RFC: mod_mono group membership patch


by Philip Tricca-2

Hey,

I run a shared host for a few friends and recently I set up mono for
them (latest source release on Debian Lenny).  Typically, to separate
users I create a unique, shared group between each user and the web
server (pretty standard use of DAC).

When I deployed mod_mono & mod-mono-server2 using this scheme I got a
System.UnauthorizedAccessException when the mono server would try to
read files owned by such a group.  It was however able to access files
with group perms for the default apache group.  This exception was
thrown even though the web server could access the same files without
any troubles.

Going through the code for mod_mono I was able to find the location
where the server drops root privileges, assuming the uid and gid of the
apache user and group.  I was not able to find any call to initgroups
where it would normally set up the supplementary group membership.
Using getgroups to see which groups the forked process belonged to did
not return the expected group list, which seems to be the source of the
problem.

The attached patch fixes this.  I've been running it on two live systems
for a few days now and it works fine.  If you like the patch it's free
for the taking.  If not, let me know what the preferred solution is.

Regards,
- Philip

--
http://twobit.us

--- ./mod_mono-2.4.2.orig/src/mod_mono.c 2009-06-08 13:40:01.000000000 -0400
+++ ./mod_mono-2.4.2.grpfix/src/mod_mono.c 2009-11-06 11:12:05.000000000 -0500
@@ -1644,6 +1644,13 @@
       "setgid: unable to set group id to %u. %s",
       (unsigned)apache_get_groupid (), strerror (errno));
 
+                DEBUG_PRINT (2, "initializing groups for forked process user %s", apache_get_username ());
+                if (initgroups (apache_get_username (), apache_get_groupid ()) == -1)
+                        ap_log_error (APLOG_MARK, APLOG_ERR, STATUS_AND_SERVER,
+                                      "initgroups: unable to initialize supplementary group list for user %s: %s",
+                                      apache_get_username (),
+                                      strerror (errno));
+
  DEBUG_PRINT (2, "switching forked process user to %s", apache_get_username ());
  if (setuid (apache_get_userid ()) == -1)
  ap_log_error (APLOG_MARK, APLOG_ALERT, STATUS_AND_SERVER,
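
Review bot: When initgroups () fails in the added block, the code only logs the error and falls through to setuid (), so the forked child keeps whatever supplementary group list it inherited while running as the Apache user. Consider treating that failure as fatal for the child instead of continuing, and logging it at APLOG_ALERT to match the setuid failure path just below rather than APLOG_ERR. The result of apache_get_username () is also fetched three times in these lines and could be held in a local.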

_______________________________________________
Mono-devel-list mailing list
Mono-devel-list@...
http://lists.ximian.com/mailman/listinfo/mono-devel-list
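
The getgroups diagnostic described in the message, generalized into a check that can be run inside any process that has dropped privileges. This is an added example, not part of the original post or of mod_mono; `missing_groups`, `check_own_groups` and `MAX_GROUPS` are hypothetical names, and a glibc-style `getgrouplist` is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAX_GROUPS 256      /* assumed upper bound for this example */

/* Copy every gid in `expected` that is absent from `actual` into `missing`;
 * returns how many were copied. */
static int missing_groups(const gid_t *expected, int n_expected,
                          const gid_t *actual, int n_actual, gid_t *missing)
{
    int count = 0;
    for (int i = 0; i < n_expected; i++) {
        int found = 0;
        for (int j = 0; j < n_actual && !found; j++)
            found = (expected[i] == actual[j]);
        if (!found)
            missing[count++] = expected[i];
    }
    return count;
}

/* Compare the groups this process really holds with the ones the group
 * database lists for its effective user (what initgroups would install).
 * Returns the number of missing groups, or -1 if a lookup fails. */
static int check_own_groups(gid_t *missing)
{
    gid_t expected[MAX_GROUPS], actual[MAX_GROUPS + 1];
    int n_expected = MAX_GROUPS;
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL ||
        getgrouplist(pw->pw_name, pw->pw_gid, expected, &n_expected) == -1)
        return -1;
    int n_actual = getgroups(MAX_GROUPS, actual);
    if (n_actual == -1)
        return -1;
    actual[n_actual++] = getegid();  /* getgroups may omit the effective gid */
    return missing_groups(expected, n_expected, actual, n_actual, missing);
}

int main(void)
{
    gid_t missing[MAX_GROUPS];
    int n = check_own_groups(missing);
    if (n < 0) { perror("group lookup"); return 2; }
    for (int i = 0; i < n; i++)
        printf("missing supplementary gid %u\n", (unsigned)missing[i]);
    return n > 0;   /* non-zero exit when the group list is incomplete */
}
```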