php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login | |
Patch posix-acl.patch for FPM related Bug #68526Patch version 2014-11-30 10:31 UTC Return to Bug #68526 | Download this patchThis patch is obsolete Obsoleted by patches: This patch renders other patches obsolete Obsolete patches: Patch Revisions: 2014-11-30 17:34 UTC | 2014-11-30 16:50 UTC | 2014-11-30 10:31 UTC | 2014-11-30 09:56 UTC | 2014-11-30 09:44 UTC | 2014-11-30 09:21 UTC | 2014-11-30 08:35 UTCDeveloper: remi@php.netstruct ini_value_parser_s { diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.c sapi/fpm/fpm/fpm_unix.c --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.c 2014-11-29 16:52:25.000000000 +0100 +++ sapi/fpm/fpm/fpm_unix.c 2014-11-30 17:26:22.803198128 +0100 +++ sapi/fpm/fpm/fpm_unix.c 2014-11-30 11:29:02.516308630 +0100 @@ -21,6 +21,10 @@ #include <sys/apparmor.h> #endif Line 102 (now 102), was 16 lines, now 12 lines +#endif wp->socket_uid = -1; wp->socket_gid = -1; wp->socket_mode = 0660; @@ -45,6 +53,117 @@ @@ -45,6 +53,113 @@ return 0; } + if (c->listen_mode && *c->listen_mode) { + wp->socket_mode = strtoul(c->listen_mode, 0, 8); + } + +#ifdef HAVE_FPM_ACL + /* count the users and groups configured */ + n = 0; + if (c->listen_acl_users && *c->listen_acl_users) { + 0 > acl_clear_perms (perm) || + 0 > acl_add_perm (perm, ACL_READ) || + 0 > acl_add_perm (perm, ACL_WRITE)) { + zlog(ZLOG_SYSERROR, "[pool %s] cannot create ACL for user '%s'", wp->config->name, p); + acl_free(acl); + efree(tmp); + return -1; + } + } + acl_free(acl); + efree(tmp); + return -1; + } + } + efree(tmp); + } + /* Create GROUP ACL */ + if (c->listen_acl_groups && *c->listen_acl_groups) { Line 220 (now 216), was 34 lines, now 25 lines + if (c->listen_owner && *c->listen_owner) { struct passwd *pwd; @@ -69,24 +188,71 @@ wp->socket_gid = grp->gr_gid; } - if (c->listen_mode && *c->listen_mode) { - wp->socket_mode = strtoul(c->listen_mode, 0, 8); - } return 0; } /* }}} */ @@ -78,15 +193,65 @@ int fpm_unix_set_socket_premissions(struct fpm_worker_pool_s *wp, const char *path) /* {{{ */ { +#ifdef HAVE_FPM_ACL + if (wp->socket_acl) { + acl_t aclfile, aclconf; + acl_entry_t entryfile, entryconf; + int i; + + + /* Read the socket ACL */ + aclconf = wp->socket_acl; + aclfile = acl_get_file (path, ACL_TYPE_ACCESS); + if (!aclfile) { + zlog(ZLOG_SYSERROR, "[pool %s] failed to read the ACL of the socket '%s'", wp->config->name, path); + return -1; + } + return -1; + } + /* Copy the new ACL entry from config */ + for (i=ACL_FIRST_ENTRY ; acl_get_entry(aclconf, i, &entryconf) ; i=ACL_NEXT_ENTRY) { + if (0 > acl_create_entry (&aclfile, &entryfile) || + 0 > acl_copy_entry(entryfile, entryconf)) { + } + + acl_free(aclfile); + return 0; + } + } + /* When listen.users and listen.groups not configured, continue with standard right */ +#endif + if (wp->socket_uid != -1 || wp->socket_gid != -1) { Line 357 (now 344), was 96 lines, now 4 lines +;listen.acl_groups = ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original --- /dev/null 2014-11-30 17:14:22.119979747 +0100 +++ sapi/fpm/tests/021-uds-acl.phpt 2014-11-30 17:47:51.667947148 +0100 @@ -0,0 +1,89 @@ +--TEST-- +FPM: Test Unix Domain Socket with Posix ACL +--SKIPIF-- +<?php +include "skipif.inc"; +if (!(file_exists('/usr/bin/getfacl') && file_exists('/etc/passwd') && file_exists('/etc/group'))) die ("skip missing getfacl command"); +?> +--XFAIL-- +Mark as XFAIL because --with-fpm-acl is not enabled in default build +--FILE-- +<?php + +include "include.inc"; + +$logfile = dirname(__FILE__).'/php-fpm.log.tmp'; +$socket = dirname(__FILE__).'/php-fpm.sock'; + +// Select 3 users and 2 groups known by system (avoid root) +$users = $groups = []; +$tmp = file('/etc/passwd'); +for ($i=1 ; $i<=3 ; $i++) { + $tab = explode(':', $tmp[$i]); + $users[] = $tab[0]; +} +$users = implode(',', $users); +$tmp = file('/etc/group'); +for ($i=1 ; $i<=2 ; $i++) { + $tab = explode(':', $tmp[$i]); + $groups[] = $tab[0]; +} +$groups = implode(',', $groups); + +$cfg = <<<EOT +[global] +error_log = $logfile +[unconfined] +listen = $socket +listen.acl_users = $users +listen.acl_groups = $groups +listen.mode = 0600 +ping.path = /ping +ping.response = pong +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +EOT; + +$fpm = run_fpm($cfg, $tail); +if (is_resource($fpm)) { + fpm_display_log($tail, 2); + try { + var_dump(strpos(run_request('unix://'.$socket, -1), 'pong')); + echo "UDS ok\n"; + } catch (Exception $e) { + echo "UDS error\n"; + } + passthru("/usr/bin/getfacl -cp $socket"); + + proc_terminate($fpm); + echo stream_get_contents($tail); + fclose($tail); + proc_close($fpm); +} + +?> +--EXPECTF-- +[%s] NOTICE: fpm is running, pid %d +[%s] NOTICE: ready to handle connections +int(%d) +UDS ok +user::rw- +user:%s:rw- +user:%s:rw- +user:%s:rw- +group::--- +group:%s:rw- +group:%s:rw- +mask::rw- +other::--- + +[%s] NOTICE: Terminating ... +[%s] NOTICE: exiting, bye-bye! +--CLEAN-- +<?php + $logfile = dirname(__FILE__).'/php-fpm.log.tmp'; + @unlink($logfile); +?> |
Copyright © 2001-2024 The PHP Group All rights reserved. |
Last updated: Wed Apr 24 09:01:28 2024 UTC |