; int i=AF_INET6; s; t.s6_addr[0] = 0; ], - [ac_cv_ipv6_support=yes], [ac_cv_ipv6_support=no])]) +#include <netinet/in.h> + ]], [[ +struct sockaddr_in6 s; struct in6_addr t=in6addr_any; int i=AF_INET6; s; t.s6_addr[0] = 0; + ]], [ac_cv_ipv6_support=yes], [ac_cv_ipv6_support=no])]) if test "$ac_cv_ipv6_support" = yes; then AC_DEFINE(HAVE_IPV6,1,[Whether to enable IPv6 support]) @@ -69,7 +91,8 @@ # check for extra compiler options (warning options) if test "${GCC}" = "yes"; then - CFLAGS="${CFLAGS} -Wall -W -Wshadow -pedantic -std=gnu99" + TRY_CFLAGS([-Wall -W -Wshadow -pedantic]) + TRY_CFLAGS([-std=gnu99]) fi AC_ARG_ENABLE(extra-warnings, 
@@ -81,7 +104,7 @@ esac],[extrawarnings=false]) if test x$extrawarnings = xtrue; then - CFLAGS="${CFLAGS} -g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -Wformat-security" + TRY_CFLAGS([-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security]) fi AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/doc/Makefile.am new/spawn-fcgi-1.6.4/doc/Makefile.am --- old/spawn-fcgi-1.6.3/doc/Makefile.am 2009-09-23 14:01:42.000000000 +0200 +++ new/spawn-fcgi-1.6.4/doc/Makefile.am 2014-06-01 13:17:36.000000000 +0200 @@ -1 +1 @@ -EXTRA_DIST=run-generic run-php run-rails +EXTRA_DIST=run-generic run-php run-rails apparmor.d-abstractions-spawn-fcgi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/doc/apparmor.d-abstractions-spawn-fcgi new/spawn-fcgi-1.6.4/doc/apparmor.d-abstractions-spawn-fcgi --- old/spawn-fcgi-1.6.3/doc/apparmor.d-abstractions-spawn-fcgi 1970-01-01 01:00:00.000000000 +0100 +++ new/spawn-fcgi-1.6.4/doc/apparmor.d-abstractions-spawn-fcgi 2014-06-05 13:04:50.000000000 +0200 
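Review bot: The extra-warnings flags are handed to `TRY_CFLAGS` as one string, so the probe is all-or-nothing. A compiler that rejects a single entry, such as `--param=ssp-buffer-size=4`, fails the check for `-D_FORTIFY_SOURCE=2` and `-fstack-protector` as well. One `TRY_CFLAGS([...])` call per flag, or per small related group, would keep whatever the compiler does support. `-Wl,--as-needed` is a linker option that a compile-only test does not exercise, so it fits better in `LDFLAGS` behind a link check.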
@@ -0,0 +1,51 @@
+# /etc/apparmor.d/abstractions/spawn-fcgi
+#
+# a (nested) spawn-fcgi profile should include this abstraction
+# and a rule to execute the FastCGI application itself
+#
+# Example for runit (or daemontools) service "foo" starting php:
+#
+# #include <tunables/global>
+# /etc/sv/foo/run {
+# #include <abstractions/base>
+# /bin/dash ix,
+# /etc/sv/foo/run r,
+#
+# # spawn-fcgi + alternatives handling in debian
+# /usr/bin/spawn-fcgi* px -> /etc/sv/foo/run//spawn-fcgi,
+#
+# profile spawn-fcgi {
+# #include <abstractions/spawn-fcgi>
+# /usr/bin/php5-cgi px -> /etc/sv/foo/run//php,
+# }
+#
+# profile php {
+# #include <abstractions/base>
+# #include <abstractions/php5>
+# /var/www/** r,
+# }
+# }
+
+
+#include <abstractions/base>
+#include <abstractions/nameservice>
+
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability chown,
+capability dac_override,
+
+network inet stream,
+network inet6 stream,
+network inet dgram,
+network inet6 dgram,
+
+# if the binary is compiled with hardening options it might try to make a
+# previously writable mmapped area readonly (RELRO, mprotect PROT_READ), which
+# requires additional permissions in AppArmor.
+# more permissions -> more secure, obviously.
+# again match standard location + debian alternatives:
+/usr/bin/spawn-fcgi* r,
+
+/{,var/}run/*.sock rw,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/missing new/spawn-fcgi-1.6.4/missing
--- old/spawn-fcgi-1.6.3/missing 2009-09-23 14:14:11.000000000 +0200
+++ new/spawn-fcgi-1.6.4/missing 2014-06-05 13:51:39.000000000 +0200
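Review bot: `capability dac_override,` in the new abstraction lets the confined process bypass file permission checks altogether. That is broader than binding a socket and changing its owner needs, and the abstraction already grants `chown`, `setuid` and `setgid`. Presumably it is there for socket directories that root cannot write to by ordinary permissions. If so, I would leave it out of the shared abstraction and document it as opt-in, e.g. `# add 'capability dac_override,' in the local profile only if the socket directory is not writable by root`. The glob `/usr/bin/spawn-fcgi* r,` also matches any other file under `/usr/bin` whose name starts with that prefix, which a comment next to the rule should mention.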
@@ -1,11 +1,10 @@ #! /bin/sh -# Common stub for a few missing GNU programs while installing. +# Common wrapper for a few potentially missing GNU programs. -scriptversion=2009-04-28.21; # UTC +scriptversion=2013-10-28.13; # UTC -# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006, -# 2008, 2009 Free Software Foundation, Inc. -# Originally by Fran,cois Pinard <[email protected]>, 1996. +# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -26,69 +25,40 @@ # the same distribution terms that you use for the rest of that program. if test $# -eq 0; then - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "Try '$0 --help' for more information" exit 1 fi -run=: -sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' -sed_minuso='s/.* -o \([^ ]*\).*/\1/p' - -# In the cases where this matters, `missing' is being run in the -# srcdir already. -if test -f configure.ac; then - configure_ac=configure.ac -else - configure_ac=configure.in -fi +case $1 in -msg="missing on your system" + --is-lightweight) + # Used by our autoconf macros to check whether the available missing + # script is modern enough. + exit 0 + ;; -case $1 in ---run) - # Try to run requested program, and just exit if it succeeds. - run= - shift - "$@" && exit 0 - # Exit code 63 means version mismatch. This often happens - # when the user try to use an ancient version of a tool on - # a file that requires a minimum version. In this case we - # we should proceed has if the program had been absent, or - # if --run hadn't been passed. - if test $? = 63; then - run=: - msg="probably too old" - fi - ;; + --run) + # Back-compat with the calling convention used by older automake. + shift + ;; -h|--h|--he|--hel|--help) echo "\ $0 [OPTION]... PROGRAM [ARGUMENT]... -Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an -error status if there is no known handling for PROGRAM. +Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due +to PROGRAM being missing or too old. 
Options: -h, --help display this help and exit -v, --version output version information and exit - --run try to run the given command, and emulate it if it fails Supported PROGRAM values: - aclocal touch file \`aclocal.m4' - autoconf touch file \`configure' - autoheader touch file \`config.h.in' - autom4te touch the output file, or create a stub one - automake touch all \`Makefile.in' files - bison create \`y.tab.[ch]', if possible, from existing .[ch] - flex create \`lex.yy.c', if possible, from existing .c - help2man touch the output file - lex create \`lex.yy.c', if possible, from existing .c - makeinfo touch the output file - tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch] + aclocal autoconf autoheader autom4te automake makeinfo + bison yacc flex lex help2man -Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and -\`g' are ignored when checking the name. +Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and +'g' are ignored when checking the name. Send bug reports to <[email protected]>." exit $? 
@@ -100,272 +70,141 @@ ;; -*) - echo 1>&2 "$0: Unknown \`$1' option" - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "$0: unknown '$1' option" + echo 1>&2 "Try '$0 --help' for more information" exit 1 ;; esac -# normalize program name to check for. -program=`echo "$1" | sed ' - s/^gnu-//; t - s/^gnu//; t - s/^g//; t'` - -# Now exit if we have it, but it failed. Also exit now if we -# don't have it and --version was passed (most likely to detect -# the program). This is about non-GNU programs, so use $1 not -# $program. -case $1 in - lex*|yacc*) - # Not GNU programs, they don't have --version. - ;; - - tar*) - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - exit 1 - fi - ;; +# Run the given program, remember its exit status. +"$@"; st=$? - *) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - # Could not run --version or --help. This is probably someone - # running `$TOOL --version' or `$TOOL --help' to check whether - # $TOOL exists and not knowing $TOOL uses missing. - exit 1 - fi - ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case $program in - aclocal*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acinclude.m4' or \`${configure_ac}'. You might want - to install the \`Automake' and \`Perl' packages. Grab them from - any GNU archive site." - touch aclocal.m4 - ;; - - autoconf*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`${configure_ac}'. You might want to install the - \`Autoconf' and \`GNU m4' packages. Grab them from any GNU - archive site." - touch configure - ;; - - autoheader*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acconfig.h' or \`${configure_ac}'. 
You might want - to install the \`Autoconf' and \`GNU m4' packages. Grab them - from any GNU archive site." - files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}` - test -z "$files" && files="config.h" - touch_files= - for f in $files; do - case $f in - *:*) touch_files="$touch_files "`echo "$f" | - sed -e 's/^[^:]*://' -e 's/:.*//'`;; - *) touch_files="$touch_files $f.in";; - esac - done - touch $touch_files - ;; - - automake*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. - You might want to install the \`Automake' and \`Perl' packages. - Grab them from any GNU archive site." - find . -type f -name Makefile.am -print | - sed 's/\.am$/.in/' | - while read f; do touch "$f"; done - ;; +# If it succeeded, we are done. +test $st -eq 0 && exit 0 - autom4te*) - echo 1>&2 "\ -WARNING: \`$1' is needed, but is $msg. - You might have modified some files without having the - proper tools for further handling them. - You can get \`$1' as part of \`Autoconf' from any GNU - archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo "#! /bin/sh" - echo "# Created by GNU Automake missing as a replacement of" - echo "# $ $@" - echo "exit 0" - chmod +x $file - exit 1 - fi - ;; - - bison*|yacc*) - echo 1>&2 "\ -WARNING: \`$1' $msg. You should only need it if - you modified a \`.y' file. You may need the \`Bison' package - in order for those modifications to take effect. You can get - \`Bison' from any GNU archive site." 
- rm -f y.tab.c y.tab.h - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.y) - SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.c - fi - SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.h - fi - ;; - esac - fi - if test ! -f y.tab.h; then - echo >y.tab.h - fi - if test ! -f y.tab.c; then - echo 'main() { return 0; }' >y.tab.c - fi - ;; - - lex*|flex*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.l' file. You may need the \`Flex' package - in order for those modifications to take effect. You can get - \`Flex' from any GNU archive site." - rm -f lex.yy.c - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.l) - SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" lex.yy.c - fi - ;; - esac - fi - if test ! -f lex.yy.c; then - echo 'main() { return 0; }' >lex.yy.c - fi - ;; - - help2man*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a dependency of a manual page. You may need the - \`Help2man' package in order for those modifications to take - effect. You can get \`Help2man' from any GNU archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo ".ab help2man is required to generate this page" - exit $? - fi - ;; - - makeinfo*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.texi' or \`.texinfo' file, or any other file - indirectly affecting the aspect of the manual. The spurious - call might also be the consequence of using a buggy \`make' (AIX, - DU, IRIX). You might want to install the \`Texinfo' package or - the \`GNU make' package. Grab either from any GNU archive site." - # The file to touch is that specified with -o ... 
- file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -z "$file"; then - # ... or it is the one specified with @setfilename ... - infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n ' - /^@setfilename/{ - s/.* \([^ ]*\) *$/\1/ - p - q - }' $infile` - # ... or it is derived from the source name (dir/f.texi becomes f.info) - test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info - fi - # If the file does not exist, the user really needs makeinfo; - # let's fail without touching anything. - test -f $file || exit 1 - touch $file - ;; - - tar*) - shift - - # We have already tried tar in the generic part. - # Look for gnutar/gtar before invocation to avoid ugly error - # messages. - if (gnutar --version > /dev/null 2>&1); then - gnutar "$@" && exit 0 - fi - if (gtar --version > /dev/null 2>&1); then - gtar "$@" && exit 0 - fi - firstarg="$1" - if shift; then - case $firstarg in - *o*) - firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - case $firstarg in - *h*) - firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - fi - - echo 1>&2 "\ -WARNING: I can't seem to be able to run \`tar' with the given arguments. - You may want to install GNU tar or Free paxutils, or check the - command line arguments." - exit 1 - ;; - - *) - echo 1>&2 "\ -WARNING: \`$1' is needed, and is $msg. - You might have modified some files without having the - proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequisites for installing - this package. You may also peek at any GNU archive site, in case - some other package would contain this missing \`$1' program." - exit 1 - ;; -esac +# Also exit now if we it failed (or wasn't found), and '--version' was +# passed; such an option is passed most likely to detect whether the +# program is present and works. 
+case $2 in --version|--help) exit $st;; esac + +# Exit code 63 means version mismatch. This often happens when the user +# tries to use an ancient version of a tool on a file that requires a +# minimum version. +if test $st -eq 63; then + msg="probably too old" +elif test $st -eq 127; then + # Program was missing. + msg="missing on your system" +else + # Program was found and executed, but failed. Give up. + exit $st +fi -exit 0 +perl_URL=http://www.perl.org/ +flex_URL=http://flex.sourceforge.net/ +gnu_software_URL=http://www.gnu.org/software + +program_details () +{ + case $1 in + aclocal|automake) + echo "The '$1' program is part of the GNU Automake package:" + echo "<$gnu_software_URL/automake>" + echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/autoconf>" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + autoconf|autom4te|autoheader) + echo "The '$1' program is part of the GNU Autoconf package:" + echo "<$gnu_software_URL/autoconf/>" + echo "It also requires GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + esac +} + +give_advice () +{ + # Normalize program name to check for. + normalized_program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + + printf '%s\n' "'$1' is $msg." + + configure_deps="'configure.ac' or m4 files included by 'configure.ac'" + case $normalized_program in + autoconf*) + echo "You should only need it if you modified 'configure.ac'," + echo "or m4 files included by it." + program_details 'autoconf' + ;; + autoheader*) + echo "You should only need it if you modified 'acconfig.h' or" + echo "$configure_deps." + program_details 'autoheader' + ;; + automake*) + echo "You should only need it if you modified 'Makefile.am' or" + echo "$configure_deps." + program_details 'automake' + ;; + aclocal*) + echo "You should only need it if you modified 'acinclude.m4' or" + echo "$configure_deps." 
+ program_details 'aclocal' + ;; + autom4te*) + echo "You might have modified some maintainer files that require" + echo "the 'autom4te' program to be rebuilt." + program_details 'autom4te' + ;; + bison*|yacc*) + echo "You should only need it if you modified a '.y' file." + echo "You may want to install the GNU Bison package:" + echo "<$gnu_software_URL/bison/>" + ;; + lex*|flex*) + echo "You should only need it if you modified a '.l' file." + echo "You may want to install the Fast Lexical Analyzer package:" + echo "<$flex_URL>" + ;; + help2man*) + echo "You should only need it if you modified a dependency" \ + "of a man page." + echo "You may want to install the GNU Help2man package:" + echo "<$gnu_software_URL/help2man/>" + ;; + makeinfo*) + echo "You should only need it if you modified a '.texi' file, or" + echo "any other file indirectly affecting the aspect of the manual." + echo "You might want to install the Texinfo package:" + echo "<$gnu_software_URL/texinfo/>" + echo "The spurious makeinfo call might also be the consequence of" + echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might" + echo "want to install GNU make:" + echo "<$gnu_software_URL/make/>" + ;; + *) + echo "You might have modified some files without having the proper" + echo "tools for further handling them. Check the 'README' file, it" + echo "often tells you about the needed prerequisites for installing" + echo "this package. You may also peek at any GNU archive site, in" + echo "case some other package contains this missing '$1' program." + ;; + esac +} + +give_advice "$1" | sed -e '1s/^/WARNING: /' \ + -e '2,$s/^/ /' >&2 + +# Propagate the correct exit status (expected to be 127 for a program +# not found, 63 for a program that failed due to version mismatch). 
+exit $st # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/spawn-fcgi.1 new/spawn-fcgi-1.6.4/spawn-fcgi.1 --- old/spawn-fcgi-1.6.3/spawn-fcgi.1 2009-03-29 18:33:18.000000000 +0200 +++ new/spawn-fcgi-1.6.4/spawn-fcgi.1 2014-06-01 13:08:09.000000000 +0200 @@ -1,4 +1,4 @@ -.TH spawn-fcgi 1 "26 March 2009" +.TH spawn-fcgi 1 "21 November 2012" . .SH NAME . @@ -69,6 +69,12 @@ .BR multiwatch(1) if you want to supervise multiple forks on the same socket. .TP 8 +.B \-b <backlog> +backlog to allow on the socket (default 1024). This is usually limited by the kernel too, +check sysctl net.core.somaxconn (default 128) for linux. +.IP +backlog is the queue of connections that the kernel accepts before the userspace application sees them. +.TP 8 .B \-P <path> Name of the PID file for spawned processes (ignored in no-fork mode) .TP 8 
@@ -76,7 +82,8 @@ No forking should take place (for daemontools) .TP 8 .B \-M <mode> -Change file mode of the Unix domain socket; only used if \-s is given too. +Change file mode of the Unix domain socket (octal integer); only used if \-s is given too. +Defaults to read+write for user and group (0660) as far as the umask allows it. .TP 8 .B \-?, \-h General usage instructions diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/src/CMakeLists.txt new/spawn-fcgi-1.6.4/src/CMakeLists.txt --- old/spawn-fcgi-1.6.3/src/CMakeLists.txt 2009-06-03 18:50:25.000000000 +0200 +++ new/spawn-fcgi-1.6.4/src/CMakeLists.txt 2014-06-01 18:07:37.000000000 +0200 
@@ -9,7 +9,7 @@ OPTION(BUILD_EXTRA_WARNINGS "extra warnings") IF(BUILD_EXTRA_WARNINGS) - SET(WARN_FLAGS "-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -Wformat-security") + SET(WARN_FLAGS "-g -O2 -g2 -Wall -Wmissing-declarations -Wdeclaration-after-statement -Wcast-align -Winline -Wsign-compare -Wnested-externs -Wpointer-arith -Wl,--as-needed -D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security") # -Wno-pointer-sign -Werror -Wbad-function-cast -Wmissing-prototypes ELSE(BUILD_EXTRA_WARNINGS) SET(WARN_FLAGS "") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/spawn-fcgi-1.6.3/src/spawn-fcgi.c new/spawn-fcgi-1.6.4/src/spawn-fcgi.c --- old/spawn-fcgi-1.6.3/src/spawn-fcgi.c 2009-09-19 11:48:40.000000000 +0200 +++ new/spawn-fcgi-1.6.4/src/spawn-fcgi.c 2014-06-04 13:38:56.000000000 +0200 @@ -24,20 +24,6 @@ #define FCGI_LISTENSOCK_FILENO 0 -/* "sys-socket.h" */ -#ifdef __WIN32 - -# include <winsock2.h> - -# define ECONNRESET WSAECONNRESET -# define EINPROGRESS WSAEINPROGRESS -# define EALREADY WSAEALREADY -# define ECONNABORTED WSAECONNABORTED -# define ioctl ioctlsocket -# define hstrerror(x) "" - -#else /* _WIN32 */ - # include <sys/socket.h> # include <sys/ioctl.h> # include <netinet/in.h> @@ -47,9 +33,6 @@ # include <netdb.h> -#endif /* _WIN32 */ -/* end "sys-socket.h" */ - #ifdef HAVE_SYS_WAIT_H # include <sys/wait.h> #endif 
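Review bot: The hardening flags added here (`-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4`) sit inside `WARN_FLAGS`, which is only filled when `BUILD_EXTRA_WARNINGS` is enabled, so a build configured without that option gets neither the fortify checks nor the stack protector. They are mitigations rather than warnings and would be better carried by their own variable or option, applied wherever the compiler accepts them. I would also add a comment above the `SET`, such as `# _FORTIFY_SOURCE only takes effect with optimisation; keep -O2 in this string`, because the define silently does nothing if the `-O2` is ever dropped. The place where `WARN_FLAGS` is consumed is outside the hunk.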
@@ -79,7 +62,27 @@ #define CONST_STR_LEN(s) s, sizeof(s) - 1 -static int bind_socket(const char *addr, unsigned short port, const char *unixsocket, uid_t uid, gid_t gid, int mode) { +static mode_t read_umask(void) { + mode_t mask = umask(0); + umask(mask); + return mask; +} + +static ssize_t write_all(int fildes, const void *buf, size_t nbyte) { + size_t rem; + for (rem = nbyte; rem > 0;) { + ssize_t res = write(fildes, buf, rem); + if (-1 == res) { + if (EINTR != errno) return res; + } else { + buf = res + (char const*) buf; + rem -= res; + } + } + return nbyte; +} + +static int bind_socket(const char *addr, unsigned short port, const char *unixsocket, uid_t uid, gid_t gid, mode_t mode, int backlog) { int fcgi_fd, socket_type, val; struct sockaddr_un fcgi_addr_un; @@ -95,6 +98,8 @@ memset(&fcgi_addr_un, 0, sizeof(fcgi_addr_un)); fcgi_addr_un.sun_family = AF_UNIX; + /* already checked in main() */ + if (strlen(unixsocket) > sizeof(fcgi_addr_un.sun_path) - 1) return -1; strcpy(fcgi_addr_un.sun_path, unixsocket); #ifdef SUN_LEN @@ -127,6 +132,7 @@ break; default: fprintf(stderr, "spawn-fcgi: removing old socket failed: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } } @@ -180,15 +186,24 @@ val = 1; if (setsockopt(fcgi_fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) { fprintf(stderr, "spawn-fcgi: couldn't set SO_REUSEADDR: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } if (-1 == bind(fcgi_fd, fcgi_addr, servlen)) { fprintf(stderr, "spawn-fcgi: bind failed: %s\n", strerror(errno)); + close(fcgi_fd); return -1; } if (unixsocket) { + if (-1 == chmod(unixsocket, mode)) { + fprintf(stderr, "spawn-fcgi: couldn't chmod socket: %s\n", strerror(errno)); + close(fcgi_fd); + unlink(unixsocket); + return -1; + } + if (0 != uid || 0 != gid) { if (0 == uid) uid = -1; if (0 == gid) gid = -1; 
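Review bot: `read_umask` and `write_all` are added without comments, and both have behaviour a caller needs to know. For `read_umask` I would add `/* umask can only be read by setting it: the mask is 0 for a moment, then restored */`, and for `write_all` `/* write the whole buffer, retrying on EINTR and short writes; returns nbyte, or -1 with errno set */`. In `write_all` a `write` that returns 0 leaves `rem` unchanged and the loop repeats; that is unlikely for the descriptors used here, but treating a zero return as an error would make the loop bounded. The body of `bind_socket` continues outside the hunk.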
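Review bot: The `chmod(unixsocket, mode)` added after `bind` acts on the path, not on the socket that was just created, so the result depends on the path still naming that socket when `chmod` runs (and presumably the ownership change in the unchanged lines that follow). When spawn-fcgi runs as root and the socket directory is writable by other users this is a check-then-use gap; `listen` has not been called yet at this point, so the socket itself should not accept connections during the window. A comment above the block would record the assumption, e.g. `/* socket directory must be writable only by trusted users: chmod/chown below are path based */`, and setting a restrictive `umask` around `bind` would give the file its final permissions at creation. The Unix-socket block continues past the end of this hunk.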
@@ -199,17 +214,12 @@ return -1; } } - - if (-1 != mode && -1 == chmod(unixsocket, mode)) { - fprintf(stderr, "spawn-fcgi: couldn't chmod socket: %s\n", strerror(errno)); - close(fcgi_fd); - unlink(unixsocket); - return -1; - } } - if (-1 == listen(fcgi_fd, 1024)) { + if (-1 == listen(fcgi_fd, backlog)) { fprintf(stderr, "spawn-fcgi: listen failed: %s\n", strerror(errno)); + close(fcgi_fd); + if (unixsocket) unlink(unixsocket); return -1; } @@ -278,6 +288,8 @@ /* exec the cgi */ execl("/bin/sh", "sh", "-c", b, (char *)NULL); + + free(b); } /* in nofork mode stderr is still open */ @@ -301,16 +313,24 @@ fprintf(stdout, "spawn-fcgi: child spawned successfully: PID: %d\n", child); /* write pid file */ - if (pid_fd != -1) { + if (-1 != pid_fd) { /* assume a 32bit pid_t */ char pidbuf[12]; snprintf(pidbuf, sizeof(pidbuf) - 1, "%d", child); - write(pid_fd, pidbuf, strlen(pidbuf)); + if (-1 == write_all(pid_fd, pidbuf, strlen(pidbuf))) { + fprintf(stderr, "spawn-fcgi: writing pid file failed: %s\n", strerror(errno)); + close(pid_fd); + pid_fd = -1; + } /* avoid eol for the last one */ - if (fork_count != 0) { - write(pid_fd, "\n", 1); + if (-1 != pid_fd && fork_count != 0) { + if (-1 == write_all(pid_fd, "\n", 1)) { + fprintf(stderr, "spawn-fcgi: writing pid file failed: %s\n", strerror(errno)); + close(pid_fd); + pid_fd = -1; + } } } @@ -336,7 +356,10 @@ break; } } - close(pid_fd); + + if (-1 != pid_fd) { + close(pid_fd); + } close(fcgi_fd); @@ -404,14 +427,13 @@ } static void show_version () { - write(1, CONST_STR_LEN( - PACKAGE_DESC \ - "Build-Date: " __DATE__ " " __TIME__ "\n" + (void) write_all(1, CONST_STR_LEN( + PACKAGE_DESC )); } static void show_help () { - write(1, CONST_STR_LEN( + (void) write_all(1, CONST_STR_LEN( "Usage: spawn-fcgi [options] [-- <fcgiapp> [fcgi app arguments]]\n" \ "\n" \ PACKAGE_DESC \ 
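Review bot: When `write_all` fails in the pid-file block, the code closes `pid_fd` and carries on, which leaves whatever was already written in the PID file; an incomplete PID list is then what a supervisor reads. The children spawned so far keep running, so the stderr message is the only sign that the file cannot be trusted. I would at least document that with `/* on failure the pid file is left incomplete; spawning continues */` above the first `write_all`, or fail the run if a usable PID file is a requirement. The enclosing function starts and ends outside the hunk.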
@@ -423,10 +445,12 @@ " -a <address> bind to IPv4/IPv6 address (defaults to 0.0.0.0)\n" \ " -p <port> bind to TCP-port\n" \ " -s <path> bind to Unix domain socket\n" \ - " -M <mode> change Unix domain socket mode\n" \ + " -M <mode> change Unix domain socket mode (octal integer, default: allow\n" \ + " read+write for user and group as far as umask allows it) \n" \ " -C <children> (PHP only) numbers of childs to spawn (default: not setting\n" \ " the PHP_FCGI_CHILDREN environment variable - PHP defaults to 0)\n" \ " -F <children> number of children to fork (default 1)\n" \ + " -b <backlog> backlog to allow on the socket (default 1024)\n" \ " -P <path> name of PID-file for spawned process (ignored in no-fork mode)\n" \ " -n no fork (for daemontools)\n" \ " -v show version\n" \ @@ -452,9 +476,10 @@ char **fcgi_app_argv = { NULL }; char *endptr = NULL; unsigned short port = 0; - int sockmode = -1; + mode_t sockmode = (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP) & ~read_umask(); int child_count = -1; int fork_count = 1; + int backlog = 1024; int i_am_root, o; int pid_fd = -1; int nofork = 0; @@ -469,7 +494,7 @@ i_am_root = (getuid() == 0); - while (-1 != (o = getopt(argc, argv, "c:d:f:g:?hna:p:u:vC:F:s:P:U:G:M:S"))) { + while (-1 != (o = getopt(argc, argv, "c:d:f:g:?hna:p:b:u:vC:F:s:P:U:G:M:S"))) { switch(o) { case 'f': fcgi_app = optarg; break; case 'd': fcgi_dir = optarg; break; @@ -482,6 +507,7 @@ break; case 'C': child_count = strtol(optarg, NULL, 10);/* */ break; case 'F': fork_count = strtol(optarg, NULL, 10);/* */ break; + case 'b': backlog = strtol(optarg, NULL, 10);/* */ break; case 's': unixsocket = optarg; /* unix-domain socket */ break; case 'c': if (i_am_root) { changeroot = optarg; }/* chroot() */ break; case 'u': if (i_am_root) { username = optarg; } /* set user */ break; 
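Review bot: The new `-b` case stores `strtol(optarg, NULL, 10)` straight into the `int backlog`, so non-numeric input becomes 0, a negative number is accepted, and a value beyond `int` is narrowed before it reaches `listen`. `endptr` is already declared in this function (visible in the declarations hunk on this page), so the case can check the parse: `backlog = strtol(optarg, &endptr, 10); if (optarg == endptr || *endptr || backlog <= 0) { fprintf(stderr, "spawn-fcgi: invalid backlog\n"); return -1; }`. The help text states the default of 1024 but no valid range, which would be worth a few more words there. The `switch` continues outside the hunk.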
@@ -489,7 +515,7 @@ case 'U': if (i_am_root) { sockusername = optarg; } /* set socket user */ break; case 'G': if (i_am_root) { sockgroupname = optarg; } /* set socket group */ break; case 'S': if (i_am_root) { sockbeforechroot = 1; } /* open socket before chroot() */ break; - case 'M': sockmode = strtol(optarg, NULL, 0); /* set socket mode */ break; + case 'M': sockmode = strtol(optarg, NULL, 8); /* set socket mode */ break; case 'n': nofork = 1; break; case 'P': pid_file = optarg; /* PID file */ break; case 'v': show_version(); return 0; @@ -581,17 +607,26 @@ if (0 == sockuid) sockuid = uid; if (0 == sockgid) sockgid = gid; - if (sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode))) + if (sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode, backlog))) return -1; /* Change group before chroot, when we have access * to /etc/group */ if (gid != 0) { - setgid(gid); - setgroups(0, NULL); + if (-1 == setgid(gid)) { + fprintf(stderr, "spawn-fcgi: setgid(%i) failed: %s\n", (int) gid, strerror(errno)); + return -1; + } + if (-1 == setgroups(0, NULL)) { + fprintf(stderr, "spawn-fcgi: setgroups(0, NULL) failed: %s\n", strerror(errno)); + return -1; + } if (real_username) { - initgroups(real_username, gid); + if (-1 == initgroups(real_username, gid)) { + fprintf(stderr, "spawn-fcgi: initgroups('%s', %i) failed: %s\n", real_username, (int) gid, strerror(errno)); + return -1; + } } } 
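Review bot: `-M` is now parsed with `strtol(optarg, NULL, 8)` and the result goes unchecked into `sockmode`, so input that is not octal (a symbolic mode, or `0x...`, which the previous base 0 accepted) silently yields 0 or a prefix of the digits, and bits above 0777 are passed through to `chmod`. Since this value decides who may connect to the socket, a parse failure should be an error rather than a different mode: `sockmode = strtol(optarg, &endptr, 8); if (optarg == endptr || *endptr || (sockmode & ~0777)) { fprintf(stderr, "spawn-fcgi: invalid socket mode\n"); return -1; }`. The `switch` starts and ends outside the hunk.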
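Review bot: The new `return -1` paths after `setgid`, `setgroups` and `initgroups` leave the function with the socket from `bind_socket` still open when `-S` was given, and for a Unix socket the file stays on disk; the `setuid` check in the following hunk has the same shape. `bind_socket` itself now closes and unlinks on its failure paths in this commit, so these exits are the odd ones out. Either call `close(fcgi_fd)` and unlink the socket path before returning (the path may no longer resolve after the chroot, which is outside these hunks), or add a comment stating that a stale socket is expected to be cleaned up on the next start. Stopping when a privilege drop fails is the right outcome and should stay.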
@@ -606,15 +641,18 @@ } } - if (!sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode))) + if (!sockbeforechroot && -1 == (fcgi_fd = bind_socket(addr, port, unixsocket, sockuid, sockgid, sockmode, backlog))) return -1; /* drop root privs */ if (uid != 0) { - setuid(uid); + if (-1 == setuid(uid)) { + fprintf(stderr, "spawn-fcgi: setuid(%i) failed: %s\n", (int) uid, strerror(errno)); + return -1; + } } } else { - if (-1 == (fcgi_fd = bind_socket(addr, port, unixsocket, 0, 0, sockmode))) + if (-1 == (fcgi_fd = bind_socket(addr, port, unixsocket, 0, 0, sockmode, backlog))) return -1; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
