Commit0970869

authored
fix lock permission, let people set user and group (microsoft#45)
* fix lock permission, let people set user and group
* fix windows build
* fix windows build
* address review comments, add header file
* fix build issue for windows
* put permission only for linux
* add comments for ifdef
1 parentb0e7f17 commit0970869

10 files changed

+171
-15
lines changed


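--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -1200,20 +1200,35 @@ static const char *cmd_waf_instanceId(cmd_parms *cmd,
 
 returnNULL;
 }
+#endif
 
-staticconstchar*cmd_waf_lock_owner(cmd_parms*cmd,
+#ifndef_WIN32
+staticconstchar*cmd_waf_lock_user(cmd_parms*cmd,
 void*_dcfg,constchar*p1)
 {
 
 if (cmd->server->is_virtual) {
-return"ModSecurity:SecWafLockOwner not allowed in VirtualHost";
+return"ModSecurity:SecWafLockUser not allowed in VirtualHost";
 }
 
-msc_waf_lock_owner= (char*)p1;
+msc_waf_lock_user= (char*)p1;
 
 returnNULL;
 }
-#endif
+
+staticconstchar*cmd_waf_lock_group(cmd_parms*cmd,
+void*_dcfg,constchar*p1)
+{
+
+if (cmd->server->is_virtual) {
+return"ModSecurity: SecWafLockGroup not allowed in VirtualHost";
+}
+
+msc_waf_lock_group= (char*)p1;
+
+returnNULL;
+}
+#endif// _WIN32
 
 staticconstchar*cmd_action(cmd_parms*cmd,void*_dcfg,constchar*p1)
 {
@@ -4045,13 +4060,22 @@ const command_rec module_directives[] = {
 CMD_SCOPE_ANY,
 "Set waf instanceId"
 ),
+#endif
+#ifndef_WIN32
 AP_INIT_TAKE1 (
-"SecWafLockOwner",
-cmd_waf_lock_owner,
+"SecWafLockUser",
+cmd_waf_lock_user,
 NULL,
 CMD_SCOPE_ANY,
-"Set waf lockowner"
+"Set waf lockuser"
 ),
-#endif
+AP_INIT_TAKE1 (
+"SecWafLockGroup",
+cmd_waf_lock_group,
+NULL,
+CMD_SCOPE_ANY,
+"Set waf lock group"
+),
+#endif// __WIN32
 {NULL }
 };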
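Review bot: The closing comment on the new `#endif` at the end of the directive table reads `// __WIN32` while the guard it closes is `#ifndef _WIN32`; the one closing cmd_waf_lock_group's block has it right, so this should be `#endif // _WIN32`. Separately, cmd_waf_lock_user and cmd_waf_lock_group accept any string and only store the pointer, and the name is resolved much later in lock_create, so a typo in SecWafLockUser or SecWafLockGroup surfaces at child init as a lock-creation failure rather than as a configuration error. Resolving the name with getpwnam/getgrnam in the directive handler and returning an error string there, the way the VirtualHost check already does, would fail fast at config time. The `module_directives[]` table begins before the hunk.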

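--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -93,9 +93,13 @@ TreeRoot DSOLOCAL *conn_write_state_whitelist = 0;
 TreeRootDSOLOCAL*conn_write_state_suspicious_list=0;
 
 #ifdefWAF_JSON_LOGGING_ENABLE
-charDSOLOCAL*msc_waf_resourceId="";
-charDSOLOCAL*msc_waf_instanceId="";
-charDSOLOCAL*msc_waf_lock_owner="root";
+charDSOLOCAL*msc_waf_resourceId=NULL;
+charDSOLOCAL*msc_waf_instanceId=NULL;
+#endif
+
+#ifndef_WIN32
+charDSOLOCAL*msc_waf_lock_user;
+charDSOLOCAL*msc_waf_lock_group;
 #endif
 
 #if defined(WIN32)|| defined(VERSION_NGINX)
@@ -836,6 +840,12 @@ static void hook_child_init(apr_pool_t *mp, server_rec *s) {
 modsecurity_child_init(modsecurity);
 }
 
+#ifndef_WIN32
+staticvoidhook_set_lock_owner(constchar*user,constchar*group) {
+modsecurity_set_lock_owner(user,group);
+}
+#endif
+
 /**
 * Initial request processing, executed immediatelly after
 * Apache receives the request headers. This function wil create
@@ -1710,7 +1720,10 @@ static void register_hooks(apr_pool_t *mp) {
 ap_hook_post_config(hook_post_config,postconfig_beforeme_list,
 postconfig_afterme_list,APR_HOOK_REALLY_LAST);
 ap_hook_child_init(hook_child_init,NULL,NULL,APR_HOOK_MIDDLE);
-
+
+#ifndef_WIN32
+ap_hook_set_lock_owner(hook_set_lock_owner,NULL,NULL,APR_HOOK_MIDDLE);
+#endif
 /* Our own hook to handle RPC transactions (not used at the moment).
 * // ap_hook_handler(hook_handler, NULL, NULL, APR_HOOK_MIDDLE);
 */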
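Review bot: `ap_hook_set_lock_owner` in register_hooks is not an httpd hook; on this page it is declared only by standalone/hooks.h and defined by standalone/hooks.c (both added in this commit), so a plain Apache-module build of mod_security2.c would presumably fail to link unless it also pulls in that header and object — worth confirming before merge. In the first hunk the defaults of msc_waf_resourceId and msc_waf_instanceId change from `""` to `NULL`; if any JSON-logging consumer hands them straight to a `%s` format or to strlen, that is now a NULL dereference rather than an empty field, so the consumers need a check and the definitions a comment such as `/* NULL until the corresponding directive sets it; consumers must check */`. The enclosing register_hooks function continues past the last hunk.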

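--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -164,6 +164,8 @@ static void set_lock_args(struct waf_lock_args *lock_args, int lock_id) {
 
 #else
 lock_args->lock_id=lock_id;
+lock_args->user=msc_waf_lock_user;
+lock_args->group=msc_waf_lock_group;
 #endif
 }
 
@@ -287,6 +289,13 @@ void modsecurity_child_init(msc_engine *msce) {
 
 }
 
+#ifndef_WIN32
+voidmodsecurity_set_lock_owner(constchar*user,constchar*group) {
+msc_waf_lock_user=user;
+msc_waf_lock_group=group;
+}
+#endif
+
 /**
 * Releases resources held by engine instance.
 */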
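Review bot: `msc_waf_lock_user=user;` and `msc_waf_lock_group=group;` in modsecurity_set_lock_owner assign `const char *` parameters to the non-const `char DSOLOCAL *` globals declared in modsecurity.h, which discards the qualifier (a warning in C, an error should this ever be compiled as C++). The same mismatch exists for `char*user;` and `char*group;` in struct waf_lock_args (waf_lock_external.h), which only ever receive these same pointers via set_lock_args; declaring the two globals and the two struct fields `const char *` resolves both places at once. The function also stores only the pointers, so a doc comment on it — stating that the caller must keep `user` and `group` alive until the lock has been created at child init, because nothing here copies them — would stop the next caller from passing a temporary buffer.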

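--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -171,7 +171,11 @@ extern DSOLOCAL int *unicode_map_table;
 #ifdefWAF_JSON_LOGGING_ENABLE
 externDSOLOCALchar*msc_waf_resourceId;
 externDSOLOCALchar*msc_waf_instanceId;
-externDSOLOCALchar*msc_waf_lock_owner;
+#endif
+
+#ifndef_WIN32
+externDSOLOCALchar*msc_waf_lock_user;
+externDSOLOCALchar*msc_waf_lock_group;
 #endif
 
 #defineAUDITLOG_LOCK_ID 1
@@ -736,6 +740,10 @@ int DSOLOCAL modsecurity_init(msc_engine *msce, apr_pool_t *mp);
 
 voidDSOLOCALmodsecurity_child_init(msc_engine*msce);
 
+#ifndef_WIN32
+voidDSOLOCALmodsecurity_set_lock_owner(constchar*user,constchar*group);
+#endif
+
 voidDSOLOCALmodsecurity_shutdown(msc_engine*msce);
 
 apr_status_tDSOLOCALmodsecurity_tx_init(modsec_rec*msr);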

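--- a/apache2/waf_lock/waf_lock.cpp
+++ b/apache2/waf_lock/waf_lock.cpp
@@ -21,6 +21,8 @@
 // Linux
 intlock_create(structwaf_lock *new_lock,structwaf_lock_args *new_lock_args) {
 union semun sem_union;
+uid_t uid;
+gid_t gid;
 
 if (new_lock ==NULL)
 return WAF_LOCK_ERROR_HANDLE_NULL;
@@ -30,7 +32,23 @@ int lock_create(struct waf_lock *new_lock, struct waf_lock_args *new_lock_args)
 // Set permssion
 structsemid_ds buf;
 
-buf.sem_perm.mode =0666;
+if (new_lock_args->user !=NULL && new_lock_args->group !=NULL)
+{
+if ((GetUserId(new_lock_args->user, &uid) == WAF_LOCK_ERROR) || (GetGroupId(new_lock_args->group, &gid) == WAF_LOCK_ERROR))
+{
+lock_destroy(new_lock);
+return WAF_ERROR_LOCK_LINUX_SEM_GET_USER_FAIL;
+}
+
+buf.sem_perm.uid = uid;
+buf.sem_perm.gid = gid;
+buf.sem_perm.mode =0600;
+}
+else
+{
+buf.sem_perm.mode =0666;
+}
+
 sem_union.buf = &buf;
 // Set the permission for the new lock
 if (semctl(new_lock->sem_id,0, IPC_SET, sem_union) == -1) {
@@ -537,3 +555,26 @@ int waf_close_lock(struct waf_lock *waf_lock) {
 else
 return WAF_LOCK_SUCCESS;
 }
+
+#ifndef _WIN32
+intGetGroupId(constchar *name,gid_t *id)
+{
+structgroup *grp =getgrnam(name);/* don't free, see getgrnam() for details*/
+if(grp ==NULL)
+{
+return WAF_LOCK_ERROR;
+}
+*id = grp->gr_gid;
+return WAF_LOCK_SUCCESS;
+}
+intGetUserId(constchar *name,uid_t *id)
+{
+structpasswd *pwd =getpwnam(name);/* don't free, see getpwnam() for details*/
+if(pwd ==NULL)
+{
+return WAF_LOCK_ERROR;
+}
+*id = pwd->pw_uid;
+return WAF_LOCK_SUCCESS;
+}
+#endif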
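Review bot: In the second hunk the `else` branch of the new permission block still sets only `buf.sem_perm.mode` before `struct semid_ds buf` is handed to `IPC_SET`; unless an `IPC_STAT` fills `buf` earlier in lock_create (not visible in the hunk), `sem_perm.uid` and `sem_perm.gid` go to the kernel uninitialized and the semaphore's owner becomes whatever was on the stack. The condition `user != NULL && group != NULL` also means a configuration that sets only SecWafLockUser falls back silently to the world-accessible 0666 semaphore instead of being reported, and with `mode = 0600` the configured group gets no access at all, so SecWafLockGroup changes the recorded gid but not who can use the lock — 0660 is the mode that matches the directive pair. In the last hunk GetUserId/GetGroupId return pointers into getpwnam/getgrnam static storage; if lock_create can run on more than one thread the `_r` variants are the safe choice. lock_create begins before the second hunk.
```cpp
    struct semid_ds buf;
    sem_union.buf = &buf;
    // Start from the kernel's current values so IPC_SET never sees uninitialized uid/gid.
    if (semctl(new_lock->sem_id, 0, IPC_STAT, sem_union) == -1) {
        lock_destroy(new_lock);
        return WAF_ERROR_LOCK_LINUX_SEM_SET_PERMISSION_FAIL;
    }
    if (new_lock_args->user != NULL || new_lock_args->group != NULL)
    {
        // Once either name is given both are required; a partial owner config is an error, not 0666.
        if (new_lock_args->user == NULL || new_lock_args->group == NULL
            || GetUserId(new_lock_args->user, &uid) == WAF_LOCK_ERROR
            || GetGroupId(new_lock_args->group, &gid) == WAF_LOCK_ERROR)
        {
            lock_destroy(new_lock);
            return WAF_ERROR_LOCK_LINUX_SEM_GET_USER_FAIL;
        }
        buf.sem_perm.uid = uid;
        buf.sem_perm.gid = gid;
        buf.sem_perm.mode = 0660;   // owner and configured group; 0600 would make the group setting a no-op
    }
    else
    {
        buf.sem_perm.mode = 0666;
    }
    // … unchanged: IPC_SET call and its error handling …
```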

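--- a/apache2/waf_lock/waf_lock_external.h
+++ b/apache2/waf_lock/waf_lock_external.h
@@ -36,6 +36,7 @@ extern "C" {
 #defineWAF_ERROR_LOCK_LINUX_SEM_MODIFY_FAIL 1103
 #defineWAF_ERROR_LOCK_LINUX_SEM_DESTROY_FAIL 1104
 #defineWAF_ERROR_LOCK_LINUX_SEM_SET_PERMISSION_FAIL 1105
+#defineWAF_ERROR_LOCK_LINUX_SEM_GET_USER_FAIL 1106
 
 #defineWAF_ERROR_LOCK_WIN_NAME_INVALID_STRING 1200
 #defineWAF_ERROR_LOCK_WIN_MUTEX_CREATE_FAIL 1201
@@ -88,6 +89,8 @@ struct waf_lock {
 structwaf_lock_args {
 #ifndef_WIN32
 intlock_id;
+char*user;
+char*group;
 #else
 char*lock_name;
 intlock_name_length;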
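Review bot: `WAF_ERROR_LOCK_LINUX_SEM_GET_USER_FAIL` is returned by lock_create for a failed group lookup as well as a failed user lookup (waf_lock.cpp, second hunk), so a caller that sees 1106 cannot tell which of the two configured names was wrong. At minimum the define deserves a comment, `/* user or group name could not be resolved to an id */`, so the name does not mislead; a distinct code for the group case would let the error path in lock_create report the failing name precisely. The `user` and `group` fields in struct waf_lock_args are never written through and only ever receive the config strings, so the const-qualification point raised on modsecurity.c applies here too.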

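--- a/apache2/waf_lock/waf_lock_internal.h
+++ b/apache2/waf_lock/waf_lock_internal.h
@@ -138,6 +138,23 @@ int Waf_lock_isstring(const char* str, int str_len);
 */
 intWaf_lock_init(structwaf_lock*waf_lock);
 
+#ifndef_WIN32
+/**
+** Get user id by name.
+** @param name: name.
+** return: if WAF_LOCK_SUCCESS if success
+** or WAF_LOCK_ERROR if the handle is NULL.
+*/
+intGetUserId(constchar*name,uid_t*id);
+/**
+** Get group id by name.
+** @param name: name.
+** return: if WAF_LOCK_SUCCESS if success
+** or WAF_LOCK_ERROR if the handle is NULL.
+*/
+intGetGroupId(constchar*name,gid_t*id);
+#endif// _WIN32
+
 #ifdef__cplusplus
 }
 #endif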
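Review bot: The doc comments on GetUserId and GetGroupId say they return `WAF_LOCK_ERROR if the handle is NULL`, but neither takes a handle; per their bodies in waf_lock.cpp they fail when getpwnam/getgrnam returns NULL, i.e. when no account or group of that name can be resolved. Both comments also omit the output parameter; `** @param id: receives the resolved uid (gid); left unchanged on failure.` and `** return: WAF_LOCK_SUCCESS, or WAF_LOCK_ERROR if the name cannot be resolved.` would describe the actual contract. The prototypes use uid_t and gid_t, and whether this header includes `<sys/types.h>` itself is not visible here — confirm it does not rely on an includer having done so.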

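old mode 100644
new mode 100755
--- a/standalone/api.c
+++ b/standalone/api.c
@@ -39,6 +39,7 @@
 #include"http_config.h"
 
 #include"api.h"
+#include"hooks.h"
 
 #ifdefWIN32
 #include"msc_status_engine.h"
@@ -64,6 +65,7 @@ extern ns##_HOOK_##name##_t *hookfn_##name;
 #defineDECLARE_HOOK(ret,name,args) \
 DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args)
 
+
 DECLARE_HOOK(int,pre_config,(apr_pool_t*pconf,apr_pool_t*plog,apr_pool_t*ptemp))
 DECLARE_HOOK(int,post_config,(apr_pool_t*pconf,apr_pool_t*plog,apr_pool_t*ptemp,server_rec*s))
 DECLARE_HOOK(void,child_init,(apr_pool_t*pchild,server_rec*s))
@@ -78,6 +80,10 @@ DECLARE_HOOK(int,log_transaction,(request_rec *r))
 DECLARE_HOOK(void,insert_filter,(request_rec*r))
 DECLARE_HOOK(void,insert_error_filter,(request_rec*r))
 
+#ifndef_WIN32
+DECLARE_HOOK(void,set_lock_owner,(constchar*user,constchar*group))
+#endif
+
 char*sa_name="standalone";
 constchar*sa_name_argv[]= {"standalone",NULL };
 server_rec*server;
@@ -322,6 +328,12 @@ void modsecInitProcess() {
 hookfn_child_init(pool,server);
 }
 
+#ifndef_WIN32
+voidmodsecSetLockOwner(constchar*user,constchar*group) {
+hookfn_set_lock_owner(user,group);
+}
+#endif
+
 conn_rec*modsecNewConnection() {
 conn_rec*c;
 apr_pool_t*pc=NULL;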
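Review bot: modsecSetLockOwner calls `hookfn_set_lock_owner(user,group)` unconditionally, yet hooks.c initializes every `hookfn_*` pointer to NULL and the neighbouring `hookfn_child_init(pool,server)` in modsecInitProcess sits inside a conditional block, which suggests the existing hooks are null-checked before use. Called before the module's register_hooks has run, or in a build where nothing registers this hook, it is a call through a NULL pointer; `if (hookfn_set_lock_owner != NULL) hookfn_set_lock_owner(user, group);` follows the existing pattern. The function also needs a doc comment saying it must be called before modsecInitProcess (the lock is created at child init with whatever user/group is set then) and that `user`/`group` are stored by pointer, not copied, so they must outlive the engine. The body of modsecInitProcess begins before the hunk.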

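old mode 100644
new mode 100755
--- a/standalone/hooks.c
+++ b/standalone/hooks.c
@@ -36,7 +36,7 @@
 #include"apr_lib.h"
 #include"ap_config.h"
 #include"http_config.h"
-
+#include"hooks.h"
 
 #defineDECLARE_EXTERNAL_HOOK(ns,link,ret,name,args) \
 ns##_HOOK_##name##_t *hookfn_##name = NULL; \
@@ -50,6 +50,7 @@ link##_DECLARE(void) ns##_hook_##name(ns##_HOOK_##name##_t *pf, \
 #defineDECLARE_HOOK(ret,name,args) \
 DECLARE_EXTERNAL_HOOK(ap,AP,ret,name,args)
 
+
 DECLARE_HOOK(int,pre_config,(apr_pool_t*pconf,apr_pool_t*plog,apr_pool_t*ptemp))
 DECLARE_HOOK(int,post_config,(apr_pool_t*pconf,apr_pool_t*plog,apr_pool_t*ptemp,server_rec*s))
 DECLARE_HOOK(void,child_init,(apr_pool_t*pchild,server_rec*s))
@@ -63,3 +64,7 @@ DECLARE_HOOK(void, error_log, (const char *file, int line, int level,
 DECLARE_HOOK(int,log_transaction,(request_rec*r))
 DECLARE_HOOK(void,insert_filter,(request_rec*r))
 DECLARE_HOOK(void,insert_error_filter,(request_rec*r))
+
+#ifndef_WIN32
+DECLARE_HOOK(void,set_lock_owner,(constchar*user,constchar*group))
+#endif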

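--- /dev/null
+++ b/standalone/hooks.h
@@ -0,0 +1,24 @@
+/*
+* ModSecurity for Apache 2.x, http://www.modsecurity.org/
+* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+*
+* You may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* If any of the files related to licensing are missing or if you have any
+* other questions related to licensing please contact Trustwave Holdings, Inc.
+* directly using the email address security@modsecurity.org.
+*/
+
+#ifndef_HOOKS_HEADER
+#define_HOOKS_HEADER
+
+#include"http_config.h"
+
+#ifndef_WIN32
+AP_DECLARE_HOOK(void,set_lock_owner,(constchar*user,constchar*group))
+#endif
+
+#endif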
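Review bot: `_HOOKS_HEADER` as the include guard is a reserved identifier — a leading underscore followed by an uppercase letter belongs to the implementation in both C and C++ — so a project-prefixed name without the underscore, e.g. `MODSEC_STANDALONE_HOOKS_H`, removes the chance of colliding with a libc or compiler macro. The `AP_DECLARE_HOOK` line assumes http_config.h is usable on its own; hooks.c includes ap_config.h before it, so if that ordering is required the new header should include it itself to stay self-contained. A one-line comment above the hook, `/* Lets the embedding application hand the lock owner (user, group) to the engine before child init. */`, would also tell a reader what the hook is for, which nothing in this file currently does.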
