Patch posix-acl.patch revision 2014-11-30 17:34 UTC by remi@php.net
revision 2014-11-30 16:50 UTC by remi@php.net
revision 2014-11-30 10:31 UTC by remi@php.net
revision 2014-11-30 09:56 UTC by remi@php.net
revision 2014-11-30 09:44 UTC by remi@php.net
revision 2014-11-30 09:21 UTC by remi@php.net
revision 2014-11-30 08:35 UTC by remi@php.net

Patch posix-acl.patch for FPM related Bug #68526

Patch version 2014-11-30 10:31 UTC

This patch is obsolete

Obsoleted by patches:

This patch renders other patches obsolete

Obsolete patches:

Patch Revisions: 2014-11-30 17:34 UTC | 2014-11-30 16:50 UTC | 2014-11-30 10:31 UTC | 2014-11-30 09:56 UTC | 2014-11-30 09:44 UTC | 2014-11-30 09:21 UTC | 2014-11-30 08:35 UTC

Developer: remi@php.net



   
   struct ini_value_parser_s {
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.c sapi/fpm/fpm/fpm_unix.c
  --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.c	2014-11-29 16:52:25.000000000 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 17:26:22.803198128 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 11:29:02.516308630 +0100
  @@ -21,6 +21,10 @@
   #include <sys/apparmor.h>
   #endif
   
Line 102 (now 102), was 16 lines, now 12 lines

  +#endif
   	wp->socket_uid = -1;
   	wp->socket_gid = -1;
   	wp->socket_mode = 0660;
 @@ -45,6 +53,117 @@
 @@ -45,6 +53,113 @@
   		return 0;
   	}
   
 +	if (c->listen_mode && *c->listen_mode) {
 +		wp->socket_mode = strtoul(c->listen_mode, 0, 8);
 +	}
 +
  +#ifdef HAVE_FPM_ACL
  +	/* count the users and groups configured */
  +	n = 0;
  +	if (c->listen_acl_users && *c->listen_acl_users) {


  +					0 > acl_clear_perms (perm) ||
  +					0 > acl_add_perm (perm, ACL_READ) ||
  +					0 > acl_add_perm (perm, ACL_WRITE)) {
  +					zlog(ZLOG_SYSERROR, "[pool %s] cannot create ACL for user '%s'", wp->config->name, p);
 +					acl_free(acl);
 +					efree(tmp);
 +					return -1;
 +				}
 +			}
 +					acl_free(acl);
 +					efree(tmp);
 +					return -1;
 +				}
 +			}
  +			efree(tmp);
  +		}
  +		/* Create GROUP ACL */
  +		if (c->listen_acl_groups && *c->listen_acl_groups) {
Line 220 (now 216), was 34 lines, now 25 lines

  +
   	if (c->listen_owner && *c->listen_owner) {
   		struct passwd *pwd;
   
 @@ -69,24 +188,71 @@
  		wp->socket_gid = grp->gr_gid;
  	}
  
 -	if (c->listen_mode && *c->listen_mode) {
 -		wp->socket_mode = strtoul(c->listen_mode, 0, 8);
 -	}
  	return 0;
  }
  /* }}} */
 @@ -78,15 +193,65 @@
   
   int fpm_unix_set_socket_premissions(struct fpm_worker_pool_s *wp, const char *path) /* {{{ */
   {
  +#ifdef HAVE_FPM_ACL
  +	if (wp->socket_acl) {
  +		acl_t aclfile, aclconf;
  +		acl_entry_t entryfile, entryconf;
  +		int i;
 +
 +
  +		/* Read the socket ACL */
  +		aclconf = wp->socket_acl;
  +		aclfile = acl_get_file (path, ACL_TYPE_ACCESS);
  +		if (!aclfile) {
  +			zlog(ZLOG_SYSERROR, "[pool %s] failed to read the ACL of the socket '%s'", wp->config->name, path);
 +			return -1;
 +		}
 +			return -1;
 +		}
  +		/* Copy the new ACL entry from config */
  +		for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) ; i=ACL_NEXT_ENTRY) {
  +			if (0 > acl_create_entry (&aclfile, &entryfile) ||
  +			    0 > acl_copy_entry(entryfile, entryconf)) {


  +		}
  +
  +		acl_free(aclfile);
  +		return 0;
 +	}
 +	}
  +	/* When listen.users and listen.groups not configured, continue with standard right */
  +#endif
  +
   	if (wp->socket_uid != -1 || wp->socket_gid != -1) {
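Review bot: The condition of the "Copy the new ACL entry from config" loop, `acl_get_entry(aclconf, i, &entryconf)`, treats every non-zero return as "entry available". On Linux libacl, acl_get_entry() returns 1 for an entry, 0 when the list is exhausted and -1 on error, so a failed call enters the body and hands an `entryconf` that was never set to acl_copy_entry(). Test for success explicitly, `for (i = ACL_FIRST_ENTRY; acl_get_entry(aclconf, i, &entryconf) == 1; i = ACL_NEXT_ENTRY)`, and consider treating -1 as a failure that logs, frees `aclfile` and returns -1, so the socket is never left with a partially copied ACL. The page collapses the rest of this hunk, so the loop's error branch and the call that writes the ACL back to the socket are not visible here.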
Line 357 (now 344), was 96 lines, now 4 lines

  +;listen.acl_groups =
    
   ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
   ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 --- /dev/null	2014-11-30 17:14:22.119979747 +0100
 +++ sapi/fpm/tests/021-uds-acl.phpt	2014-11-30 17:47:51.667947148 +0100
 @@ -0,0 +1,89 @@
 +--TEST--
 +FPM: Test Unix Domain Socket with Posix ACL
 +--SKIPIF--
 +<?php
 +include "skipif.inc";
 +if (!(file_exists('/usr/bin/getfacl') && file_exists('/etc/passwd') && file_exists('/etc/group'))) die ("skip missing getfacl command");
 +?>
 +--XFAIL--
 +Mark as XFAIL because --with-fpm-acl is not enabled in default build
 +--FILE--
 +<?php
 +
 +include "include.inc";
 +
 +$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
 +$socket  = dirname(__FILE__).'/php-fpm.sock';
 +
 +// Select 3 users and 2 groups known by system (avoid root)
 +$users = $groups = [];
 +$tmp = file('/etc/passwd');
 +for ($i=1 ; $i<=3 ; $i++) {
 +	$tab = explode(':', $tmp[$i]);
 +	$users[] = $tab[0];
 +}
 +$users = implode(',', $users);
 +$tmp = file('/etc/group');
 +for ($i=1 ; $i<=2 ; $i++) {
 +	$tab = explode(':', $tmp[$i]);
 +	$groups[] = $tab[0];
 +}
 +$groups = implode(',', $groups);
 +
 +$cfg = <<<EOT
 +[global]
 +error_log = $logfile
 +[unconfined]
 +listen = $socket
 +listen.acl_users = $users
 +listen.acl_groups = $groups
 +listen.mode = 0600
 +ping.path = /ping
 +ping.response = pong
 +pm = dynamic
 +pm.max_children = 5
 +pm.start_servers = 2
 +pm.min_spare_servers = 1
 +pm.max_spare_servers = 3
 +EOT;
 +
 +$fpm = run_fpm($cfg, $tail);
 +if (is_resource($fpm)) {
 +    fpm_display_log($tail, 2);
 +    try {
 +		var_dump(strpos(run_request('unix://'.$socket, -1), 'pong'));
 +		echo "UDS ok\n";
 +	} catch (Exception $e) {
 +		echo "UDS error\n";
 +	}
 +	passthru("/usr/bin/getfacl -cp $socket");
 +
 +	proc_terminate($fpm);
 +    echo stream_get_contents($tail);
 +    fclose($tail);
 +    proc_close($fpm);
 +}
 +
 +?>
 +--EXPECTF--
 +[%s] NOTICE: fpm is running, pid %d
 +[%s] NOTICE: ready to handle connections
 +int(%d)
 +UDS ok
 +user::rw-
 +user:%s:rw-
 +user:%s:rw-
 +user:%s:rw-
 +group::---
 +group:%s:rw-
 +group:%s:rw-
 +mask::rw-
 +other::---
 +
 +[%s] NOTICE: Terminating ...
 +[%s] NOTICE: exiting, bye-bye!
 +--CLEAN--
 +<?php
 +    $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
 +    @unlink($logfile);
 +?>
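Review bot: `passthru("/usr/bin/getfacl -cp $socket");` puts the socket path into a shell command line unquoted. `$socket` is built from `dirname(__FILE__)`, so a checkout directory containing spaces or shell metacharacters breaks the command or changes what the shell executes. Quote the argument: `passthru('/usr/bin/getfacl -cp ' . escapeshellarg($socket));`. Separately, the account selection reads `$tmp[1]` to `$tmp[3]` of /etc/passwd and `$tmp[1]` to `$tmp[2]` of /etc/group on the assumption that those lines exist and that root is the first entry. SKIPIF only checks that the files are present, so a guard on the line count would keep the test from failing for reasons unrelated to the ACL code.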
 