On Thu, Jul 19, 2012 at 11:38 AM, Steinar H. Gunderson
<[email protected]> wrote:
> On Thu, Jul 19, 2012 at 11:27:04AM -0400, Jeff Trawick wrote:
>> What changes are needed to httpd trunk so that you can build mpm-itk
>> with apxs and enable it via LoadModule, such that mpm-itk is fully
>> functional? As I'm sure you're aware, prefork, worker, and event are
>> all untied from core enough to support that in httpd >= 2.4.
>
> We'd need:
>
> 1. A hook right after merging the perdir config.
> 2. Fixes to get Apache to drop the connection if it detects
> (during .htaccess lookup) that it would need to change the uid.
>
> Both patches are simple, although for #2 to be truly generic (ie. be usable
> by mod_privileges as well) we'd need some sort of signalling mechanism saying
> “we have switched uids and cannot switch back”, which then both
> mod_privileges (in secure mode) and mpm-itk could set.
>
> I've attached the current versions of both patches from my current Apache 2.4
> patch set; you can see the “ap_running_under_mpm_itk” variable which would
> probably need to be replaced by ap_mpm_query() or similar.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
>
Your post-perdir-config patch has been committed to trunk with r1368121.
(http://svn.apache.org/viewvc?view=revision&revision=r1368121)
Attached is a patch to trunk that allows you to hook in to the stat
calls from directory walk. Call apr_stat() like core_dirwalk_stat()
but check for APR_STATUS_IS_EACCES(rv) and decide whether to run
lingering close and exit. Let us know how that goes.
You still need the parse-htaccess patch for now.
--
Born in Roswell... married an alien...
http://emptyhammock.com/
Index: server/core.c
===================================================================
--- server/core.c (revision 1368124)
+++ server/core.c (working copy)
@@ -4779,6 +4779,12 @@
return APR_SUCCESS;
}
+static apr_status_t core_dirwalk_stat(apr_finfo_t *finfo, request_rec *r,
+ apr_int32_t wanted)
+{
+ return apr_stat(finfo, r->filename, wanted, r->pool);
+}
+
static void core_dump_config(apr_pool_t *p, server_rec *s)
{
core_server_config *sconf = ap_get_core_module_config(s->module_config);
@@ -4855,7 +4861,8 @@
ap_hook_child_status(ap_core_child_status, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_insert_network_bucket(core_insert_network_bucket, NULL, NULL,
APR_HOOK_REALLY_LAST);
-
+ ap_hook_dirwalk_stat(core_dirwalk_stat, NULL, NULL, APR_HOOK_REALLY_LAST);
+
/* register the core's insert_filter hook and register core-provided
* filters
*/
Index: server/request.c
===================================================================
--- server/request.c (revision 1368131)
+++ server/request.c (working copy)
@@ -70,6 +70,7 @@
APR_HOOK_LINK(insert_filter)
APR_HOOK_LINK(create_request)
APR_HOOK_LINK(post_perdir_config)
+ APR_HOOK_LINK(dirwalk_stat)
)
AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
@@ -93,6 +94,9 @@
(request_rec *r), (r), OK, DECLINED)
AP_IMPLEMENT_HOOK_RUN_ALL(int, post_perdir_config,
(request_rec *r), (r), OK, DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat,
+ (apr_finfo_t *finfo, request_rec *r, apr_int32_t
wanted),
+ (finfo, r, wanted), AP_DECLINED)
static int auth_internal_per_conf = 0;
static int auth_internal_per_conf_hooks = 0;
@@ -609,7 +613,7 @@
* with APR_ENOENT, knowing that the path is good.
*/
if (r->finfo.filetype == APR_NOFILE || r->finfo.filetype == APR_LNK) {
- rv = apr_stat(&r->finfo, r->filename, APR_FINFO_MIN, r->pool);
+ rv = ap_run_dirwalk_stat(&r->finfo, r, APR_FINFO_MIN);
/* some OSs will return APR_SUCCESS/APR_REG if we stat
* a regular file but we have '/' at the end of the name;
@@ -675,9 +679,8 @@
* check.
*/
if (!(opts & OPT_SYM_LINKS)) {
- rv = apr_stat(&thisinfo, r->filename,
- APR_FINFO_MIN | APR_FINFO_NAME | APR_FINFO_LINK,
- r->pool);
+ rv = ap_run_dirwalk_stat(&thisinfo, r,
+ APR_FINFO_MIN | APR_FINFO_NAME |
APR_FINFO_LINK);
/*
* APR_INCOMPLETE is as fine as result as APR_SUCCESS as we
* have added APR_FINFO_NAME to the wanted parameter of
@@ -1092,9 +1095,8 @@
* the name of its target, if we are fixing the filename
* case/resolving aliases.
*/
- rv = apr_stat(&thisinfo, r->filename,
- APR_FINFO_MIN | APR_FINFO_NAME | APR_FINFO_LINK,
- r->pool);
+ rv = ap_run_dirwalk_stat(&thisinfo, r,
+ APR_FINFO_MIN | APR_FINFO_NAME |
APR_FINFO_LINK);
if (APR_STATUS_IS_ENOENT(rv)) {
/* Nothing? That could be nice. But our directory
Index: include/http_request.h
===================================================================
--- include/http_request.h (revision 1368124)
+++ include/http_request.h (working copy)
@@ -538,6 +538,15 @@
*/
AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r))
+/**
+ * This hook allows modules to handle/emulate the apr_stat() calls
+ * needed for directory walk.
+ * @param r The current request
+ * @return apr_status_t or AP_DECLINED (let later modules decide)
+ * @ingroup hooks
+ */
+AP_DECLARE_HOOK(apr_status_t,dirwalk_stat,(apr_finfo_t *finfo, request_rec *r,
apr_int32_t wanted))
+
AP_DECLARE(int) ap_location_walk(request_rec *r);
AP_DECLARE(int) ap_directory_walk(request_rec *r);
AP_DECLARE(int) ap_file_walk(request_rec *r);
