Patch posix-acl.patch for FPM related Bug #68526Patch version 2014-11-30 09:56 UTC Return to Bug #68526 | Download this patchThis patch is obsolete Obsoleted by patches: This patch renders other patches obsolete Obsolete patches:
Developer: remi@php.netAC_DEFINE_UNQUOTED(PHP_FPM_SYSTEMD, "$php_fpm_systemd", [fpm systemd service type]) diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_conf.c sapi/fpm/fpm/fpm_conf.c --- /home/php/php-src/sapi/fpm/fpm/fpm_conf.c 2014-11-29 17:28:25.000000000 +0100 +++ sapi/fpm/fpm/fpm_conf.c 2014-11-30 08:20:14.849652988 +0100 +++ sapi/fpm/fpm/fpm_conf.c 2014-11-30 10:54:37.973527763 +0100 
@@ -123,6 +123,10 @@ { "group", &fpm_conf_set_string, WPO(group) }, { "listen", &fpm_conf_set_string, WPO(listen_address) }, { "listen.backlog", &fpm_conf_set_integer, WPO(listen_backlog) }, +#ifdef HAVE_FPM_ACL + { "listen.users", &fpm_conf_set_string, WPO(listen_users) }, + { "listen.groups", &fpm_conf_set_string, WPO(listen_groups) }, + { "listen.acl_users", &fpm_conf_set_string, WPO(listen_acl_users) }, + { "listen.acl_groups", &fpm_conf_set_string, WPO(listen_acl_groups) }, +#endif { "listen.owner", &fpm_conf_set_string, WPO(listen_owner) }, { "listen.group", &fpm_conf_set_string, WPO(listen_group) }, { "listen.mode", &fpm_conf_set_string, WPO(listen_mode) }, zlog(ZLOG_NOTICE, "\tgroup = %s", STR2STR(wp->config->group)); zlog(ZLOG_NOTICE, "\tlisten = %s", STR2STR(wp->config->listen_address)); zlog(ZLOG_NOTICE, "\tlisten.backlog = %d", wp->config->listen_backlog); +#ifdef HAVE_FPM_ACL + zlog(ZLOG_NOTICE, "\tlisten.users = %s", STR2STR(wp->config->listen_owner)); + zlog(ZLOG_NOTICE, "\tlisten.groups = %s", STR2STR(wp->config->listen_group)); + zlog(ZLOG_NOTICE, "\tlisten.acl_users = %s", STR2STR(wp->config->listen_acl_users)); + zlog(ZLOG_NOTICE, "\tlisten.acl_groups = %s", STR2STR(wp->config->listen_acl_groups)); +#endif zlog(ZLOG_NOTICE, "\tlisten.owner = %s", STR2STR(wp->config->listen_owner)); zlog(ZLOG_NOTICE, "\tlisten.group = %s", STR2STR(wp->config->listen_group)); zlog(ZLOG_NOTICE, "\tlisten.mode = %s", STR2STR(wp->config->listen_mode)); diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_conf.h sapi/fpm/fpm/fpm_conf.h --- /home/php/php-src/sapi/fpm/fpm/fpm_conf.h 2014-11-24 09:31:58.000000000 +0100 +++ sapi/fpm/fpm/fpm_conf.h 2014-11-30 08:22:22.538125786 +0100 +++ sapi/fpm/fpm/fpm_conf.h 2014-11-30 10:52:52.919133385 +0100 
@@ -58,6 +58,7 @@ char *group; char *listen_address; int listen_backlog; char *apparmor_hat; #endif +#ifdef HAVE_FPM_ACL + /* Using Posix ACL */ + char *listen_users; + char *listen_groups; + char *listen_acl_users; + char *listen_acl_groups; +#endif }; struct ini_value_parser_s { diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.c sapi/fpm/fpm/fpm_unix.c --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.c 2014-11-29 16:52:25.000000000 +0100 +++ sapi/fpm/fpm/fpm_unix.c 2014-11-30 09:29:28.072318768 +0100 +++ sapi/fpm/fpm/fpm_unix.c 2014-11-30 10:54:07.380413029 +0100 @@ -21,6 +21,10 @@ #include <sys/apparmor.h> #endif +#endif wp->socket_uid = -1; wp->socket_gid = -1; wp->socket_mode = 0660; @@ -45,6 +53,107 @@ 
@@ -45,6 +53,113 @@ return 0; } +#ifdef HAVE_FPM_ACL + /* count the users and groups configured */ + n = 0; + if (c->listen_users && *c->listen_users) { + if (c->listen_acl_users && *c->listen_acl_users) { + char *p; + n++; + for (p=strchr(c->listen_users, ',') ; p ; p=strchr(p+1, ',')) { + for (p=strchr(c->listen_acl_users, ',') ; p ; p=strchr(p+1, ',')) { + n++; + } + } + if (c->listen_groups && *c->listen_groups) { + if (c->listen_acl_groups && *c->listen_acl_groups) { + char *p; + n++; + for (p=strchr(c->listen_groups, ',') ; p ; p=strchr(p+1, ',')) { + for (p=strchr(c->listen_acl_groups, ',') ; p ; p=strchr(p+1, ',')) { + n++; + } + } + /* if ACL configured */ + zlog(ZLOG_SYSERROR, "[pool %s] cannot allocated ACL", wp->config->name); + return -1; + } + /* Create USER ACL */ + if (c->listen_users && *c->listen_users) { + if (c->listen_acl_users && *c->listen_acl_users) { + struct passwd *pwd; + + tmp = estrdup(c->listen_users); + tmp = estrdup(c->listen_acl_users); + for (p=tmp ; p ; p=end) { + if ((end = strchr(p, ','))) { + *end++ = 0; + } + } + efree(tmp); + } + /* Create GROUP ACL */ + if (c->listen_groups && *c->listen_groups) { + if (c->listen_acl_groups && *c->listen_acl_groups) { + struct group *grp; + + tmp = estrdup(c->listen_groups); + tmp = estrdup(c->listen_acl_groups); + for (p=tmp ; p ; p=end) { + if ((end = strchr(p, ','))) { + *end++ = 0; + } + return -1; + } + } + efree(tmp); + } + if (c->listen_owner && *c->listen_owner) { + zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.owner = '%s' is ignored", wp->config->name, c->listen_owner); + } + if (c->listen_group && *c->listen_group) { + zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.group = '%s' is ignored", wp->config->name, c->listen_group); + } + wp->socket_acl = acl; + return 0; + } Line 210 (now 216), was 24 lines, now 23 lines + if (c->listen_owner && *c->listen_owner) { struct passwd *pwd; @@ -78,9 +187,49 @@ 
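Review bot: The `return -1;` inside the group-name loop appears with no cleanup in front of it, while `tmp` comes from `estrdup()` and is only released by the `efree(tmp);` after the loop. This page drops several lines of the hunk (the lookups themselves are not visible), so confirm that every failing lookup in both the user and the group loop runs `efree(tmp);` and releases the partially built ACL before returning. Returning an error for an unknown name is the right fail-closed behaviour and deserves a short comment, e.g. `/* an unresolvable name aborts pool setup; never fall back to a wider socket permission */`. The log text `cannot allocated ACL` should read `cannot allocate ACL`. The enclosing function starts and ends outside the hunk.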
@@ -78,15 +193,65 @@ int fpm_unix_set_socket_premissions(struct fpm_worker_pool_s *wp, const char *path) /* {{{ */ { +#ifdef HAVE_FPM_ACL + if (wp->socket_acl) { + acl_t aclfile, aclconf; + acl_entry_t entryfile, entryconf; + int i; + + + /* Read the socket ACL */ + aclconf = wp->socket_acl; + aclfile = acl_get_file (path, ACL_TYPE_ACCESS); + if (!aclfile) { + zlog(ZLOG_SYSERROR, "[pool %s] failed to read the ACL of the socket '%s'", wp->config->name, path); + acl_free(aclfile); + return -1; + } + /* Copy the new ACL entry from config */ + for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) ; i=ACL_NEXT_ENTRY) { + zlog(ZLOG_SYSERROR, "[pool %s] failed to chown() the socket '%s'", wp->config->name, wp->config->listen_address); return -1; } } @@ -88,6 +237,16 @@ return 0; } /* }}} */ + +int fpm_unix_free_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */ +{ +#ifdef HAVE_FPM_ACL + if (wp->socket_acl) { + acl_free(wp->socket_acl); + return acl_free(wp->socket_acl); + } +#endif + return 0; +} +/* }}} */ + static int fpm_unix_conf_wp(struct fpm_worker_pool_s *wp) /* {{{ */ { struct passwd *pwd; diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.h sapi/fpm/fpm/fpm_unix.h --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.h 2014-11-29 16:52:25.000000000 +0100 +++ sapi/fpm/fpm/fpm_unix.h 2014-11-30 08:26:06.904956526 +0100 @@ -9,6 +9,8 @@ +#endif }; struct fpm_worker_pool_s *fpm_worker_pool_alloc(); diff -ru /home/php/php-src/sapi/fpm/php-fpm.conf.in sapi/fpm/php-fpm.conf.in --- /home/php/php-src/sapi/fpm/php-fpm.conf.in 2014-11-29 17:28:25.000000000 +0100 +++ sapi/fpm/php-fpm.conf.in 2014-11-30 10:51:33.536836172 +0100 
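Review bot: The loop condition `acl_get_entry(aclconf, i, &entryconf)` treats every non-zero result as "entry available", but the call reports failure as -1 as well as success as 1 and end-of-list as 0. A failing call would therefore enter the body with `entryconf` unset while the socket ACL is being assembled. Compare explicitly, `acl_get_entry(aclconf, i, &entryconf) == 1`, and treat a negative result as an error that returns -1 before the ACL is applied to `path`. The loop body and the rest of `fpm_unix_set_socket_premissions()` are not visible on this page, so this applies to the condition as shown.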
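Review bot: `fpm_unix_free_socket_premissions()` leaves `wp->socket_acl` pointing at the released ACL after `acl_free()`. If the function can run twice for a pool, or if `fpm_unix_set_socket_premissions()` runs after it, the `if (wp->socket_acl)` guard still passes and the stale handle is used again. The page prints both `acl_free(wp->socket_acl);` and `return acl_free(wp->socket_acl);`, which looks like the two revisions of the patch rather than two calls. Whichever remains, clear the field: `int rc = acl_free(wp->socket_acl); wp->socket_acl = NULL; return rc;`.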
@@ -175,6 +175,11 @@
 ;listen.owner = @php_fpm_user@
 ;listen.group = @php_fpm_group@
 ;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a coma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
 ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original |