trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject svn commit: r1096571 - in /trafficserver/traffic/trunk: lib/ts/Makefile.am lib/ts/ink_cap.cc lib/ts/ink_cap.h proxy/Main.cc proxy/http/HttpSM.cc proxy/http/HttpTransact.cc
Date Mon, 25 Apr 2011 19:29:02 GMT
Author: amc
Date: Mon Apr 25 19:29:02 2011
New Revision: 1096571

URL: http://svn.apache.org/viewvc?rev=1096571&view=rev
Log:
TS-748

Added:
    trafficserver/traffic/trunk/lib/ts/ink_cap.cc
    trafficserver/traffic/trunk/lib/ts/ink_cap.h
Modified:
    trafficserver/traffic/trunk/lib/ts/Makefile.am
    trafficserver/traffic/trunk/proxy/Main.cc
    trafficserver/traffic/trunk/proxy/http/HttpSM.cc
    trafficserver/traffic/trunk/proxy/http/HttpTransact.cc

Modified: trafficserver/traffic/trunk/lib/ts/Makefile.am
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/Makefile.am?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/Makefile.am (original)
+++ trafficserver/traffic/trunk/lib/ts/Makefile.am Mon Apr 25 19:29:02 2011
@@ -23,7 +23,7 @@ TESTS = $(check_PROGRAMS)
 lib_LTLIBRARIES = libtsutil.la
 
 libtsutil_la_LDFLAGS = -no-undefined -version-info @TS_LIBTOOL_VERSION@
-libtsutil_la_LIBADD = @LIBOBJS@ @LIBPCRE@ @LIBSSL@ @LIBTCL@ @LIBRESOLV@ @LIBRT@ @LIBICONV@
@LIBSOCKET@ @LIBNSL@ -lc
+libtsutil_la_LIBADD = @LIBOBJS@ @LIBPCRE@ @LIBSSL@ @LIBTCL@ @LIBRESOLV@ @LIBRT@ @LIBICONV@
@LIBSOCKET@ @LIBNSL@ @LIBCAP@ -lc
 
 libtsutil_la_SOURCES = \
   Allocator.cc \
@@ -53,6 +53,7 @@ libtsutil_la_SOURCES = \
   ink_base64.cc \
   ink_base64.h \
   ink_bool.h \
+  ink_cap.cc ink_cap.h \
   ink_code.cc \
   ink_code.h \
   ink_defs.cc \

Added: trafficserver/traffic/trunk/lib/ts/ink_cap.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/ink_cap.cc?rev=1096571&view=auto
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/ink_cap.cc (added)
+++ trafficserver/traffic/trunk/lib/ts/ink_cap.cc Mon Apr 25 19:29:02 2011
@@ -0,0 +1,61 @@
+# include "ink_config.h"
+# include "Diags.h"
+# include "ink_cap.h"
+
+# if TS_USE_POSIX_CAP
+# include <sys/capability.h>
+# include <sys/prctl.h>
+# endif
+
+void
+DebugCapabilities(char const* tag) {
+  if (is_debug_tag_set(tag)) {
+# if TS_USE_POSIX_CAP
+    cap_t caps = cap_get_proc();
+    char* caps_text = cap_to_text(caps, 0);
+# endif
+
+    Debug(tag,
+      "uid=%u, gid=%u, euid=%u, egid=%u"
+# if TS_USE_POSIX_CAP
+      ", caps %s thread 0x%x",
+# endif
+      (unsigned)getuid(), (unsigned)getgid(),
+      (unsigned)geteuid(), (unsigned)getegid()
+# if TS_USE_POSIX_CAP
+      ,caps_text
+      ,pthread_self()
+# endif
+    );
+
+# if TS_USE_POSIX_CAP
+    cap_free(caps_text);
+    cap_free(caps);
+# endif
+  }
+}
+
+int
+PreserveCapabilities() {
+  return prctl(PR_SET_KEEPCAPS, 1);
+}
+
+// Adjust the capabilities to only those needed.
+int
+RestrictCapabilities() {
+  int zret = 0; // return value.
+#if TS_USE_POSIX_CAP
+  cap_t caps = cap_get_proc(); // Only way to initialize it AFAICT.
+  cap_clear(caps);
+  // Capabilities we need.
+  cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+  static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);
+
+  cap_set_flag(caps, CAP_INHERITABLE, CAP_COUNT, cap_list, CAP_SET);
+  cap_set_flag(caps, CAP_PERMITTED, CAP_COUNT, cap_list, CAP_SET);
+  cap_set_flag(caps, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET);
+  zret = cap_set_proc(caps);
+  cap_free(caps);
+#endif
+  return zret;
+}

Added: trafficserver/traffic/trunk/lib/ts/ink_cap.h
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/lib/ts/ink_cap.h?rev=1096571&view=auto
==============================================================================
--- trafficserver/traffic/trunk/lib/ts/ink_cap.h (added)
+++ trafficserver/traffic/trunk/lib/ts/ink_cap.h Mon Apr 25 19:29:02 2011
@@ -0,0 +1,39 @@
+/** @file
+
+  POSIX Capability related utilities.
+
+  @section license License
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+ */
+
+#if !defined (_ink_cap_h_)
+#define _ink_cap_h_
+
+/// Generate a debug message with the current capabilities for the process.
+extern void DebugCapabilities(
+  char const* tag ///< Debug message tag.
+);
+/// Set capabilities to persist across change of user id.
+/// @return 0 on success, non-zero otherwise.
+extern int PreserveCapabilities();
+/// Initialize and restrict the capabilities of a thread.
+/// @return 0 on success, non-zero otherwise.
+extern int RestrictCapabilities();
+
+#endif

Modified: trafficserver/traffic/trunk/proxy/Main.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/Main.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/Main.cc (original)
+++ trafficserver/traffic/trunk/proxy/Main.cc Mon Apr 25 19:29:02 2011
@@ -47,10 +47,6 @@ extern "C" int plock(int);
 #include <mcheck.h>
 #endif
 
-#if TS_USE_POSIX_CAP
-#include <sys/capability.h>
-#endif
-
 #include "Main.h"
 #include "signals.h"
 #include "Error.h"
@@ -95,6 +91,8 @@ extern "C" int plock(int);
 
 #include "I_Tasks.h"
 
+#include <ts/ink_cap.h>
+
 #if TS_HAS_PROFILER
 #include <google/profiler.h>
 #endif
@@ -1061,23 +1059,6 @@ init_core_size()
   }
 }
 
-#if TS_USE_POSIX_CAP
-// Restore the effective capabilities that we need.
-int
-restoreCapabilities() {
-  int zret = 0; // return value.
-  cap_t cap_set = cap_get_proc(); // current capabilities
-  // Capabilities to restore.
-  cap_value_t cap_list[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
-  static int const CAP_COUNT = sizeof(cap_list)/sizeof(*cap_list);
-
-  cap_set_flag(cap_set, CAP_EFFECTIVE, CAP_COUNT, cap_list, CAP_SET);
-  zret = cap_set_proc(cap_set);
-  cap_free(cap_set);
-  return zret;
-}
-#endif
-
 static void
 adjust_sys_settings(void)
 {
@@ -1110,9 +1091,6 @@ adjust_sys_settings(void)
 #endif
 
 #endif  // linux check
-#if TS_USE_POSIX_CAP
-  restoreCapabilities();
-#endif
 }
 
 struct ShowStats: public Continuation
@@ -1659,6 +1637,26 @@ main(int argc, char **argv)
   if (!num_task_threads)
     TS_ReadConfigInteger(num_task_threads, "proxy.config.task_threads");
 
+  // change the user of the process
+  // do this before we start threads so we control the user id of the
+  // threads (rather than have it change asynchronously during thread
+  // execution). We also need to do this before we fiddle with capabilities
+  // as those are thread local and if we change the user id it will
+  // modified the capabilities in other threads, breaking things.
+  const long max_login =  sysconf(_SC_LOGIN_NAME_MAX) <= 0 ? _POSIX_LOGIN_NAME_MAX : 
sysconf(_SC_LOGIN_NAME_MAX);
+  char *user = (char *)xmalloc(max_login);
+  *user = '\0';
+  if ((TS_ReadConfigString(user, "proxy.config.admin.user_id",
+                           max_login) == REC_ERR_OKAY) &&
+                           user[0] != '\0' &&
+                           strcmp(user, "#-1")) {
+    PreserveCapabilities();
+    change_uid_gid(user);
+    RestrictCapabilities();
+    xfree(user);
+  }
+  DebugCapabilities("server");
+
   // This call is required for win_9xMe
   //without this this_ethread() is failing when
   //start_HttpProxyServer is called from main thread
@@ -1941,22 +1939,6 @@ main(int argc, char **argv)
     run_AutoStop();
   }
 
-  // change the user of the process
-  const long max_login =  sysconf(_SC_LOGIN_NAME_MAX) <= 0 ? _POSIX_LOGIN_NAME_MAX : 
sysconf(_SC_LOGIN_NAME_MAX);
-  char *user = (char *)xmalloc(max_login);
-  *user = '\0';
-  if ((TS_ReadConfigString(user, "proxy.config.admin.user_id",
-                           max_login) == REC_ERR_OKAY) &&
-                           user[0] != '\0' &&
-                           strcmp(user, "#-1")) {
-    change_uid_gid(user);
-    xfree(user);
-  }
-  Debug("server",
-        "running as uid=%u, gid=%u, effective uid=%u, gid=%u",
-        (unsigned)getuid(), (unsigned)getgid(),
-        (unsigned)geteuid(), (unsigned)getegid());
-
   this_thread()->execute();
 }
 

Modified: trafficserver/traffic/trunk/proxy/http/HttpSM.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpSM.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpSM.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpSM.cc Mon Apr 25 19:29:02 2011
@@ -4396,17 +4396,15 @@ void
 HttpSM::mark_host_failure(HostDBInfo * info, time_t time_down)
 {
   if (info->app.http_data.last_failure == 0) {
-    int url_len;
-    char *url_str;
-
-    URL *url = t_state.hdr_info.client_request.url_get();
-    url_str = url->string_get(&t_state.arena, &url_len);
+    char *url_str = t_state.hdr_info.client_request.url_string_get(&t_state.arena, 0);
     Log::error("CONNECT: could not connect to %u.%u.%u.%u "
                "for '%s' (setting last failure time)",
                ((unsigned char *) &t_state.current.server->ip)[0],
                ((unsigned char *) &t_state.current.server->ip)[1],
                ((unsigned char *) &t_state.current.server->ip)[2],
-               ((unsigned char *) &t_state.current.server->ip)[3], url_str);
+               ((unsigned char *) &t_state.current.server->ip)[3],
+               url_str ? url_str : "<none>"
+    );
     if (url_str)
       t_state.arena.str_free(url_str);
   }

Modified: trafficserver/traffic/trunk/proxy/http/HttpTransact.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpTransact.cc?rev=1096571&r1=1096570&r2=1096571&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpTransact.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpTransact.cc Mon Apr 25 19:29:02 2011
@@ -832,7 +832,6 @@ HttpTransact::EndRemapRequest(State* s)
   Debug("http_trans", "START HttpTransact::EndRemapRequest");
 
   HTTPHdr *incoming_request = &s->hdr_info.client_request;
-  //URL *url = incoming_request->url_get();
   int method = incoming_request->method_get_wksidx();
   int host_len;
   const char *host = incoming_request->host_get(&host_len);
@@ -955,12 +954,6 @@ done:
     TRANSACT_RETURN(PROXY_INTERNAL_CACHE_NOOP, NULL);
   }
 
-  if (s->reverse_proxy) {
-    Debug("url_rewrite", "s->reverse_proxy is true");
-  } else {
-    Debug("url_rewrite", "s->reverse_proxy is false");
-  }
-
   if (is_debug_tag_set("http_chdr_describe") || is_debug_tag_set("http_trans") || is_debug_tag_set("url_rewrite"))
{
     Debug("http_trans", "After Remapping:");
     obj_describe(s->hdr_info.client_request.m_http, 1);
@@ -3769,8 +3762,7 @@ HttpTransact::retry_server_connection_no
   ink_debug_assert(s->current.attempts <= max_retries);
   ink_debug_assert(s->current.server->connect_failure != 0);
 
-  URL *url = s->hdr_info.client_request.url_get();
-  char *url_string = url->valid()? url->string_get(&s->arena) : NULL;
+  char *url_string = s->hdr_info.client_request.url_string_get(&s->arena) : NULL;
 
   Debug("http_trans", "[%d] failed to connect [%d] to %u.%u.%u.%u", s->current.attempts,
conn_state,
         PRINT_IP(s->current.server->ip));



Mime
View raw message