diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c index 786a3bd20b2..1df2326ffe3 100644 --- a/sapi/litespeed/lsapilib.c +++ b/sapi/litespeed/lsapilib.c @@ -868,6 +868,190 @@ static int setUID_LVE(LSAPI_Request * pReq, uid_t uid, gid_t gid, const char * p #endif return 0; } +#endif + + +static int setUID_LVE(LSAPI_Request * pReq, uid_t uid, gid_t gid, const char * pChroot) +{ + int rv; + struct passwd * pw; + pw = getpwuid( uid ); +#if defined(linux) || defined(__linux) || defined(__linux__) || defined(__gnu_linux__) + if ( s_lve ) + { + if( lsapi_enterLVE( pReq, uid ) == -1 ) + return -1; + if ( pw && fp_lve_jail) + { + rv = lsapi_jailLVE( pReq, uid, pw ); + if ( rv == -1 ) + return -1; + if (( rv == 1 )&&(s_enable_lve == LSAPI_CAGEFS_NO_SUEXEC )) //this mode only use cageFS, does not use suEXEC + { + uid = s_defaultUid; + gid = s_defaultGid; + pw = getpwuid( uid ); + } + } + } +#endif + //if ( !uid || !gid ) //do not allow root + //{ + // return -1; + //} + +#if defined(__FreeBSD__ ) || defined(__NetBSD__) || defined(__OpenBSD__) \ + || defined(macintosh) || defined(__APPLE__) || defined(__APPLE_CC__) + if ( s_enable_core_dump ) + lsapi_enable_core_dump(); +#endif + + rv = setgid(gid); + if (rv == -1) + { + LSAPI_perror_r(pReq, "LSAPI: setgid()", NULL); + return -1; + } + if ( pw && (pw->pw_gid == gid )) + { + rv = initgroups( pw->pw_name, gid ); + if (rv == -1) + { + LSAPI_perror_r(pReq, "LSAPI: initgroups()", NULL); + return -1; + } + } + else + { + rv = setgroups(1, &gid); + if (rv == -1) + { + LSAPI_perror_r(pReq, "LSAPI: setgroups()", NULL); + } + } + if ( pChroot ) + { + rv = chroot( pChroot ); + if ( rv == -1 ) + { + LSAPI_perror_r(pReq, "LSAPI: chroot()", NULL); + return -1; + } + } + rv = setuid(uid); + if (rv == -1) + { + LSAPI_perror_r(pReq, "LSAPI: setuid()", NULL); + return -1; + } +#if defined(linux) || defined(__linux) || defined(__linux__) || defined(__gnu_linux__) + if ( s_enable_core_dump ) + lsapi_enable_core_dump(); +#endif + return 0; +} + +static int lsapi_suexec_auth( LSAPI_Request *pReq, + char * pAuth, int len, char * pUgid, int ugidLen ) +{ + lsapi_MD5_CTX md5ctx; + unsigned char achMD5[16]; + if ( len < 32 ) + return -1; + memmove( achMD5, pAuth + 16, 16 ); + memmove( pAuth + 16, s_pSecret, 16 ); + lsapi_MD5Init( &md5ctx ); + lsapi_MD5Update( &md5ctx, (unsigned char *)pAuth, 32 ); + lsapi_MD5Update( &md5ctx, (unsigned char *)pUgid, 8 ); + lsapi_MD5Final( (unsigned char *)pAuth + 16, &md5ctx); + if ( memcmp( achMD5, pAuth + 16, 16 ) == 0 ) + return 0; + return 1; +} + + +static int lsapi_changeUGid( LSAPI_Request * pReq ) +{ + int uid = s_defaultUid; + int gid = s_defaultGid; + const char * pChroot = NULL; + struct LSAPI_key_value_pair * pEnv; + struct LSAPI_key_value_pair * pAuth; + int i; + if ( s_uid ) + return 0; + //with special ID 0x00 + //authenticate the suEXEC request; + //first one should be MD5( nonce + lscgid secret ) + //remember to clear the secret after verification + //it should be set at the end of special env + i = pReq->m_pHeader->m_cntSpecialEnv - 1; + if ( i >= 0 ) + { + pEnv = pReq->m_pSpecialEnvList + i; + if (( *pEnv->pKey == '\000' )&& + ( strcmp( pEnv->pKey+1, "SUEXEC_AUTH" ) == 0 )) + { + --pReq->m_pHeader->m_cntSpecialEnv; + pAuth = pEnv--; + if (( *pEnv->pKey == '\000' )&& + ( strcmp( pEnv->pKey+1, "SUEXEC_UGID" ) == 0 )) + { + --pReq->m_pHeader->m_cntSpecialEnv; + uid = *(uint32_t *)pEnv->pValue; + gid = *(((uint32_t *)pEnv->pValue) + 1 ); + //fprintf( stderr, "LSAPI: SUEXEC_UGID set UID: %d, GID: %d\n", uid, gid ); + } + else + { + fprintf( stderr, "LSAPI: missing SUEXEC_UGID env, use default user!\n" ); + pEnv = NULL; + } + if ( pEnv&& lsapi_suexec_auth( pReq, pAuth->pValue, pAuth->valLen, pEnv->pValue, pEnv->valLen ) == 0 ) + { + //read UID, GID from specialEnv + + } + else + { + //authentication error + fprintf( stderr, "LSAPI: SUEXEC_AUTH authentication failed, use default user!\n" ); + uid = 0; + } + } + else + { + //fprintf( stderr, "LSAPI: no SUEXEC_AUTH env, use default user!\n" ); + } + } + + + if ( !uid ) + { + uid = s_defaultUid; + gid = s_defaultGid; + } + + //change uid + if ( setUID_LVE( pReq, uid, gid, pChroot ) == -1 ) + { + return -1; + } + + s_uid = uid; + + return 0; + +} + +static int parseContentLenFromHeader(LSAPI_Request * pReq) +{ + const char * pContentLen = LSAPI_GetHeader_r( pReq, H_CONTENT_LENGTH ); + if ( pContentLen ) + pReq->m_reqBodyLen = strtoll( pContentLen, NULL, 10 ); + return 0; +} + static int lsapi_suexec_auth( LSAPI_Request *pReq, char * pAuth, int len, char * pUgid, int ugidLen ) diff --git a/sapi/litespeed/lsapilib.h b/sapi/litespeed/lsapilib.h index cae1863c792..02543ef1a63 100644 --- a/sapi/litespeed/lsapilib.h +++ b/sapi/litespeed/lsapilib.h @@ -48,6 +48,13 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/*************************************************************************** + lsapilib.h - description + ------------------- + begin : Mon Feb 21 2005 + copyright : (C) 2005 by George Wang + email : gwang@litespeedtech.com + ***************************************************************************/ #ifndef _LSAPILIB_H_ #define _LSAPILIB_H_ diff --git a/win32/build/Makefile.phpize b/win32/build/Makefile.phpize index 17cfc90fbda..0463d332fb0 100644 --- a/win32/build/Makefile.phpize +++ b/win32/build/Makefile.phpize @@ -5,10 +5,7 @@ MT="$(MT)" PHPSDK_DIR=$(PHP_DIR) PHPLIB=$(PHPSDK_DIR)\lib\$(PHPLIB) -LDFLAGS=/libpath:"$(PHPSDK_DIR)\lib\;$(PHPSDK_DIR)" - -CFLAGS=/nologo /FD $(BASE_INCLUDES) /D _WINDOWS /D ZEND_WIN32=1 /D PHP_WIN32=1 /D WIN32 /D_USE_32BIT_TIME_T=1 /D ZEND_WIN32_FORCE_INLINE /GF /D ZEND_DEBUG=0 /D ZTS=1 /D FD_SETSIZE=256 -CFLAGS_PHP=/D _USRDLL /D PHP5DLLTS_EXPORTS /D PHP_EXPORTS /D TSRM_EXPORTS /D SAPI_EXPORTS /D WINVER=0x500 /D COMPILE_DL_AJAXMIN +LDFLAGS=$(LDFLAGS) /libpath:"$(PHPSDK_DIR)\lib\;$(PHPSDK_DIR)" all: $(EXT_TARGETS) $(PECL_TARGETS) diff --git a/win32/build/confutils.js b/win32/build/confutils.js index 0a261fb9b41..bb61a448e6e 100644 --- a/win32/build/confutils.js +++ b/win32/build/confutils.js @@ -1170,11 +1170,6 @@ function ADD_EXTENSION_DEP(extname, dependson, optional) var dep_present = false; var dep_shared = false; - if (MODE_PHPIZE) { - ext_deps_js = file_get_contents(PHP_DIR + "\\script\\ext_deps.js"); - eval(ext_deps_js); - } - try { dep_present = eval("PHP_" + DEP); @@ -1525,7 +1520,7 @@ function output_as_table(header, ar_out) var min = new Array(l); var max = new Array(l); - if (l != ar_out[0].length) { + if (!!ar_out[0] && l != ar_out[0].length) { STDOUT.WriteLine("Invalid header argument, can't output the table " + l + " " + ar_out[0].length ); return; } @@ -1847,7 +1842,9 @@ function generate_makefile() MFO.Close(); TF = FSO.OpenTextFile("Makefile.objects", 1); - MF.Write(TF.ReadAll()); + if (!TF.AtEndOfStream) { + MF.Write(TF.ReadAll()); + } TF.Close(); MF.Close(); diff --git a/win32/build/phpize.js.in b/win32/build/phpize.js.in index 4813ec0b5d6..235c0816a33 100644 --- a/win32/build/phpize.js.in +++ b/win32/build/phpize.js.in @@ -209,6 +209,8 @@ C.WriteLine("/* This file automatically generated from script/confutils.js */"); C.WriteLine("var MODE_PHPIZE = true;"); C.WriteLine("var PHP_DIR = " + '"' + PHP_DIR.replace(new RegExp('(["\\\\])', "g"), '\\$1') + '"'); +C.Write(file_get_contents(PHP_DIR + "//script//ext_deps.js")); + C.Write(file_get_contents(PHP_DIR + "/script/confutils.js")); C.Write(file_get_contents(PHP_DIR + "/script/config.phpize.js"));