arm64/machdep.c: strncpy+overlap - "boot> boot -s" behaviour
Hi,
another user mentioned on irc about issue w/"boot -s" not working on rpi3.
diff below fixes secondary the strncpy() w/dst==src, and also adds blank
line after the function which does the correct strncpy.
-Artturi
diff --git sys/arch/arm64/arm64/machdep.c sys/arch/arm64/arm64/machdep.c
index ac3a9f6344b..db4bd8532eb 100644
--- sys/arch/arm64/arm64/machdep.c
+++ sys/arch/arm64/arm64/machdep.c
@@ -1121,6 +1121,7 @@ collect_kernel_args(char *args)
/* Make a local copy of the bootargs */
strncpy(bootargs, args, MAX_BOOT_STRING - sizeof(int));
}
+
void
process_kernel_args(void)
{
@@ -1132,11 +1133,6 @@ process_kernel_args(void)
}
boothowto = 0;
-
- /* Make a local copy of the bootargs */
- strncpy(bootargs, cp, MAX_BOOT_STRING - sizeof(int));
-
- cp = bootargs;
boot_file = bootargs;
/* Skip the kernel image filename */
Re: [patch] spamd-setup.c
On 03/07/18 18:55, William Ahern wrote: On Wed, Mar 07, 2018 at 05:17:59PM -0600, Edgar Pettijohn wrote: This looks like a good place for reallocarray. Yes? Index: spamd-setup.c === RCS file: /cvs/src/libexec/spamd-setup/spamd-setup.c,v retrieving revision 1.50 diff -u -p -u -r1.50 spamd-setup.c --- spamd-setup.c7 Jul 2017 00:10:15 -1.50 +++ spamd-setup.c7 Mar 2018 23:14:00 - @@ -363,7 +363,7 @@ fix_quoted_colons(char *buf) char *newbuf, last; /* Allocate enough space for a buf of all colons (impossible). */ -newbuf = malloc(2 * strlen(buf) + 1); +newbuf = reallocarray(NULL, 2, strlen(buf) + 1); if (newbuf == NULL) return (NULL); last = '\0'; FWIW, the old code evaluates as (2 * strlen(buf)) + 1 but the new code evaluates as 2 * (strlen(buf) + 1) Those pesky parenthesis. I guess I could argue that the benefits of reallocarray() outweigh the wasted memory. However, that is probably why it hasn't been changed already.
Re: [patch] spamd-setup.c
On Wed, Mar 07, 2018 at 05:17:59PM -0600, Edgar Pettijohn wrote: > This looks like a good place for reallocarray. Yes? > > Index: spamd-setup.c > === > RCS file: /cvs/src/libexec/spamd-setup/spamd-setup.c,v > retrieving revision 1.50 > diff -u -p -u -r1.50 spamd-setup.c > --- spamd-setup.c7 Jul 2017 00:10:15 -1.50 > +++ spamd-setup.c7 Mar 2018 23:14:00 - > @@ -363,7 +363,7 @@ fix_quoted_colons(char *buf) > char *newbuf, last; > > /* Allocate enough space for a buf of all colons (impossible). */ > -newbuf = malloc(2 * strlen(buf) + 1); > +newbuf = reallocarray(NULL, 2, strlen(buf) + 1); > if (newbuf == NULL) > return (NULL); > last = '\0'; FWIW, the old code evaluates as (2 * strlen(buf)) + 1 but the new code evaluates as 2 * (strlen(buf) + 1)
Re: close filedescriptors of children
On Wed, 7 Mar 2018, Gerhard Roth wrote: > Below is an updated patch that includes proc.c of switchd and vmd. > It also passes the 'debug' flag to proc_init() so that it won't touch > std* in that case. FWIW sshd unconditionally clobbers stdin and stdout and will also clobber stderr if the debug flag isn't set. -d
[patch] spamd-setup.c
This looks like a good place for reallocarray. Yes? Index: spamd-setup.c === RCS file: /cvs/src/libexec/spamd-setup/spamd-setup.c,v retrieving revision 1.50 diff -u -p -u -r1.50 spamd-setup.c --- spamd-setup.c7 Jul 2017 00:10:15 -1.50 +++ spamd-setup.c7 Mar 2018 23:14:00 - @@ -363,7 +363,7 @@ fix_quoted_colons(char *buf) char *newbuf, last; /* Allocate enough space for a buf of all colons (impossible). */ -newbuf = malloc(2 * strlen(buf) + 1); +newbuf = reallocarray(NULL, 2, strlen(buf) + 1); if (newbuf == NULL) return (NULL); last = '\0';
Re: httpd: single FastCGI script handling all requests
On 03/06/18 16:39, Diogo Galvao wrote:
The following patch makes it possible to handle all FastCGI requests
with a single script so it can route clean URLs itself.
Was it already possible some other way?
It's already possible to achieve the same result with the root option:
server "example.com" {
listen on * port 80
root "/htdocs/example.com"
location "*" {
fastcgi socket "/run/php-fpm.sock"
root "/htdocs/example.com/router.php"
}
}
So below is a small addition to httpd.conf.5 to make it more obvious to
future users, in case you find it relevant.
Sorry for the noise.
Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.89
diff -u -p -u -p -r1.89 httpd.conf.5
--- httpd.conf.54 Jan 2018 20:38:12 - 1.89
+++ httpd.conf.57 Mar 2018 22:59:17 -
@@ -468,6 +468,16 @@ root directory of
.Nm httpd .
If not specified, it defaults to
.Pa /htdocs .
+.It Ar script
+When served by FastCGI, the
+.Ic root
+option may be the pathname to the single script within the
+.Xr chroot 2
+root directory that's responsible for handling all requests. In this case,
+the actual path requested by the client is made available to the FastCGI
+handler in the
+.Ic PATH_INFO
+variable.
.It Ic strip Ar number
Strip
.Ar number
Re: httpd: single FastCGI script handling all requests
On 03/07/18 05:36, Hiltjo Posthuma wrote: Hi, I wonder if it can't be done simpler with some wrapper program/script that sets $SCRIPT_FILENAME to your router PHP script beforehand? It it would then it would require no changes to httpd and be more useful in other cases aswell. Hi. Thanks for the idea. As I understand it, this wrapper would be another FastCGI server that receives requests from httpd through its own socket, modifies $SCRIPT_FILENAME, then forwards it to php-fpm. Unless it replaces php-fpm altogether. Either way, if this really is the alternative then I'm not sure it's any simpler than that diff. I'll do some more research to see if it's possible to get the same result of that diff with httpd as is.
Re: handle updates via Adj-RIB-Out
On Fri, Mar 02, 2018 at 04:55:23PM +0100, Claudio Jeker wrote:
> On Wed, Feb 07, 2018 at 05:52:09AM +0100, Claudio Jeker wrote:
> > This diff changes the way bgpd does updates. Instead of having its own
> > special update queue/tree it uses a regular RIB (Adj-RIB-Out) to store all
> > updates to be sent. Stuff that has been sent is linked to the prefixes
> > queue. On the peer there are also queues for updates and withdraws.
> > The whole update code becomes a lot simpler but also results in the bulk
> > of the diff. Other changes include the bgpctl show rib handling (we can
> > just walk the Adj-RIB-Out now). Last but not least the EOR records are
> > also now a magic rde_aspath (flag F_ATTR_EOR) which is added to the update
> > queue.
> >
> > This diff is still very large and the changes are intrusive so reviews and
> > testing is very welcome.
>
> No news on this? Anyone?
"Rebased" diff to -current (thanks job@ for the cluestick)
--
:wq Claudio
Index: rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.379
diff -u -p -r1.379 rde.c
--- rde.c 10 Feb 2018 05:54:31 - 1.379
+++ rde.c 6 Mar 2018 09:41:34 -
@@ -81,8 +81,6 @@ void rde_dump_rib_as(struct prefix *,
int);
voidrde_dump_filter(struct prefix *,
struct ctl_show_rib_request *);
-voidrde_dump_filterout(struct rde_peer *, struct prefix *,
-struct ctl_show_rib_request *);
voidrde_dump_upcall(struct rib_entry *, void *);
voidrde_dump_prefix_upcall(struct rib_entry *, void *);
voidrde_dump_ctx_new(struct ctl_show_rib_request *, pid_t,
@@ -2317,71 +2315,33 @@ rde_dump_rib_as(struct prefix *p, struct
}
void
-rde_dump_filterout(struct rde_peer *peer, struct prefix *p,
-struct ctl_show_rib_request *req)
+rde_dump_filter(struct prefix *p, struct ctl_show_rib_request *req)
{
- struct bgpd_addr addr;
- struct rde_aspath *asp, *fasp;
- enum filter_actions a;
+ struct rde_aspath *asp;
- if (up_test_update(peer, p) != 1)
+ if (req->peerid && req->peerid != prefix_peer(p)->conf.id)
return;
+ if (p->flags & F_PREFIX_USE_PEER)
+ return; /* pending withdraw, skip */
- pt_getaddr(p->re->prefix, &addr);
asp = prefix_aspath(p);
- a = rde_filter(out_rules, &fasp, peer, asp, &addr,
- p->re->prefix->prefixlen, asp->peer);
- if (fasp)
- fasp->peer = asp->peer;
- else
- fasp = asp;
-
- if (a == ACTION_ALLOW)
- rde_dump_rib_as(p, fasp, req->pid, req->flags);
-
- if (fasp != asp)
- path_put(fasp);
-}
-
-void
-rde_dump_filter(struct prefix *p, struct ctl_show_rib_request *req)
-{
- struct rde_peer *peer;
- struct rde_aspath *asp;
-
- if (req->flags & F_CTL_ADJ_IN ||
- !(req->flags & (F_CTL_ADJ_IN|F_CTL_ADJ_OUT))) {
- asp = prefix_aspath(p);
- if (req->peerid && req->peerid != asp->peer->conf.id)
- return;
- if (req->type == IMSG_CTL_SHOW_RIB_AS &&
- !aspath_match(asp->aspath->data, asp->aspath->len,
- &req->as, req->as.as))
- return;
- if (req->type == IMSG_CTL_SHOW_RIB_COMMUNITY &&
- !community_match(asp, req->community.as,
- req->community.type))
- return;
- if (req->type == IMSG_CTL_SHOW_RIB_EXTCOMMUNITY &&
- !community_ext_match(asp, &req->extcommunity, 0))
- return;
- if (req->type == IMSG_CTL_SHOW_RIB_LARGECOMMUNITY &&
- !community_large_match(asp, req->large_community.as,
- req->large_community.ld1, req->large_community.ld2))
- return;
- if ((req->flags & F_CTL_ACTIVE) && p->re->active != p)
- return;
- rde_dump_rib_as(p, asp, req->pid, req->flags);
- } else if (req->flags & F_CTL_ADJ_OUT) {
- if (p->re->active != p)
- /* only consider active prefix */
- return;
- if (req->peerid) {
- if ((peer = peer_get(req->peerid)) != NULL)
- rde_dump_filterout(peer, p, req);
- return;
- }
- }
+ if (req->type == IMSG_CTL_SHOW_RIB_AS &&
+ !aspath_match(asp->aspath->data, asp->aspath->len,
+ &req->as, req->as.as))
+ return;
+ if (req->type == IMSG_CTL_SHOW_RIB_COMMUNITY &&
+ !community_match(asp, req->community.as, req->community.type))
+ return;
+ if (req->type == IMSG_
Re: slaacd(8): RFC 7136
yup, makes sense. OK
On 2018 Mar 07 (Wed) at 18:29:07 +0100 (+0100), Florian Obser wrote:
:RFC 7136 clarifies that the "u" and "g" bits are only significant when
:IPv6 unicast interface identifiers are derived from IEEE link-layer
:addresses. In all other cases the interface identifier should be
:treated as an opaque value.
:
:Accordingly stop fiddling with the bits for privacy addresses.
:
:While here initialize the whole priv_in6 struct with random data,
:currently no functional change but reduces amount of magic numbers,
:pointed out by phessler as part of a larger diff.
:
:OK?
:
:diff --git slaacd/engine.c slaacd/engine.c
:index f2424c392f2..ab955c3b5e3 100644
:--- slaacd/engine.c
:+++ slaacd/engine.c
:@@ -1243,18 +1243,6 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix
*prefix, struct
: /* XXX from in6.h, guarded by #ifdef _KERNEL XXX nonstandard */
: #define s6_addr32 __u6_addr.__u6_addr32
:
:- /* XXX from in6_ifattach.c */
:-#define EUI64_GBIT0x01
:-#define EUI64_UBIT0x02
:-
:- if (privacy) {
:- arc4random_buf(&priv_in6.s6_addr32[2], 8);
:- priv_in6.s6_addr[8] &= ~EUI64_GBIT; /* g bit to "individual" */
:- priv_in6.s6_addr[8] |= EUI64_UBIT; /* u bit to "local" */
:- /* convert EUI64 into IPv6 interface identifier */
:- priv_in6.s6_addr[8] ^= EUI64_UBIT;
:- }
:-
: in6_prefixlen2mask(&addr_proposal->mask, addr_proposal->prefix_len);
:
: memset(&addr_proposal->addr, 0, sizeof(addr_proposal->addr));
:@@ -1275,6 +1263,7 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix
*prefix, struct
: addr_proposal->mask.s6_addr32[3];
:
: if (privacy) {
:+ arc4random_buf(&priv_in6.s6_addr, sizeof(priv_in6.s6_addr));
: addr_proposal->addr.sin6_addr.s6_addr32[0] |=
: (priv_in6.s6_addr32[0] & ~addr_proposal->mask.s6_addr32[0]);
: addr_proposal->addr.sin6_addr.s6_addr32[1] |=
:
:--
:I'm not entirely sure you are real.
:
--
Just go with the flow control, roll with the crunches, and, when you
get a prompt, type like hell.
slaacd(8): RFC 7136
RFC 7136 clarifies that the "u" and "g" bits are only significant when
IPv6 unicast interface identifiers are derived from IEEE link-layer
addresses. In all other cases the interface identifier should be
treated as an opaque value.
Accordingly stop fiddling with the bits for privacy addresses.
While here initialize the whole priv_in6 struct with random data,
currently no functional change but reduces amount of magic numbers,
pointed out by phessler as part of a larger diff.
OK?
diff --git slaacd/engine.c slaacd/engine.c
index f2424c392f2..ab955c3b5e3 100644
--- slaacd/engine.c
+++ slaacd/engine.c
@@ -1243,18 +1243,6 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix
*prefix, struct
/* XXX from in6.h, guarded by #ifdef _KERNEL XXX nonstandard */
#define s6_addr32 __u6_addr.__u6_addr32
- /* XXX from in6_ifattach.c */
-#define EUI64_GBIT 0x01
-#define EUI64_UBIT 0x02
-
- if (privacy) {
- arc4random_buf(&priv_in6.s6_addr32[2], 8);
- priv_in6.s6_addr[8] &= ~EUI64_GBIT; /* g bit to "individual" */
- priv_in6.s6_addr[8] |= EUI64_UBIT; /* u bit to "local" */
- /* convert EUI64 into IPv6 interface identifier */
- priv_in6.s6_addr[8] ^= EUI64_UBIT;
- }
-
in6_prefixlen2mask(&addr_proposal->mask, addr_proposal->prefix_len);
memset(&addr_proposal->addr, 0, sizeof(addr_proposal->addr));
@@ -1275,6 +1263,7 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix
*prefix, struct
addr_proposal->mask.s6_addr32[3];
if (privacy) {
+ arc4random_buf(&priv_in6.s6_addr, sizeof(priv_in6.s6_addr));
addr_proposal->addr.sin6_addr.s6_addr32[0] |=
(priv_in6.s6_addr32[0] & ~addr_proposal->mask.s6_addr32[0]);
addr_proposal->addr.sin6_addr.s6_addr32[1] |=
--
I'm not entirely sure you are real.
Re: close filedescriptors of children
On 7 March 2018 at 17:27, Gerhard Roth wrote: > > On Wed, 7 Mar 2018 17:20:06 +0100 Mike Belopuhov wrote: > > On 7 March 2018 at 17:01, Gerhard Roth wrote: > > > > > > Hi Benno, > > > > > > thanks for your reply. > > > > > > On Wed, 7 Mar 2018 15:22:28 +0100 Sebastian Benoit > > wrote: > > > > Hi, > > > > > > > > switchd and vmd use the same proc.c,and should stay in sync. > > > > > > Ack. I missed them. > > > > > > > iked also uses proc.c. I think you've got all the others, > > but perhaps you should run a find? > > > > Cheers, > > Mike > > Hi Mike, > > but iked still uses an older version of proc.c that just forks off > the children but does not execve() the own binary. > > Also, iked is the only one that daemon(3)-izes before calling > proc_init(). So here stdout, stdin, and stderr is already remapped > to /dev/null before forking the kids. > > Gerhard I see. Reyk always wanted to keep them all in sync, but I guess it's too late to care about that if they've already diverged.
Re: close filedescriptors of children
On Wed, 7 Mar 2018 17:20:06 +0100 Mike Belopuhov wrote: > On 7 March 2018 at 17:01, Gerhard Roth wrote: > > > > Hi Benno, > > > > thanks for your reply. > > > > On Wed, 7 Mar 2018 15:22:28 +0100 Sebastian Benoit > wrote: > > > Hi, > > > > > > switchd and vmd use the same proc.c,and should stay in sync. > > > > Ack. I missed them. > > > > iked also uses proc.c. I think you've got all the others, > but perhaps you should run a find? > > Cheers, > Mike Hi Mike, but iked still uses an older version of proc.c that just forks off the children but does not execve() the own binary. Also, iked is the only one that daemon(3)-izes before calling proc_init(). So here stdout, stdin, and stderr is already remapped to /dev/null before forking the kids. Gerhard
Re: close filedescriptors of children
On 7 March 2018 at 17:01, Gerhard Roth wrote: > > Hi Benno, > > thanks for your reply. > > On Wed, 7 Mar 2018 15:22:28 +0100 Sebastian Benoit wrote: > > Hi, > > > > switchd and vmd use the same proc.c,and should stay in sync. > > Ack. I missed them. > iked also uses proc.c. I think you've got all the others, but perhaps you should run a find? Cheers, Mike
Re: close filedescriptors of children
Hi Benno,
thanks for your reply.
On Wed, 7 Mar 2018 15:22:28 +0100 Sebastian Benoit wrote:
> Hi,
>
> switchd and vmd use the same proc.c,and should stay in sync.
Ack. I missed them.
>
> Also, this breaks -dvv (i.e. debug output when running inthe foreground),
> at least for relayd.
Stupid me, indeed.
>
> /Benno
>
Below is an updated patch that includes proc.c of switchd and vmd.
It also passes the 'debug' flag to proc_init() so that it won't touch
std* in that case.
I was wandering if this would be a good idea to move the daemon(3)
call into the PROC_PARENT case of proc_init(), too?
Gerhard
Index: usr.sbin/httpd/httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.67
diff -u -p -u -p -r1.67 httpd.c
--- usr.sbin/httpd/httpd.c 28 May 2017 10:37:26 - 1.67
+++ usr.sbin/httpd/httpd.c 7 Mar 2018 15:49:47 -
@@ -215,7 +215,7 @@ main(int argc, char *argv[])
}
/* only the parent returns */
- proc_init(ps, procs, nitems(procs), argc0, argv, proc_id);
+ proc_init(ps, procs, nitems(procs), argc0, argv, proc_id, debug);
log_procinit("parent");
if (!debug && daemon(1, 0) == -1)
Index: usr.sbin/httpd/httpd.h
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.135
diff -u -p -u -p -r1.135 httpd.h
--- usr.sbin/httpd/httpd.h 7 Feb 2018 03:28:05 - 1.135
+++ usr.sbin/httpd/httpd.h 7 Mar 2018 15:49:30 -
@@ -761,7 +761,7 @@ __dead void fatalx(const char *, ...)
enum privsep_procid
proc_getid(struct privsep_proc *, unsigned int, const char *);
voidproc_init(struct privsep *, struct privsep_proc *, unsigned int,
- int, char **, enum privsep_procid);
+ int, char **, enum privsep_procid, int);
voidproc_kill(struct privsep *);
voidproc_connect(struct privsep *);
voidproc_dispatch(int, short event, void *);
Index: usr.sbin/httpd/proc.c
===
RCS file: /cvs/src/usr.sbin/httpd/proc.c,v
retrieving revision 1.37
diff -u -p -u -p -r1.37 proc.c
--- usr.sbin/httpd/proc.c 28 May 2017 10:37:26 - 1.37
+++ usr.sbin/httpd/proc.c 7 Mar 2018 15:50:06 -
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -191,13 +192,14 @@ proc_connect(struct privsep *ps)
void
proc_init(struct privsep *ps, struct privsep_proc *procs, unsigned int nproc,
-int argc, char **argv, enum privsep_procid proc_id)
+int argc, char **argv, enum privsep_procid proc_id, int debug)
{
struct privsep_proc *p = NULL;
struct privsep_pipes*pa, *pb;
unsigned int proc;
unsigned int dst;
int fds[2];
+ int fd;
/* Don't initiate anything if we are not really going to run. */
if (ps->ps_noaction)
@@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
fatalx("%s: process %d missing process initialization",
__func__, proc_id);
+ if (!debug && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ dup2(fd, STDIN_FILENO);
+ dup2(fd, STDOUT_FILENO);
+ dup2(fd, STDERR_FILENO);
+ if (fd > 2)
+ close(fd);
+ }
p->p_init(ps, p);
fatalx("failed to initiate child process");
Index: usr.sbin/relayd/proc.c
===
RCS file: /cvs/src/usr.sbin/relayd/proc.c,v
retrieving revision 1.39
diff -u -p -u -p -r1.39 proc.c
--- usr.sbin/relayd/proc.c 28 May 2017 10:39:15 - 1.39
+++ usr.sbin/relayd/proc.c 7 Mar 2018 15:43:03 -
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -191,13 +192,14 @@ proc_connect(struct privsep *ps)
void
proc_init(struct privsep *ps, struct privsep_proc *procs, unsigned int nproc,
-int argc, char **argv, enum privsep_procid proc_id)
+int argc, char **argv, enum privsep_procid proc_id, int debug)
{
struct privsep_proc *p = NULL;
struct privsep_pipes*pa, *pb;
unsigned int proc;
unsigned int dst;
int fds[2];
+ int fd;
/* Don't initiate anything if we are not really going to run. */
if (ps->ps_noaction)
@@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
fatalx("%s: process %d missing process initialization",
__func__, proc_id);
+ if (!debug && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ dup2(fd, STDIN_FILENO);
+ dup2(fd, STDOUT_FILENO);
+ dup2(fd, STDERR_FILENO);
+
Re: close filedescriptors of children
Hi,
switchd and vmd use the same proc.c,and should stay in sync.
Also, this breaks -dvv (i.e. debug output when running inthe foreground),
at least for relayd.
/Benno
Gerhard Roth(gerhard_r...@genua.de) on 2018.03.07 13:43:05 +0100:
> Hi,
>
> proc_init() is done before daemon() and for the child processes of httpd,
> relayd and snmpd() this function never returns. That means that the
> children inherit stdin, stdout, and stderr of the caller and never close
> them.
>
> This fix this, proc_init() should map these filedes to /dev/null for a
> child. The code is simpled and copied from deamon(3), without the lintish
> (void) casts.
>
> Gerhard
>
>
> Index: usr.sbin/httpd/proc.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/proc.c,v
> retrieving revision 1.37
> diff -u -p -u -p -r1.37 proc.c
> --- usr.sbin/httpd/proc.c 28 May 2017 10:37:26 - 1.37
> +++ usr.sbin/httpd/proc.c 7 Mar 2018 12:31:11 -
> @@ -27,6 +27,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include
> #include
> @@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
> unsigned int proc;
> unsigned int dst;
> int fds[2];
> + int fd;
>
> /* Don't initiate anything if we are not really going to run. */
> if (ps->ps_noaction)
> @@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
> fatalx("%s: process %d missing process initialization",
> __func__, proc_id);
>
> + if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
> + dup2(fd, STDIN_FILENO);
> + dup2(fd, STDOUT_FILENO);
> + dup2(fd, STDERR_FILENO);
> + if (fd > 2)
> + close(fd);
> + }
> p->p_init(ps, p);
>
> fatalx("failed to initiate child process");
> Index: usr.sbin/relayd/proc.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/proc.c,v
> retrieving revision 1.39
> diff -u -p -u -p -r1.39 proc.c
> --- usr.sbin/relayd/proc.c28 May 2017 10:39:15 - 1.39
> +++ usr.sbin/relayd/proc.c7 Mar 2018 12:32:28 -
> @@ -27,6 +27,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include
> #include
> @@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
> unsigned int proc;
> unsigned int dst;
> int fds[2];
> + int fd;
>
> /* Don't initiate anything if we are not really going to run. */
> if (ps->ps_noaction)
> @@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
> fatalx("%s: process %d missing process initialization",
> __func__, proc_id);
>
> + if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
> + dup2(fd, STDIN_FILENO);
> + dup2(fd, STDOUT_FILENO);
> + dup2(fd, STDERR_FILENO);
> + if (fd > 2)
> + close(fd);
> + }
> p->p_init(ps, p);
>
> fatalx("failed to initiate child process");
> Index: usr.sbin/snmpd/proc.c
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/proc.c,v
> retrieving revision 1.24
> diff -u -p -u -p -r1.24 proc.c
> --- usr.sbin/snmpd/proc.c 29 May 2017 12:56:26 - 1.24
> +++ usr.sbin/snmpd/proc.c 7 Mar 2018 12:34:02 -
> @@ -27,6 +27,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include
> #include
> @@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
> unsigned int proc;
> unsigned int dst;
> int fds[2];
> + int fd;
>
> /* Don't initiate anything if we are not really going to run. */
> if (ps->ps_noaction)
> @@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
> fatalx("%s: process %d missing process initialization",
> __func__, proc_id);
>
> + if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
> + dup2(fd, STDIN_FILENO);
> + dup2(fd, STDOUT_FILENO);
> + dup2(fd, STDERR_FILENO);
> + if (fd > 2)
> + close(fd);
> + }
> p->p_init(ps, p);
>
> fatalx("failed to initiate child process");
>
close filedescriptors of children
Hi,
proc_init() is done before daemon() and for the child processes of httpd,
relayd and snmpd() this function never returns. That means that the
children inherit stdin, stdout, and stderr of the caller and never close
them.
This fix this, proc_init() should map these filedes to /dev/null for a
child. The code is simpled and copied from deamon(3), without the lintish
(void) casts.
Gerhard
Index: usr.sbin/httpd/proc.c
===
RCS file: /cvs/src/usr.sbin/httpd/proc.c,v
retrieving revision 1.37
diff -u -p -u -p -r1.37 proc.c
--- usr.sbin/httpd/proc.c 28 May 2017 10:37:26 - 1.37
+++ usr.sbin/httpd/proc.c 7 Mar 2018 12:31:11 -
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
unsigned int proc;
unsigned int dst;
int fds[2];
+ int fd;
/* Don't initiate anything if we are not really going to run. */
if (ps->ps_noaction)
@@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
fatalx("%s: process %d missing process initialization",
__func__, proc_id);
+ if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ dup2(fd, STDIN_FILENO);
+ dup2(fd, STDOUT_FILENO);
+ dup2(fd, STDERR_FILENO);
+ if (fd > 2)
+ close(fd);
+ }
p->p_init(ps, p);
fatalx("failed to initiate child process");
Index: usr.sbin/relayd/proc.c
===
RCS file: /cvs/src/usr.sbin/relayd/proc.c,v
retrieving revision 1.39
diff -u -p -u -p -r1.39 proc.c
--- usr.sbin/relayd/proc.c 28 May 2017 10:39:15 - 1.39
+++ usr.sbin/relayd/proc.c 7 Mar 2018 12:32:28 -
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
unsigned int proc;
unsigned int dst;
int fds[2];
+ int fd;
/* Don't initiate anything if we are not really going to run. */
if (ps->ps_noaction)
@@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
fatalx("%s: process %d missing process initialization",
__func__, proc_id);
+ if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ dup2(fd, STDIN_FILENO);
+ dup2(fd, STDOUT_FILENO);
+ dup2(fd, STDERR_FILENO);
+ if (fd > 2)
+ close(fd);
+ }
p->p_init(ps, p);
fatalx("failed to initiate child process");
Index: usr.sbin/snmpd/proc.c
===
RCS file: /cvs/src/usr.sbin/snmpd/proc.c,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 proc.c
--- usr.sbin/snmpd/proc.c 29 May 2017 12:56:26 - 1.24
+++ usr.sbin/snmpd/proc.c 7 Mar 2018 12:34:02 -
@@ -27,6 +27,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -198,6 +199,7 @@ proc_init(struct privsep *ps, struct pri
unsigned int proc;
unsigned int dst;
int fds[2];
+ int fd;
/* Don't initiate anything if we are not really going to run. */
if (ps->ps_noaction)
@@ -246,6 +248,13 @@ proc_init(struct privsep *ps, struct pri
fatalx("%s: process %d missing process initialization",
__func__, proc_id);
+ if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ dup2(fd, STDIN_FILENO);
+ dup2(fd, STDOUT_FILENO);
+ dup2(fd, STDERR_FILENO);
+ if (fd > 2)
+ close(fd);
+ }
p->p_init(ps, p);
fatalx("failed to initiate child process");
Re: httpd: single FastCGI script handling all requests
On Tue, Mar 06, 2018 at 04:39:04PM -0300, Diogo Galvao wrote:
> The following patch makes it possible to handle all FastCGI requests
> with a single script so it can route clean URLs itself.
>
> Was it already possible some other way?
>
> And, regardless of this patch, is it even a feature you'd
> like to see in base? Any suggestion for a better implementation?
>
>
> server "example.com" {
> listen on * port 80
> root "/htdocs/example.com"
>
> location "/robots.txt" {
> pass
> }
> location "/favicon.ico" {
> pass
> }
> location "*" {
> fastcgi {
> socket "/run/php-fpm.sock"
> with "/htdocs/example.com/router.php"
> }
> }
> }
>
>
> Index: httpd.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.89
> diff -u -p -u -p -r1.89 httpd.conf.5
> --- httpd.conf.5 4 Jan 2018 20:38:12 - 1.89
> +++ httpd.conf.5 6 Mar 2018 19:11:56 -
> @@ -272,7 +272,12 @@ Disable the directory index.
> .Xr httpd 8
> will neither display nor generate a directory index.
> .El
> -.It Oo Ic no Oc Ic fastcgi Op Ic socket Ar socket
> +.It Xo
> +.Op Ic no
> +.Ic fastcgi
> +.Op Ic socket Ar socket
> +.Op Ic with Ar script
> +.Xc
> Enable FastCGI instead of serving files.
> The
> .Ar socket
> @@ -282,6 +287,14 @@ root directory of
> .Xr httpd 8
> and defaults to
> .Pa /run/slowcgi.sock .
> +.Pp
> +If provided,
> +.Ar script
> +is a local path name within the
> +.Xr chroot 2
> +root directory of
> +.Xr httpd 8
> +that is used as the SCRIPT_FILENAME for all requests.
> .Pp
> The FastCGI handler will be given the following variables:
> .Pp
> Index: httpd.h
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> retrieving revision 1.135
> diff -u -p -u -p -r1.135 httpd.h
> --- httpd.h 7 Feb 2018 03:28:05 - 1.135
> +++ httpd.h 6 Mar 2018 19:11:56 -
> @@ -397,13 +397,14 @@ SPLAY_HEAD(client_tree, client);
> #define SRVFLAG_SERVER_MATCH 0x0020
> #define SRVFLAG_SERVER_HSTS 0x0040
> #define SRVFLAG_DEFAULT_TYPE 0x0080
> +#define SRVFLAG_FCGISCRIPT 0x0100
> #define SRVFLAG_BITS \
> "\10\01INDEX\02NO_INDEX\03AUTO_INDEX\04NO_AUTO_INDEX" \
> "\05ROOT\06LOCATION\07FCGI\10NO_FCGI\11LOG\12NO_LOG\13SOCKET" \
> "\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG" \
> "\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH" \
> - "\26SERVER_MATCH\27SERVER_HSTS\30DEFAULT_TYPE"
> + "\26SERVER_MATCH\27SERVER_HSTS\30DEFAULT_TYPE\31FCGISCRIPT"
> #define TCPFLAG_NODELAY 0x01
> #define TCPFLAG_NNODELAY 0x02
> @@ -467,6 +468,7 @@ struct server_config {
> char index[PATH_MAX];
> char root[PATH_MAX];
> char socket[PATH_MAX];
> + char fcgiscript[PATH_MAX];
> char accesslog[PATH_MAX];
> char errorlog[PATH_MAX];
> struct media_typedefault_type;
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> retrieving revision 1.92
> diff -u -p -u -p -r1.92 parse.y
> --- parse.y 28 Aug 2017 06:00:05 - 1.92
> +++ parse.y 6 Mar 2018 19:11:57 -
> @@ -674,6 +674,17 @@ fcgiflags: SOCKET STRING {
> free($2);
> srv_conf->flags |= SRVFLAG_SOCKET;
> }
> + | WITH STRING {
> + if (strlcpy(srv_conf->fcgiscript, $2,
> + sizeof(srv_conf->fcgiscript)) >=
> + sizeof(srv_conf->fcgiscript)) {
> + yyerror("fastcgi script too long");
> + free($2);
> + YYERROR;
> + }
> + free($2);
> + srv_conf->flags |= SRVFLAG_FCGISCRIPT;
> + }
> ;
> connection : CONNECTION '{' optnl conflags_l '}'
> Index: server_fcgi.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
> retrieving revision 1.75
> diff -u -p -u -p -r1.75 server_fcgi.c
> --- server_fcgi.c 31 Jul 2017 08:02:49 - 1.75
> +++ server_fcgi.c 6 Mar 2018 19:11:57 -
> @@ -236,9 +236,18 @@ server_fcgi(struct httpd *env, struct cl
> errstr = "failed to encode param";
> goto fail;
> }
> - if (fcgi_add_param(¶m, "SCRIPT_FILENAME", script, clt) == -1) {
> - errstr = "failed to encode param";
> - goto fail;
>
