Patch posix-acl.patch revision 2014-11-30 17:34 UTC by remi@php.net
revision 2014-11-30 16:50 UTC by remi@php.net
revision 2014-11-30 10:31 UTC by remi@php.net
revision 2014-11-30 09:56 UTC by remi@php.net
revision 2014-11-30 09:44 UTC by remi@php.net
revision 2014-11-30 09:21 UTC by remi@php.net
revision 2014-11-30 08:35 UTC by remi@php.net

Patch posix-acl.patch for FPM related Bug #68526

Patch version 2014-11-30 09:56 UTC

This patch is obsolete

Obsoleted by patches:

This patch renders other patches obsolete

Obsolete patches:

Patch Revisions: 2014-11-30 17:34 UTC | 2014-11-30 16:50 UTC | 2014-11-30 10:31 UTC | 2014-11-30 09:56 UTC | 2014-11-30 09:44 UTC | 2014-11-30 09:21 UTC | 2014-11-30 08:35 UTC

Developer: remi@php.net



  diff -ru /home/php/php-src/sapi/fpm/config.m4 sapi/fpm/config.m4
  --- /home/php/php-src/sapi/fpm/config.m4	2014-11-24 09:31:58.000000000 +0100
 +++ sapi/fpm/config.m4	2014-11-30 18:31:27.193354685 +0100
 +++ sapi/fpm/config.m4	2014-11-29 17:27:07.173921156 +0100
  @@ -583,6 +583,9 @@
     PHP_ARG_WITH(fpm-systemd,,
     [  --with-fpm-systemd      Activate systemd integration], no, no)
   
Line 10 (now 10), was 15 lines, now 14 lines

  +
     if test "$PHP_FPM_SYSTEMD" != "no" ; then
       if test -z "$PKG_CONFIG"; then
         AC_PATH_PROG(PKG_CONFIG, pkg-config, no)
 @@ -624,6 +627,17 @@
 @@ -624,6 +627,16 @@
     else
       php_fpm_systemd=simple
     fi
  +
  +  if test "$PHP_FPM_ACL" != "no" ; then
 +    AC_CHECK_HEADERS([sys/acl.h])
  +    AC_CHECK_LIB(acl, acl_free, [
  +      PHP_ADD_LIBRARY(acl)
  +      AC_DEFINE(HAVE_FPM_ACL, 1, [ POSIX Access Control List ])
  +    ],[


   
   struct ini_value_parser_s {
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_unix.c sapi/fpm/fpm/fpm_unix.c
  --- /home/php/php-src/sapi/fpm/fpm/fpm_unix.c	2014-11-29 16:52:25.000000000 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 18:33:09.211756546 +0100
 +++ sapi/fpm/fpm/fpm_unix.c	2014-11-30 10:54:07.380413029 +0100
  @@ -21,6 +21,10 @@
   #include <sys/apparmor.h>
   #endif
   
 +#ifdef HAVE_SYS_ACL_H
 +#ifdef HAVE_FPM_ACL
  +#include <sys/acl.h>
 +#endif
 +#endif
  +
   #include "fpm.h"
   #include "fpm_conf.h"
   #include "fpm_cleanup.h"
Line 103 (now 102), was 16 lines, now 12 lines

  +#endif
   	wp->socket_uid = -1;
   	wp->socket_gid = -1;
   	wp->socket_mode = 0660;
 @@ -45,6 +53,117 @@
 @@ -45,6 +53,113 @@
   		return 0;
   	}
   
 +	if (c->listen_mode && *c->listen_mode) {
 +		wp->socket_mode = strtoul(c->listen_mode, 0, 8);
 +	}
 +
  +#ifdef HAVE_FPM_ACL
  +	/* count the users and groups configured */
  +	n = 0;
  +	if (c->listen_acl_users && *c->listen_acl_users) {


  +		char *tmp, *p, *end;
  +
  +		acl = acl_init(n);
  +		if (!acl) {
 +			zlog(ZLOG_SYSERROR, "[pool %s] cannot allocate ACL", wp->config->name);
 +			zlog(ZLOG_SYSERROR, "[pool %s] cannot allocated ACL", wp->config->name);
  +			return -1;
  +		}
  +		/* Create USER ACL */
  +		if (c->listen_acl_users && *c->listen_acl_users) {
  +			struct passwd *pwd;
  +
  +			tmp = estrdup(c->listen_acl_users);
 +			for (p=tmp ; p ; p=end) {
 +				if ((end = strchr(p, ','))) {
 +					*end++ = 0;
 +				}
 +			for (p=tmp ; p ; p=end) {
 +				if ((end = strchr(p, ','))) {
 +					*end++ = 0;
 +				}
  +				pwd = getpwnam(p);
  +				if (pwd) {
  +					zlog(ZLOG_DEBUG, "[pool %s] user '%s' have uid=%d", wp->config->name, p, pwd->pw_uid);
  +				} else {


  +			efree(tmp);
  +		}
  +		if (c->listen_owner && *c->listen_owner) {
  +			zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.owner = '%s' is ignored", wp->config->name, c->listen_owner);
 +		}
 +		}
  +		if (c->listen_group && *c->listen_group) {
  +			zlog(ZLOG_WARNING, "[pool %s] ACL set, listen.group = '%s' is ignored", wp->config->name, c->listen_group);
  +		}
  +		wp->socket_acl  = acl;
Line 221 (now 216), was 18 lines, now 9 lines

  +
   	if (c->listen_owner && *c->listen_owner) {
   		struct passwd *pwd;
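Review bot: In the user-ACL loop each comma-separated piece of `listen.acl_users` is passed to `getpwnam(p)` untrimmed, so a value such as `alice, bob` (made-up names) looks up " bob" with its leading space, and a trailing comma looks up an empty name. The branch taken when the lookup fails is collapsed in this view, so it cannot be seen here whether that aborts startup or leaves the account out of the socket ACL. Skipping blanks and empty pieces before the lookup, `while (*p == ' ' || *p == '\t') p++;` followed by `if (!*p) continue;`, would make the resulting ACL match what the administrator wrote. The debug line also prints `pwd->pw_uid` with `%d` and reads "user '%s' have uid"; an `(int)` cast (or `%u` with an unsigned cast) and "has" would tidy it. The enclosing function begins and ends outside this hunk.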
   
 @@ -69,24 +188,71 @@
  		wp->socket_gid = grp->gr_gid;
  	}
  
 -	if (c->listen_mode && *c->listen_mode) {
 -		wp->socket_mode = strtoul(c->listen_mode, 0, 8);
 -	}
  	return 0;
  }
  /* }}} */
 @@ -78,15 +193,65 @@
   
   int fpm_unix_set_socket_premissions(struct fpm_worker_pool_s *wp, const char *path) /* {{{ */
   {
  +#ifdef HAVE_FPM_ACL
Line 308 (now 294), was 29 lines, now 10 lines

  +int fpm_unix_free_socket_premissions(struct fpm_worker_pool_s *wp);
  +
   int fpm_unix_init_child(struct fpm_worker_pool_s *wp);
   int fpm_unix_init_main();
  
  
  Les fichiers binaires /home/php/php-src/sapi/fpm/fpm/fpm_unix.o et sapi/fpm/fpm/fpm_unix.o sont différents
 diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_worker_pool.c sapi/fpm/fpm/fpm_worker_pool.c
 --- /home/php/php-src/sapi/fpm/fpm/fpm_worker_pool.c	2014-03-06 11:00:20.000000000 +0100
 +++ sapi/fpm/fpm/fpm_worker_pool.c	2014-11-30 11:30:15.460576401 +0100
 @@ -15,6 +15,7 @@
  #include "fpm_shm.h"
  #include "fpm_scoreboard.h"
  #include "fpm_conf.h"
 +#include "fpm_unix.h"
  
  struct fpm_worker_pool_s *fpm_worker_all_pools;
  
 @@ -29,6 +30,7 @@
  	if (wp->home) {
  		free(wp->home);
  	}
 +	fpm_unix_free_socket_premissions(wp);
  	free(wp);
  }
  /* }}} */
  diff -ru /home/php/php-src/sapi/fpm/fpm/fpm_worker_pool.h sapi/fpm/fpm/fpm_worker_pool.h
  --- /home/php/php-src/sapi/fpm/fpm/fpm_worker_pool.h	2014-03-06 11:00:20.000000000 +0100
  +++ sapi/fpm/fpm/fpm_worker_pool.h	2014-11-30 08:39:44.687175401 +0100
  @@ -42,6 +42,10 @@
Line 358 (now 325), was 96 lines, now 4 lines

  +;listen.acl_groups =
    
   ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
   ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 --- /dev/null	2014-11-30 17:14:22.119979747 +0100
 +++ sapi/fpm/tests/021-uds-acl.phpt	2014-11-30 17:47:51.667947148 +0100
 @@ -0,0 +1,89 @@
 +--TEST--
 +FPM: Test Unix Domain Socket with Posix ACL
 +--SKIPIF--
 +<?php
 +include "skipif.inc";
 +if (!(file_exists('/usr/bin/getfacl') && file_exists('/etc/passwd') && file_exists('/etc/group'))) die ("skip missing getfacl command");
 +?>
 +--XFAIL--
 +Mark as XFAIL because --with-fpm-acl is not enabled in default build
 +--FILE--
 +<?php
 +
 +include "include.inc";
 +
 +$logfile = dirname(__FILE__).'/php-fpm.log.tmp';
 +$socket  = dirname(__FILE__).'/php-fpm.sock';
 +
 +// Select 3 users and 2 groups known by system (avoid root)
 +$users = $groups = [];
 +$tmp = file('/etc/passwd');
 +for ($i=1 ; $i<=3 ; $i++) {
 +	$tab = explode(':', $tmp[$i]);
 +	$users[] = $tab[0];
 +}
 +$users = implode(',', $users);
 +$tmp = file('/etc/group');
 +for ($i=1 ; $i<=2 ; $i++) {
 +	$tab = explode(':', $tmp[$i]);
 +	$groups[] = $tab[0];
 +}
 +$groups = implode(',', $groups);
 +
 +$cfg = <<<EOT
 +[global]
 +error_log = $logfile
 +[unconfined]
 +listen = $socket
 +listen.acl_users = $users
 +listen.acl_groups = $groups
 +listen.mode = 0600
 +ping.path = /ping
 +ping.response = pong
 +pm = dynamic
 +pm.max_children = 5
 +pm.start_servers = 2
 +pm.min_spare_servers = 1
 +pm.max_spare_servers = 3
 +EOT;
 +
 +$fpm = run_fpm($cfg, $tail);
 +if (is_resource($fpm)) {
 +    fpm_display_log($tail, 2);
 +    try {
 +		var_dump(strpos(run_request('unix://'.$socket, -1), 'pong'));
 +		echo "UDS ok\n";
 +	} catch (Exception $e) {
 +		echo "UDS error\n";
 +	}
 +	passthru("/usr/bin/getfacl -cp $socket");
 +
 +	proc_terminate($fpm);
 +    echo stream_get_contents($tail);
 +    fclose($tail);
 +    proc_close($fpm);
 +}
 +
 +?>
 +--EXPECTF--
 +[%s] NOTICE: fpm is running, pid %d
 +[%s] NOTICE: ready to handle connections
 +int(%d)
 +UDS ok
 +user::rw-
 +user:%s:rw-
 +user:%s:rw-
 +user:%s:rw-
 +group::---
 +group:%s:rw-
 +group:%s:rw-
 +mask::rw-
 +other::---
 +
 +[%s] NOTICE: Terminating ...
 +[%s] NOTICE: exiting, bye-bye!
 +--CLEAN--
 +<?php
 +    $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
 +    @unlink($logfile);
 +?>
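Review bot: The `passthru("/usr/bin/getfacl -cp $socket");` call in the --FILE-- section interpolates the socket path into a shell command unquoted, so a checkout directory containing spaces or shell metacharacters changes the command that runs; `passthru('/usr/bin/getfacl -cp ' . escapeshellarg($socket));` keeps the path a single argument. The user and group selection reads `$tmp[1]` to `$tmp[3]` of /etc/passwd and `$tmp[1]` to `$tmp[2]` of /etc/group without checking that those lines exist or are real entries, so on a minimal system empty or bogus names would be written into `listen.acl_users` and `listen.acl_groups`; a line-count check in --SKIPIF-- would make that case an explicit skip. The skip message `skip missing getfacl command` is also printed when /etc/passwd or /etc/group is the missing file, which will mislead whoever reads the test report.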
 