On 03/05/2015 07:55 AM, Jan Kaluža wrote:
Hi,
currently, the External Rewriting Program (RewriteMap "prg:") is run as
root. I would like to change it but I see three ways how to do it:
1. Execute it right after drop_privileges hook. This looks like best
way, but I haven't found any hook which could be used for that (except
drop_privileges with APR_HOOK_REALLY_LAST, which does not seem as proper
place to me).
2. Execute it in child_init. This is done after drop_privileges, so the
user/group is good. The "problem" here is that it would execute one
rewrite program per child. Right now I'm not sure if it's really
problem. It could be useful to have more instances of rewriting program
to make its bottleneck lower.
3. Execute it where it is now (post_config), but set user/group using
apr_procattr_t. So far I think this would duplicate the code of
mod_unixd and would probably have to also handle the windows equivalent
of that module (if there's any).
I've been thinking about this one more and with introduction of third
argument to RewriteMap, it could be possible with patch similar to
attached one.
You can do "RewriteMap MapName prg:/path user:group" with the patch.
This could be even backported to 2.4.x.
Jan Kaluza
What way do you think is the best, or would you do it differently?
I'm attaching patch for number 2.
Regards,
Jan Kaluza
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1663642)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -267,6 +267,8 @@
const char *dbdq; /* SQL SELECT statement for rewritemap */
const char *checkfile2; /* filename to check for map existence
NULL if only one file */
+ const char *user;
+ const char *group;
} rewritemap_entry;
/* special pattern types for RewriteCond */
@@ -1171,6 +1173,7 @@
static apr_status_t rewritemap_program_child(apr_pool_t *p,
const char *progname, char **argv,
+ const char *user, const char *group,
apr_file_t **fpout,
apr_file_t **fpin)
{
@@ -1183,6 +1186,8 @@
APR_FULL_BLOCK, APR_NO_PIPE))
&& APR_SUCCESS == (rc=apr_procattr_dir_set(procattr,
ap_make_dirstr_parent(p, argv[0])))
+ && (!user || APR_SUCCESS == (rc=apr_procattr_user_set(procattr, user, "")))
+ && (!group || APR_SUCCESS == (rc=apr_procattr_group_set(procattr, group)))
&& APR_SUCCESS == (rc=apr_procattr_cmdtype_set(procattr, APR_PROGRAM))
&& APR_SUCCESS == (rc=apr_procattr_child_errfn_set(procattr,
rewrite_child_errfn))
@@ -1240,6 +1245,7 @@
}
rc = rewritemap_program_child(p, map->argv[0], map->argv,
+ map->user, map->group,
&fpout, &fpin);
if (rc != APR_SUCCESS || fpin == NULL || fpout == NULL) {
ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, APLOGNO(00654)
@@ -3018,7 +3024,7 @@
}
static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
- const char *a2)
+ const char *a2, const char *a3)
{
rewrite_server_conf *sconf;
rewritemap_entry *newmap;
@@ -3124,6 +3130,11 @@
newmap->type = MAPTYPE_PRG;
newmap->checkfile = newmap->argv[0];
+ if (a3) {
+ char *tok_cntx;
+ newmap->user = apr_strtok(apr_pstrdup(cmd->pool, a3), ":", &tok_cntx);
+ newmap->group = apr_strtok(NULL, ":", &tok_cntx);
+ }
}
else if (strncasecmp(a2, "int:", 4) == 0) {
newmap->type = MAPTYPE_INT;
@@ -5205,8 +5216,8 @@
"an input string and a to be applied regexp-pattern"),
AP_INIT_RAW_ARGS("RewriteRule", cmd_rewriterule, NULL, OR_FILEINFO,
"an URL-applied regexp-pattern and a substitution URL"),
- AP_INIT_TAKE2( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
- "a mapname and a filename"),
+ AP_INIT_TAKE23( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
+ "a mapname and a filename and options"),
{ NULL }
};
