Author: amc
Date: Mon Apr 25 19:29:02 2011
New Revision: 1096571
URL: http://svn.apache.org/viewvc?rev=1096571&view=rev
Log:
TS-748
Added:
trafficserver/traffic/trunk/lib/ts/ink_cap.cc
trafficserver/traffic/trunk/lib/ts/ink_cap.h
Modified:
trafficserver/traffic/trunk/lib/ts/Makefile.am
trafficserver/traffic/trunk/proxy/Main.cc
trafficserver/traffic/trunk/proxy/http/HttpSM.cc
trafficserver/traffic/trunk/proxy/http/HttpTransact.cc
Modified: trafficserver/traffic/trunk/lib/ts/Makefile.am
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/Makefile.am?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/Makefile.am (original)
+++ trafficserver/traffic/trunk/lib/ts/Makefile.am Mon Apr 25 19:29:02 2011
@@ -23,7 +23,7 @@ TESTS = $(check_PROGRAMS)
lib_LTLIBRARIES = libtsutil.la
libtsutil_la_LDFLAGS = -no-undefined -version-info @TS_LIBTOOL_VERSION@
-libtsutil_la_LIBADD = @LIBOBJS@ @LIBPCRE@ @LIBSSL@ @LIBTCL@ @LIBRESOLV@
@LIBRT@ @LIBICONV@ @LIBSOCKET@ @LIBNSL@ -lc
+libtsutil_la_LIBADD = @LIBOBJS@ @LIBPCRE@ @LIBSSL@ @LIBTCL@ @LIBRESOLV@
@LIBRT@ @LIBICONV@ @LIBSOCKET@ @LIBNSL@ @LIBCAP@ -lc
libtsutil_la_SOURCES = \
Allocator.cc \
@@ -53,6 +53,7 @@ libtsutil_la_SOURCES = \
ink_base64.cc \
ink_base64.h \
ink_bool.h \
+ ink_cap.cc ink_cap.h \
ink_code.cc \
ink_code.h \
ink_defs.cc \
Added: trafficserver/traffic/trunk/lib/ts/ink_cap.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/ink_cap.cc?rev=1096571&view=auto
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/ink_cap.cc (added)
+++ trafficserver/traffic/trunk/lib/ts/ink_cap.cc Mon Apr 25 19:29:02 2011
@@ -0,0 +1,61 @@
+# include "ink_config.h"
+# include "Diags.h"
+# include "ink_cap.h"
+
+# if TS_USE_POSIX_CAP
+# include <sys/capability.h>
+# include <sys/prctl.h>
+# endif
+
+void
+DebugCapabilities(char const* tag) {
+ if (is_debug_tag_set(tag)) {
+# if TS_USE_POSIX_CAP
+ cap_t caps = cap_get_proc();
+ char* caps_text = cap_to_text(caps, 0);
+# endif
+
+ Debug(tag,
+ "uid=%u, gid=%u, euid=%u, egid=%u"
+# if TS_USE_POSIX_CAP
+ ", caps %s thread 0x%x",
+# endif
+ (unsigned)getuid(), (unsigned)getgid(),
+ (unsigned)geteuid(), (unsigned)getegid()
+# if TS_USE_POSIX_CAP
+ ,caps_text
+ ,pthread_self()
+# endif
+ );
+
+# if TS_USE_POSIX_CAP
+ cap_free(caps_text);
+ cap_free(caps);
+# endif
+ }
+}
+
+int
+PreserveCapabilities() {
+ return prctl(PR_SET_KEEPCAPS, 1);
+}
+
+// Adjust the capabilities to only those needed.
+int
+RestrictCapabilities() {
+ int zret = 0; // return value.
+#if TS_USE_POSIX_CAP
+ cap_t caps = cap_get_proc(); // Only way to initialize it AFAICT.
+ cap_clear(caps);
+ // Capabilities we need.
+ cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+ static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);
+
+ cap_set_flag(caps, CAP_INHERITABLE, CAP_COUNT, cap_list, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, CAP_COUNT, cap_list, CAP_SET);
+ cap_set_flag(caps, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET);
+ zret = cap_set_proc(caps);
+ cap_free(caps);
+#endif
+ return zret;
+}
Added: trafficserver/traffic/trunk/lib/ts/ink_cap.h
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/ink_cap.h?rev=1096571&view=auto
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/ink_cap.h (added)
+++ trafficserver/traffic/trunk/lib/ts/ink_cap.h Mon Apr 25 19:29:02 2011
@@ -0,0 +1,39 @@
+/** @file
+
+ POSIX Capability related utilities.
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ */
+
+#if !defined (_ink_cap_h_)
+#define _ink_cap_h_
+
+/// Generate a debug message with the current capabilities for the process.
+extern void DebugCapabilities(
+ char const* tag ///< Debug message tag.
+);
+/// Set capabilities to persist across change of user id.
+/// @return 0 on success, non-zero otherwise.
+extern int PreserveCapabilities();
+/// Initialize and restrict the capabilities of a thread.
+/// @return 0 on success, non-zero otherwise.
+extern int RestrictCapabilities();
+
+#endif
Modified: trafficserver/traffic/trunk/proxy/Main.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/Main.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/Main.cc (original)
+++ trafficserver/traffic/trunk/proxy/Main.cc Mon Apr 25 19:29:02 2011
@@ -47,10 +47,6 @@ extern "C" int plock(int);
#include <mcheck.h>
#endif
-#if TS_USE_POSIX_CAP
-#include <sys/capability.h>
-#endif
-
#include "Main.h"
#include "signals.h"
#include "Error.h"
@@ -95,6 +91,8 @@ extern "C" int plock(int);
#include "I_Tasks.h"
+#include <ts/ink_cap.h>
+
#if TS_HAS_PROFILER
#include <google/profiler.h>
#endif
@@ -1061,23 +1059,6 @@ init_core_size()
}
}
-#if TS_USE_POSIX_CAP
-// Restore the effective capabilities that we need.
-int
-restoreCapabilities() {
- int zret = 0; // return value.
- cap_t cap_set = cap_get_proc(); // current capabilities
- // Capabilities to restore.
- cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
- static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);
-
- cap_set_flag(cap_set, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET);
- zret = cap_set_proc(cap_set);
- cap_free(cap_set);
- return zret;
-}
-#endif
-
static void
adjust_sys_settings(void)
{
@@ -1110,9 +1091,6 @@ adjust_sys_settings(void)
#endif
#endif // linux check
-#if TS_USE_POSIX_CAP
- restoreCapabilities();
-#endif
}
struct ShowStats: public Continuation
@@ -1659,6 +1637,26 @@ main(int argc, char **argv)
if (!num_task_threads)
TS_ReadConfigInteger(num_task_threads, "proxy.config.task_threads");
+ // change the user of the process
+ // do this before we start threads so we control the user id of the
+ // threads (rather than have it change asynchronously during thread
+ // execution). We also need to do this before we fiddle with capabilities
+ // as those are thread local and if we change the user id it will
+ // modified the capabilities in other threads, breaking things.
+ const long max_login = sysconf(_SC_LOGIN_NAME_MAX) <= 0 ?
_POSIX_LOGIN_NAME_MAX : sysconf(_SC_LOGIN_NAME_MAX);
+ char *user = (char *)xmalloc(max_login);
+ *user = '\0';
+ if ((TS_ReadConfigString(user, "proxy.config.admin.user_id",
+ max_login) == REC_ERR_OKAY) &&
+ user[0] != '\0' &&
+ strcmp(user, "#-1")) {
+ PreserveCapabilities();
+ change_uid_gid(user);
+ RestrictCapabilities();
+ xfree(user);
+ }
+ DebugCapabilities("server");
+
// This call is required for win_9xMe
//without this this_ethread() is failing when
//start_HttpProxyServer is called from main thread
@@ -1941,22 +1939,6 @@ main(int argc, char **argv)
run_AutoStop();
}
- // change the user of the process
- const long max_login = sysconf(_SC_LOGIN_NAME_MAX) <= 0 ?
_POSIX_LOGIN_NAME_MAX : sysconf(_SC_LOGIN_NAME_MAX);
- char *user = (char *)xmalloc(max_login);
- *user = '\0';
- if ((TS_ReadConfigString(user, "proxy.config.admin.user_id",
- max_login) == REC_ERR_OKAY) &&
- user[0] != '\0' &&
- strcmp(user, "#-1")) {
- change_uid_gid(user);
- xfree(user);
- }
- Debug("server",
- "running as uid=%u, gid=%u, effective uid=%u, gid=%u",
- (unsigned)getuid(), (unsigned)getgid(),
- (unsigned)geteuid(), (unsigned)getegid());
-
this_thread()->execute();
}
Modified: trafficserver/traffic/trunk/proxy/http/HttpSM.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpSM.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpSM.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpSM.cc Mon Apr 25 19:29:02 2011
@@ -4396,17 +4396,15 @@ void
HttpSM::mark_host_failure(HostDBInfo * info, time_t time_down)
{
if (info->app.http_data.last_failure == 0) {
- int url_len;
- char *url_str;
-
- URL *url = t_state.hdr_info.client_request.url_get();
- url_str = url->string_get(&t_state.arena, &url_len);
+ char *url_str =
t_state.hdr_info.client_request.url_string_get(&t_state.arena, 0);
Log::error("CONNECT: could not connect to %u.%u.%u.%u "
"for '%s' (setting last failure time)",
((unsigned char *) &t_state.current.server->ip)[0],
((unsigned char *) &t_state.current.server->ip)[1],
((unsigned char *) &t_state.current.server->ip)[2],
- ((unsigned char *) &t_state.current.server->ip)[3], url_str);
+ ((unsigned char *) &t_state.current.server->ip)[3],
+ url_str ? url_str : "<none>"
+ );
if (url_str)
t_state.arena.str_free(url_str);
}
Modified: trafficserver/traffic/trunk/proxy/http/HttpTransact.cc
URL:
http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpTransact.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpTransact.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpTransact.cc Mon Apr 25 19:29:02
2011
@@ -832,7 +832,6 @@ HttpTransact::EndRemapRequest(State* s)
Debug("http_trans", "START HttpTransact::EndRemapRequest");
HTTPHdr *incoming_request = &s->hdr_info.client_request;
- //URL *url = incoming_request->url_get();
int method = incoming_request->method_get_wksidx();
int host_len;
const char *host = incoming_request->host_get(&host_len);
@@ -955,12 +954,6 @@ done:
TRANSACT_RETURN(PROXY_INTERNAL_CACHE_NOOP, NULL);
}
- if (s->reverse_proxy) {
- Debug("url_rewrite", "s->reverse_proxy is true");
- } else {
- Debug("url_rewrite", "s->reverse_proxy is false");
- }
-
if (is_debug_tag_set("http_chdr_describe") || is_debug_tag_set("http_trans")
|| is_debug_tag_set("url_rewrite")) {
Debug("http_trans", "After Remapping:");
obj_describe(s->hdr_info.client_request.m_http, 1);
@@ -3769,8 +3762,7 @@ HttpTransact::retry_server_connection_no
ink_debug_assert(s->current.attempts <= max_retries);
ink_debug_assert(s->current.server->connect_failure != 0);
- URL *url = s->hdr_info.client_request.url_get();
- char *url_string = url->valid()? url->string_get(&s->arena) : NULL;
+ char *url_string = s->hdr_info.client_request.url_string_get(&s->arena) :
NULL;
Debug("http_trans", "[%d] failed to connect [%d] to %u.%u.%u.%u",
s->current.attempts, conn_state,
PRINT_IP(s->current.server->ip));
