Patch posix-acl.patch revision 2014-11-30 17:34 UTC by remi@php.net
revision 2014-11-30 16:50 UTC by remi@php.net
revision 2014-11-30 10:31 UTC by remi@php.net
revision 2014-11-30 09:56 UTC by remi@php.net
revision 2014-11-30 09:44 UTC by remi@php.net
revision 2014-11-30 09:21 UTC by remi@php.net
revision 2014-11-30 08:35 UTC by remi@php.net

Patch posix-acl.patch for FPM related Bug #68526

Patch version 2014-11-30 09:56 UTC

This patch is obsolete

Obsoleted by patches:

This patch renders other patches obsolete

Obsolete patches:

Patch Revisions: 2014-11-30 17:34 UTC | 2014-11-30 16:50 UTC | 2014-11-30 10:31 UTC | 2014-11-30 09:56 UTC | 2014-11-30 09:44 UTC | 2014-11-30 09:21 UTC | 2014-11-30 08:35 UTC

Developer: remi@php.net



     AC_DEFINE_UNQUOTED(PHP_FPM_SYSTEMD, "$php_fpm_systemd", [fpm systemd service type])
   
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_conf.c sapi/fpm/fpm/fpm_conf.c
  --- /home/php/php-src/sapi/fpm/fpm/fpm_conf.c	2014-11-29 17:28:25.000000000 +0100
 +++ sapi/fpm/fpm/fpm_conf.c	2014-11-30 08:20:14.849652988 +0100
 +++ sapi/fpm/fpm/fpm_conf.c	2014-11-30 10:54:37.973527763 +0100
  @@ -123,6 +123,10 @@
   	{ "group",                     &fpm_conf_set_string,      WPO(group) },
   	{ "listen",                    &fpm_conf_set_string,      WPO(listen_address) },
   	{ "listen.backlog",            &fpm_conf_set_integer,     WPO(listen_backlog) },
  +#ifdef HAVE_FPM_ACL
 +	{ "listen.users",              &fpm_conf_set_string,      WPO(listen_users) },
 +	{ "listen.groups",             &fpm_conf_set_string,      WPO(listen_groups) },
 +	{ "listen.acl_users",          &fpm_conf_set_string,      WPO(listen_acl_users) },
 +	{ "listen.acl_groups",         &fpm_conf_set_string,      WPO(listen_acl_groups) },
  +#endif
   	{ "listen.owner",              &fpm_conf_set_string,      WPO(listen_owner) },
   	{ "listen.group",              &fpm_conf_set_string,      WPO(listen_group) },
   	{ "listen.mode",               &fpm_conf_set_string,      WPO(listen_mode) },


   		zlog(ZLOG_NOTICE, "\tgroup = %s",                      STR2STR(wp->config->group));
   		zlog(ZLOG_NOTICE, "\tlisten = %s",                     STR2STR(wp->config->listen_address));
   		zlog(ZLOG_NOTICE, "\tlisten.backlog = %d",             wp->config->listen_backlog);
  +#ifdef HAVE_FPM_ACL
 +		zlog(ZLOG_NOTICE, "\tlisten.users = %s",               STR2STR(wp->config->listen_owner));
 +		zlog(ZLOG_NOTICE, "\tlisten.groups = %s",              STR2STR(wp->config->listen_group));
 +		zlog(ZLOG_NOTICE, "\tlisten.acl_users = %s",           STR2STR(wp->config->listen_acl_users));
 +		zlog(ZLOG_NOTICE, "\tlisten.acl_groups = %s",          STR2STR(wp->config->listen_acl_groups));
  +#endif
   		zlog(ZLOG_NOTICE, "\tlisten.owner = %s",               STR2STR(wp->config->listen_owner));
   		zlog(ZLOG_NOTICE, "\tlisten.group = %s",               STR2STR(wp->config->listen_group));
   		zlog(ZLOG_NOTICE, "\tlisten.mode = %s",                STR2STR(wp->config->listen_mode));
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_conf.h sapi/fpm/fpm/fpm_conf.h
  --- /home/php/php-src/sapi/fpm/fpm/fpm_conf.h	2014-11-24 09:31:58.000000000 +0100
 +++ sapi/fpm/fpm/fpm_conf.h	2014-11-30 08:22:22.538125786 +0100
 +++ sapi/fpm/fpm/fpm_conf.h	2014-11-30 10:52:52.919133385 +0100
  @@ -58,6 +58,7 @@
   	char *group;
   	char *listen_address;
   	int listen_backlog;


   	char *apparmor_hat;
   #endif
  +#ifdef HAVE_FPM_ACL
  +	/* Using Posix ACL */
 +	char *listen_users;
 +	char *listen_groups;
 +	char *listen_acl_users;
 +	char *listen_acl_groups;
  +#endif
   };
   
   struct ini_value_parser_s {
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.c sapi/fpm/fpm/fpm_unix.c
  --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.c	2014-11-29 16:52:25.000000000 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 09:29:28.072318768 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 10:54:07.380413029 +0100
  @@ -21,6 +21,10 @@
   #include <sys/apparmor.h>
   #endif
   


  +#endif
   	wp->socket_uid = -1;
   	wp->socket_gid = -1;
   	wp->socket_mode = 0660;
 @@ -45,6 +53,107 @@
 @@ -45,6 +53,113 @@
   		return 0;
   	}
   
  +#ifdef HAVE_FPM_ACL
  +	/* count the users and groups configured */
  +	n = 0;
 +	if (c->listen_users && *c->listen_users) {
 +	if (c->listen_acl_users && *c->listen_acl_users) {
  +		char *p;
  +		n++;
 +		for (p=strchr(c->listen_users, ',') ; p ; p=strchr(p+1, ',')) {
 +		for (p=strchr(c->listen_acl_users, ',') ; p ; p=strchr(p+1, ',')) {
  +			n++;
  +		}
  +	}
 +	if (c->listen_groups && *c->listen_groups) {
 +	if (c->listen_acl_groups && *c->listen_acl_groups) {
  +		char *p;
  +		n++;
 +		for (p=strchr(c->listen_groups, ',') ; p ; p=strchr(p+1, ',')) {
 +		for (p=strchr(c->listen_acl_groups, ',') ; p ; p=strchr(p+1, ',')) {
  +			n++;
  +		}
  +	}
  +	/* if ACL configured */


  +			zlog(ZLOG_SYSERROR, "[pool %s] cannot allocated ACL", wp->config->name);
  +			return -1;
  +		}
  +		/* Create USER ACL */
 +		if (c->listen_users && *c->listen_users) {
 +		if (c->listen_acl_users && *c->listen_acl_users) {
  +			struct passwd *pwd;
  +
 +			tmp = estrdup(c->listen_users);
 +			tmp = estrdup(c->listen_acl_users);
  +			for (p=tmp ; p ; p=end) {
  +				if ((end = strchr(p, ','))) {
  +					*end++ = 0;
  +				}


  +			}
  +			efree(tmp);
  +		}
  +		/* Create GROUP ACL */
 +		if (c->listen_groups && *c->listen_groups) {
 +		if (c->listen_acl_groups && *c->listen_acl_groups) {
  +			struct group *grp;
  +
 +			tmp = estrdup(c->listen_groups);
 +			tmp = estrdup(c->listen_acl_groups);
  +			for (p=tmp ; p ; p=end) {
  +				if ((end = strchr(p, ','))) {
  +					*end++ = 0;
  +				}


  +					return -1;
  +				}
  +			}
  +			efree(tmp);
 +		}
 +		if (c->listen_owner && *c->listen_owner) {
 +			zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.owner = '%s' is ignored", wp->config->name, c->listen_owner);
 +		}
 +		if (c->listen_group && *c->listen_group) {
 +			zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.group = '%s' is ignored", wp->config->name, c->listen_group);
  +		}
  +		wp->socket_acl  = acl;
  +		return 0;
  +	}
Line 210 (now 216), was 24 lines, now 23 lines

  +
   	if (c->listen_owner && *c->listen_owner) {
   		struct passwd *pwd;
   
 @@ -78,9 +187,49 @@
  
 @@ -78,15 +193,65 @@
  
   int fpm_unix_set_socket_premissions(struct fpm_worker_pool_s *wp, const char *path) /* {{{ */
   {
  +#ifdef HAVE_FPM_ACL
  +	if (wp->socket_acl) {
  +		acl_t aclfile, aclconf;
  +		acl_entry_t entryfile, entryconf;
  +		int i;
 +
 +
  +		/* Read the socket ACL */
  +		aclconf = wp->socket_acl;
  +		aclfile = acl_get_file (path, ACL_TYPE_ACCESS);
  +		if (!aclfile) {
  +			zlog(ZLOG_SYSERROR, "[pool %s] failed to read the ACL of the socket '%s'", wp->config->name, path);
 +			acl_free(aclfile);
  +			return -1;
  +		}
  +		/* Copy the new ACL entry from config */
  +		for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) ; i=ACL_NEXT_ENTRY) {


  +			zlog(ZLOG_SYSERROR, "[pool %s] failed to chown() the socket '%s'", wp->config->name, wp->config->listen_address);
   			return -1;
   		}
   	}
 @@ -88,6 +237,16 @@
  	return 0;
   }
   /* }}} */
  
 +
  +int fpm_unix_free_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */
  +{
  +#ifdef HAVE_FPM_ACL
  +	if (wp->socket_acl) {
 +		acl_free(wp->socket_acl);
 +		return acl_free(wp->socket_acl);
  +	}
  +#endif
 +	return 0;
  +}
  +/* }}} */
 +
  
   static int fpm_unix_conf_wp(struct fpm_worker_pool_s *wp) /* {{{ */
   {
  	struct passwd *pwd;
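Review bot: The copy loop in fpm_unix_set_socket_premissions uses the raw return of `acl_get_entry(aclconf, i, &entryconf)` as its condition, but acl_get_entry() returns 1 for an entry, 0 at the end of the list and -1 on error. A failure is therefore treated as a valid entry and `entryconf` is used without having been set, while the socket is partway through receiving its access list. Comparing against 1 makes the loop stop on error as well: `for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) == 1 ; i=ACL_NEXT_ENTRY) {`. The loop body is elided on this page, so whether a later call would reject the bad entry cannot be confirmed from here.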
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.h sapi/fpm/fpm/fpm_unix.h
  --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.h	2014-11-29 16:52:25.000000000 +0100
  +++ sapi/fpm/fpm/fpm_unix.h	2014-11-30 08:26:06.904956526 +0100
  @@ -9,6 +9,8 @@


  +#endif
   };
   
   struct fpm_worker_pool_s *fpm_worker_pool_alloc();
 diff -ru /home/php/php-src/sapi/fpm/php-fpm.conf.in sapi/fpm/php-fpm.conf.in
 --- /home/php/php-src/sapi/fpm/php-fpm.conf.in	2014-11-29 17:28:25.000000000 +0100
 +++ sapi/fpm/php-fpm.conf.in	2014-11-30 10:51:33.536836172 +0100
 @@ -175,6 +175,11 @@
  ;listen.owner = @php_fpm_user@
  ;listen.group = @php_fpm_group@
  ;listen.mode = 0660
 +; When POSIX Access Control Lists are supported you can set them using
 +; these options, value is a coma separated list of user/group names.
 +; When set, listen.owner and listen.group are ignored
 +;listen.acl_users =
 +;listen.acl_groups =
   
  ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
  ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
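Review bot: The new comment for `listen.acl_users` / `listen.acl_groups` says that listen.owner and listen.group are ignored, but not whether `listen.mode` is still applied or which permissions each listed user or group receives. An administrator needs both facts to work out who can connect to the socket. A line stating both would help; the code that applies the mode and builds the entries is not visible on this page, so the wording has to come from the implementation. The text also has a typo, `coma separated` should read `comma separated`.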
 